 Hello, hello. Hello, everybody. Welcome to the Open Government Track here at Scale19x. I'm really excited that you guys have all come out here, have braved the Omicron wave to come out here, and listen to Amanda talk. Amanda's coming to us from the UK. We're really excited to hear what she has to say, and she's got several slides to introduce herself, so I'm not going to spend too much time on that. I will ask at the end, we're going to have some questions. When you ask your question, then Amanda will just repeat so that we can get it recorded, so that everybody can hear it later. This will be streamed on YouTube later. So, with that, I've been said. Thank you. So, good morning, LA. Something I've never said before and always wanted to. Thank you very much to everybody at Scale for having me come and join you today, and in particular Mark for being brave enough to let me use his laptop. So, I'm Amanda Brock. I'm just working his laptop out. So, I'm the CEO at Open UK, and Open UK is the industry organisation for open technology, and I'm going to spend a few minutes actually talking you through what we do, because I think it's useful, and I suspect that most of you have never come across me or Open UK before. So, I hope that's all right. If it's going on too long, let me know. I'm Scottish, so I have an accent, and I tend to speak quite quietly, and I may well forget that I'm supposed to hold the mic up. So, if you can't hear me at any point in time, or if I'm walking in front of the screen where the slides get messed up, will you let me know? Just wave at me and we can work out what the issue is. So, I often get asked what a nice girl like me is doing in a space like open source. Back at the beginning of 2008, I joined a company some of you will have heard of. I can't tell with masks on, but I don't think I worked with anybody in this room there. I know some of my former colleagues are here. And Canonical at the time was the commercial sponsor of the Ubuntu operating system, which was pretty popular back then. I'm just going to move this. And today, Canonical is probably known for many things beyond Ubuntu, but back then, we were at a time when we were doing deals with Dell, we were in the desktop space, and we also had just started to work in cloud. And Canonical went from being about 0% to over 70% of the cloud operating system market almost overnight. And it was a bit of a sign of what things were going to be in the future, the sign of things to come that we saw back then. And I'll talk a little bit about that as we go on. So, having spent five years at Canonical where I was the first lawyer, the general counsel, I moved into a law firm and spent a couple of years where I advise startups primarily and UK businesses around open source. And that was 2013-14. I was very much too early stage. And I ended up going back into a couple of other companies until 2019. And through that period from 2008 to 2019, I have been on a number of different advisory boards and open source projects, because something happened at Canonical that wasn't expected. And I was expected to go in there and be a corporate and commercial lawyer who knew about IT and technology, but I wasn't expected to fall in love with open source. And for me, the value set that went with the open source community at the time and the work they were doing was really important. There are some chairs if you want them, so round them out. There's one right at the front that's not next to anyone if you want space. So that whole piece with Canonical for me was a very big deal. And it led to me being on things like the UN's open source advisory board where I was the chair. Last year I ended up being appointed by the UK government to an open standards board that they have at the cabinet office. And then this year I stood for election for the first time in my life and it was really nerve wracking to be honest for the OSI board. And I did it. Some people told me not to. And I did it because I feel that the OSI is really important to open source and it's something that needs to be strong. I think it's absolutely critical that we have a strong OSI. We have a booth here and if anybody wants to talk to OSI people on myself about it I'm sure we're all happy to do that. So something I found that I could do during the pandemic was right and generally I write for the tech press. I like it because it's lightweight short. I was persuaded to take on the second edition of this book and I've edited a book of 24 chapters by 22 authors free and open source software law policy practice. The authors are world leading experts in what they do. Each and every one of them. And it's the only time you will ever see my name as an editor on the front of a book because it is the most horrendous task I've ever undertaken. You imagine mostly the lawyers, 22 of them, they've all got opinions and it's a really long book. Some of them are 15,000 word chapters. So it's going to be really expensive and Oxford University Press are publishing it for us this autumn. However, it's also going to be open access thanks to the Beach Foundation. So I hope that it's something that will be used widely as a tool where you can use the PDF or the e-reader and download the bits that you need or you find useful. So that should be out September, October. We're going to do a book signing all things open. And the other thing I do is talk. And pre-pandemic, I used to travel the world talking. Obviously I'm here again today. But then I spent a couple of years in my kitchen with my kitten who is now a fully grown cat. I was going to say because I expected this room to be empty that at least then I knew there was one person or one kitten listening to me and I'm really taken aback by you all being here. But of course, Scale brought me on this incredible journey and these are some photos from my incredible journey a couple of days ago. I couldn't believe the journey I had. We went over the north of Greenland, the Rockies and Salt Lake City on the way here. Absolutely incredible to be with you. And to talk about Open UK a little bit. And I'll try and keep it quite short because I could talk to you about this for hours. We are the UK organization for the business of open technology. Don, do you want to wave? So Don Foster is one of my board members. We're quite a different organization. And we started being different when the board came on board. It's hard to say, at the beginning of 2020. And we have a board of 12 who are generally known in their areas in technology globally. And we made a decision that we wouldn't focus anymore on open source software. So Open UK had started life as an open source software organization. But we didn't think you could run a country or geographic or even a project properly without focusing on data as well and understanding the place of data and software. And we expanded it out to the three opens, so open source software, hardware and data. And what we've done is build an organization over the last two and a half years that has about 100 to 150 people who volunteer and they are the leadership. Most of them are leaders and projects within the UK or international projects. So we tried to build quite a diverse organization. I think it's probably one of the most diverse in UK tech, maybe in open source. So we have our board, we have pro bono leadership team, only a couple of us are paid. And then we have ambassadors. A lot of them are from Kubernetes and Cloud Native. And what we've done by bringing those people in is we've started the process of building a cohesive community. Building a community that can be recognized within the UK. Now bear with me, this has a relevance to government. So we brought these people together so they can have a voice. And we do things like award ceremonies, we have an honours list, a very British thing where we celebrate their achievement and what they work on and what that does is allow us to have influence because we can demonstrate that we have these smart people doing clever things with open and the benefits of that open source, that open technology. And there's a whole list there, you'll see these in the slides. But we were very quickly recognized in Europe as the voice of open. We then joined an amicus brief and Google the Oracle here in the US and we also responded to the Biden ordinance last year. And I think we were the only non-US organization that did that. And last year we shifted to starting to do reports. Now I know I'm disappointing at least one person in the room because I'm not going to go into detail in case studies. But these reports do. So what we did was we started by taking the data that existed in other reports and doing a literature review and cutting that data for the UK so we could demonstrate stuff that nobody had shown before by looking at the UK. It's probably easier to do that for other countries because Brexit sort of messed up for us where most people focused on Europe. And what we were trying to do there was demonstrate our position as a centre of excellence. I think, I don't think this has been published anywhere but when the UK Brexited the figure Europe was using was 490,000 developers doing open source work in Europe. After Brexit they think it's 260. So almost half of Europe's developers doing open source work are in the UK. Germany is very close behind us and then there's a big drop down to France and then for some of the other countries it's tiny. And that's the kind of information that helped us influence government and helped us get a connection with government. So we started the literature review. We moved on in phase two to doing a survey. Our surveys are difficult, right? So I want to ask questions that survey organizations tell you you can't ask. And I keep pushing and pushing until I get them sort of close to what I want because I think the way we've looked traditionally at open source is we look at value generated by number of developers, lines of code and that gives you a very skewed idea, a total cost of ownership type idea which is a decade old. That worked in tech 10 years ago. It's not how the rest of the tech sector measures itself. And what I think we need to shift to is looking more at value that open source generates. We did calculations following the methodologies, these traditional methodologies and we showed the open source software purely was 20% of the UK's GDP year on year. Now I think it's probably three times that if you look at the value it generates and think about the platform economy. And we shifted in the third phase and if only I could change the world and maybe it is changing we looked at values and sustainability because we were hosting COP26 and we had an event at COP26. So we looked at other things that you could measure like collaboration, education, skills development all the good things that happen through open source that aren't economic and we've been working on how we measure that. So this does all relate to government, I promise. This is just from this year's report we shared on the 7th of July. It's long, it's 50-60 pages and the intention was it was a full report and we weren't going to do three phases. But for various reasons that I'll come to later we're going to do a second phase on curation of open source and infrastructure particularly focused on the public sector and then a third phase on sustainability. And if you look at this up here you'll see this sum, the 4.872, 6.65 billion. That's a calculation we did on the amount that's invested by UK enterprises in open source software and it's incredible. We have a thing called the leveling up fund where UK government is building technology to help bring us back out of the pandemic. This sum is 29 to 35 times the amount UK government is putting in. There's a huge amount of open source happening and one of the things that I think we all have to do when we talk about government is find ways to demonstrate the importance of open source. Now everything we've gotten here is creative commons. The questions from our surveys are also at the end of the reports and they're filled with case studies. So I think there were about eight last year. There's a similar number in this year's report and we have more that we'll share in September and November. So if you want case studies are good examples and I'm also happy if anybody wants it to share things like the questions we used. And we just keep evolving and learning. Every two months we have a group that does a collaborative session and we try to bring together people around the world who are looking at reporting, who are looking at surveys and open source so that we can compare notes and learn from each other and it's a completely open list if anyone's interested. And what we saw in this report in phase one is that you're on a journey when you start with open source and I'm going to say I think this is a journey that every company today is on we've all digitalized, like it or not over the last 10, 12 years, companies that didn't like it have done it through the pandemic. They've started to digitalize, they've fully digitalized and they've become companies that focus on having their products and services created, distributed or consumed using technology which means it's software defined and that's got a huge impact on everything we do. And what we try to do, these are the questions that the survey people don't like, is we try to correlate activities around governance, good housekeeping, compliance, good technology development. We try to correlate them to the stage and the journey and also the length of time that companies have been at each stage. And it's not necessarily exclusive so you might get somebody who contributes and consumes. I think the figure was 7% that consumed only but didn't contribute. The bit that I'm really interested in is those who consume and distribute but don't contribute. And I'm not allowed to use what we saw from that because we had under 2%, but there's still 2% of companies who are using open source knowingly, distributing it and not giving anything back and I really want to investigate that further. I mentioned that we did an event at COP26 last year. We shared a blueprint for the data center of the future using open source software hardware data. The blueprint's now in the Eclipse Foundation. This year we're going to host another event in November. We're going to try and hold ourselves accountable for what we talked about last year and where we've got to a year later. And we're going to do another blueprint which will be on EV charging and we'll bring together all the different components of EV charging into a blueprint and it will also go into Eclipse. The idea is that we show that this blueprint model is feasible and rigorous and then we will next year share the model and try and get others to own, probably in medical devices. We also are going to be doing something called the societal value metrics looking at the non-economic values of open source. So this second piece of what we do, this policy and legal work, is a huge chunk of what we do. We, I guess, are unique because we try to bring all this engineering community together, all this business community together so that we can then have influence. You know, when people see the achievements that are made, when people in government understand the achievements that are made in their own patch, in their own geography, they're willing to listen to you and we then try to direct the conversation. But the third piece has to be about learning and I didn't take this out of my bag earlier, which I should have. So purely by chance we were having a kids competition when the pandemic started and we were going to distribute these digital gloves. A glove with a micro-bit, which is also created in the UK. If you look at openuk.uk slash openkidscamp you'll see these and you'll see two courses teaching children. For the UK it's age 11 to 15, Key Stage 3. And it teaches them how to code, it teaches them about open source, it teaches them about collaboration, about community through 10 digital lessons and then there's 10 magazines that go with it. Now I'm going to take this off again, having gone through all that trouble putting it on. We gave away 8,000 of those gloves to kids in these little packs like this and you'll see the back of it has 10 images and those are the open source definition. So we try to take some responsibility and teach the next generation about the open source definition but we also taught them about the sustainable development goals and about community and collaboration. And in the first course we got to be a GNOME Community Challenge finalist I think we were a runner up. And this year we're looking at building a MOOC, a massive open online course with the Entrepreneurship School at Scottish University. And the idea there is that we'll start to teach people who want to build businesses about things like how you hire from communities, how you grow communities, how you build revenue when you've given away your crown jewels. We're a tiny organization, I've shown you everybody that really leads it and we've been able to get this level of press and we get over a million impressions on Twitter we've got a lot more than that this year but it's because everybody works together to have influence and we started this at the beginning of 2020 at the same time what we saw was a shift and I've mentioned digitalization already we saw this shift going on around as a government level not just in the UK but also in Europe and Europe was talking about the start of a digital decade in 2020 and it was still really optimistic. Now you probably realise I don't speak to words but this quote is worth knowing and this is Ursula von Delain who is the president of the European Commission and this is a quote from a letter that she wrote to a lady called Marguerite Vestiger who is the antitrust or competition commissioner and when she appointed her she said changes in digital technologies and geopolitics are already having a profound effect on the lives of Europeans we're witnessing major shifts all the way from global power structures to local politics what we do now will determine what kind of world our children live in and will define Europe's place in the world creating a Europe fit for the digital age so if you take those words and you change it to be UK or US or British or American this is the situation we're all in we're all looking at the same thing maybe collaboratively maybe not we're all trying to work out what's going on with the future through technology and we see how technology impacts our day-to-day life and our day-to-day lives impact technology now this is a photograph at a conference I was talking to some of you about earlier and this was my last pre-pandemic conference and it's first Sunday of February every year and for us it was 31st of January and 1st of February we were the UK Brexited or Exited from Europe on the 31st of January and we were in Brussels so we went to the European Commission and here I'm with Cheryl Hung who you might know from Cloud Native Jonathan Riddle from KDE and Kavita Kapoor who was our learning officer and we were at the commission at midnight as we exited and the lights went off and we were standing there in the dark in February, January, February and it really felt profound and that was a moment of geopolitical shift that you could pin down to the exact moment in time and there are a few that you can do that with this is the little known Scottish variant that one or two of you may have come across and you can generally tell it's coming because of the noise it makes now geopolitical shift digitalization were both really impacted in the last couple of years through the pandemic and one of the things we saw was the European reaction to data being flowing, data flows, data privacy from Europe to the US and what we saw was this case Shrems 2 where previously Mr. Shrems had brought a case and the case had had the impact that the model clauses the contract clauses we used to move data from Europe over to the US were set aside and we used to, I used to be a lawyer and we just used to pick those up stick them in a contract and know everything was good and the case said you couldn't do that anymore and you had to start to rely on the ability to shift data because the US had a safe harbor Shrems 2 half way through the pandemic 2020 part way through the pandemic sets that aside and so the US is no longer a safe place for us to transfer data from Europe to we see the start of digital and data sovereignty in Europe and I don't know if you've come across that term sovereignty absolutely constant now in Europe Gaia X is the business infrastructure building a cloud for Europe a federated infrastructure that can be used for data and create privacy but it's something that's all built on open source and looking at open data we don't just see that friction though between the EU and the US we also see it between the EU and China and we see it between the US and China and the UK and China and we don't just see these things happening at a national state geopolitical level we also start to see civilian and civil action through Black Lives Matter through the youth movement at COP26 and of course sadly this year in the war in Ukraine so why am I talking about all of this why does it matter why is it relevant to your government track and what's it got to do with open source and what is open source even so I told you I joined Canonical and I was a lawyer and I could have written a two line open source is code with the source code which is the human readable part shared publicly on an OSI approved license and that would have given me a basic definition of open source and I could have applied it to everything but if I'd done it it wouldn't have worked because open source is much much more than that open source is about community it's about collaboration it's about building the best most innovative code that's something that is diverse that will be well maintained and secure it's a big picture and you can go back to the OSD and in the OSD the open source definition which is custodianed by the open source initiative as you all know you'll find a couple of principles around things like non-discrimination non-discrimination amongst people non-discrimination amongst fields of endeavour and those have had a really big impact in the last year or two particularly when you start to think about these geopolitical shifts and the way that we're trying to close down the world and split countries off yet as open source communities we continue to collaborate and this is the kind of thing that governments have to understand so how did we get to where we are? I've mentioned digitalisation digitalisation has been a big big thing over the last decade but it's not just that we also have this situation where the role that the developer plays has changed the engineers role was totally different so when I was back in canonical it was pretty exhausting actually I was that parrot and I was the point of escalation for every commercial deal and I spent my days talking to procurement talking to legal, sometimes finance explaining risk and open source and trying to persuade them that it wasn't as bad as they thought and that shifted but that's not an issue anymore if the companies are smart they'll know that you don't manage your risk and open source around contracts you manage it at the engineering level because today engineers can make the decision to go and bring open source into their organisation without approval, without a contract and what that means is that not only has the risk shifted but the power of the engineer has escalated and risen they've got an elevated status if you're providing open source what that means is that it's very very easy for you to have your product become ubiquitous without having to go through that risk management of legal and procurement so that shift is one of the biggest things that most people don't acknowledge which has really seen the rise of open source and when you look at reports around open source you'll see 58 to 98% of the stack generally credited whether you're in the public or private sector as being open source and this is partly why partly digitalisation, partly the fact that the developers have this elevated status and partly cloud now I mentioned also that we were dealing with that back in 2010 in canonical and this is an old slide I really need to update it but if you look at the cloud native landscape you'll see what market cap and the trillions and funding and the billions the fact that open source permeates that cloud is inescapable and it's got a huge amount to do with why open source has become what it's become and why the stacks are full of it now I'm going to tell you that I'm so witty so don't listen to us I don't know if anybody follows Steve Wally on Twitter but I was having a conversation with him this morning about this slide so this is Steve Wally's slide he's not able to be here now and Steve tells the Microsoft story and this is him in 2018 doing a keynote in Edinburgh and he's at the Linux Foundation's