Can State Ignore Its E-Vote Law?
By Kim Zetter WiredNews Dec. 14, 2005 PT
E-voting rules head to court this week in North Carolina, where election officials stand accused of ignoring a tough new state law designed to raise the bar on procedures to ensure machines are secure and accurate.
A hearing is set for Wednesday in the suit, filed by the Electronic Frontier Foundation, against two state agencies in North Carolina for certifying voting machines in violation of state law. Though it's limited to North Carolina, court watchers say the case is a critical test of one of the strongest laws governing how e-voting machines are scrutinized before they are used in elections.
"Everyone is watching this carefully," said David Jefferson, a computer scientist at Lawrence Livermore National Laboratory and chair of California's Voting Systems Technical Assessment and Advisory Board, which advises the secretary of state on voting systems.
The case comes as e-voting-machine makers put on their best faces in advance of looming deadlines for states seeking to qualify for federal funds to replace aging voting systems.
Amid the jockeying, Diebold Systems chairman and chief executive Walden O'Dell resigned from his post Monday. The move caps a controversy that engulfed the company after O'Dell wrote a fund-raising letter at the height of the 2004 presidential contest promising to deliver Ohio to President George W. Bush.
In the suit filed last week, EFF says the North Carolina State Board of Elections working with the Office of Information Technology Services certified two vendors to sell machines in North Carolina although the vendors did not comply with a new law requiring them to place all source code for a system into escrow before the machines could be certified.
The suit also charges state officials with breaking the law in failing to review the source code before certifying voting systems of the two vendors, Diebold and Election Systems and Software.
The Public Confidence in Elections bill was passed after e-voting mishaps in 2002 and 2004 angered North Carolina voters and election officials. In the state's 2002 primary, touch-screen machines made by Election Systems and Software experienced problems in two counties and lost more than 400 ballots. Then last year during the presidential election, electronic voting machines made by UniLect lost more than 4,500 votes.
To prevent future problems, the law mandates that voting vendors place source code for "all software that is relevant to functionality, setup, configuration and operation of the voting system" into escrow and provide a list of all programmers who created the software. Breaking the law is a felony and carries civil penalties up to $100,000 per violation.
For their part, the state Board of Elections is required to review or designate an independent expert to review all source code made available by the vendors.
"It's a really good, really robust transparency-in-election-processes bill," said EFF staff attorney Matt Zimmerman. "The statute really has teeth and does more than the pro-forma requirement that other states have."
Zimmerman is referring to laws in some other states that require vendors to place source code in escrow but don't require state officials to examine the code or allow technical advisors to review it.
"That's a reason North Carolina is important," Jefferson said. "It's a positive requirement on the board of elections that they study the code, which would be a precedent-breaking feature (of election law)."
In November, just as North Carolina was closing its bidding process for voting vendors, Diebold sought a temporary restraining order to exempt it from liability under the law.
Diebold spokesman David Bear said the filing was necessary because Diebold's system uses some commercial-off-the-shelf software, or COTS, created by other companies. Its touch-screen machines, for example, run on Microsoft's Windows CE operating system. Bear said Diebold didn't have authority to escrow code belonging to another company.
"Obviously we have no problem providing our own source code; we do provide it in other states," Bear said.
Bear said Diebold wanted the court to protect it from liability until it could clarify the law with state officials. The court ruled against Diebold.
After Diebold told the Board of Elections it couldn't comply with the law, the board certified it and Election Systems and Software anyway. ES&S initially told the state it could comply with the escrow law but changed its statement after Diebold went to court.
"After Diebold brought the case and we had an opportunity to dive into the details of the decision, it became clear to us there were some things we needed to discuss with the state as well," said ES&S spokeswoman Jill Friedman, referring to the fact that the company's optical-scan machine uses Adobe Acrobat, for which the company could not legally provide source code.
North Carolina's decision to certify the vendors came under a looming deadline.
Under the Help America Vote Act of 2002, states receive federal funding to replace outdated punch-card and lever machines with new electronic equipment if the new systems are in place by the first federal election after Jan. 1, 2006. North Carolina's primary is in May, with early voting in April. In order to have systems installed and workers trained by then, counties need to purchase machines by Jan. 20.
States aren't required to upgrade their machines but they are required to provide disabled voters with at least one accessible voting machine per precinct. Only electronic voting machines with audio guidance satisfy that requirement.
Board of Elections Executive Director Gary Bartlett declined to discuss the issue while the lawsuit is pending. But officials previously told reporters they considered the law for escrowed code satisfied if vendors provided all of their own proprietary code.
The board also said it didn't have to review the source code because testing labs that qualified the systems at the federal level reviewed the code.
"The law says you have to meet both federal and state requirements," Zimmerman said. "In the name of transparency, you simply can't let election officials start making up rules when they get into a bind. We're not saying none of these systems can be certified, but they have to go through the process by which this legislation was designed."
Zimmerman said federal testing alone was inadequate because vendors regularly upgraded and patched systems after the testing. Federal testers also didn't examine COTS if the voting vendor didn't modify the software.
This has long been a stickler for voting activists and computer scientists who say Diebold does modify Windows CE. Furthermore, COTS software is just as vulnerable to tampering as any other software and probably more so if hackers or election fraudsters know it will never be examined. This is why, they say, the North Carolina law is so important.
"We've had so many problems with these machines in the past," said Joyce McCloy of the North Carolina Coalition for Verified Voting. "We just want election officials to follow the law the state passed."