FROM: Teresa Hommel, Chair, Task Force on Election Integrity, Community Church of New York
TO: New York State Board of Elections, 40 Steuben Street, Albany, NY 12207-2108
Comment on Draft Voting Systems Standards
Section 6209.5 Submission of Voting Systems Equipment
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
Section 6209.5 Submission of Voting Systems Equipment
HOMMEL SUGGESTED REPLACEMENT
Section 6209.5 Submission and Escrow of Voting Systems
REASON
The title should be descriptive.
--------------------------------------------------------------------------------------------------------
HOMMEL SUGGESTION -- REPLACE THE ENTIRE SECTION WITH THE FOLLOWING:
A. Each voting system considered for certification by the State Board shall be delivered to the State Board or its designee. Items delivered shall include:
1. All hardware including auxiliary components, supplies, equipment used to program ballot layouts, vote tabulating equipment, and any other hardware needed for the operation of the voting system.
2. A complete copy of the source code for all programming, whether software, firmware, or any other kind, for the voting system including its equipment used to program ballot layouts, vote tabulating equipment, and any other equipment that contains or uses programming. Such source code shall be delivered to the State Board on a CD, flash memory device, or comparable commonly-used removable memory device.
3. A complete new, unopened, never-used set of all commercial-off-the-shelf software products used in the voting system, including operating systems, compilers, assemblers, installers, database software, spreadsheet software, and any other products.
4. A detailed and complete set of instructions for installing all commercial-off-the-shelf software products and for compiling, assembling, and installing all voting system programming in executable form.
B. Each specific voting system delivered to the State Board or its designee for certification shall be known as an Escrow System and shall serve as the Escrow System of its type, and the State Board or its designee shall perform the Escrow Procedure described in subsection C. below on such system and shall create an Escrow Component List for such system.
1. The Escrow Component List shall contain a complete list of all components in the Escrow System, including all items specified under subsection A. above.
2. The Escrow Component List shall contain the name and a brief description of each component sufficient to identify the component and its purpose or use.
3. The Escrow Component List shall contain a diagram of all file system hierarchies in the voting system, and the name and file system location of every file stored in the voting system, regardless of whether the storage used for such file system is firmware, disk, or any other type of storage, and regardless of whether the file contains programming, data, documentation, fonts, or any other contents.
C. Escrow Procedure.
1. The source code submitted by the vendor shall be examined in comparison to documentation supplied by the vendor as required by Section 6209.6 to determine that the source code consists of documented modules only and that all source code and documentation have been supplied. Examination of the source code shall confirm that these modules contain code that appears to be of professional quality and workable, and does not contain malicious code.
2. All source code may be independently examined by any registered voter and by representatives of each recognized political party in New York State after each such voter or representative signs a non-disclosure agreement, provided that each such voter or representative does not work for any vendor or manufacturer of voting systems. Such source code shall be made available on a CD or in another computer-readable form.
3. The State Board or its designee shall clear all computer storage other than firmware in the Escrow System and then shall install in the Escrow System all commercial-off-the-shelf software products and shall compile, assemble, and install all programming in executable form in the voting system according to instructions provided by the vendor. The vendor shall supply complete and detailed instructions for independent and meaningful comparison of the contents of the Escrow System's firmware with newly-prepared executables.
D. After the Escrow System has been loaded with all programming by the Escrow Procedure and the State Board or its designee has confirmed that the contents of firmware are exactly the same as newly-prepared executables, and the Escrow Component List has been made, the Escrow System shall be submitted for certification testing for security, functionality, and conformance to all applicable standards.
E. All reports and documentation of certification testing for security, functionality, and conformance to applicable standards shall be available for examination by any registered voter and by representatives of each political party recognized by the State of New York upon written request, provided that each such voter or representative signs a non-disclosure agreement and does not work for any vendor or manufacturer of voting systems. Such reports and documentation shall be made available on a CD or in another computer-readable form.
F. If the Escrow System is certified by the State Board, the Escrow System shall become the property of the State Board for as long as voting systems of that type are for sale or in use in the State. If an Escrow System is denied certification, it shall be disposed of pursuant to the vendor's direction.
G. In each county where certified voting systems are to be used, within five business days after delivery of such voting systems, ten percent of such voting systems shall be chosen by random selection process and these selected voting systems shall be compared to the Escrow System of their type.
1. If any county receives delivery of fewer than ten voting systems of the same type, one system shall be chosen by random selection process from those delivered.
2. The County Board shall post public notice at the office of the County Board for a minimum of five days prior to the random selection process. The County Board shall provide notice of the random selection process a minimum of four days in advance by mail, telephone, and email to the heads of all political parties in the county that are recognized by New York State.
3. The random selection process shall be conducted in public before any member of the public who may wish to attend and observe.
4. The State Board shall compare the selected voting systems to the Escrow System of their type with regard to all components on the Escrow Component List to determine that the voting systems delivered for use are identical to the Escrow System of their type.
5. If any selected voting system is not identical to the Escrow System of its type, the State Board shall immediately rescind certification of that voting system.
H. On the day following each election, in each county where certified voting systems have been used, five percent of such voting systems shall be chosen by random selection process and these selected voting systems shall be compared to the Escrow System of their type.
1. If any county uses fewer than five voting systems of the same type, one system shall be chosen by random selection process from those used.
2. The random selection process shall be conducted in the office of the County Board before any member of the public who may wish to attend and observe.
3. The State Board shall compare the selected voting systems to the Escrow System of their type with regard to all components on the Escrow Component List to determine that the voting systems used in the election are identical to the Escrow System of their type.
4. If any selected voting system is not identical to the Escrow System of its type, the State Board shall immediately rescind certification of that voting system and shall require the vendor to pay for a hand-to-eye count of 100% of paper ballots scanned by such system if it is an optical scan system, or 100% of voter verified permanent paper records cast on such system if it is a DRE.
I. Any service or maintenance performed on the Escrow System after certification shall be performed by the State Board or its designee, under direction of the vendor. The vendor shall provide such direction and supply all components that may be required at no cost.
J. If any modification is made to the Escrow System, whether for upgrading of any feature or any other reason, the Escrow Procedure shall be performed again, a new Escrow Component List shall be created, and the modified Escrow System must be submitted again for certification.
REASON
The Standards must ensure that each voting system submitted for escrow consists of the same components that are (1) tested for certification, (2) delivered to the counties for use, and (3) used in elections.
The Standards must also ensure that each system submitted for escrow consists only of those hardware and programming components that are necessary for use as a voting system, and contains no additional hardware or programming, and no hardware or programming with malicious purpose.
Allegations have been made in other states that systems submitted for certification testing have been "souped up" models, that systems delivered for use after purchase have been both different and flawed, and that systems used in elections had been modified by vendor technicians by installation of uncertified, unexamined, and undisclosed software modifications after delivery and prior to use in elections.
Evaluation of software in a voting system requires a disk image consisting of all files of any kind (whether data, documentation, or programming) and all directory hierarchies, as well as a copy of all contents of firmware that have been made independently by the State Board.
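An added illustration, not part of the original comment or of any vendor's or Board's tooling: one way the file-level part of the Escrow Component List (subsection B.3) and the comparisons in G.4 and H.3 could be automated. Using a SHA-256 digest per file as the test of "identical" is an assumption made here, and all function names, paths, and file contents are hypothetical, constructed samples.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map every path under root to the SHA-256 of its contents (assumed identity test)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:  # record directories so the hierarchy itself is compared
            manifest[os.path.relpath(os.path.join(dirpath, d), root) + "/"] = None
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(escrow, candidate):
    """Return paths missing from, added to, or changed in the candidate system."""
    return {
        "missing": sorted(p for p in escrow if p not in candidate),
        "extra": sorted(p for p in candidate if p not in escrow),
        "modified": sorted(p for p in escrow if p in candidate and escrow[p] != candidate[p]),
    }

def is_identical(diff):
    """A system matches its Escrow System only if no difference of any kind exists."""
    return not any(diff.values())

def write_tree(root, files):
    """Helper for the demo: materialize a dict of relative path -> bytes on disk."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    # Constructed sample trees: an escrow image and a randomly selected field unit.
    escrow_files = {"bin/tabulator": b"build-A", "fonts/ballot.ttf": b"font", "data/layout.db": b"layout"}
    field_files = {"bin/tabulator": b"build-B", "fonts/ballot.ttf": b"font", "tmp/patch.bin": b"unlisted"}
    with tempfile.TemporaryDirectory() as tmp:
        e, f = os.path.join(tmp, "escrow"), os.path.join(tmp, "field")
        write_tree(e, escrow_files)
        write_tree(f, field_files)
        return compare(build_manifest(e), build_manifest(f))

if __name__ == "__main__":
    print(demo())
```

The comparison covers only files reachable through a mounted file system; firmware contents would have to be extracted by the independent procedure described in C.3 before they could be hashed the same way.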
--------------------------------------------------------------------------------------------------------
Relevant section of the Election Reform and Modernization Act
S 8. The election law is amended by adding a new section 7-208 to read as follows:
S 7-208. ESCROW REQUIREMENTS. PRIOR TO THE USE OF ANY VOTING MACHINE OR SYSTEM IN ANY ELECTION IN THE STATE, ON OR AFTER SEPTEMBER FIRST, TWO THOUSAND SIX, THE STATE BOARD OF ELECTIONS AND THE LOCAL BOARD OF ELECTIONS USING SUCH VOTING MACHINE OR SYSTEM SHALL:
1. REQUIRE THAT THE MANUFACTURER AND/OR VENDOR OF SUCH VOTING MACHINE, SYSTEM OR EQUIPMENT SHALL PLACE INTO ESCROW WITH THE STATE BOARD OF ELECTIONS A COMPLETE COPY OF ALL PROGRAMMING, SOURCE CODING AND SOFTWARE EMPLOYED BY THE VOTING MACHINE, SYSTEM OR EQUIPMENT WHICH SHALL BE USED EXCLUSIVELY FOR PURPOSES AUTHORIZED BY THIS CHAPTER AND SHALL BE OTHERWISE CONFIDENTIAL.
2. REQUIRE THAT THE MANUFACTURER AND/OR VENDOR OF SUCH VOTING MACHINE, SYSTEM OR EQUIPMENT FILE WITH THE STATE BOARD OF ELECTIONS AND THE APPROPRIATE LOCAL BOARDS OF ELECTIONS A WAIVER, PREPARED BY THE STATE BOARD OF ELECTIONS, WHICH SHALL WAIVE ALL RIGHTS OF THE VENDOR OR MANUFACTURER TO ASSERT INTELLECTUAL PROPERTY OR TRADE SECRET RIGHTS IN ANY COURT OF COMPETENT JURISDICTION HEARING A CHALLENGE TO THE RESULTS OF ANY ELECTION AND REQUESTING THAT PROGRAMMING SOURCE CODING, FIRMWARE, AND SOFTWARE AS WELL AS VOTING MACHINES OR SYSTEMS BE TESTED BY INDEPENDENT EXPERTS UNDER COURT SUPERVISION AND AT THE CONCLUSION OF SUCH PROCEEDING SHALL BE SEALED.
3. REQUIRE THAT THE MANUFACTURER AND/OR VENDOR OF SUCH EQUIPMENT FILE WITH THE STATE BOARD OF ELECTIONS AND THE APPROPRIATE LOCAL BOARDS OF ELECTIONS A CONSENT TO HAVING AND COOPERATING IN THE TESTING OF ANY PROGRAMMING, SOURCE CODING, FIRMWARE, OR SOFTWARE, PURSUANT TO AN ORDER OF ANY BOARD OF ELECTIONS OR COURT OF COMPETENT JURISDICTION. ANY SUCH BOARD OR AGENT THEREOF SHALL BE REQUIRED TO MAINTAIN THE CONFIDENTIALITY OF ANY PROPRIETARY MATERIAL.