open source summit now there isn't anybody who was at canonical with me in the room is there so back in the day when I joined canonical we had something called Launchpad and it was a bug tracking system and bug zero was the destruction of Microsoft Microsoft were not our friend in fact we thought they were public enemy number one I can't tell open source jokes anymore because all the jokes I know the punchline is Microsoft things have changed things have changed to the extent that in 2018 Steve's standing on a stage in Scotland asking for forgiveness now Bomber described open source when he was a CEO of Microsoft as a cancer Steve's got Sacha Nadala behind him on this screen saying judge us by the actions we have taken in the recent past, our actions today and Steve tells a really good story it's 13 minutes long it's worth downloading and watching if you're trying to persuade someone to use open source and he explains there are three reasons the first is that Microsoft customers never used to ask for open source the second is developers who've learned code in the last 20 years use open source there is no way around it you can't employ them if you're not going to let them do it they're going to reuse and recycle and the third is cloud back to that point I was just making and what he said is that you can't engage in cloud at any scale without dealing with the community so it's no good just being a user you want to be further along that journey and contributing if you want to have any influence now I mentioned Microsoft back in the day and we used to call it FUD I don't know if people still do fear, uncertainty and doubt and I'm very quickly going to run through three situations that are current where there is fear uncertainty and doubt that I think impacts what you're all doing with governments so the first is something called strict mining you've probably all heard of it it's a 1970s New York piece of law and it's about coal mining and it's about taking too much from the land and not leaving enough to sustain for the future and back in 2019 this is a piece from the New York Times interviewed seven open source founders who were not happy with AWS you've got AWS people in the room it's alright I'm not going to be nasty so they talked about strict mining and they said that Amazon was doing something wrong because they were taking their software now do you remember I said I worked in a law firm for two years advising startups I came up with this very quick way of letting people go and I used to say to them what if so what if you open source your software and someone else uses it and most people got that that's what open source is second what if you open source your software and someone else uses it to make money and they weren't always comfortable third and remember I'd just come out of canonical what if someone else uses your software and makes a shed load of money and you don't make any or you don't make as much and usually they would leave so I put a lot of people off open sourcing and their businesses and building their businesses around it but I did the right thing because open source is not one thing it is not a business model so when you're looking at open source and its sustainability you need to understand what you can do with it and how it will be used by others and what your business model will be if you want to generate revenue and that has to be totally separate from what you open source so Amazon did nothing wrong because the OSD and the licenses allow others to take your code and commercialize it there's nothing you can do about it if you don't want them to do it you shouldn't open source it there's nothing to stop you sharing the code using a proprietary license like SSPL the problem we have is thought so things like this many of you will have seen this back in 2020 it's the SSPL which is a proprietary license and that also is fine but the issue is the headline doubling down on open when in fact what they're doing is moving away from open and there's a nice lawyer word disingenuous that I like to use about that so that's the first sort of piece of fud is the confusion about what open source is and trying to apply licenses that aren't OSI approved second issue is really heartbreaking second March just after the war in Ukraine started I don't know how that is in the US but for us in Europe or in the UK we're still in Europe it really feels close it's been really really tough and eight developers got on Twitter and started to talk to us about putting down their keyboards and taking up arms really heartbreaking so at Open UK we set up a Red Cross donation line for open source and we raised a few thousand pounds only last week the war is ongoing there was a piece in the Financial Times talking about it being the first open source war because of the impact technologies having and I had to turn down a friend so I've worked in Ukraine years ago and I was asked to get involved with some of this protest work and what protest work does is restrict who can use code and I wouldn't get involved because that's not open source and it doesn't matter what people are doing whether it's a war, there will be other wars too I'm sure where you can't restrict who can use your code in the same way and again protest work is bringing open source and to distribute and then the third thing that I'm going to talk about quickly because I have quite a few slides here if you're interested in it it's detailed it's technical and you should read it the third thing is very much around standards and there are a number of standards and standard essential patents and whatever you think about patents doesn't really matter they exist and these people have patents and the SEPs are distributed under frowned fair reasonable and non-discriminatory licenses the problem is you have to pay for them and they don't work with open source and what we're seeing is a lot of misinformation being spread to standard bodies and through them by a few companies and a few companies are known where they are talking about what open source means and trying to imply it's something entirely different from what it is to make their standards work and there's a lot of work needing done in this area back in the day at Canonical I was interviewed by the Department of Justice when they were talking about the Rockstar Patents Rockstar was a consortium with Microsoft and Apple and others who bought the Nortel patent suite when Nortel was split up and what they were doing was transferring those patents in a way that could be used to attack open source but with a license that allowed themselves to use it now the reason I mention it isn't to dwell in the past it's the fact that they came up with a solution which was either to use a GPL license or give open open invention network rights which allow you to use each other's patents without cost and without suing each other it's a cross license and anybody can sign up and as we see this journey that companies go on like Microsoft we see Microsoft signing up to that and a few years ago it was a really big deal when Microsoft put their patents into OIN so I'm still not talking about the public sector right but I am because all of this is applicable to enterprise and to the public sector and to government if they're using open source and we talked about open source creating value and about total cost of ownership and how you measure it and the economics of open source which are really important to how you how you use it and how you get others to use it particularly when you go through procurement processes and government and you'll notice here this starts to talk about digital infrastructure and digital infrastructure is where government is going today 10 years ago in the UK we were one of the first countries in the world to have an open first policy there was a cabinet office a cabinet office decision a cabinet office advisory board that I was on and they decided that we should use open source more across the UK government and they created something called GDS Government Digital Services which is now 10 years old which is world leading it's been replicated across the globe in places like Australia and Canada Francis Maud Lord Maud and Liam Maxwell who is now at AWS and the public sector group behind this and they created something that was really innovative but of course we were talking about this before about change changes in government and there was a change in the leadership and it sort of got brushed under the carpet a bit this year we got a new digital strategy in the UK and our government's digital strategy does not mention open source anywhere so they shared it with me the weekend before under embargo and I spent the whole weekend going back and forward with their press office trying to persuade them to write the word open source at it and they just kept coming back saying don't worry Amanda open sources are given for us so I'm now working to try and get them to clarify that we have here something called a playbook and this is where it gets interesting so governments can have these policies or not if they have these policies it's a bit like my lawyer's definition from the beginning of my talk open source is something where the code is shared where the public human-relatable source code is put on something like a repo like github github and it's also under an open source approved license and that's all well and good but unless you know how to do it it doesn't work and through the course of this year we've done a lot of work with the health care system in the UK with the NHS I've interviewed about 20 different case studies and we've worked with the NHS and a report for their internal usage and what I would say what I saw from that and other interaction in the public sector and government is that they use open source because they want to achieve economic value and they do that for two reasons to avoid vendor lock-in and to create code that can be reused and recycled but of course if you don't know how to do that and you don't know how to do it well you don't understand the governance you don't understand contribution then you end up with something that's not usable and it comes in it's not as good as it should be and they are updating it but it is an attempt to give government the guidance so I'm putting all of this on slides for you so if you want to go and find assets later you can and we see how government now is using open source and it's doing it for many for many reasons and in many ways but a lot of that is also like enterprise use and it starts with things like apps a few of us at the beginning of this about the impact that COVID had had about the apps that were used, test and trace being one of them and in the UK our test and trace app is possibly not the best our rollout of our vaccine using something called QCOVID calculator which is an NHS case study of in one of our reports I think the last one those are maybe better but you see government shifting from simply using open source and apps and the like to policies like our health care policy which requires open source first the UK's energy sector the digitalisation task force reported in January saying that they want to build a spine built on open source software so we move from just apps to infrastructure and we're trying to work out what infrastructure means because our national infrastructure like an enterprise's infrastructure and our national critical infrastructure is being built on open source and then of course last year, last May we have President Biden the White House start to focus on supply chain start to focus on S-bombs software bill of materials start to look at this infrastructure and panic and I'll come to that more in a minute and curation I mentioned already that we responded to this the White House ordinance from Open UK we were thinking about this about 18 months ago but then everybody's mind got focused last year in the run-up to Christmas with Shelfra J we see open SSF growing up and we see open SSF having two meetings in the last year with the White House talking about security talking about how we make open source secure for that national infrastructure and for that public sector and government usage and they've come up with a 10-point plan and only what, 10 days ago? I don't know what date it is the Cyber Safety Review Board come up with their report on Shelfra J and then on Monday this week Atlantic Council which is a policy organisation focusing on security one of their team published this article open source security how digital infrastructure is built in a house of cards now it's a sensation grabbing headline but it's a concern and it's actually it's a good article it's well written, it's done a lot of research I don't agree with everything in it but it focuses the mind on the thing that I want you to take away from this talk and the thing I want you to take away is that for all the reasons I've explained our public sector and our governments are using open source software and they're doing it in a way that they initially started to procure to avoid lockdown to create code that was reusable but without understanding what that meant without understanding how to do it so it was fine at a top level creating that policy but as you cascade it down if people don't know how to do it you might as well throw your money away you're going in commissioning open source that's put on GitHub that's not recyclable not maintained, not secure because you haven't explained to them how to do it and I think for the public sector this piece is critical and what we get to is a point in time where on this side what you've got is open source coming from communities coming from businesses coming from collaborations of businesses and on this side you've got government infrastructure and down the middle here you've got a road Matt do you want to sing? so if I could sing I'd be singing LA is a great big freeway but I can't sing so I'm not going to so you have this freeway like the one you see out of this hotel window with cars flying down it and you've got to get from here where you've built your open source to here where it's your app where it's your critical infrastructure or just infrastructure now you could be like Wiley Coyote and Roadrunner and you could just fly into the traffic and across the road you could be conservative or perhaps smart and go to the narrowest point in the road and find an underpass or find a zebra crossing I don't know what you call them and that already exists with things like RHEL with Red Hat Enterprise Linux with Google's new product with other procured or curated open source you could find out how to get across the road safely yourself and build those skills in your own team or you could go and pay somebody over here who might have a good idea of how to get across the road but somehow you are going to have to get from one side to the other because the people who distribute that software distribute it without warranty and they specifically say you have no rights to come back against them if something is wrong with it yet over here you want to use it perhaps for air traffic control perhaps for your energy sector to build a spine how are you going to balance the two now the words that I am hearing that I think is going to be the buzz word is curation how do you curate open source from here to here and I think what is going to happen is that we are going to see bodies being built called stewards that is my word I call them stewards and there is an economist in the UK at LSE called Mariana Matzakato not very British name but she is based in the UK a book called Mission Economics and if you read her work part 4 she starts to talk about data and how data will be managed by the state and what she talks about is building public-private partnerships and engagement and I think that is where we are going to end up with these stewards now I don't know if we can build one you know it is like the Coca Cola advert all around the world and everybody is happy we will end up with state by state country by country countries perhaps coordinated across countries I don't know but I suspect to get from here to here for the energy sector or the UK energy sector we need a steward and that steward will be a body that makes the approval of the journey across from one side to the other and that curation of open source software and open UK we have actually started this work we have got two sectors that are interested and at very very early stages and we are hoping about six months time we will have a minimum viable product to start to talk about now economists never used to interest me but I found myself looking at them more and more in the last few years as I try to justify open source to government and there is a second economist a woman called Kate Raworth who wrote a book you might know called Donut Economics talking about, if you don't know how we changed the sight in capitalism and re-create capitalism in a different way in a more equitable way but Kate talks about open source software specifically and when she talks about it she talks about re-characterizing open source as a digital public good now I know that this is an old concept for some but I think it is time that we really started to have the conversation with our public sector and with our government because to get from here to here costs and these people also need contribution back, the maintainers and others need contribution back to the open source project and if you read the Atlantic Council piece they are saying that money won't fix it but money will help and I think it is time that we started to encourage our governments to look at open source as a digital public good and to work collaboratively around that so I've talked for about as long as I want to I think 2020 is the, well I know 2020 is the year of the tiger and I think it's the year of the open source tiger and this is a piece that I wrote that has a number of recommendations and tips about open source in 2020. Thank you for indulging me in going on a journey with me because I wanted to take you through an understanding of how my thought process got here but I think when you look at the individual case studies today, when you listen to others talking about the public sector about government use of open source you can't just go ahead and replicate it you have to understand why you're doing it, what you're doing it and what you need from government and what we need is engagement and understanding of this journey. Anybody want to ask me any questions? Don't just look at me. So I've been back in the kitchen with the cat he won't ask questions either so I think the way that I balance that personally I'm not speaking for anybody else is that open source is a specific thing and the specific thing is set out for me in the open source definition and part of that is that anybody can use a judge and jury. I don't want that to change I want it to be absolutely open for everybody and for every usage I think it's then up to the individual whether they feel that there are restrictions they want to place on something and if they can't share it on an open source basis with what that means they shouldn't they should just not open source it I'm not in a position to I'm not in a position to we had a chap called Nicholas Chalon speak at Open UK about three weeks ago the video is on our website and he talks about exactly this he's ex-department of defence and I don't think that is a separate issue the rights and the wrongs and the morals are not for open source and if you start to get into that we'll destroy it I think what open source is about is the ability for everybody to collaborate without discrimination which is why I'm concerned about what's happening with geopolitical shift I want everyone to be able to contribute now to get back over here with the infrastructure when there's friction and geopolitical shift between countries clearly we have to work that out and we have to talk about it we can't ignore it can I go to the no it's the opposite they all have it there isn't an open source approved licence that doesn't disclaim liability and it's really important yeah so just to pick up on what you're saying there which is that going across the road I want to be really clear that this is not about creating liability on developers it is about the opposite somebody standing in the middle of this road we have lollipop men and women in the UK I don't know if you have an equivalent they have a stick with a circle at the top and they take little kids across the road safely to school what was it called? a crossing guard right I've learned something so the crossing guard effectively could say the crossing guard going across the road could say and by the way make sure that if you get sued give me a few extra hundred dollars and I will make sure that that liability is fixed it's called insurance and it's part of things like Red Hat Enterprise Linux they have that rolled in back when I was at Canonical we bought for some of our products too some organisations will self-insure some will do it through directly buying insurance policies but there is a pool of indemnity there but that's not something these people should take on that's something that you take on the road and the curation it's really important now I'm glad you asked the question I'm trying to get a cartoon made and it's really hard because I've got Wiley Coyote and Roadrunner in my head and I don't think they're out of copyright but we're trying to get a cartoon showing them to you if you try and do this without thinking it through and I'll try and make sure that that's called out yes SpongeBob maybe does he play in the traffic? it's not going there yeah I really struggle to get anyone to listen to me for over a year I'm still really taking about how many of you are in here today I I went through a year of knocking on doors and I wrote a piece because I discovered I could write that the tech press published saying where is the UK's digital strategy and then they started to phone me back it was really strange and it was totally unexpected I think you need to build resources that explain in practical and clear ways the value take what we've got drop me an email and we can give you more but things like things like case studies things like case studies that prove the point that's statistic if I can show you that 20% of the digital economy is based on open source and much as I would like us to focus away from the economics it's what government wants to see it's what politicians want you to talk about I shouldn't really say this but I'm going to so we're trying to build something that will be announced in September that I'm not meant to be talking about called an APPG an old party parliamentary group and they're meant to be politically agnostic groups which the politicians engage with and I'm part way through getting enough members of parliament from different parties to engage to allow us to do one I am allowed to talk about this but on the 19th of September we are going to have an event in London where we're going to structure curation and security and we're hoping to have senior level politicians at that we'll have a lot of panels and speakers looking at things like open source governance looking at what security means from a technical perspective what it means from a policy perspective the curation piece and the stewards that I've been talking about we're going to start the conversation about those and the goal is that next spring we will have a big conference in London so we all have to pray for the Crown and other variants not to happen quiet or noisy and that we can get together as much as possible in London if anybody wants to go to that I can't promise that I will be able to cover your travel but I will get you free tickets if you're stuck to get into it and the idea is that we bring as many people from around the world together to talk about these issues that our governments are facing because right now what you see is that the UK has its strategies you see the US taking real leadership in the White House I mean what they did was really impressive on the S-Bomb piece and that focus on supply chain is really required I was speaking to Kate Stewart from SPDX who also did a talk for us and Kate got a survey that shows something like 71 or 76% of US organizations now use S-Bombs we asked the question in our report 21% so it shows you, I mean it's not hard and fast, I can't say it's a 50% difference but there's clearly a difference between having a potential regulation and not and being able to show things like that to politicians, to government that's what makes the difference that's what persuades them money's obviously number one for them but particularly in the economy we're in right there's no point in pretending it's not the case but sort of working collaboratively come to the sessions that we do every couple of months and meet the others in your space that are doing it there's a chat called Avi Press at a company called SCARF and one of the one of the data points and my nine key points about open source in the UK is