Proprietary source code underpinning the e-voting software used in NSW will be opened to “qualified reviewers”, the NSW Electoral Commission says.
The commission said in a statement that the software’s maker, Scytl, had agreed to selectively reveal the source code “to support continuous improvement to the iVote platform”.
Reviewers will be given a year to examine the source code, stored in a Bitbucket repository, according to terms and conditions published today.
In return for access to the source code, “approved registrants must report their findings, if any, to Scytl so that reported findings may be investigated and verified and, if required, remediated,” the company said.
Scytl said that reviewers “may publish” information about vulnerabilities they find, provided responsible disclosure procedures are followed and “at least 45 days” have elapsed.
Prospective source code reviewers can apply to participate.
“Release of the source code is being undertaken as part of our commitment to transparency and scrutiny of the iVote system,” the NSW Electoral Commission said.
“Under the code release a comprehensive list of components will be made available for review, including the voting system, the iVote verification application and the mixnet.”
Use of iVote at the last state election was less than half of the volume expected.
This may have been the result of an outage to iVote registration on election eve.
However, the Scytl software was also dogged by security concerns in the lead-up to the election, after it emerged that a critical defect found in the Swiss government’s e-voting system, which also uses Scytl software, was present in the NSW iVote system as well.
Scytl fixed the defect, but not before criticising the Australian and international researchers who uncovered the problem in a similar code review initiated by Swiss authorities.