August 19, 2019

Where are the California E-Voting Reports?

I wrote Monday about the California Secretary of State’s partial release of reports from the state’s e-voting study. Four subteams submitted reports to the Secretary, but as yet only the “red team” and accessibility teams’ reports have been released. The other two sets of reports, from the source code review and documentation review teams, are still being withheld.

The Secretary even held a public hearing on Monday about the study, without having released all of the reports. This has led to a certain amount of confusion, as many press reports and editorials (e.g. the Mercury News editorial) about the study seem to assume that the full evaluation results have been reported. The vendors and some county election officials have encouraged this misimpression – some have even criticized the study for failing to consider issues that are almost certainly addressed in the missing reports.

With the Secretary having until Friday to decide whether to decertify any e-voting systems for the February 2008 primary election, the obvious question arises: Why is the Secretary withholding the other reports?

Here’s the official explanation, from the Secretary’s site:

The document review teams and source code review teams submitted their reports on schedule. Their reports will be posted as soon as the Secretary of State ensures the reports do not inadvertently disclose security-sensitive information.

This explanation is hard to credit. The study teams were already tasked to separate their reports into a public body and a private appendix, with sensitive exploit-oriented details put in the private appendix that would go only to the Secretary and the affected vendor. Surely the study teams are much better qualified to determine the security implications of releasing a particular detail than the lawyers in the Secretary’s office are.

More likely, the Secretary is worried about the political implications of releasing the reports. Given this, it seems likely that the withheld reports are even more damning than the ones released so far.

If the red team reports, which reported multiple vulnerabilities of the most serious kind, are the good news, how bad must the bad news be?

UPDATE (2:45 PM EDT, August 2): The source code review reports are now up on the Secretary of State’s site. They’re voluminous so I won’t be commenting on them immediately. I’ll post my reactions tomorrow.

Comments

  1. How bad must the bad news be? What is worse than the entire state sticking with paper ballots for a few more years?

  2. In Reason We Trust says:

    How much fun would a public review of the source code be!

  3. SOS Bowen is damned no matter what she does.
    She stuck her neck out to order this review, but people seem to forget that. Well, DON’T forget what happened to former SOS Shelly, who also pulled the vendor’s chains.

    We all owe a huge debt to the SOS for even ordering this review.

    You see, no matter what SOS Bowen does, there will be an army of critics going after her head. It could be election officials who dearly love their voting machines, politicians uncomfortable with the new reality, or activists who expect miracles.

    And, no good deed goes unpunished.

  4. Joyce,

    I agree, SOS Bowen deserves tons of credit for commissioning the study. I hope she comes through and releases the remaining reports, and then goes on to make a well-considered decision about which systems (if any) to decertify.

  5. I’d be a bit concerned at this point about redactions appearing in the final reports – or, worse yet, the teams being asked to resubmit their reports with certain items “stealth-redacted”.

    If open source were a statutory requirement for voting machines, then “security-related issues” wouldn’t be a concern at all. Would companies like Diebold refuse to submit an entry to an open-source voting machine arena? Perhaps. But the voting fairness community is quite motivated, and I wouldn’t be surprised if a community effort to design both the hardware and software for a voting machine resulted in an alternative, and I’m sure there’s *some* company out there willing to fabricate thousands of such units, even if they didn’t design it themselves.

  6. Another possible explanation is that regardless of the expertise of the study teams and their ability to discriminate between public- and private-appropriate material, the SOS fears that the vendors will claim that the study did not discriminate correctly and that proprietary information is contained in the public body. I would not be surprised to learn that the SOS had passed the public reports to the vendors for their release blessing. Of course the vendors would drag their heels about giving this blessing. I would not be surprised to learn that the vendors had demanded this, under threat of lawsuit if any proprietary details leaked.

  7. The source code reports have been released:

    http://www.sos.ca.gov/elections/elections_vsr.htm

  8. Hi, I’m an Iranian girl
    Your blog is very interesting for me
    I have an MA in philosophy
    Great job…

  9. Philosophy isn’t our main topic of discussion here. Do you have any thoughts on the e-voting issue? Those would be much more useful here than a plain “hi, how are you” post.

    [This refers to an apparent spam comment, which I deleted. — Ed]

    [After further investigation, I concluded it wasn’t spam, so I undeleted it. –Ed]

  10. For that matter, do you have e-voting in Iran?

  11. It was not actually spam, I don’t think…I actually followed her link, which I believe really was her blog. Unfortunately, it was written in Arabic script, so I couldn’t read the content, but given the number of artworks and paintings of Socrates and such, I guess she really was an Iranian philosophy student.

    [You’re right. I undeleted her message. — Ed]

  12. Ned Ulbricht says:

    Meanwhile, perhaps slightly off-topic, but relating to the study…

    The Document Review Security Plan, by David Wagner, in para 7 on p.2 contains:

    Removable storage media (e.g., USB dongles, CD-Rs, DVD-Rs) will be labeled Confidential once proprietary or confidential document or information has been installed on them. […]

    And the Source Code Review Security Plan, also by David Wagner, in para 9 on p.1, similarly contains:

    External hard disks and removable storage media (e.g., USB dongles, CD-Rs, DVD-Rs) will be labeled red once source code has been installed on them. […]

    I wouldn’t recommend this sequence for this procedure.

    Instead, blank media should be labeled red or confidential before confidential information is transferred to the media.

    You might ask, “Well, what’s the difference?” The difference in sequence affects the failure state of a partially completed procedure. If the media is marked before the data transfer, then an incompleted procedure may result in media wrongly marked as red or confidential while not containing confidential data. Contrariwise, as the procedure was documented, a fire alarm in the middle of the procedure may result in media containing confidential data, but unmarked.

    Further, marking the media before the data transfer then admits the simple rule: “Confidential data may only be transferred to media marked red.”

    Thankfully, due to large hard disks, it’s been a long time since I’ve had to work with 50- and 100-volume data sets. But I do remember that careful attention to a defined procedure helps to prevent errors during a process where it’s pretty easy to just sort of space-out or read something totally unrelated to the job.

  13. Why on earth would you suspect a comment to be spam that makes no attempt to sell cheap generic pharmaceuticals or anything else?