the second one at the top now Avi's company have started in January to look at how many downloads are happening in the UK, he didn't do the UK separately before and it was sort of somebody obviously said oh Brexit, split them out so in five and a half months we can show 11.9 million downloads of open source software packages I suspect that by next year he'll have that more together but I'm sure he'll share that data for other places if you want it in a more granular way you need to talk to SCARF about it but there'll be multiple companies doing these kinds of things that we need to start engaging with and we need to start collaborating and sharing that data because it's the only way that we're going to have impact so to go back to your specific question is what would I do one I would start to be a nuisance and keep pushing people I'm very resilient, I don't take anything personally well mostly and I just keep going back and back and back and back and inviting and inviting and inviting until you wear them down secondly I would start to write or find somebody who can write and once you start to write they'll start to ask you for quotes in the press if somebody asks you for a press quote you drop everything else and you give them the press quote you do it first thing so I often get them overnight and I'm on an early bird these days so I get up and I've written them before anybody else has gone to work so then we get the kind of press stats I showed you purely down to being somebody who they can rely on to turn it around quickly not so many smarter than anybody else and that kind of thing makes a big difference be accessible take the time to explain things and work within the public sector I spend a lot of time going through some of the stuff I've explained to you because they're really smart and they're really engaged and they're really interested but a lot of them don't have a background in tech or they don't have a background in business even so trying to help them understand the implications of the laws and why we need better laws that encourage open or why we need not just a policy but a playbook that technically will show people how to do it and for the stuff we've got everything is code of commons to take our stuff it's not perfect and if you've got feedback that we can improve it on, please give us it sorry open source is a movement isn't it it's a socio-political movement already it's what I always say to the people who want to build code that has shared or public source but doesn't meet with the open source definition is go and build your own movement because it takes years, it takes energy it takes money and it takes time we've got that, we just need to coordinate and we need to make sure that we're all sharing and reusing our tools that we create within countries that's why we're trying to set this thing up next spring to bring people together but go and do others but it's not an exclusive basis the more that's done the better any more questions? yes yeah I think the private sector sees a lot of money in this so I think the private sector to quote you sir it gives a shit I also think that building those skills in the house is really important and that's part of what we can all help with sorry I said I think that building those skills in the house is definitely important I think it's something we should be doing and one of the things that we try to show in our stats and the survey we did is that when you look about the benefits of open source beyond money skills development is really high up there and I suspect the US like the UK will show that skills development and technology is critical and that they're way behind and that they haven't got enough of it and they need more of it so being able to demonstrate that the open source communities bring more of that helps I feel you have to stay I'm not going to be offended thank you so let's it should work then but let's just check to make sure everything's all good I'm marked by the way hello hello hello sorry I was just doing a mic check I didn't mean for everybody to calm down we still have five more minutes before it all gets going no school is not in session I mean I could see you so I don't know what you want from me on that one unless you've got a cloak of invisibility you're going to whip out I've got a Bluetooth scanner so anybody who's got their phones on when they walked in I'm just keeping track of stuff RFID scanner too for all your driver's licenses haha you're from Montana you've got the sheet of paper driver's license there you go I think it was Montana or Wyoming for the longest time it was like here's your sheet it's just a tight piece of paper you can drive cool nobody's going to replicate that there's not a 12-year-old running around with one of those sheets of paper they drive the tractor down the freeway I mean we all have goals we all have goals so are you so this is connected so it should be coming into this HCM I got to work on mine when I did mirroring that's what I did if it doesn't work now is a good time for me to run to the AV desk if I have to tell you guys what I have to go run to the AV office and figure out why this is showing up instead of his I'm going to let Axel who is giving this talk about fighting the surveillance technologies in our cities and lives I'm going to let him get started and hopefully we can get all the slides set up I apologize in advance for what I hope is not about to happen so thank you thanks a lot Mark hi everybody thanks a lot for coming thanks for coming to the talk it's really nice to see so many faces I've just come all the way from London this is mostly going to be a talk about what's happening in France because I was born and raised in Paris and I have been part of an organization in France which was created about 15 years ago called Le Coeur d'Hature du Net a very English friendly name it was modeled loosely after the EFF so that's a bit of a starting point so it's a bit harder without the slides I'm going to just give a brief intro I guess so the talk is about we're calling it Techno Police which is a bit of a weird name but a fun name the play on words there is a bit about like metropolises and then the technopolis which is supposed to be like the metropolis and this is really a lot of what we're seeing is like let's make the city more technological let's make it smart, let's make it safe and when that started happening we realized there was a lot of parallels with what was happening in the digital space so that's how we got interested in that because yay excellent alright cool thank you very much so Techno Police now I've lost my train of thought of course so La Cuella Childrener is an organization founded in 2008 and we were basically doing a lot of stuff in the digital space so we don't like calling them digital rights because there's nothing digital about the rights they're exactly the same rights away from keyboard world it's just that we specialize in trying to defend them in the digital space but yeah so fundamental rights in digital space and we started seeing all this stuff happening in the cities, thanks Marcus you're great and for a long time it seemed just out of our reach to do that but as time went by we just felt the need we had to extend what we were doing because it just became harder and harder to just avoid it and we took bigger and bigger space in the French activism and sort of policy space so as I was saying sort of a play on word on the metropolis and the technopolis and the beginning of this campaign so it's 2017 down in the south of France in sunny Marseille one of our members lives down there and one of our co-founders and he starts seeing this thing show up this thing called the big data observatory of public tranquility which is not at all ominous for a start and so yeah it says down there like you know a technological platform of data management to better anticipate risk so it's all this sort of very corporate you know empty speak of saying we're going to use all this data but never really quite explaining why I want to say can I get my notes on this thing too wow it's like it does everything and so yeah so as we started looking at this and paying attention we saw that this was popping up in really random places like you would expect maybe it to show up in like in Paris in Brussels in Marseille in Lyon like the big French and Belgian cities but no we were seeing it sort of all over the place like really like lots of lots of little little towns that we'd never necessarily heard of and so we saw these safe cities proliferate everywhere this is actually a screenshot I took of the tool this morning and I'll go more into the tools in a sec but so like each of these dots is actually a live link that you can click and go see about what's being deployed in each city so I've clicked on Paris because it's probably the most obvious thing to click here but you've got a variety of different projects going on here so there's predictive policing there are drones there's also like sound sensors microphones in the streets or bugging the streets literally and what we tend to call automatic video surveillance which is a bit of a catchall term that describes facial recognition, gate recognition pattern recognition like is a person standing, loitering supposedly, are they lying down it sounds like a dangerous homeless person that sort of stuff so we started like basically making note of all these projects and documenting and over time we realized that there was just more and more of them and more and more like random small towns even villages that had maybe a couple thousand people and it didn't really make sense like why would you want to set up expensive video surveillance in a sort of small town where there's very little crime and definitely not the sort of stuff that would require high tech facial recognition video surveillance and of course we saw it spread not only in France but in Europe and we've had it here too in the States so there was a EU regulation in Europe that is sort of covering this there's been a lot of predictive policing in the US in China there's the well known social credit system which is actually a bit more subtle than it's made to be there's a great presentation a chaos communication congress event from a few years back it might be 31C3 I can't quite remember but about the subtleties of that which I can only recommend even in Australia too and so really this was sort of the worrying step of seeing just more and more of this stuff and just as a side note I'm not going to go here into all the systemic bias that happens with all of this predictive policing and facial recognition and how it fails generally to either see people of color or to recognize the intrinsic biases that are built into this system I'm not even going to go into that and that's a whole other part that deserves probably a whole other talk this is not specifically what our campaign has been focusing on we've been more interested in the links of where this comes from and who is trying to build these markets to sort of diminish that aspect it's just there's enough here to be shocked in all without even going into that aspect which is saying a lot I'm just going to grab a little thing that I had notes on, I just remembered so what's the next one so we saw this is one of the things that really struck us quite early on it felt like we were seeing some tech and some technologies that had been tested in the online world that sort of creep into the real world the physical world because the online world is real but it started to creep and basically we were now seeing more advanced technologies that had been tested online that were trying to be replicated in the real world and stuff like that and this is also when we realized that there had been urban activists for a long time trying to make cities more livable and more amenable to sort of just real life for instance and for us we've been on the sort of digital side of trying to fight for rights online try to fight surveillance try and fight censorship try and make the internet keep it open keep it friendly and we realized that this was only going to work if these two crowds started talking to each other we were not going to be able to defeat this or to have any impact but we didn't get the digital activists and the urban activists to come together and to start working together and this is something that had happened in the early 90s in Europe at least I don't know elsewhere and so the idea was to try and start building that back up and the way to do it and the way we know how to do things is to run a campaign and use open source tools and try and be a toolbox for the early days when we started early days to us 2008 so we would put a lot of stuff out there for people to use and reuse so we thought we'd do the same here and so that was the point of the whole campaign we thought we'll create this toolbox we'll make it available we'll start trying to raise awareness about these issues and try and connect all these dots of all these tiny places setting up surveillance and try and get the media to get interested and give them ways to work together so I'm going to go briefly through the different tools we've got not to spend too long on each of them a lot of them are quite obvious some of them are a little less but they all work relatively well in the overall campaign and it's been some success and I'll also go into some of the more direct actions and successes we had at the end so yeah basically we got a website something very fancy here but it's a good way for people to have a first starting point and to see what the campaign does and to put a lot of media friendly material out there we also have a forum which is I think a NodeBB the point here is to be able to once people are a bit more interested and they actually want to take part and they want to do something the first step they can do is create an account of what's happening in their city and their town are there other people working on it other things they should be aware from a local municipality is not too far from theirs and they'd like to see what's happening I was at Hope last week and there was a really interesting talk about Minneapolis and how they defeated facial recognition in Minneapolis and got it banned at the municipal level and this is exactly the sort of thing we're trying to do on the French level here which is like give people who are trying to do that the tools to do that one difference is that in the states from what I understand local politics are very different and so the way it works in Minneapolis might not work in Chicago might not work in San Francisco so that's complicated in France we are lucky in that way that it's a bit more we can replicate it a bit more the local rules basically are the same so you don't get vastly different ways of doing things which helps a lot so it's a bit easier for people to take inspiration from what their neighbors are doing for instance we've got a shared document database which is not as active as it has been but it's still a useful tool it's an instance of Uazie and we use it to basically organize and share documents that people might find handy so a form is really not great for that because you'll easily get stuff lost and you'll have to rely on a search function here we can do something a bit nicer which is we can we can start organizing them making them searchable having an actual database of stuff and that database is full of like for your request instruction manuals for some of this video surveillance and facial recognition whenever we can get it there's a way we can get it sometimes which is leaks so we'll get into that in a sec but also just like jurisprudence activism toolkits here's how you can do it for your request if you've never done all of this guide you'll usually get good results and if you don't here's how to go to the next step and ask the courts to force release of the document that sort of stuff nothing that anybody else hasn't done but the idea is just to put it all in a place that makes it easy for people to use it we also have another tool which is the good old name and chain technique so a lot of these a lot of these tools the surveillance tools are sold by given companies that stand to make a profit by selling them so we have a list of these companies and actually on the right you can see there's a graph that tries to tie together the different companies and how they relate to each other how they work together who is a supplier of whom and all that so that's just a page on the website but it's quite interesting it sort of shows how the overall space sort of enter what tries to document at least how the overall space interacts and functions there are other people making another list that's what that second line there says here's another list of companies making these sorts of tools so we're not the only people doing this obviously and that's something I think it's important to say it's part of an overall movement of how these technologies function for leaking we've got a secure drop instance so that allows we haven't had huge success yet so if anyone is in a position to be a whistleblower and leak more documents please leak more documents we need to know more about how these technologies function or claim to function because that's a huge part of it also they really are very obscure and we don't necessarily know how they really work but we don't always have the technical data to prove it so that's another thing so people who either work on the municipal side, government side and who are doing the tenders or people who are on the other side in companies who are invited to go and leak documents on the secure drop so I've covered this a little bit before but for your request in and of themselves they are a really interesting tool they're one of the only relatively reliable ways we have of documenting this and understanding a lot of the time they should be a tender but the tender is not properly done or they will only release documents if really forced by a court so in France we have a mechanism we have a mechanism similar to FOIA which makes it possible to release documents and so this is how we've been able to get a lot of information about some of the different projects so it's a good request for something and they make a mistake and they send you back too much data and then you can start digging into that and finding more and more information and sometimes wild claims about things that we know technically are not possible or promises to local governments for things that are unlikely or just even really not desirable and would not look good in a PR campaign so the messaging in some of these documents is not at all geared towards the greater public which can be really interesting from our perspective and we can say look they're saying this on one hand but they're actually selling this to the governments to the local governments there is a clear discrepancy this is what they're really trying to achieve a lot of this technology of course is sold under the guise of making streets safer but it doesn't do that much for that from what we know it's like this is quite a common finding in studies about video surveillance but it doesn't actually prevent crime and it moves it somewhere else so this is a lot of time why these cities are using it it's just so whatever happens in their walls moves away and goes somewhere else so not really solving any of the issues another tool I really like is mapping so a big shout out to the open street map community which is always a great community to work with and people have taken on adding some of the surveillance mechanisms directly on maps so that's a great way of representing stuff I was hearing at Hope something there used to be a map like 15 or 20 years ago in New York that would plot away for you to get to point A from point B without being on video surveillance and they had to stop because it was no longer possible to go from anywhere to anywhere without being on video camera so like they just gave up on that tool but beyond sort of the usefulness as a way of evading security or not security but surveillance sorry which has now reached its limits it is still useful as a symbolic and visual representation of surveillance when you start putting all the cameras on a map or even the other things like microphones when they start putting those out there you start realizing just how many they are I live in London and there's just so much video surveillance even I have become desensitized to it because I was really quite annoyed by it at first but we just get used to it so much that it's really useful to every now and then stop and take stock of how much there is versus how little it actually does and how much it costs at the expense of other things because that's always the thing budgets are not unlimited so you're always choosing that against something else so yeah these maps well they won't actually stop anything they are useful to represent and to people to take a visual representation of what's happening now some of the things that this campaign has done which I'm really fond of which has been a bit different from my usual campaigns is we've done a lot more sort of boots on the ground stuff so here is a really interesting action that happened in early 2020 I think maybe late 2019 we discovered that they wanted to put a gates that would use facial recognition at the entrance of high schools as a pilot experimental program but they hadn't really informed kids so I'm going to just go back a few to show you what it looks like so this here we played a little game and we put this picture on Twitter and we asked people to guess what it was and you wouldn't really know but these are actually facial recognition enabled gates to a school and so that was quite shocking and we we went to the school and we actually wrote a little pamphlet which you can see there a little flyer and we basically told the students are you aware of this do you know that they're trying to put facial recognition on the gates to the school a lot of the students of course were not they had not been properly informed so consent was another thing that was completely out of the question because it was supposed to be an experiment a laboratory thing so no real reason to inform anybody you can just give it a try and see how it works out and so so yeah we were sort of trying to tell the students you know they're trying to get you to accept this and you know not say anything about it and just go with it and of course quite a few of them were outraged and so we took that to the French Data Protection Office which is called the CNIL and we were able to get them to ban it to say no you can't experiment like this on students this is just too much so that was one of the things that that was a success but basically yeah doing more direct on the ground action which is not something that was so much in our DNA initially being a very online organization and actually going to visit these places and visit these people that basically the people directly affected and this is something I realized I forgot to say earlier but a lot of the time these projects are started out in areas where people have less time less energy less money to fight them so they are usually deployed first in poor neighborhoods and very much target poor people first and use that as a way as a sort of foot in the door strategy to say well look it was okay here nobody complained of course and so now it's fine to sort of creep it up a bit and take it to other neighborhoods until eventually you get it all over the city and this strategy is really this heartening it's really quite disgusting because it really is by design like you target poor people first and I was saying earlier this idea also like body pattern recognition like protecting people who are standing too long or lying down you know they're not doing that in the nice neighborhoods and you know detecting who is having a good time and you know having a drink they're literally hunting for homeless people or for people who just are hanging out outside because maybe they have less money and they don't have the means to go and entertain themselves by you know by spending money all day so this is something that happens a lot and this is sort of I think where the connection with the urban activists comes back fully because it's really important to sort of take in consideration those aspects otherwise you're just going to miss the part of the strategy on the other side and part of how you should react to it and also very much if you want to give people the means to be able to act against these things then you have to know who's affected first and you have to sort of understand their context and not sort of you know parachute yourself in their lives and say this is horrible let us tell you why like they know they understand they just you know sometimes they just need a bit of support to be able to take things into their own hands and you don't necessarily need tons and tons of people to act against these things you know a small core group of very