January 15, 2006

Advocates urge adherence to North Carolina voting code review

Author: Jay Lyman

Advocates for transparency in electronic voting systems praise North Carolina's Public Confidence in Elections law that requires rigorous review of the code used in the state's certified elections software. They just wish North Carolina elections officials would adhere to the legislation.

The Electronic Frontier Foundation (EFF) has sued the state's Board of Elections and Office of IT Services on behalf of voting integrity advocate Joyce McCloy for certifying Diebold systems for use in the state without the legally required review.

While they concede the legislation mandates perhaps the most rigorous review of e-voting code in the US -- it requires code review based on nine criteria, including code and application security -- transparency proponents fear that North Carolina lawmakers will fold under pressure from e-voting system vendors, including Diebold, and undo the requirements.

"The election code [law] is very good on the transparency side," EFF staff attorney Matt Zimmerman told NewsForge. "It shouldn't be thrown out because a company can't comply, and I hope elections officials don't cringe. This is a very stringent election code -- the most stringent in the country. Part of the problem with new [e-voting] systems is that the law, in a lot of places, simply hasn't caught up to the technology."

Despite Diebold's arguments that the North Carolina law is overly broad, Diebold Director of Marketing Mark Radke told NewsForge the company has not fought a thorough review of its systems and code. "In fact, just the opposite is true," Radke wrote in an email. "Our systems have been reviewed more than any other electronic voting system in the marketplace, and are viewed as secure and reliable."

That contention may be arguable, considering past reports on Diebold code, including Johns Hopkins University professor and e-voting expert Avi Rubin's critical review. In an email, Rubin said Diebold's contentions that their systems are among the most thoroughly tested and trustworthy in the country reflect how poorly voting systems have been tested in general in the US.

"When we looked through the Diebold source code, we found it to be poorly written and incomplete," Rubin said. "If their systems are truly among the most rigorously tested and trustworthy, then we are all in a lot of trouble."

Rubin added that the North Carolina law is a step in the right direction to increase transparency and decrease the likelihood of a rigged or flawed voting machine ending up in use.

"It's hard to imagine that there would be anyone that would not fully support such a law," he said. "This should be the absolute minimum required standard for security practices."

Radke nonetheless indicated that while escrow and review of code is common for such systems, the North Carolina law requires review of any and all code associated with the system, including some that Diebold does not control.

"Diebold has escrowed its election system source code in a number of states, and would gladly escrow our software applications in North Carolina," he said. "However, the North Carolina state law requires the escrowing of 'any' software used with our election system, which includes Microsoft software products and other third-party suppliers. Diebold does not have direct access to the source code of third-party suppliers and therefore cannot meet the requirement of the very broad state law. This will be a problem for any vendor wishing to provide election systems in North Carolina."

After fighting Diebold's lawsuit seeking an exemption from the law and winning, EFF attorneys and observers including Rubin were stunned when Diebold continued its effort to certify its e-voting systems for the state and succeeded.

Zimmerman said that with the law, North Carolina's lawmakers made progress in addressing some of the issues that plagued e-voting systems in the fall of 2004, but election officials brought the state back to faulty procedures in its request for proposals (RFP).

"There were problems in the RFP that led them down the wrong path right away," Zimmerman said, referring to the state's new requirement that all code relevant to voting systems must be reviewed. "From the beginning, prior to certifying, they should have reviewed all this code. It's a bit of a tall order here, but let's remember what we're talking about."

Instead, according to Zimmerman, North Carolina's Board of Elections relied on reports from the Independent Testing Authority (ITA), which has OKed systems and software that have been problematic in the past.

"The [North Carolina] legislation required hiring of source code reviewers," Zimmerman said. "They didn't do that. It's a rather straightforward rule of law question. They can do [the required review], it's just that it's difficult."

Diebold's Radke complained the North Carolina law would not only require a review of all the code involved in the Diebold e-voting system, but would also require identification of all developers of the code. "This means all the developers involved in the creation of the Microsoft operating system products and other third-party software products would have to be listed," he said. Radke again blamed North Carolina's stringent code review as prohibitive for vendors wishing to provide the state with e-voting technology. "We will gladly escrow the software we have developed, as we have in many other states," he said. "However, without a modification of the state law, it is believed that no election system manufacturer can meet the requirements of the law, which constitutes a felony charge if not met."

While Diebold has dropped its bid to have its systems cleared, many remain concerned about the fate of the state's e-voting legislation.

Calling transparency an important piece of the trustworthy e-voting puzzle, Zimmerman said the North Carolina fight has implications for the rest of the country. He said the North Carolina legislation may indeed provide an opportunity for open source e-voting systems. Unfortunately, according to Zimmerman, those systems have yet to emerge.

"A lot depends on how this turns out," he said. "There's no quick fix here. I hope they don't change the law. That would be a horrible mistake."

While no open source systems were considered in North Carolina, and none have achieved federal accreditation, Zimmerman said he hopes that will soon change. "I'm encouraged," he said. "I'd love to see an open source system developed. It's just not there yet."

