E-voting companies file code
Voters may demand escrow data
By Michael Hardy, Federal Computer Week
Published on Nov. 8, 2004
In the weeks leading up to the Nov. 2 election, officials at five electronic voting machine companies filed digital signature information for many of their software products with the National Software Reference Library, a repository maintained by the National Institute of Standards and Technology.
Although the officials filed the signature information rather than source code that people can read, computer experts say that it could be useful, within limits, if disputes arise about voting software used in elections.
The data stored in the library can be used to verify that the software used on voting machines has not been modified, said Barbara Guttman, manager of the interoperability group in NIST's Information Technology Lab. However, the library does not have copies of the actual software code, she said.
What the library has is a "hash of the binary," said Aviel Rubin, a computer scientist at Johns Hopkins University and a critic of e-voting technology. Hashing is a cryptographic process that computes a signature code from the binary machine language derived from the software's source code. If the binary is altered, its hash no longer matches the one on file.
Verifying that the software itself is unaltered is not enough to ensure voting security, said Rebecca Mercuri, computer scientist and fellow at Harvard University's Radcliffe Institute of Advanced Study and a critic of electronic voting.
"Just because it's archived doesn't mean that the software is safe," she said. "It doesn't mean it was used correctly. It doesn't mean the ballot was laid out correctly." 
The filing offers only a back-end reference for checking and is not a visible assurance for voters, she added. "The voter going in to vote doesn't know that the machine has the same version of software" that the company filed, she said. "It's not a transparent process. It's one step in a multistep process."
Officials also have wide latitude in how they approve software for use, said Kim Alexander, president of the California Voter Foundation. The process doesn't always require analyzing source code.
"The federal voting system standards are voluntary, and about 40 states claim to follow these standards, but doing so is not always a matter of state law," she said. "States that don't follow the federal standards do have their own standards sometimes, but those standards may not require source code examination."
Alexander said determining the best method to approve software might become more of an issue than it has been in elections so far.
"While it would be difficult and perhaps impractical to mandate a uniform voting system across the country, it seems obvious that, at a minimum, we should have mandatory security standards and procedures for federal contests imposed by the federal government," she said.
Officials at a sixth company, VoteHere Inc., submitted hashes of their auditing software. VoteHere's system is not a voting machine. Instead, it offers auditing capabilities for machines made by other companies. Avante International Technology Inc. officials will submit code for the Vote-Trakker system shortly, Guttman said.
E-voting has aroused considerable suspicion, and many fear that such machines can be programmed to skew election results in a way that would be difficult to detect. 
The heightened attention makes it particularly critical that the software not be changed after voting authorities accept it, even with a seemingly innocuous software patch or bug fix, said Will Doherty, executive director of the Verified Voting Foundation, a group that favors paper backups and other safeguards for votes cast electronically.
The software reference copies will help ease those fears, Doherty said. "It's not all we would ask, but it is a step in the right direction."
Officials of the federal Election Assistance Commission had been urging companies since the summer to file the code. 
NIST's library maintains similar code for more than 5,900 applications, Guttman said. 
The reference copies improve the overall security of the electoral process, she said. With them on file, altering code without detection is harder than it would be otherwise. "Security is about making things harder, not impossible," she added.
A measure of uncertainty in the voting process always exists because of differing practices at individual polling locations and varying state laws, said John King and Ellen Theisen, who run an e-voting watchdog group called Voters Unite. 
Theisen said the companies' gesture might be a publicity stunt. "It seems a lot like that to me," she said. "I can't see it being all that useful. I'm just wondering what real value it has." What if voting officials find out that their software has been changed, she asked. "What recourse do they have but to say, 'Huh?'"
Alfie Charles, a spokesman for Sequoia Voting Systems, said the company will keep its software in the library up-to-date as new versions come out. "The objective is to make sure that there is a copy of whatever programs are in use in our elections," he said. "As upgrades are made, changes are made, the upgraded versions will be released" to the library.
***
Code for safekeeping in library 
Before Election Day, officials at five manufacturers of electronic voting machines placed digital signature information for their voting software in escrow, where it could be examined in the event of disputed election results. The companies are:
Diebold Inc.'s Diebold Election Systems.
Election Systems and Software Inc.
Sequoia Voting Systems.
Hart InterCivic.
Avante International Technology Inc.