motivated people can make a difference so here's something that I discovered earlier I hadn't seen before which I think is really interesting from my perspective so that's a graffiti that was done not by us but that reuses one of the slogans from the campaign which it basically says it's infringed by the basically says you know please report yourself in case of suspicious behavior like we didn't know nobody just play a part and just do it directly and so that's and the whole campaign has a lot of that very sarcastic tone it's pretty much all in French because it's geared to the French crowd but there's a lot more messages like that you know if it is more than three of you please immediately separate and go to your own ways and stuff like that and so that was done like just outside a train station the classic French looking train station for anybody who's a train spotter and this is maybe one of the most most unusual parts of this campaign I guess so you've seen some of the some of the style the graphic style it's quite striking and quite unique and that was thanks to our graphic designer and sort of art director who really she really came up with this stuff and so we've actually had enough people be interested in this very sort of strange object which is is both the actual surveillance which is in itself very weird like you know small villages or towns having sort of video cameras enabled with facial recognition or patent recognition and the campaign that fights it which is also highly specific but affects a lot of people in a very direct way and so we've had several exhibitions that have taken some of this stuff from the campaign and made an exhibit out of it which then serves again to sort of propagate the message and get more people to understand that this is happening and that you know this is really out there it's not theoretical it's not like in the near future maybe the police will use facial recognition they already do over 1500 times a day from what we know so this is a great way of raising awareness but in a slightly different way there are a lot of people who can be interested in these issues but who unlike me and maybe like you are not going to be that interested in the message that basically tells them here's a political problem, here's the political solution let's do it, that works with me I'm like okay yeah that's interesting I've been doing activism for 15 years so I get it but a lot of people they don't, that's not how they approach things and so you know this is another way of reaching out to people that is really interesting so I don't know how easy it is to replicate this one because it's quite specific but it does show that if you've got some interesting some interesting artwork that goes with your campaign it can become like a second degree tool again which is something I found something I found very cool right so that's basically most of the tools we've been using I don't think I've missed any maybe just some obvious stuff like you know emailing and social media and stuff like that which is all campaigns use that so I'm not sure it's really worth going into much and also we've been an organization now for a while so we have media connections so you know we know some journalists which makes it easier to sort of reach out and say this is what we're working on so that's also something that is a tool obviously but is a bit of a different one because you can't really replicate it that easily so the campaign's been going on since September 2019 I think so we're doing almost three years of campaign and so what have we been able to do so this slide is a bit messy a bit all over the place but that's sort of the idea so in the good things that happened so there's a city in the east of France called Saint-Étienne they started an experiment to bug the streets and put microphones so I think that one was a bit too much for everyone even for people who were generally in favor of surveillance and so we were able to take that again to the city and they said no you can't do that sort of experiment like people can't consent this is just a no so that got stopped that was good the one I was mentioning just before the high school entry gates in the south east of France near Marseille that also got banned in those two schools we had a whole song and dance with the Paris police they thought it was a fun idea to fly drones over demonstrators without any legal context that enabled them to do that they just decided well we're the police so if we're the police what we do is legal so you know screw it let's just do it so they just started flying drones over the city during demonstrations which beyond the fact that it's illegal and unethical it's also dangerous because drones can fall and hurt people so it was wrong on a bunch of levels so we took them to court and the court said yeah of course it is illegal there's no law that enables the police to fly drones you must stop flying drones the police went ahead and kept flying drones because they're the police so what are you going to do call the cops so they just kept on flying drones so we went back to court and said this is not being applied she should need to apply this the police are still flying drones so we had a back and forth like that and after I think the third time they got convicted they got like an actual obligation not like it's illegal stop doing it but if you keep doing it there are going to be consequences but it stopped and then the French government bailed them out by pushing a law through parliament that said oh we'll just change the law if the law doesn't give them the right to fly drones we'll just change the law so a little skirmish went back and forth so now currently they are again allowed to fly drones because the law has changed even though it was deemed illegal I think three maybe four times I can't remember exactly so that's a little fun skirmish and they'll be more in the future because maybe if we get a different political majority in the future that law will be reverted and then we'll be back to having the drones and the demonstrators be illegal and this is an interesting example also in that it shows that these sort of fights if you look at them in a binary way or in a sort of war like way you can be very you can easily get depressed that it's not working like we went to court four times we won four times and the police are still literally spying on demonstrators and trying to recognize people and you know sort of put them in databases through drones so that's quite depressing but also this does not happen on a short amount of time this is a medium to long haul affair we're going to have to keep going we're going to keep going and the more people are aware of this and the more politically toxic and radioactive sort of this blanket surveillance of the population when they just exercise basic civil rights like demonstrating or like walking in the street the more that becomes unacceptable to engage in that sort of surveillance that they're going to be to keep on the books so while this is not really positive right now I think the fact that we've had several victories shows that also you know things do go sometimes in the right direction and the symbolic cost to the opponent when basically they're the police they expect to be able to do whatever they want and now all of a sudden here's this ragtag group of you know random citizens and lawyers and techies who are just saying you know you can't do this and we're going to take it to court and who win and so that's a huge blow for them they really don't expect that in the first place and the prefect who was in charge of this whole the Paris police has just been fired very recently under following another affair well officially he resigned but you know his time had come and I'll cover that in a sec but it was the euro final at the stadium in France that you might have heard of which was a whole debacle the next one I really like Aurelion is a city in the west of France so they are also trying apparently they didn't see the writing on the wall so they're trying to do street microphones again so to bug the streets so we attacked and we said you can't do this again you can't do it and we just saw I think it was yesterday or this week the brief that the company that does this that build these things sent back in defense to say why it wasn't a problem and the line is I'll have to read it to you because it's just so creepy and so weird so this company called Sensivik I say that they don't capture sound but they perceive vibrations of the air wait wait wait the next bit is like I don't even know please tell me if you understand the next bit one mustn't confuse the sound as a physical order of magnitude air pressure variation and the message that humans can transmit using sound as a mechanism speech translation but I think it's quite close so they're not capturing sound they're just perceiving vibrations of the air sure yeah it's almost self satire I don't know if they realize when those people write that that they might end up in a room with other interested parties but sometimes the PR writes itself you realize what you're actually saying you're really taking us for idiots and fools so I don't know how that's going to go that that's ongoing so the case that started so the big data observatory from 2017 that case is still going on it hasn't concluded yet so who knows how that's going to go but that's one of the next bits and then elsewhere we've obviously followed what happens in the US with Winchester because that sort of is an interesting parallel to what's going on in Europe and there's been some success in the US I think San Francisco, Boston Portland and Minneapolis that I was mentioning earlier have all banned facial recognition so it is possible to get results at the local level as I was saying, French politics the French political system and the US political system are different so while some cities here can actually ban and have strong control over what happens locally and in the municipal area I think in France it's less the case we need more of a national law or using our favorite trick but it doesn't work all the time or that then supersedes French law that's a great thing to do at the European level so we are of course in contact with our European peers lots of other organizations in Europe like Bits of Freedom or Open Rights Group there's lots of other organizations that are really doing good work in Europe I'm forgetting half of them so they listen, sorry folks we love you but there is a lot of work to be done so ideally we'll eventually get something at the European level to reign this in this is what the Reclaim Your Face campaign has been trying to do but we'll get I'll mention that a bit later on but yeah, this is sort of the state of current legal and future legal actions and so I'll go in one second to the future actions that will be almost the last bit of the talk but first I just wanted to cover after all we've said about all this stuff like why is this happening I think this might be one of the most interesting aspects of the whole thing why are they doing this why do we see this a small town, 2,500 people not that much crime all of a sudden engaging and the mayor being hell bent on buying these really expensive contracts and full of like opacity, you don't even really know how it works the reports are all really messy why are they doing this on the face of it, it doesn't make sense so this is something that I find possibly the most interesting aspect of the whole thing we've realized so basically so I'll go through a bit but basically it's crap and it's undesirable like personally I don't want a system that you know, detects homeless and then for you know, activists and you know, people who have like some decency to them think oh well then we're gonna have to build them special tents to avoid algorithmic surveillance like you could do that but what I want is that money to go to shelters like just you know that's all this money is going to these expensive contracts all these other things you can do to end homelessness you know, to fight poverty some cities in Europe have really worked hard on ending homelessness I've read that Oslo had great success I don't think they're doing it by you know adding facial recognition to cameras like the cameras don't step down from the wall and prevent crime or help people you know, they don't and there was one point of message in France someone was trying to argue in favor I think it was a politician, local politician saying oh well imagine this case this like this old person suffering from Alzheimer gets lost in a crowd well with good facial recognition and pattern matching you could have the camera detect that and automatically send someone to find them and help them go back home look at how helpful and humane this technology is it's like it's this great combination of technology and humanity and if you pull on that thread a bit and you deconstruct it's like well what does that really say if you're going to get a coffee or you're going to meet some friends we no longer need to worry about this poor old person who looks really lost because don't worry the system will take care of it the machine will take care of it it's no longer your responsibility I don't find that a desirable society I'd rather society where you know you stop, you talk to the person you realize they're lost you send a text to your boss or you send a text to your friend saying sorry I'm going to be 45 minutes late this is much more desirable and these obsession with putting technology as a full proof solution which doesn't actually work is really worrying so it's undesirable it's unreliable facial recognition has really matured so facial recognition in and of itself works relatively well I mean you can use it on your phone to unlock and stuff like that but overall the results of the tech this actual surveillance tech and they never really provide proper data that is you can reproduce and you can take independently and sort of look at so it's it's really a case of like you know it works just trust us, we're not going to show you how you're going to have to trust us and then buy the expensive contract it's expensive, it literally costs millions of sort of stuff but a recent report and we're finally starting to see reports like this from the French general accountant like the national accountant concluded that about 2% of cases that are sold involves cameras so the investment compared to what you get out of it is absolutely ridiculous like so much of this money could be better invested elsewhere so 2% of cases that's tiny, I remember reading it was about 12 years ago Scotland Yard, use Scotland Yard in the UK had released data about a case in a thousand that was sold involves camera surveillance CTTD so these numbers are just tragically low, like even you go from one in a thousand to two in a hundred that's still very very low compared to the investments but the worst bit is that it's on purpose like they know it's unreliable and they know it's expensive it doesn't really matter and that's I think the heart of it is that this is not about solving the problems like the problems are poorly defined on purpose and they're not well resolved by these technologies that's not the point the point is to create a market for these technology companies to have something to sell so by pressuring local governments to say oh look, this other city here they're buying this, why are you not buying it do you not care about the safety of your citizens they can create a market and they can actually build it up and then France is all too happy, the government is all really quite happy to push for its local champions of technology to sell more stuff internally so France is a great exporter of weapons like military weapons in the world I think it's the third or fourth biggest one and we've not been that good on the digital weapons front so now we've got this little cottage industry which is ballooning up and they're all too happy to help it build by creating a local market I was meeting with someone from Restore the Fourth so I think they're an organization based in the States that specializes in the Fourth Amendment and that's what they were calling security grifting so basically pretending that you're going to sell an actual security solution which does very little it's greenwashing too a lot of the time we haven't really gone into that much but it's all about how this is going to help optimize the city's transit or stuff like that usually it's completely overblown in relationship to what it can do and what you need to do that you can count cars with a simple wire put on the ground, you don't need car recognition software on cameras and it's going to be more expensive and less reliable and at the end of the day it's just techno solutionism which is just like putting your face in technology rather than trying to solve problems politically, socially, you know in other ways just assuming that the technological solution is going to be the superior one just like out of principle and one last thing you can see here on the left for those of you who don't speak French which I'm going to assume is quite a few of you it says video surveillance plus tracking plus artificial intelligence equals total surveillance so that's obviously a sort of blunt messaging for the campaign but it's what I sort of started looking at is the dystopian triangle it's the idea that this works and it works in France really, people don't, people assume in France we have no facial recognition and what happens is that basically the police will stop you maybe for an identity check or something like that and they will run you against a database that is central and they will use their phone to take a picture of you and the facial recognition will be done back at the station and so we've got these three things that keep playing together which have been growing at separate speeds over time but are now sort of all converging which is databases I was talking earlier about the data protection officer in France, sorry, organization authority, DPA data protection authority which is the CNIL it was literally created in 78 it was called the freedom and computer authority so it was about databases and there was a real concern at that point in time in France that everybody would be putting a database and we should have an independent national authority that could overlook that and oversee it and they've not really succeeded in doing that over time because the database is everywhere now and I'm talking not about the nice kinds like the DB that we just used for other projects but really citizen database and stuff like that and so we've had the tracking the database of people video surveillance has been growing and now we've got the third side of triangle that is really sort of being added on top of that which is all these sort of artificial intelligence and patent recognition and facial recognition and all that and that really creates something that is quite hard to escape and the reality is that now in France it is about 1,600 facial recognition by the cop today so it's really a system that is out there they're using and they're using it no matter whether you're the fact that you're innocent or not has absolutely no bearing in this equation they just run on everybody at this point so that's a pretty stark state of play but so let's talk a bit about the next steps so the big one is the well two big ones the Olympics that's going to be the next big sort of experiment in the surveillance tech both the government and the private sector have been very upfront about it and saying that they're going to experiment, they're going to do new things so that's something we're definitely going to be concerned about and we know that like for a lot of Olympics they're going to pass specific laws to give specific rights to the police to the national, to the regional authority and all that this happens pretty much in every Olympics there's often a request slash a mandate from the an obligation from the from the Olympic Council so that's one of the things that's happening and the other half of that is again we're seeing the whole technosolutionist bend coming back in full swing with people throwing their face into these technological tools these surveillance tools because they've lost the capacity to do crowd control and crowd management and sort of social organization in other ways I was mentioning early on briefly the Champions League debacle at the Stade de France so I'll go over that in a sec because I don't know how much it made the US news it made the news in the UK but because it involved Liverpool football team which is a big team it was the final of the European League of Champions so basically the best club the best football club in all the countries in Europe went into the and they had the final which was Madrid versus Liverpool I think and the Stade de France just outside Paris is one of the biggest stadiums in Europe I think it holds 80,000 people so they had the the final there and instead of having proper crowd management letting people through understanding how you know streams of people work making sure there's no people don't get blockaded, people don't get stuck it was a complete shit show, there's no other word they started using tear gas they started beating people I don't know how much they beat people there was some beating but there was a lot of tear gas against people who had legitimate tickets who were just trying to get into the match and the match was late started like two hours late weirdly while there was the whole area blanketed with video surveillance there was an accident and they deleted by accident the video surveillance data that would have been able to show how the police operated on the field what decisions were actually made and were enacted on the actual field so we know that the French police has lost a lot of its capacity to de-escalate situations unlike other European peers they've spent a lot of time they've just become objectively more and more violent over the years and so that probably explains why they're putting so much faith in these tools because they've actually lost the social know-how to just manage crowds and so now they're thinking we don't need to know this we can just use these tools and these tools will just solve it for us which is again the only word that really describes that well is technosolutionism and one last thing which is a bit more positive is we're starting a class action group action in France against the Ministry of the Interior because after three years of documenting all these things we decided it might be time to actually take this more generally to court more direct results in 2019 we had a campaign that basically took Amazon, Google, Facebook Microsoft am I forgetting one? the five of them to court about their business model and basically saying that they couldn't just spy on people I'm simplifying but basically they couldn't just spy on people and make money from that and so that was quite a success that led to some finds for Amazon some finds for Google some quite large finds I think it was like several million for Google I can't remember the numbers exactly and so we're trying to do the same thing a lot of people signed up for the first one depending on how you look at it we had I think over 5,000 people maybe 10,000 people signed up so that was quite good and so now is probably the time to be able to do another campaign of that kind so we're trying to tell use also the campaign as a way for people to understand that this is happening right now which is again a lot of the message yeah and so that's essentially what I wanted to talk to you about there's some links here so the first one is just a general campaign website the next one is our class action group action Reclaim Your Face is a European campaign that is run by our friend Edry which is European Digital Rights and Le Coil Chaudinet is the name of the organization I'm part of so thanks all for coming yeah if you've got any questions actually someone here has some so the question is what are we doing about mobile phones and how they are literal tracking devices well the answer is in this campaign nothing because this campaign is dedicated to another aspect of the issue obviously this plays into a larger problem in society but I think it's such a huge thing to attack and while we all want to do something about it there's only so much you can do to not dilute your energy and dilute the message so this campaign is very much about here's what's happening in terms of surveillance of the cities here's how it's being sold as smart safe cities here's really why it's a grift and it's just about market building and controlling our lives and making the public space less public and more privatized so we're trying to as I was saying earlier we're not even talking about the bias of technology which is a huge aspect like predictive policing which has had like inherent racial bias it's just like incredible and horrible so we're trying to keep this quite specific so that people