Eliminate this loophole which serves no public purpose.
9c. Privatization of Software Escrow
The EAC shall store disclosed software with an entity selected by NIST.[33]
Public servants in an accountable and capable governmental agency should hold the software. The law should not require privatization of functions related to elections.
Solution
NIST should both receive and store the software, because NIST has the skills to manage these functions.
9d. Disclosure
Disclosed information may be provided to the EAC; NIST; the Chief State election official of a state already using the software; Federal or State governmental entities that administer or enforce election laws (but only for administering or enforcing election laws, or for review, analysis, and reporting); parties in litigation over an election in which the software is used but only as necessary for the review and analysis for the litigation; independent technical experts; and persons and entities who meet standards to be set by the EAC but only for reviewing, analyzing, and reporting on the operation.[34,35,36]
The scope of review, analysis, and reporting is limited to describing operational issues including vulnerabilities, and describing or explaining a failure voting system, but only if the information does not "compromise the integrity of the software or result in the disclosure of trade secrets or other confidential commercial information, or violate intellectual property rights in such software."[36a]
Wrong!
The limitations on disclosure in this section make clear that this section is intended to protect commercial rather than election integrity interests of citizens and candidates:
An unspecified entity will have responsibility and authority to administer disclosure: evaluate disclosure recipients and their purposes, establish a procedure for application and for appeal of decisions, enforce the restrictions, and provide the software to be disclosed.
Parties in litigation in which the voting system programming is in question need to have the software taken directly from the equipment that was used, in addition to the software that was certified and escrowed. One reason for having both is to determine whether the software actually in use in the equipment is the proper version, or is corrupted.
It is unclear what information may be safely disclosed. For example, if a researcher discovers that a system uses a pre-coded easily-guessed password such as 1111, or that the software contains a "back door" that enables an insider to tamper with ease, could such information be claimed to be confidential commercial information, and could revealing it be claimed to compromise the integrity of the software?
Next Page 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22
(Note: You can view every article as one long page if you sign up as an Advocate Member, or higher).
