Re: CA voting bill we're drafting

From: Ron Crane <voting_at_lastland_dot_net>
Date: Fri Jan 20 2006 - 15:27:35 CST

I largely agree with Mr. Johnson's comments, but think we need to go
farther. Here's what I think we need.


1. The bill should require the full procedure for publication of all
sources (including firmware, hardware schematics, bills of materials,
etc.), review, incorporation of comments, production of the final
version (with appropriate checksums), and verification via public build
and checksum comparison.

This implies, of course, that all source must reasonably be buildable
and checksum-able by the public, which implies that it may not use
proprietary build systems, compilers, linkers, etc. – and that it must
refrain from using expensive ones (e.g., Rational Rose), too. Also the
vendor must provide full instructions so that any reasonably-competent
software engineer can download the source, buy the tools, build
everything, compute the checksums, and compare them without undue
expense or delay.

Also, all sources must be published long enough before deployment to
allow useful public review.

2. The bill should require that the vendor incorporate reasonable
security-related comments. This will have to be mediated by a review
board; let’s call it the California Elections Integrity Board. This
Board should have a small number (say 5) of technically-versed voting
members and a technical advisory group. The bill should prohibit any of
these people from having ties to vendors.

3. The bill should prohibit any use of equipment (software, firmware, or
hardware) of any kind that has not undergone the required review, and
there should be criminal penalties for violations.

4. If a fatal bug is discovered near an election that would require
unreviewed patches, the jurisdiction must conduct the election using
another certified system or by the use of hand-filled, hand-counted
paper ballots (with assistance available for the disabled). If a fatal
bug is discovered during an election, the election must be voided and
re-run in the affected jurisdictions using another certified system or
hand-filled, hand-counted paper ballots.

5. The bill must proscribe all NDAs. Even pre-purchase NDAs are
problematic because they actively prevent public review until the
jurisdiction has committed itself to lease or buy the machines. At that
point, the officials who’ve leased or bought have put their reputations
on the line, and will find it very difficult to reverse themselves,
irrespective of what the public finds during its review. Essentially
they’d have to be heroes to do the right thing.

Voting systems do not use rocket science, and secrecy surrounding them
serves no useful competitive purposes. And even if it did, those
purposes are heavily outweighed by the need to ensure elections’
integrity. Vendors are not just selling stuff, they’re acting as
fiduciaries for a vital public trust. Therefore the bill should require
that all source code (including firmware source, FPGA programs, ASIC
code) and all hardware design information (including schematics, bills
of materials, etc.) be made public (and easily-accessible on the web)
concurrently with any bid.

California has the power to create a revolution in how voting systems
are produced and supervised. Let’s take the bull by the horns and fully
open these systems.

6. The bill should require that all software be loaded only from a
CD-ROM or other write-once media so that the public actually can
supervise what these machines are running. The bill also needs to
establish a public right to examine the media before use, including
computing the appropriate checksum and witnessing the installation and
locking of the media into the machine and the machine’s placement into

7. The bill should mandate a complete random-inspection regimen
administered in a manner similar to how the Nevada Gaming Control Board
supervises electronic slots. This should be another duty of the
California Elections Integrity Board (see item 2), and should include
the right to go into any jurisdiction at any time, take any machine, and
rip it to shreds to search for unauthorized anything. The Board should
also have the power to issue subpoenas to vendors for any missing
information. And the bill should provide compensation to jurisdictions
for machines taken out of service.

We really need this regimen. COTS certifications are not enough. A
vendor crooked enough to attempt to steal an election will think nothing
of falsely certifying the use of unmodified COTS components. And without
a rigorous, mandatory random inspection regimen, the chances of catching
such a vendor are very small.

8. The bill should require parallel testing (again, administered by the
California Elections Integrity Board) in every election in a
statistically-significant, randomly-selected set of precincts in every
jurisdiction. And “randomly-selected” means by using hard-to-dope
procedures such as the fair-from-unfair-coin-flip procedure [1], not by
pulling numbers out of some official’s head.

9. The bill must create an individual right to sue to enforce its
provisions and the rules of the California Elections Integrity Board,
with the state and/or vendor (depending on who’s at fault) paying the
plaintiff’s attorney fees if she wins. These suits must be handled on an
expedited basis instead of being condemned to languish at the end of the
ordinary civil docket.

[1] This procedure uses pairs of coin flips to produce a fair result
even if the coin is doped. You do it by flipping a coin twice. If the
result is HT, take that as heads. If the result is TH, take that as
tails. Throw away HH and TT pairs. This works because P(HT) = P(H)P(T) =

OVC-discuss mailing list
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Mon Jan 8 20:24:33 2007
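
The paired-flip procedure from footnote [1], applied to the random precinct selection that item 8 calls for. This is an added example, not part of the original message. The function names, the precinct labels and the simulated doped coin are hypothetical, and the flips are assumed to be independent of one another.

```python
import random

def doped_coin(p_heads, n, seed=0):
    """Constructed test input: n flips of a coin that lands heads with probability p_heads."""
    rng = random.Random(seed)
    return ["H" if rng.random() < p_heads else "T" for _ in range(n)]

def von_neumann_bits(flips):
    """Yield fair bits from flips taken in non-overlapping pairs.
    HT -> 1 (heads), TH -> 0 (tails); HH and TT are thrown away."""
    it = iter(flips)
    for first in it:
        second = next(it, None)
        if second is None:      # odd flip left over: unusable
            return
        if first != second:
            yield 1 if first == "H" else 0

def fair_index(bits, n):
    """Uniform integer in [0, n) built from fair bits, rejecting out-of-range
    values instead of reducing modulo n (which would reintroduce bias)."""
    width = max(1, (n - 1).bit_length())
    while True:
        value = 0
        for _ in range(width):
            bit = next(bits, None)
            if bit is None:
                raise ValueError("ran out of coin flips; flip more and retry")
            value = (value << 1) | bit
        if value < n:
            return value

def select_precincts(precincts, k, flips):
    """Draw k distinct precincts; sorting first lets any observer who
    recorded the same flips reproduce the draw."""
    if k > len(precincts):
        raise ValueError("cannot select more precincts than exist")
    bits = von_neumann_bits(flips)
    remaining = sorted(precincts)
    return [remaining.pop(fair_index(bits, len(remaining))) for _ in range(k)]

if __name__ == "__main__":
    flips = doped_coin(0.8, 2000)   # a coin doped to 80% heads
    print(select_precincts([f"precinct-{i:03d}" for i in range(120)], 5, flips))
```

Because the selection depends only on the recorded flips and the sorted precinct list, witnesses can log the flips as they happen and recompute the result independently.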