get what we're talking about right here and I think a lot of people will also get interested in further aspects probably including the phone I would expect those conversations just emerge right so the question is following a trip to like early Covid China where video surveillance is everywhere and this sort of technology has been deployed at scale what can you do in totalitarian places to fight back against this or what tools you have at your disposal it's a really hard question because one of the tools we have is basically public campaigning we can do that in the safety the worst we're going to get is some pressure but you know we're not at risk in any personal way when we do this in France for sure we're not in France thankfully not there yet so what can you actually do so one thing we don't really talk about in this campaign is the pragmatic actions you can take on your own level like what operating system are you running on your phone do you can you use like special clothing or haircuts or facial you know makeup to sort of fight back against that we as a group of people in the campaign like as a group of people we love that sort of stuff like it's cypherpunk cypherpunk sorry it's it's really fun it's really hacker it's the sort of stuff we really like and we don't talk about it as a campaign because they're individual solutions and they don't scale and a lot of people can't use them so what's really hard about your question is that you're talking about a system where there is surveillance at scale and the only tools we can I can think of right now are individual tools that don't scale so I don't really know how to solve that and that is that is one of the worrying aspects I mean basically the only way the only strong strategy we know that has worked in the past is making things politically radioactive so when you can turn something from something that's obvious politically to something that everybody agrees or enough people agree is problematic then you can muddy the waters and people can start really thinking oh you know this is not as simple as that when they tried to do the freedom so this was back in 2009 they tried to pass a three strike law like if you download the stuff online three times then they will you know will shut down your internet access you know problems in terms of like it was completely unconstitutional regarding French law and you know and presumption of innocence but like that we were able to fit to defeat that because politically it became it sort of died in the water even though the law did pass politically it wasn't worth it anymore and that's why we sort of won that one but just to replicate that in China you'd need to get like you know sort of a groundswell in a grassroots movement and I'd know how you'd organize that sorry that's not a very positive answer but sorry yeah yellow? okay so the question is like as you ride your motorcycle back from Mexico you can see the sort of facial these cameras that do license plate recognition facial recognition and they're not in cities and this talk is mostly about what happens in cities and towns and so how do we try and address that what can we do and should we fight at city level first the reason why we so the city scale of this campaign makes sense in that people are good at fighting what is directly affecting them so that's one of the reasons why it's so hard for people to care about like you know online surveillance for ad purposes and then for social control because they don't really feel like it affects them like once you start seeing loads of creepy ads people are like oh this is weird but until that goes that happens most people are like oh yeah well I know it's a bit of a problem but they don't really care but when you start seeing it in your daily life like you see the cameras or you can or you start you know seeing more people arrested maybe that they should be because or just demonstrations broken up in weird ways people react more to that so so how would so that can sort of become a collection of local movements can become a regional movement that can become a national movement in the case of purely federal stuff that happens like really outside of cities I don't know maybe you could sort of try and find a thread between people that that unites like you know bikers and truckers and I don't know like you know other people who travel a lot who might all start coming together as a group and say well you know we're road users we like the open road and this is sort of destroying the spirit of the open road and so you know here are arguments against this is why we started this campaign you know keep the open roads open sort of thing or keep the open roads free I don't know but you can start messaging around a group of people that have a common common approach common interest maybe or just you can start trying to build a coalition of different people which is always hard, coalitions are really brittle and they're hard to maintain over time but they can also be really powerful at moments in time so if you can yeah build a coalition maybe with you know different road users that can sense there's a problem but maybe don't have haven't had time to either have the conversations or have the arguments or still think that some of the counter arguments are convincing like by having those conversations you can start building potentially a group of people who agree and then can start you know I don't know how you actually who you'd actually talk to I don't know if the federal government would even listen but you could still start a campaign possibly and obviously I'm going to tell you start a campaign yeah in the back right so the question is like from an American perspective or just in general how does GDPR affect all of this so GDPR has a few so GDPR does so GDPR is a general data protection regulation it's a a European regulation which means it's a law that was so in this way the European European Union functions a little bit like the federal government in that it has the power to enact text legal text that will then directly apply to all the member states so the regulation is a text that the European Commission and the European Parliament made happen and that now applies all over Europe and it even goes beyond because it applies to anybody that provides a service to European people European citizens or people living in Europe so it's really wide ranging and it's a very privacy oriented text it does a lot to sort of curtail and limit the data you can collect on people but crucially it also has a bunch of exceptions that make it possible to still collect data and I'm really not an expert of the GDPR but there is this idea of legitimate interest so if you for instance a basic example if somebody leads you to a number to be called back you are allowed to keep their number because otherwise you can't call them back so something very basic like that you have a legitimate interest in keeping the phone number I hope my lawyer friends are not going to be disgusted by my example but so usually they will invoke public safety or stuff like that as a form of legitimate interest on the local government level so there are ways to weasel around it I don't think it's an angle we've specifically used so far so I wouldn't want to go much further than that but the exceptions are probably what they're using do we have enough time for another question seven minutes cool yes here right so the question is we've talked a lot about like facial recognition in surveillance in cities what about IoT devices and how they can be used either directly or indirectly like creatively to spy on people so I mean a bit of the same answer as before like the campaign talks about this so far because it's what we identified and it's also the energy and the means we have I mean likewise your unit is like seven full time people six right now I think so with one of them only working full time on this campaign and a bunch of volunteers so yeah sure I mean we'd love to do more stuff about IoT we just need a bigger budget more people more volunteers more everything so in a way it also makes sense to let other people run other campaigns if they can what are our opinions on it I think we're all quite concerned literally about what you're talking you know and how you can creatively reuse a lot of IoT stuff to turn it into surveillance networks and meshes like just in supermarkets or you know in commercial areas you get Bluetooth beacons that can basically track you around and that was a big thing that we were we had in Europe also the COVID apps there were a big thing in Europe when they were trying to sort of you know use an app that will enable you to sort of know if you've been in contact with somebody who potentially has COVID and the thing is with a mesh of Bluetooth beacons like in a commercial zone they can track you and that the app could literally please buy so there's there's definitely concern there and there's definitely we've talked a bit about it not necessarily directly in this campaign more as part of the culture in general so in the more sort of you know we do a lot of like one shot stuff when we see something that is problematical maybe do a press release and you know a bit of media about it but it is again like you know we need more specialists on the issue it's each one of these things is a rabbit hole so it's like how many how many people do you have to go into different rabbit holes it's a bit of the issue but yeah that's great sorry there's someone in the back who's been sort of holding up their hands for quite a while yeah you could it doesn't scale but you could that's always the problem is like you know if we could create a groundswell movement where everybody starts carrying high beam lasers and burning out you know I think we'd already be at the point where politically this stuff is toxic and a lot of people would just drop it like a lot of the local administrations and councils and municipalities if the population was against it that much they were willing to go burn out the lenses with high beam lasers would be in a different political setting and so it wouldn't be worth you know there would be they would be putting their political career on the line just by putting more of it they would be gaining probably politically by saying I'm going to be the candidate that reigns in video surveillance because it's not useful it's a waste of taxpayer money so like it's again it's a fun thing it's a fun solution but like I don't see it scaling up with like you know thousands and thousands of people in France and the UK and in the US sort of doing that but it could also be useful for instance you know for your own neighborhood yeah I mean there's a German campaign called camover where they were ripping off cameras off walls if you want to look that up yeah sorry the person behind yeah yeah you can do that yeah in blue in the back yeah excellent alright so the question is I'm going to try to repeat it without getting it wrong you're part of a group that has used a lot of data and it has access to data and chose what the LAPD where they do where they stop people and you're going to be basically in office or close to office in four months and so what can you do pragmatically once you're in that position to do good and change things one thing I think I would request is documentation that proves how useful this stuff is like that is actually work show us data and show us that can be independently audited and replicated and if it doesn't work then your shit doesn't work and so why would we keep buying it that's because once these contracts start rolling over and over a lot of time they just keep going because if you stop them you're basically saying oh well why are you removing locks from the doors you're making us less safe and the thing is like this is not a lock on a door it's somebody like drawing a weird symbol and then every year you pay more and more for them to come and draw the symbol again it doesn't do anything it never did anything so if you can get actual data that proves that then it becomes a conversation about what they do where the money goes versus where the money could go and if you can play it in terms of you know we're putting all this money in the surveillance tech that doesn't do actually anything fights the wrong problem and we could be putting it in this sort of stuff that is much more useful socially and would create safer areas for everybody which supposedly is the goal that's probably quite a strong thing to do if you're in a position to to request those those studies and those numbers Thanks a lot for coming I'll be outside if more people want to chat Hi everybody, welcome to the third talk today from the Open Government Track this is a slight different because the last few talks we've seen have been about opening a municipal government or a state government or a federal government and this is going to be open governance of open source projects rather than necessarily some sort of legal framework or municipal framework but how to run your care how to do things so with that I mean we said I'm going to pass it off to Josh who is you know a lot about this space and is here to educate us about his plans Thank you very much So welcome everybody I I'm Josh Berkus I'm one of the maintainers for the Electo Project which you'll be hearing about later on I have been an election officer for both Kubernetes and K-Native projects I'm on the open source initiatives election tools committee because we keep switching around how we do elections and a long time ago in history I was actually an election reform lobbyist here in California which will also become relevant later on and if you want to tweet this that's me So if you're in here hopefully one of these describes you right either you're involved with an open source project you're some kind of a community manager or Ospo person you're in general and interested governance and elections in general what this talk is not about as you mentioned here is I am not going to talk about any kind of solution for public elections although some of the lessons learned will apply to public elections hold on I'm going to see if I can actually get my headset because I'm going to be typing later on so let's see if we can get the headset on here would be live second awesome so this is not going to be about public elections although some of the lessons learned are applicable to designing public election systems as well one of the questions is if you're so I know some of the people are here from the open source project side is anybody here from the sort of open government side or is everybody here an open source project person kind of okay so if you're open source project person you know open source projects have elections a lot of the bigger projects have elections with elections in Kubernetes, elections in Knative Fedora has elections Debian has elections a lot of open source projects have elections for certain offices within the project this can be for a steering committee for a project leader for a technical oversight committee for a lot of other things where there's going to be a limited number of people who are going to actually have the authority to do something they want to make it democratic and if your open source project is part of an open source foundation that foundation is definitely going to have elections and this includes foundations like SPI the GNOME foundation Python foundation, open stack all of these have elections and so they need to actually run those elections and for that matter this is such a common thing that within tag contributor strategy which is a committee I set on in the cloud native computing foundation we even devised a generic template for steering committee elections for an open source project and by the way at the end of these slides the slides are public and online and at the end of the slides there's a whole page full of links so if you need the links you can go ahead and look at my slides online and you can actually click on them but even a template this is such a commonplace thing to do so if we're looking at hey we're going to have an election in an open source project what makes elections in an open source project possibly different from other kinds of elections and there's a set of a few characteristics we define this they can share this with their elections but we actually sort of look at those open source project elections are going to be online and public at least publicly viewable secret ballot voter authentication archival records in preference voting let's go over all of these so the first thing is we have this sort of interesting combination of things where because we have people spread out all over the world in our project and we can't feasibly make them physically come together in order to participate in the election the election actually needs to be on a public website but at the same time we want to restrict voting to legitimate members of the project for however we've defined legitimate members of the project sometimes that'll be a certain number of contributions for a year sometimes that will be some other nomination system sometimes that will be having your name in certain files or whatever but there's going to be something of this is how you're entitled to a ballot and not everybody in the world is even though everybody in the world can actually see the election happening now there's a couple of ways to handle this, a few ways to handle this one of those that people kind of tried early on was to just have a stand-alone application where people registered through the application the problem was that wasn't really a good solution because it's 100% disconnected from why somebody is legitimately a voter in the first place and it ends up requiring them to maintain an ID in a completely separate system that's unrelated to the system they have to have an ID in order to contribute to the project so the stand-alone app method wasn't really good and so what we've ended up with is two different systems that get used in different online voting systems one of those is email and the other one is OAuth so a lot of them are projects are email heavy particularly older projects Linux, kernel, Postgres, QL Debian Fedora tend to be highly email centric and as a result it makes a lot of sense for them to do some form of email back authentication for the voting system because to be entitled to vote you have to be on the mailing list in the first place and therefore your membership in that mailing list is a good way to define whether or not you can vote now the problem with that is how many people have had to send out mass emails to large numbers of people what's your percentage of like bounces or people not receiving the email that's a major issue in email back systems everywhere and when it's important that each person when they're getting their ballot by email it's kind of a critical fail if it goes into their spam box and they can't find it and OAuth is the alternative to that and OAuth just means for anybody who doesn't do web dev, OAuth simply means doing authentication against an external system that has an authentication API where the person has some more robust login and sometimes that OAuth is going to be something belonging to the project like the Fedora ID authentication and sometimes it's going to be something external like GitHub and what I see is mostly is actually to do this and that's nice because somebody else is maintaining the machinery of identity but the drawback to that is that you need this external provider and you have to sort of maintain code that's compatible with the external provider and obviously it has to be an external provider that's appropriate for your project right so for Kubernetes where everybody has to have a login on GitHub to contribute it makes sense for us to use GitHub OAuth ID but if your project didn't have anything like that then this would be problematic so then the second thing that we need obviously is secret ballot and some people may say well it's open source it's all open why can't we all vote in the open well here's the problem if I'm voting on an open source project chances are I am friends with every single person who is running and therefore I cannot allow them to see who I voted for and who I didn't vote for and that's true like across the people who are voting in the project and so we really do need to have some kind of secret ballot but here's the problem we're having secret ballot in an election that is being held on a public website and may be backed by a public source code repository so how do we do that and particularly we have another problem which is usually the people who are administering the voting system are going to be contributors themselves who are also voters and therefore they need to not be able to see how other people are voting even though they may have direct access to say the database backing the voting system well this is why we have cryptography and I'm not talking about blockchain here right just forget that entirely no I'm talking about just classic secret key cryptography nothing particularly special and by encrypting the connections between voters and ballots using a pass key supplied by the user we can have public or semi public systems that nevertheless have secret ballots because you cannot figure who voted for what without either getting a complete copy of the database and doing a whole bunch of number crunching that's obviously you know an option particularly if it's a very small pool of voters or by having the voters individual pass key that they came up with I can actually flip over and you can see this let's not hold on sorry so this is the electoral system which is one of the systems we'll be exploring but you can see right here is that rather than having a norm foreign key link in the database we have the voter ID which is an instantiation from user and election and we have the voter ID and they have a ballot ID that's actually an encrypted string an encrypted bit key that is made from encrypting their pat encrypting their the link to their ballot with their pass key and then if you actually see the ballot this links to UUIDs in the ballot and that way even though like say I'm an election officer actually I'm not I finally managed to get off of being an election officer but even though I was an election officer last year for the 2021 Kubernetes steering committee elections even though I had direct access to the database I still can't tell who's voting for what and you also use UUIDs here so there's no ordering so and then one of the other things that I mentioned here might be a surprise to some people which is preference voting so we need to talk about preference voting a little bit and why it works better for open source projects so first let's go over what is preference voting so regular elections like what we're used to in the United States for most elections in most places is what are called plurality or first pass the post elections and that means everybody votes for a candidate and whoever the top voters are even if they were elected by a minority of voters win and one of the things that we've noticed is a problem with plurality elections is it actually gives an advantage to a candidate who has a dedicated minority of the voters over a candidate who is generally liked by a majority of the voters which then tends to promote extremism among your candidates because it's more important to maintain that dedicated minority following than to be generally acceptable a preference election has you actually in some way rank the candidates in how each candidate you would prefer to each other candidate and that tends to result in candidates who are more generally acceptable winning over candidates who are more liked by a dedicated group so let me actually give you a story of why this is something you actually want for your open source project elections how many people here know what software in the public interest is so software in the public interest is a 5-1-c-3 non-profit so charitable non-profit which hosts financial resources for a bunch of projects primarily among them Debian it's also the legal backing for Debian as well for the other projects that hosted just host financial resources for them and it's been doing this for a long time and back in 2006 we were having a political and operational problem with SPI which was that we had an extreme candidate who was interested in being very disruptive and making political points using his board position on the SPI and since SPI's job was really to be the legal and financial backing for open source projects we actually honestly needed to be as stable and as low-key as possible you want a bunch of boring people on that board because their job is to like not land anybody in court and this person was didn't care about that and the problem is that because he took these extreme positions he actually had a dedicated popularity among maybe about a quarter of the followers particularly people in the Debian project and so as long as we were doing plurality voting even though the other three