By Declan McCullagh, 9 June 2004 08:45
Electronic voting machine vendors should make their source code available for scrutiny by state elections officials, the head of a federal voting commission said.
DeForest Soaries, chairman of the Election Assistance Commission (EAC), said disclosing the source code - the line-by-line instructions that comprise an electronic voting machine's software - would help to restore public trust in the elections process. Vendors should not "have the right to keep this source code a secret," Soaries told a dinner gathering of Maryland election officials.
Soaries' suggestions, which also include standardised security checks and better record-keeping of problems, stop short of calling for paper receipts from electronic voting machines. Some advocacy groups are lobbying for "voter-verified paper ballots" that would create a physical audit trail to flag what could be a buggy computerised election machine.
"I find myself at the middle of a national debate that will quickly go global," Soaries said. "How do we secure electronic voting devices for the 28 or 29 per cent of the population that will use them?"
Some 50 million Americans are expected to use e-voting machines in the November election.
It's unclear, however, what impact these recommendations will have. Soaries readily acknowledges that the commission he chairs has no authority to impose its views on state election officials, and he said he had not yet approached the other three members of the commission to seek their endorsement.
"Now is the time for computer scientists and election officials to get together and solve the problem," Soaries said.
His recommendations include:
The EAC should ask voting machine vendors to release the source code to states under nondisclosure agreements. Computer scientists in each state should be asked to sign the agreement and review the code.
An existing National Software Reference Library, operated by the Department of Commerce, should be expanded to include source code for voting machines. Using a technique such as a checksum, state officials would be able to verify that their machines are running the same code as the version in the library.
States should undertake "enhanced security measures" in November. One suggested option is cryptography, which is receiving favourable reviews from the computer science community.
Problems with electronic voting machines should be compiled and analysed. No federal database of such glitches currently exists.
Linda Lamone, Maryland's election administrator, called the recommendations "terrific" in an interview after the dinner speech.
Maryland, which uses Diebold e-voting machines everywhere but Baltimore, already has access to the source code to the devices under a non-disclosure agreement, Lamone said. "We already follow some of the recommendations."
Congress created the EAC as part of reforms enacted after the November 2000 Florida election debacle. It's charged with certifying election hardware, doling out billions of dollars in grants to states and "conducting studies and other activities to promote the effective administration of federal elections."
Declan McCullagh writes for CNET News.com

Comments
1. Jim Garrett
This article describes some positive developments for e-voting security, but what's described here is far from "open source." Open source would give people the right and ability to fix problems they find and distribute the fixes to others.
As the article mentions, Maryland has already received source code under a non-disclosure agreement. They gave it to security experts in academia for an assessment. The experts declared, in essence, that not only were there numerous problems, but they were skeptical that Diebold had the means to create fundamentally secure software. So where are we now? Well, Diebold has made some changes to their software, perhaps enough to make the shrieking subside to a dull roar and give the impression that Something Is Being Done. But are all the problems fixed, and is the software now fundamentally sound? Yeah, right.
Open source means the right to FIX problems, not just see them. And I'll just mention that open source software is available for _all_ to see, not a select group of designated experts.