Re: AB 2097 -- Proposed Amendment

From: Joseph Lorenzo Hall <joehall_at_gmail_dot_com>
Date: Wed Apr 19 2006 - 20:13:25 CDT

On 4/19/06, Alan Dechert <> wrote:
> People are concerned what happens if vendors refuse to comply.
> Currently, Sec 2, (4)(f) says,
> A public review process shall be in place by
> June 30, 2007. In the event that a vendor of a
> system certified before June 30, 2007, refuses to
> comply with the disclosure requirements, his or
> her system shall be decertified. The Secretary
> of State shall ensure that a suitable replacement
> be available.
> Here's what I'm thinking ....
> A public review process shall be in place by June 30, 2007. If, by February
> 1, 2007, the Secretary of State is for any reason dissatisfied with vendor
> compliance progress with provisions of this measure, the Secretary of State
> may contract with any or several campuses of the University of California to
> create voting system software to run on existing voting system hardware or
> replacement COTS hardware. In this case, the Secretary of State will forego
> the federal certification process normally required.

I was going to propose alternative language, but I'm not sure I can
(I'm in a hurry).

Here are my thoughts:

* You'd still want the provision in there that systems would be
decertified if the vendor doesn't comply.

* Why just UC? It would be better if businesses were included and it
specified that the work would have to be done under a license that
meets the requirements of the bill (public disclosure). Also, who
gets the copyright assignment? The contractor or the SoS? (In general
the government isn't allowed to have copyright but can be assigned
copyrights in works... you'd definitely want an IP lawyer's opinion on
this instead of mine. :) ).

* It's unclear if the contractor would be writing software for *all
systems* where a vendor didn't comply or would be writing software for
just a single COTS platform (like the OVC design).

* I'm on the fence about the federal certification part. First,
regardless if this is a smart thing to do, doesn't HAVA require
federal certification for systems used in federal elections? I think
so (although there's no fed. election in 2007). Second, it's unclear
to me whether or not federal certification is a useful thing anymore.
Obviously, systems (the TSx) have made it through the fed. cert.
process when they were blatantly non-compliant. The standards
themselves aren't that good; for example, it's not that you'd want to
ban interpreted code altogether (HTML, Java, etc.), what you want is
to make sure that the software that is tested doesn't change between
the test/audit and the election. That requirement will be in the VVSG
until the next revision of the standards... which won't go into effect
until 2010 at the earliest. However, there are some useful things that
happen at the federal level that, say, the CA SoS would be poorly
positioned to test (shake and bake testing, etc.) and I can't imagine
academics like Wagner, Jefferson and Bishop will be available to do
source code audits indefinitely in the future.

This is all written very quickly... so I apologize for any mistakes,
overgeneralizations, misstatements, etc. -Joe

Joseph Lorenzo Hall
OVC-discuss mailing list
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Tue May 2 21:06:52 2006