quarters of the voters really disliked him he was always on the board because having 25% of the people vote for him was sufficient to keep him on the board so in 2006 we switched over to preference voting and as a result voters were able to rank not only who they liked the best for the board but also who they liked the least which makes a difference and suddenly we ended up with a board where the people who were the most generally acceptable were the ones who got elected to the board and the people who caused people to hate them as well as causing some people to like them ended up off the board I think you can see why this is a good thing for open source projects particularly for elected positions in open source projects we're really looking for people who are good stewards rather than people who are necessarily inspirational the so there's two different kinds of preference election types one of them is called instant runoff voting there's a subset of that called single transferable vote there's a variety of permutations on this the other one is called ranked choice voting and I'll go over both of those for instant runoff voting the idea is that you pick a first, second and maybe third choice nobody tends to do that if they want 10 or 100 they tend to go over to ranked choice so it's generally first, second, third sometimes I've seen fourth on some things but it's rare for instant runoff voting to work together with choosing everybody but not unheard of because that's how we did the last election in OSI actually it was instant runoff but we chose everybody but usually it's first, second and third choice fourth on and then any kind of instant runoff voting works through a series of eliminations this is actually a snapshot from the last OSI election but I can actually show it to you in a lot more detail and so what happens is you gradually eliminate instant runoff algorithms to work a variety of ways this one is actually what's called Scottish IRV and so with Scottish IRV first you look for any candidates who already have above a majority threshold of votes and there are anything that they have over that majority are called excess votes and those get redistributed and if that pushes anybody over the majority they're also one of the candidates and if not then you eliminate the person who got the lowest preference and redistribute their votes and keep going from there Scottish is one of the more complicated systems for IRV most of the time you just take the lowest vote get a redistribute their votes then keep going up until you've narrowed it down to the number of candidates that you have so if somebody has the lowest number of first place votes then you eliminate them from the list of candidates and you look at what their second place votes are and you take those second place votes and you redistribute those to the other candidates and then you recalculate whose first, second, third, etc in what way how is that any different from a group of people deciding to vote for a particular person in a plurality election I'm going to say that's called voting and that's called campaigning basically the one way that political parties have rank choice voting is if it's only one, two, three rank choice voting, we're only ranking say the first three candidates they'll stuff the ballot with a bunch of likely looking extra candidates in order to prevent the candidates they don't want to win from grabbing those number two and number three spots yeah, yep now rank choice is a little bit different because first of all in rank choice you're expected to rank or for some systems give no position to every single candidate on the ballot so if there's five candidates in the ballot you do five, if there's 12 candidates in the ballot you number them one to 12 depending on the system you can have some of them have no position you can have some of them do a tie some systems allow this some don't and then but then one of your problems is you say hey this is a complicated thing of everybody's gonna have a different list of the order they prefer them in how do I compare all these to decide who is the most preferred candidate and the answer there actually comes to us from the 18th century the Marquista Condorcet so this free thinker, enlightenment thinker in the 18th century was actually thinking about how do we improve elections to get the most preferred candidate and he came up with a set of mathematical algorithms to evaluate whether or not the first most preferred candidate was chosen and we still use these algorithms today like literally nobody has been able to improve on this dude work in terms of the verification portion of this and so the condorcet algorithms are basically our test for test driven development for designing condorcet compliant voting systems when and this is something that confuses people because they say it's a condorcet election and saying something to the condorcet election is saying something like it's it's an IETF certified network protocol right as in the condorcet portion is actually the certification that the election produces the correct result given the correct inputs the actual code can be a whole bunch of different things and so what you see are documented is condorcet methods and the condorcet methods are the actual practical algorithms that can be rendered as code in order to produce a condorcet outcome most of these use pair wise preference comparisons some also do DAG evaluation where it says hey if I prefer if I prefer candidate B to candidate C and candidate C to candidate A it actually matters the complete chain of those other ones don't they just compare individual pairs you can actually see this so for example this is one of the ways of implementing this is something called the beat matrix which is you create a two-dimensional matrix of which candidate was preferred to which other candidate in numbers and so for example in here candidate A was preferred to candidate B by 38 more people than preferred candidate B to candidate A and this is a little bit easier to picture and again this is this 2006 SPI election as a graphical diagram so you can actually see right here which is and I was running in this election which is why I picked it out but like that 17 more people preferred Neil McGovern to Michael Shilstis than the other way around and that's how you decide and you add those mathematically together you calculate the matrix and then you decide who won on that basis there are other mathematical things that can go in there if you're actually writing the code so let's talk a little bit having given us our requirements let's talk a little bit about election software that's available there's a lot of stuff out there and there are actually multiple choices now which is really nice for a long time there was only one choice which is the first one that I'm going to actually go over so there's some extra steps we want to look at when we're evaluating election software for our open source projects or similar open source foundations or similar organizations one is hosting options as in who's going to host the software one is which kinds of voting tally they support because some organizations already have pre-decided hey we do our elections by Scottish IRV or by the Condorset and Max method or something and therefore they need voting software that supports that particular kind of tally and the third is which authentication options they support because there's a lot of differentiation there now for hosting our basic options here are self-hosted which probably means that it's going to be open source software that you run and host yourself second is free-hosting that you don't host yourself that someone else hosts and then third is paid-hosting that someone else hosts and there's trade-offs there it's all available to people and I'll show it to you and so on that basis we're going to go which I think kind of exemplify what's out there actually the four most popular platforms that I know of at least within the space of doing elections for open source projects so our first one here is CIVS and CIVS stands for a Condorset International an internet voting system it was probably the first practical and widely used Condorset election system in the internet age it was actually developed at Cornell University more as a demo that Condorset elections now that we all had computers Condorset elections were not a theoretical thing but can actually be a practical possibility it's been around since 2003 and there's still an instance of it hosted at Cornell University that is available for you to use for free so free-hosting at Cornell University you can use anytime or code is available on github internet and cell-host if you want to have your own instance it supports at least like eight or nine different known Condorset methods including something called proportional Condorset where you do a really complicated set of matrices where different groups of votes get calculated in their own matrices and then those matrices get compared it's complicated there's a lot of math I've never had a reason to use proportional Condorset but there are people who do and CIVS is the only one I know that's an option all of CIVS CIVS only authentication option is email authentication versus emailed tokens so advantages, disadvantages using CIVS one is it's already been localized to five different languages so that gives you different options for doing it disadvantage it's really old code if you're doing cell-hosting it's an early Perl 5 version I think it's like Perl 5.4 or 5.5 so you might have difficulty running it and certainly might have difficulty hacking it if you need to make changes if you're using the publicly hosted thing it's being run as a best effort service by Cornell University so they have not dealt with things like not getting their blacklisted by several blacklists because people have abused the service to send spam to people etc and as a result they will have a very high degree of non-receipt of the emails for voter tokens I will tell you having run several elections on CIVS I if you are an election administrator a good 40 to 60% of your time will be dealing with email problems so you don't want to use CIVS for those reasons for email things what are other options well there's Helios now Helios was created by a bunch of open election geeks who were specifically focusing on the issue of end-to-end encryption and verifiability for online elections they were really thinking about building this for public elections and they wanted to say that hey it is possible to make public elections that happen over the web secure and that's where they put all of their effort into it it's available you can either run their code yourself self-hosted it's a Django javascript application that you can run on your own or they have an instance of it that they run for free and you can use that to run elections again they're running it for free there's no paid staff it's best effort sometimes it goes down but you don't pay for it you don't have to figure out how to host it now one problem that rules out Helios for me personally is that it does not have support for any preference elections it is strictly first pass the post elections so if you are not in fact doing preference elections then Helios is a good option for you if you are it's not there are a number of issues open that show how complicated it would be to add preference election capabilities to Helios there are a couple of forks of it that have preference elections sort of half implemented the actual project would welcome that they're just not going to do the work themselves so Helios won't work for you, Civs won't work for other reasons what else do you have in there? well there's actually a whole set of proprietary elections apps that are available on a paper election or subscription basis several of which are actually pretty good the probably most popular one about that partly because it's the most reasonably priced is Opavote now Opavote is a closed earth voting system and it was created so I mentioned that a number of years ago I was a lobbyist in Sacramento for verifiable elections which is how we got paper trail on the computer voting machines is because of that lobbying well one of the other lobbyists who was there with me went off and decided to develop a voting use all of their computer engineering stuff that they did as part of the lobbying and deploy this voting company and make a little bit of money off of it so that they could actually credibly maintain it and that became Opavote only paid hosting so there's no open source option you pay per election they support several condorsate methods and several IRV methods for elections and it works through email authentication only and again email tokens the same way that we have with SIVS because it is a paid service with staff that maintain it their spam blocking problem is a lot less than it is for SIVS the one of the advantages is because it is a paid service the documentation and the hosting are relatively high quality it includes one feature that it has that was unique among the systems I surveyed was automated reminders to send out to all of the voters and this Opavote is actually localized in four languages so you have multi-lingual options there again none of these systems are designed for public elections for public government elections but none of the systems I'm covering today are designed for that scale there's a bunch of similar ones to Opavote the ones that I saw that had good ratings and good reputations were election buddy election runner and simply voting similar value proposition to Opavote slightly different detailed features like election buddy has really nice design features for your actual voting page which is not something Opavote bothers with but it has fewer voting tally options and you just figure out those trade-offs and all of these are either subscription or paid for election now the last one I'm going to talk about is the one that I worked on myself and still work on myself which is called Electo and I think we will have time for me to go through a demo of Electo yes we will so it's Electo so Electo was a voting system we specifically designed for Kubernetes and a bunch of other cloud native projects at the Cloud Native Computing Foundation to support their specific election workflow and their specific election workflow involved being extremely get-op centric I'll explain what that means in a minute and this is now officially a project of Tag Contributor Strategy within the CNCF so major avow points currently only available through self-hosting it's a very simple application there's a container image available it's a Flask app requires a relational database and you can self-host it there are no free or paid hosting options that I know of somebody it's Apache license somebody could create one but they haven't as far as I know and the only authentication current that it supports is some form of OAuth the only OAuth that's currently implemented is GitHub there's a very obvious plug-in location if anybody wanted to contribute OAuth authentication to other OAuth providers but nobody has yet and actually the OAuth thing is a hard thing in the project because one of the reasons the project was developed we were previously using CIS and so one of the requirements of the electrical project was no email so we're not going to change that OAuth is using external authentication providers through their API so authenticating against something like GitHub or Google Docs or the Fedora ID or somebody else who provides an authentication API now I mentioned it's GitHub centric so the idea is that it applies into GitHub or GitLab repository and instead of using a web UI all election administration actions are a pull request or a merge against your repository and the reason why this made sense for these projects is that these projects already have very sophisticated apparatus for approval and authority for merging code and so having an election system that uses that means that how they approve elections is not different from how they approve everything else it's a very young small project it's only a little over a year old at this point the advantage of that is the super simple and portable code very easy to host yourself disadvantage obviously is it's not very sophisticated doesn't provide a lot of options one of the features that Electo offers that I realized surveying other things that other places don't offer is none of the election systems I look at allow you to have an election administration team so even OPA vote which is otherwise very sophisticated you're expected to have a single election administrator which again was a problem for a lot of open source projects where they want to have an election team there are five people so that they have distributed responsibility and avoid questions of bias of the individual election admin so I'm going to actually give you a tour of that one because it's an easy one to tour so this is the Electo interface so again like I said it works for you all so when I'm signing in I'm signing in against GitHub and I previously authorized GitHub that this Electo instance which is just our test instance is allowed to request my credentials from GitHub now that's very interesting okay maybe I'm not doing a demo yeah or maybe it can't actually reach GitHub right now for some reason yeah so okay maybe I'm not doing a demo I got zero off yep oh there we go okay now with having internet problems I am on the conference internet so okay so one of the other ideas of Electo is that these are the elections for your project and so it stores them all in perpetuity because we want to have a permanent record of the elections so this is the current election but we can actually look at all of the elections that we had previously this is our test instance so these are a bunch of random elections that we either copied from a real one or generated you know as part of our test case but the one of them that I currently have open right here is the original one that we tested the system which was naming the project because we had a number of ideas or names for the project and the way that you actually vote in that and so we'll show you here explore preference voting here right which is like maybe I like Ribamont oh yeah but it tries because most people don't intentionally do that you know you that that's the way that you can do it because you are actually allowed we're using the Schultz e-condorset method which does allow ties so you can actually have two people who are placed number two and the calculations will go through it yeah oh no it's yeah let me finish the demo and then we will field that the okay so so like I'll do here's my set of votes and then and then I have to create a past key of at least eight characters and part of this is that in order to in order to have this actually secret no one else has that past key there's no if the election administrator to recover it if I decide I want to change my ballot and I've forgotten so we go back and it's still open in that sort of thing now if I actually re-enter this who I did not type that correctly I can actually oh I apparently didn't type it correctly before though there we go um and and I can review that and if I entered my past phrase again I could revoke my ballot so that I could either decide not to vote in the election or I could vote again and again this was one of our requirements because in a lot of cases people wanted to vote early in the election to make sure their vote but then stuff would come out during the election that would cause them to want to change their vote and if we could technically support that without invalidating voter privacy we wanted to and we figured out a way to do it um yeah the um okay so now can't see the results this way so let us go ahead and do something about seeing the results now I said everything is a pull request right so this is actually the this is the definition of the election in the test election repository so what I want to do here is I actually want to go ahead and end the election so that I can actually do the vote tally because until I've ended the election it will not allow me to do the vote tally um and I'm already defined in github as one of the election administrators which you can see right here so this pull request will actually go in it does not so that's an important thing to keep in mind with changing the start and end things is it does not actually cancel out ballots by date because there are no dates on the ballots and the reason why there are no dates on the ballots is because we want to make it difficult to snoop via timing attacks the um because that's something somebody could otherwise do over the network um the um so yes I can do this because actually my vote was on the 29th and it's going to be part of the tally so just an important thing to keep in mind that the system will allow me to change the date to a time in the past but it's not something you would actually want to do during a real election well yeah all they can see is though that ballots are coming in they can't even know who are who's casting those ballots and that's the important part right is they can't know who's casting those ballots um so yep so let's go ahead and commit that so yep and it got picked up pretty quickly it's watching for the stream of changes from github so we can sometimes take 10 minutes to pick it up this time it was just really fast so since I've actually got this now this results page is actually manually generated by the admin um so it's not actually the real results page right now uh the admin has to manually enter it and actually and the reason for that is that a lot of projects have rules around how much of the election results they disclose so this actually gets typed in by the admin um so let's actually look at the real election right so we have number of winners we have four voters um you can download the anonymized ballots as a csv for archival purposes and if you have a voting geek in your project who wants to personally verify that the ballot was correct um you can say here's the csv knock yourself out um but let's just have electo do it for us and there we have electo is the condor set winner and these are rankings and and because we're using you know um you can get ties and that's been a problem in the past and and ties happen when you basically have a cycle right voter one likes b and then c voter two likes c and then b so that is our basic um and it's actually kind of a good tour obviously you can use one of the other systems because the other systems involve more options they're more complicated than electo is um the um but that gives you an idea of administering a rank choice election system so concluding for this um um you can and should have online secret ballot elections for the office near projector foundation um preference elections are preferable as both open source and proprietary solutions is various often hosting options um they're available to you according to what you need and then we'll go into questions so you had a question about ranking so ask me that question again actually here wait a minute this on tape hey look at that yeah um so as a export line native I'm super stoked about something called star voting which was developed there um essentially it is intended to be a upgrade of like rcv and other irv based methods that score than automatic runoff so the tabulation is super super simple um with rank choice as you alluded to a couple times it gets kind of hairy depending on where they want to do the scottish version or other versions and it's tricky to kind of go through the math you have to have an election geek to look at the csv to verify with star which is another kind of preference one you basically do zero through five stars just like any kind of product rating system out there and um it's super simple the top two scoring candidates are um go into an instant runoff and then it goes through every ballot and you know looks at each about each person's ballot and says which of those two candidates which ones do you prefer that's the winner of the election um I guess my question was can you include that one too? it's a great rating it's a great voting system I didn't actually look at that's that's part of a general class called rating based of voting systems it's scoring I think it's scoring based voting system and I didn't include those mostly because I don't know any widely available online software that implements them it's a problem um there's a there's a to to to that I guess there's a really interesting slack um plugin called Accord which has a whole it has a all of them it has like all kinds of cool ranking and rating and approval and IRV and RCV and etc it's it's really good so steal their code if it's open source cool cool where does the encryption between uh of the that foreign key happen does that happen in the browser that happens on the server um that's actually one of the big differences between that's one of the big differences between Electo and Helios um Helios because um solidly trustable