9a. Disclosure to states already using the software
Disclosure of software is supposed to enable citizens to have oversight of vote recording, casting, storage, handling and counting.
Currently, secrecy of software is supported by trade secret and intellectual property provisions of vendors' contracts of sale.
S1487's disclosure section would limit disclosure and make non-disclosure a legal mandate.
"Election-dedicated software" and "information as necessary to assess the integrity and efficacy" of it must be disclosed to the EAC and to states that are already using the software.[30,31]
Wrong!
Software needs to be disclosed to states when they are evaluating the systems prior to certification, purchase, and use, not just states that are already using it. It is unclear whether this bill would preempt state law and prevent state law from requiring additional disclosure.
One important purpose of disclosure prior to use is to enable jurisdictions to verify that software delivered, present in systems after maintenance, or present in systems before or after elections, is the same as the software that was certified and ordered for purchase.
To assess the integrity and correct function of software, jurisdictions must perform comprehensive pre- and post-election logic and accuracy tests, and completely audit the work that the software performs. "Integrity" in the abstract is not a characteristic of software, but rather integrity is a conclusion that users of the software can draw after verification of the work the software has performed and determination that no errors were made. No computer scientist has ever claimed to be able to read a large software product and determine that it is free of errors and malicious code. Moreover, since malicious code can delete itself, it is questionable whether any Board of Elections can properly confirm what software is in its machines during any election, even if they were willing to attempt to do so.
Solution
Either drop the entire "disclosure" section, or mandate that software be disclosed to all states and to citizens who sign a non-disclosure agreements.
9b. Other software in a voting system
Voting systems may contain any software whatsoever as long as the manufacturer discloses information about it that the EAC determines is appropriate to the EAC, NIST, and states already using the system.[32]
Wrong!
This is a dangerous loophole that circumvents certification testing, and enables voting systems to contain undetected malicious code.
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22