voting was basically the sanctity of the voting booth was their primary priority they do the encryption in the browser um I it was just easier for us to do the encryption on the server side and and it wasn't that wasn't our primary um wasn't the primary problem we were trying to solve so presumably like the election but but if somebody submitted a patch to Electo that didn't on the browser we would probably accept it as long as it was sufficiently wide support for browsers um that's one of the problems you look at the code in Helios and to support sort of a wide array of browsers it's pages of code speaking of ancient developments uh Lewis Carroll wrote a book called the Calculus of Consent quite a few years ago and his point was that designing this kind of system can determine the result just as in your election that you referred to at the beginning of the you changed the voting system to change the result is that a fair thing to try to do that's a philosophical question well I don't the philosophical question I can't get a determinative answer but you know in this case changing the result was a case of the majority so seven out of the nine board members who were elected by the membership voted to make this change and these are the ones who were voted who were elected under the old system so um you know it's a question of if you believe that the old system was at least somewhat democratic um then then you know then the change is valid because the elected representatives are actually making it all of these systems are valid in a sense that's for sure but by choosing one you're prejudicing the result in some way whether you understand it or not yes and in this case we were consciously prejudicing the result that was the that was the entire intention and more importantly it did not trigger a mass walkout of the voters right the majority of the the majority of the registered voters voted in the following election I think this is one of the reasons that some countries have six thousand amendments to their constitutions because they keep changing their mind yeah just to add on to what Dave was saying um when I was a freshman graduate student uh I took a course that talked about health psychology and they talked about among other things election systems and I recall from that if I remember correctly that someone named Kenneth Arrow got a Nobel Prize for analyzing these things and essentially he came up with something which is analogous to the um I'm forgetting the name of the other thing here but basically he showed that election system uh meets all of the requirements and and not only that it's mathematically impossible to have an election system that meets all of the requirements so if you look at all the things that are obviously good you can't get it it's impossible so that means you have to choose and just get the best you can find and that depends on your preferences and so that's kind of sad and uh every once in a while something comes up in mathematics and then people commit suicide because they're really unhappy because the theoretical ideal is impossible anyhow that's the thing I think he got the it may have been in economics or something where the field that gave him the Nobel Prize but it did happen and as an example of that one of the reasons is so like I'm talking about this in the context of elections for open source projects and one of the reasons why you see IRV a bunch in actual public political elections but you never see condorset is you can only really get a bunch of computer geeks to trust complicated code algorithms they're going to calculate who won because the actual condorset code is a recursive algorithm um that operates over the ballots and I wouldn't even propose that for say California elections simply because I couldn't possibly get the public to trust it even though I feel like it produces better outcomes than IRV does I just had a quick quip about your thing yeah that's Aero's theorem which reminds me of like in the tech world you know we have the cap theorem right the oh my gosh my brain just dumped it consistency availability and performance partition tolerance it's like you can't have all three it's just not possible Aero's theorem is really similar to add a little bit more to that in the same course which surprisingly turned out to be kind of important through my whole life because it affects your mind view your world view of things the other thing has to do with the properties of numbers the concept of scaling and so a nominal scale is you know boy girl, apple, banana, whatever it's just a name and then there's the ordinal scale which is just the order but it doesn't have a it doesn't have a zero and it's not mathematic and the operations of mathematics are not really defined on the ordinal scale and a lot of these systems do require the scaling properties which allow you to mathematically and sensibly do mathematics and do multiplication and division if you can't if your data don't support mathematics and your voting system requires mathematics then you're making a big mistake in using it and so for that reason I kind of prefer the ordinal scales data because it's pretty clear who came in first, second or third like horse race data or track data some of these other systems and I haven't looked at this for quite a number of years like 40 do require the mathematics and you can comment on the kinds of scale data that are appropriate for these various systems you've outlined I would appreciate the review but I think that's a really good reason for using the ordinal data well yeah you could talk about a metric space for various things but I don't know if you want to so I'm not sure that I actually understand the terms scale data and ordinal data in the way that you're using them but yeah okay now I get it yeah but the condorcit the condorcit elections just do who's ahead of who I'm not sure because I don't recall but I'm saying that's what it is it's fair-wise comparisons who's ahead of who what he was talking about in terms of the scoring elections actually is an attempt to look at who is like twice as much as who which is a you know which is a different comparison alright thank you so I'd like to tap into your lobbying chops for a little bit if I may Josh so being on Capitol Hill you've had to convince various people of the efficacy of these voting systems that are alternatives to first pass the post I myself have tried to do the same thing in speeches and debates and I continue to run into the problem that there is a learned helplessness when it comes to systems that aren't one person one vote that is a common refrain I'd like to know what you do what easy things you say to people to convince them to give these other voting systems a try because we know they're more effective yeah well so it's a very different so when I was actually lobbying Sacramento was specifically lobbying for the requirement to have a transparent auditable paper trail for voting systems not not promoting IRV or anything the we were also trying to get the folks in Sacramento to buy into having the open the voting systems be open source but that was definitely a secondary vote goal because this was back in back in the early aughts when we got the debold machines that had no paper trail the I don't remember I don't remember what the secretary said at the time and the funny actually the huge turnaround there by the way is the primary people who at the time were lobbying to not have a paper trail was actually the LA registrar of voters and now they're going to be in the talk slide after me talking about how they're open sourcing elections so it is such a 180 degree turnaround the end it's amazing to watch so so I wasn't actually trying to convince those other things and you have here's the big challenge you have when you're talking about visions right is you are talking to people who were elected under the old system and therefore they are going to fear a change in the system because they personally might not get elected again with some way where it is to their advantage to change the system or alternately you need to build a coalition of people who are about to term out and say because we're talking about public politics you grab the people who are about to rotate out of Capitol Hill and we put together enough of those you can often get them to do the right thing even if it's not personally advantageous yeah the the and like I said you know the example is I wouldn't even try to convince anybody to use condor set or scoring based elections or anything like that in a public election system right now because they would be afraid of the math instant runoff voting is something they can understand because you can demonstrate it with a pack of playing cards which is actually exactly how I would do it is I would bring a pack of playing cards and demonstrate it not using a computer at all the for open source projects it's a little bit different right because in general in open source project you've got a group of engineers they actually trust the math and so you just need to show them citations that show that this thing is better right it's with open source programmers always you can show them the numbers they will often accept it even if they don't even if they haven't actually looked at the code advocate the pieces and I don't know how to demonstrate that simply with a deck of cards so let's put a pin in that conversation for a second so because we've got to translate speakers coming in in 30 minutes and that actually is L.A. County is going to be to Josh's point they are going to be talking about their voting solutions for all people which is actually what they've been using for the last couple of elections I personally helped them design some of the stuff they're doing so I'm really excited for that talk so please come back to see that so let's thank Josh again test test yep and I'm the chief information officer welcome we're excited to share our experience welcome absolutely thank you thanks a lot Mark good afternoon everyone as Mark said my name is Amman Buller I'm the CIO for Los Angeles County Registrar Recorder County Clerk I know that's a big name Registrar Recorder County Clerk is one of the departments of L.A. County and part of what we do is we conduct elections we provide election services to the constituents of Los Angeles County so the voting system that Mark was mentioning I'm going to show you a video that'll lay some foundation of what are we talking about that'll give you some context because there's a lot that has gone into this project so let me play the video it's not too long hopefully followed by a presentation and then we can have a good healthy conversation there you go welcome we're excited to share our experience and journey of revamping voting experience for the residents of Los Angeles County with you today my name is Amman Buller and I'm the chief information officer of Los Angeles County Registrar Recorder County Clerk and I'm Abigail Calderon and today we're going to discuss our journey of the voting solutions for all people the voting solutions for all people or VSAP is a revolutionary project that changed the way of voting forever I'm here in the VSAP operation center or VOC where much of the magic of election preparation happens this warehouse prepared and holds over 150,000 devices and equipment that are deployed all around the county of Los Angeles as part of the implementation of the VSAP model several fundamental changes were implemented to the way voting was conducted part of these changes includes the creation of vote centers which allowed voters to vote at any locations throughout the county and replace the assigned one day voting was also extended to 10 days prior to the election day to provide voters the flexibility to vote on their own terms in support of these new fundamental changes the devices housed here in this warehouse were acquired ballot marking devices were custom built by the county to replace the old punch paper ballot system with the new stand-alone and digital system these devices enabled users all around the county to cast their votes in up to 19 different languages as well as accommodated voters with accessibility challenges additionally voters were provided the ability to cast their voting options in the comfort of their own home and preload those selections on to any ballot marking device to cast their vote through the interactive sample ballot paper rosters were replaced by electronic pull pads that allowed voters to vote in any voting location due to real time access of voter information these are just some of the amazing technologies housed here in the VOC warehouse and launched as part of the VSAP implementation operations in support of VSAP program that are outside of the VOC warehouse these include operations such as Tali which created a secure air-gapped network facility to tabulate the voted ballots with new high-speed scanners and a new vote by mail facility which processes millions of incoming mail-in ballots before sending the Tali facility for processing as you can see there are many components and operations that went into the implementation of success the video we are about to show you provides a wonderful overview of the entire project the systems and the work that went into making this project successful this will help provide some context for the presentation that will be presented later on today we hope you enjoy and before election day making sure that they get full information non-partisan information on the issues prepare themselves to vote so on voting day the last thing you wanted for them to feel like they need to overcome all these challenges to submit their ballots to make their voice heard historically voting systems have been designed around the regulatory requirements with the law that's about how to deliver elections but no one had really stopped and looked at voting systems the actual equipment, the ballot design and everything around that from the perspective of the voter so VSAP flipped that on set let's start with that for 35 years voters in LA County used the Votomatic punch card system in 2003 the silence was replaced with felt-tip pins and Inca vote was how we elected presidents and school boards and decided over 450 propositions but with every election cycle it became clear that voting technology had fallen out of step with voters' needs in every election you know something's going to happen a lot Charles Stewart is the co-director of the Caltech MIT voting technology project and provided his expertise to Los Angeles County during the earliest stages of the VSAP initiative you have to be agile to this environment because there's new ways either to screw up or there's new ways for people to cast doubt on the outcome research has shown that people care a great deal about elections they're passionate about candidates and issues on the ballot but at each step of the process they are asking themselves is it worth the effort deciding who and what to vote for is just the first hurdle how and where to vote as even more obstacles where this started was a desire to create a voting experience something more than just technology and systems but a voting experience that has the ability to measure up to the significance the fact that in the act of voting that we're doing something very individualized but it has a cumulative impact you know at the end of the day we're all voters and we all face the same challenges time education access we all just want to be able to know where we can vote have it be a place where we feel safe and we can get to relatively quick and when we walk out we feel like we trusted the process that our vote has been cast the process to design a new voting system began with the open design search it cast a wide net and collected input from a broad range of experts designers and the general public so where do we stand today this is our latest prototype this is a more sophisticated prototype it's not fully functional but it is something that we can take out to voters walk them through what that voting experience would look like it started by really getting to know the voters the various interest groups the people who had ideas about what Los Angeles needed for voting and then use that to develop a set of principles and they built this slowly and carefully in a way that so few projects have the luxury of doing and so few project leaders have the patience to do thanks for coming to vote today there is a touch screen in front of you and the paper trades to the right Helen is now loading the interesting thing about the project of course I don't live inside Dean's head but I know at the beginning Dean was very interested in the user experience we literally had people in our first forum when we started this project who I would say were pretty active critics of our operation and critics of the systems that were previously used for voting we wanted them at the table IDEO is a global design company based in Silicon Valley it was hired as a design partner to work with the registrar's office and the stakeholders advisory committee to design the concept, look and feel of this voting system a modular system that could adapt over time Dean is taking a major risk and the risk isn't like that he's doing something wild and dangerous the risk is that he's doing something radical to improve a fundamental part of our democratic system but no one else wants to do that and especially a system of largest Los Angeles county excuse me do you have ink or boat? if you think about designing for equity in voting so you think about starting with the people who have been most underserved by the audience designing for the voter experience or the customer experience is actually bringing somebody in who has those needs and having them interact and realizing that it doesn't matter if it's the right height if it doesn't feel comfortable for that person or if it doesn't give them the sense of privacy or the independence that it gives any other voter our number one goal is a private and independent voting experience say like when it says the thing about customized I couldn't reach that selection as the voting rights advocate for disability rights California Gabe Taylor brought a needed perspective to the BSAP project he remembers an early brainstorming session at IDEO you know people would be chiming in with ideas like I would want greater sensitivity on the touch screen I would want larger keys on the keypad I would want and as people would suggest different ideas someone from the IDEO team would just be popping up welcome so we seem to have some technical difficulty but we can actually go to the presentation and so the video that I was showing you it actually showed you the journey of how we created LA County created a voting system of our own it took us some time because of the design elements we were very deliberate and we wanted to have a design that was inclusive of everyone and the forefront of our design was the voter and the most important user of the system so again when we talk of BSAP voting solutions for all people it's not necessarily one system it's actually a group of systems or programs or processes that we created the first one that we create that I want to highlight is the modern tally system so once the ballots are casted how do we tabulate those ballots with the LA County's population I think our bigger challenge was how do we create a tally system that's accurate and fast as you can imagine it's the election day and 8pm everybody wants to know the immediate trends that we're losing so we had to create a new modern tally system another cool thing that we implemented is something called interactive sample ballot and I'm going to show you some images of interactive sample ballot the voters of LA County and I don't know how many of you are voters of LA County but you're supposed to get a sample ballot sample ballot is nothing but it has more information it's the contests the measures the propositions for and against all the arguments so that you can in your own time you can study those and make up your mind we digitized that we made a public facing web application called interactive sample ballot a person would be able to see their contests in the ease of their own home another full front of this was ballot marking device in fact we have a ballot marking device here today we have few individuals from our staff so if you have any questions you want to see it you want to experience the voting experience yourself it's downstairs we will be happy to take you there and show you the ballot marking device we created it ourselves including the design as well as the manufacturer another big concept was early voting the voting is really not no longer limited to a random Tuesday that someone decides in LA County we give you options to vote 11 days before that what is known as official election day so that was a new concept vote centers was another new concept that was introduced so no longer you have to go to your neighborhood precinct to cast your ballot you could go to any of the vote centers in LA County and you could vote you could cast your vote in order to do that of course we had to implement electronic poll books and then we also redesigned our vote by mail ballot as you know voters have their own choice whether they want to vote in person or vote by mail by default we send vote by mail to all the voters of LA County and electronic poll books I just mentioned that in order for us to do the early voting as well as vote centers we had to implement something called electronic poll book that way people can verify your voter registration status and check you in and you could vote now when we talk of the open source components there are several things that we intend to make open source of course the software design document which is the foundation we want to make it open source BMD or the ballot marking device and the associated software there's a management software behind it that allows us to control those devices that's part of the open source strategy interactive sample ballot which is a web application so that is definitely in the purview of open source ballot layout that's another application again for internal purposes how do we lay out the ballot so there's an application that we've created ourselves tally system tally is the tabulation system and the way we've created it is now LA County may have resources to have those high speed scanners those tend to be expensive if a jurisdiction wants to use cheaper scanners cheaper hardware they should be able to use the same system so it's hardware agnostic and then there's a cool technology that we've developed enterprise signing authority that allows all these systems to handshake with each other and talk to each other remember most of these systems are air-gabbed and isolated networks so we need some way to authenticate traveling between various systems is authentic or not just a little bit history I don't know if you guys remember but we used to have ballots that looked like this something like a high school test and it was pretty cumbersome for people to vote even for vote by mail they had to match their candidates against the actual ballot they used to mark believe it or not about 3 years ago we were still using this technology this is 1960s technology very confusing and frankly speaking the ballots also had limitations right now the most recent election that we had we had about 42 or so contests with hundreds if not thousands of candidates with this system there were physical limitations on how many contests can we have in an election and here comes the ballot marking device this is the new ballot marking device that we've created it allows people to have a great voter experience it has a touch screen it started as a concept back in 2007-2008 by 2016 we had developed the specifications and in 2018 we started manufacturing these devices so we contracted with contract manufacturer to create these devices this hardware and the associated software as per our specifications 2019 we had a mock election and 2020 was the big day which coincided with the presidential primary election in March 2020 this is a touch screen in fact I would encourage you to go there and see it for yourself the actual ballot is still a paper it actually prints a ballot and that is the official ballot that gets tabulated so we're not talking of electronic voting here because state of California does not allow us to do that interactive sample ballot this is a web application and the goals were primarily to digitize the paper sample ballot that you receive in the mail now once we digitized it we also came up with an idea that how about we can expedite the experience of people who have actually studied the ballot themselves or studied the pros and cons and they have made up their mind who are they going to vote so we came up with something called poll pass screens of interactive sample ballot at the end of interactive sample ballot it gives you a QR code that has your selections the QR code can be downloaded take a picture printed go to a vote center scan it in a BMD and it pre-populates it does not cast it pre-populates your selections kind of a speeding up of voting experience imagine if there are 25 different contests and every voter starts reviewing and making their mind at the vote center that's going to slow down things in LA county with about 6 million voters that can be pretty daunting task so we have to keep in mind our operational nuances as well so interactive sample ballot and the poll pass is one way to speed up the ballot absolutely we do not capture that data the question was about do we have any statistics about the poll pass or how many people use it the answer is yes we have all that data how many people now one thing to keep in mind is that by design we do not capture voter information we don't want to capture any voter information so we don't need to know who the voter is and what choices have they made so it's by design a disjointed process and we can talk about it a little later as well another cool application that we've developed is the ballot layout application we worked with secretary of state we worked with the legal teams, the design teams we went out in the community we asked them how would they want to see their vote by mail ballot and of course we have to work with a ballot printer somebody who can print these at a mass scale so we worked with certain elements that are given on the screen every contest or every election will have a specific color that's assigned by the secretary of state by the way in California secretary of state is the regulatory and the authority over so we have to follow their guidelines the layout we made it more dynamic so that it's up to us if we want to add some instructions for the voters because these will keep changing and of course we added customization we could add pictures we could add our own text and then this was all done with mark sense technology so that there are some registration marks the system can read for many many many years this is actually one of the pictures of our old system these are IBM cards, card readers they're pretty fast but at the same time it's a primitive technology it was based on Microsoft DOS literally three years ago we were running our elections and tabulating elections on Microsoft DOS in 2020 we changed all we used to have about 40 ballot readers and the vision was how do we change that we wanted to create a modern interface for the operators as well as for the administrators and we wanted the ballots to be full face front and back these old antiquated readers could only read one side and then we also wanted to track the ballot especially when it comes to recounts when it comes to auditability we want to be able to know where is this ballot remember in all this there is no voter information voter's job is once they come to a vote center they check in that's it after that whatever happens it's an anonymous ballot we don't have any idea how to match them another cool thing that we did was ballot viewer and this is where we got some ideas from other companies that have multiple millions of transactions happening so we used Kubernetes, Docker, CentOS we created a ballot viewer that will give us all the information about the ballot it also has an image of the ballot and what system has incorporated we also added different options so that we know exactly where system has identified the marks what is the threshold is system confident enough in fact we've been doing auditing after every election since 2020 the system has actually performed 100% accurately so our confidence has gone up drastically as well thank you just a glimpse of LA County we had to come up with new facilities new operational flows we created a new facility in Downey there is a designated area where media and public observers can come in and watch our process we deliberately made it transparent because we want people to watch us, we want people to see what is being done and we also added monitors so that the operators of tally system whatever they see the public can see we also stream it online so that there is a full public transparency and we've seen transparency always triggers public trust people start trusting the system if we are fully transparent COVID was a great opportunity for us to stream because if people couldn't come in in our building they would watch it from their home these are the scanners certain salient features are scanners can scan front and back 500,000 ballots in a regular shift shift of 8 hours we have multiple I would say about 40 staff working in one shift there are document details that are shown right away and these scanners actually are pretty good if they are unable to identify the QR code they will put it in a different pocket or a different slot so that those can be validated by humans another component that we've created is the enterprise signing authority this is a critical piece we create certificate keys a public-private key combination before every election or from time to time whether it's one year or two year as per the policy and then those keys are distributed to all the systems by hand and we track where exactly these keys have gone we use iron key as a USB device so that we have full control of we can even delete that remotely in case of a breach a lot of measures and controls now when it comes to components of open system at a very high level we want it to work on the governance framework how are we going to govern as the vSAP now it's been in use for two years we are the pioneers we wrote this the intellectual property belongs to LA county how are we going to govern the code management as you all know code management is a big piece and we're gonna work on that infrastructure of course whether that's in cloud or in house that's yet to be determined but we would seek some feedback from open source community about pros and cons and licensing frankly speaking the lawyers at LA county they would work on the licensing mechanism whether we piggyback on the existing licenses in open source or something else something we are working with our council the comment is if you license it it's not open source I think there are legal ramifications there are license agreements with the open source software as well whether that's Apache or MIT whether it's copyright, copy left that's what I meant by it that we are still trying to determine so the next step is of course governance model that's something we are working very diligently very very closely with Secretary of State yes that is correct Los Angeles County doesn't want to be a vendor we are a public entity this was never we never mean to be a vendor when VSAP let me give you a little bit history when VSAP was conceptualized we knew that we have antiquated systems we knew that we have to modernize and frankly speaking when it comes to elections the entire market place is kind of control I shouldn't say control but there is a vast majority of market which is owned by a handful of vendors maybe a dozen or so and frankly speaking nobody could scale to our level they are great for smaller counties but LA County and that's when we wanted to break this dependence from the vendors we wanted to create something for ourselves if it can work in LA County it can work in any jurisdiction within the nation and whatever investments we have made for design and development we want to give that back to the election community so yes you are right our intention is to give the system this code to the back to election community so that they can use it and again it doesn't have to be all or none they can even take pick and choose they can take tabulation system for example they can still use their own ballot marking device or whatever devices they want to we want to leave it open and another benefit that we want to get from open source community is transparency and security frankly speaking if there are more eyes on the code it will be better and better especially when it comes to security so that's something we want to work with Secretary of State so that they can create certification and regulatory framework and the open source community in whatever way if you all can reach out to whoever you can and push for regulatory framework definitely something we would we would love to collaborate with you code management versioning again it's relatively a simpler thing but that's something we can work on whether we put the code in github there are several examples that we've looked at infrastructure goes with code management outreach and communication we want to be very open and transparent whenever there's a new version of vSAP we want the community to know we want our users to know and we want all the jurisdictions to know this is the new system this is the enhancement there's got to be a communications protocol and a platform there security patches and vulnerabilities I think that's a big one because imagine one version of vSAP is certified by Secretary of State in California let's say Texas wants to use it Secretary of State is not their regulatory body and there's a vulnerability that is identified how do we patch it if it's right before the election do we patch it right away so there are some nuances again not a huge thing it's not a big barrier but these are nuances that everybody has to understand and consider remember this is the first time in election industry something like this has been done so we are actually breaking ground a lot of our community doesn't understand or sometimes they are not even ready sometimes people think that if we make it open source it's going to be more vulnerable to hacks and stuff but my counter argument is that we have controls and measures in place the entire system of ballot marking devices is isolated contained in one physical location that itself has some inherent security built in licensing as I said that's another thing what happens to the third party libraries because frankly speaking there are thousands of them we built on top of open source stack but there are many libraries these libraries come with their own licensing some are restrictive licensing and some are permissive how can we frankly speaking we have to probably scan through the entire code base and start identifying the libraries that we can ship as part of our open source model or we may have to update our documentation some libraries may have their own licensing and their own terms and conditions that the consumer may have to sign just to give you an example if there's a arbitrarily if MySQL is there there might be an agreement between MySQL and the user they may have to get into or at least agree to their terms and conditions so there's some work to be done the system has worked for us it's still in its early stages I would say two years right now and we've had about three or four major elections so I think the time is right we want to go through and we want to make our software ready for open source yes questions so the question is Secretary of State Shirley Weber what are the concerns that she has when I say Secretary of State I do not mean the Secretary of State Shirley Weber I mean the office of the Secretary of State they have a team we work with them they are certification authority they have not told us if there are any concerns and frankly speaking we have gone through multiple levels of testing penetration testing we hired our own companies in addition to the certification bar that any voting system has to meet in fact we raised our bar so much that the certification testing becomes a cakewalk so I would not say that Secretary of State herself has any problems or issues because we don't interact with her directly her office we are in touch with her office and we are just working with them on the certification and the regulatory framework so the question is what type of measures and controls do we have during an election for the tally system we have several I would say more than a dozen or so different steps that we have to go through before every election the certified code which is in a repository we call it trusted build we have to reinstall the software from that trusted build always so imagine we keep conducting elections after every election we wipe out our production servers we archive them and we reinstall the software from a trusted build so that we are getting it from one source there is a hash value verification are we indeed getting the same trusted build that's been certified or not once the system is installed then we do a public logic and accuracy test this is a public event where members of public and observers can come in and watch us do a logic and accuracy test and logic and accuracy test is nothing but we go through each and every possible combination in a ballot it just goes in millions and see if tally system has read each of them, each of those combinations correctly or not and we test end to end the entire system during an election after all this testing during an election we keep scanning the ballots throughout the 11 day or 15 day election day itself 8 o'clock so by law 8 o'clock is when we are supposed to tabulate the system the ballots 8 p.m. we tabulate and then there is a frequent frequency determine every 2 days or every 3 days there is going to be regular updates and that period is called canvas period during the canvas period we do 1% annual check of all the ballots of all the contests and again it's a public event observers and campaigns are generally watching us campaigns will send their people who will be looking over our shoulders it's generally divided into a glass barrier so that people can watch us while we do our work once the election results are certified we again do a public logic and accuracy test the same test and once everything is done once the election is certified then there is a period of 30 days when people can contend the results are not accurate the campaigns come back to us sometimes sometimes they don't and then we do whatever is legally allowed and then we wipe out the production servers before wiping out we archive everything into a storage and production server so it's a rather intense activity from technology as well as from the operations but we make sure that we are doing everything possible above and beyond what we are supposed to do legally great question do we have other jurisdictions that have expressed interest the answer is yes there are many jurisdictions and you can imagine LA county being the largest in terms of population whatever we do gets highlighted very visible nationally and internationally so there are many jurisdictions within the US that have expressed interest they are just waiting for you know either get a hold of the code or some jurisdictions basically just want to take our ballot marking devices the device that you will see downstairs some they just want to take our tally system some are only interested in learning about our operations and maybe take aspects from our operations any other question yes I would say it's less than a dozen ten or so yes and as the things mature as the word goes out as the public trust is established in fact we have started seeing that people trust our system so much that the amount of questions that we were asked earlier three or four years ago the nature of the questions has changed the number of questions are becoming lesser and lesser so it just shows and then we get feedback from the public as well what do you want us to change the system is modular it's a living system we are continuing to change the system and the idea is public trust and transparency yes question great question something very near and dear to me so the question is when you vote there's a QR code that gets printed on the ballot how as public member of a public how can you know what's contained in the QR code so we've made it all transparent the QR code contains there's a chance I can show you when the ballot gets printed if you are voting for Mickey Mouse or whoever there is there is a string associated with that value in the QR code that string is contained in the QR code you can use any scanner your camera phone camera or any scanner and understand what those values are we create a database before every election and we publish it what is 25 means what is 49 means what is 2FC means so that people can independently on their own verify what is in their QR code in an instant you can also there is a human readable selections that you have made whether it's in English or other languages you can actually read what your ballot contains both from human readable as well as QR code we are being fully transparent I think there is a question here there is never going to be a discrepancy human readable human readable so the law says the intent what is the intent of the voter who are they intending to vote and we see that in vote by mail so there are rules and regulations around it yeah and that's why we test the system so much I think there is a question at the end great question it was two part question one is about the bug bounty program that is something we are working on as I said we've established a pretty well defined cyber security program and we work with a lot of agencies including DHS at the federal level and at the state level FBI and even the third party security companies as well but bug bounty is definitely on the horizon something I cannot comment right now when would it happen but that's something we are considering the second question was there is no way for voters to know who they are registered as and who did they vote for I think that's a legal question and the policy maker question unfortunately I wouldn't be able to tell you I'm a technologist I make things the democracy and how the voting happens in the United States or in California there are laws we merely follow the laws so I think it's more of a policy question rather than it's not the first time but I think and I can understand both sides of the story I can understand why things are the way they are there needs to be a privacy I mean if I'm a voter why does registered need to know who did I vote for I wouldn't be very comfortable letting anybody know it's a very personal experience right in some other jurisdictions in some other countries it may happen I cannot comment but again there are policy questions there's a question yes the question is you know if it's our intent LA County's intent to make it open source the answer is yes that is why this was the prime philosophy behind VSAP we wanted to break that dependence from the vendors because frankly speaking in vendor supported system there were a lot of flaws accessibility was something that was add-on I think that was an afterthought we didn't want that we wanted the in fact the law says in a vote center there should be one accessible device all 100% of our devices are accessible so I mean that's the kind of bar we are raising for ourselves you mentioned that there's an inertia and there are risks if we further delay it yes you're right in 2020 2020 had two major elections the primary and the presidential general so 2020 was the first year when we rolled out for ourselves we refined our processes we made enhancements we added some more languages in 2021 we had a recall election in 2022 we just finished the gubernatorial primary so I think the time is right right now and we want to make it open source it is and again for the benefit of open source community we want it to be fully transparent we want people to audit our code we have and that's the philosophy that we bring to the table even the transparency that I spoke to you about that people can actually watch us what we do we want to be fully transparent so there are as I said issues or items that we are working on I think the governance and the regulatory framework would be something big one that we would need Secretary of State to collaborate with us there are questions this is something new that we are doing this has never been done it's a breakthrough so I think the governments also need to mature and learn from the private industry and see what's going out there there are several examples at the federal level you know open data for example sure there's nothing wrong with that and I totally get it I understand where you are coming from where we are coming from is we want to make sure that all the regulatory bodies they know exactly what we are doing what are the rapid questions once it's certified another county takes a certified code do they do the certification testing or do they do operational testing do they do a functional testing because in various aspects it can be a same mirror of what we do in many cases it may be totally different it may look very different for other counties so yes you are right opening up of the source code and as part of our certification testing we have opened it up in a controlled manner to much more scrutiny than any other voting system they don't have it entities they don't do all that but we went above and beyond we invited DHS to do a critical product evaluation on our dime we invited two or three third party entities to do a security testing vulnerability testing penetration testing and all the responses all the feedback that we get and again software will have bugs there will be security issues and we are always trying to before any major version that we release and get certified we're always addressing all the security bugs and all the vulnerabilities that are found yes so there are multiple layers of issues and I'm sure we'll collaborate with the open source community and move forward that's our intention we don't want to hold back it's just that these are certain gotchas and nuances that we are working on and in government as you know things take their time but we LA County prides itself that we've done this work so fast I'm telling you I was here in 2019 and 2018 we were still using old Inca card Inca vote and the cards technology unfortunately I think I will have time for one and then maybe we can close out the session and then I'll be hanging out here if you have any questions one on one we can talk about it just one last I'm sorry I think I've had some questions I think this gentleman wants to ask something yes so the question is has Secretary of State expressed interest in publishing the code themselves unfortunately that's not the case Secretary of State's office has expressed interest that they want to make it open source they want LA County to take the lead we are working they are committed to creating a governance framework and certification framework but there hasn't been any conversation that they will publish so I think those are certain things that we are still working on with them hopefully we come to a resolution and we just make it available on GitHub great thank you thank you very much that's what you insert in your satisfactory device that tells you that these are the content that needs to be changed a lot of people people move in people move out of the county people die people turn 18 so it's a moving data right now it's coming out of 5.7 to 5.8 so vendors involved in multiple systems always been vendors were severely holding and then it's in our control all the management I don't know the percentage because many systems have different program lines so we go back central so there's a mix we are here so rel is where we are leading for we start with the planning for the next version and Red Hat we are talking with them we want to move to much more standard because frankly taking the central it has taken us this far to get the skill set to break down the standard and then there's software that controls what they have going for them we have to get the loss back so by the same algorithm there's actually a part of it that is hard so we have created these boxes or cards in which these are stored these devices are stored and these boxes and cards are relatively smarter so we shut down all the rest four devices in that card the card becomes useless if a forward device comes in so I think there are many controls and measures in place when it comes to security I'm not saying it's an end-all I think there's still much more we can do and we want to get those kind of ideas for the security community what more we can do if some jurisdiction they can manufacture it's a different software they can manufacture for the help so there are some protection obligations for the manufacturer they are the only ones right now but eventually the idea is to make it's very hard for mine but I would encourage you to work with our office it has to be done by a sector of space there's a running machine there's a running machine, one vendor but sector of space is in charge it won't just benefit any company I think we've come this way we've come far I want that I want to know that one of them is a VMD ID so once that ballot goes forward that means we run it forward we have the ballots that say in the VMD that there's one ballot if that happens we will know there's a foreign ballot now what you say oh who did it, that's the investigation that will take time so we will call the cyber experts and have the data the FBI that's involved all of those 2019 sector things