September 25, 2020

Rethinking the voting system certification process

Lawsuits! Everybody’s filing lawsuits. Premier Election Systems (formerly Diebold) is suing SysTest, one of the EAC’s testing authorities (or, more properly, former testing authorities, now that the EAC is planning to suspend their accreditation). There’s also a lawsuit between the State of Ohio and Premier over whether or not Premier’s voting systems satisfy Ohio’s requirements. Likewise, ES&S is being sued by San Francisco, the State of California, and the state of Oregon. A Pennsylvania county won a judgment against Advanced Voting Systems, after AVS’s systems were decertified (and AVS never even bothered showing up in court to defend themselves). And that’s just scratching the surface.

What’s the real problem here? Electronic voting systems were “certified”, sold, deployed, and then turned out to have a variety of defects, ranging from “simple” bugs to a variety of significant security flaws. Needless to say, it takes time, effort, and money to build better voting machines, much less to push them through the certification process. And nobody really understands what the certification process even is anymore. In the bad old days, a “federally certified voting system” was tested by one of a handful of “independent testing authorities” (ITAs), accredited by the National Association of State Election Directors, against the government’s “voluntary voting system guidelines” (the 2002 edition, for the most part). This original process demonstrably failed to yield well-engineered, secure, or even particularly usable voting systems. So how have things improved?

Now, NASED has been pushed aside by the EAC, and the process has been glacial. So far as I can tell, no electronic voting system used in the November 2008 election had code that was in any way different from what was used in the November 2006 election.

Regardless of whether we jettison the DREs and move to optical scan, plenty of places will continue using DREs. And there will be demand for new features in both DREs and optical scanners. And bug fixes. The certification pipeline must be vigilant, yet it needs to get rolling again. In a hurry, but with great caution and care. (Doesn’t sound very feasible, I know.)

Okay, then let’s coerce vendors to build better products! Require the latest standards! While brilliant, in theory, such a process is doomed to continue the practical failures (and lawsuits) that we’re seeing today. The present standards are voluminous. They are also quite vague where it matters because there is no way to write a standard that’s both general-enough to apply to every possible voting system and specific-enough to adequately require good development practices. The present standards err, arguably correctly, on the vague side, which then requires the testing authorities to do some interpretation. Doing that properly requires competent testing labs and competent developers, working together.

Unfortunately, they don’t work together at all (never mind issues of competence). The current business model is that developers toil away, perhaps talking to their customers, but not interacting with the certification process at all until they’re “done,” after which they pitch the system over the wall, write a big check, and cross their fingers that everything goes smoothly. If the testing authority shoots it down, they need to sort out why and try again. Meanwhile, you’ve got the Great States of California and Ohio doing their own studies, with testers like yours truly who don’t particularly care what the standards say and are instead focused on whether the machines are robust in the face of a reasonable threat model. Were the problems we found outside of the standards’ requirements? We don’t care because they’re serious problems! Unfortunately, from the vendor’s perspective, they now need to address everything we found, and they have no idea whether or not they’ll get it right before they may or may not face another team of crack security ninjas.

What I want to see is a grand bargain. The voting system vendors open up their development processes to external scrutiny and regulation. In return, they get feedback from the certifying authorities that their designs are sound before they begin prototyping. Then they get feedback that their prototypes are sound before they flesh out all the details. This necessarily entails the vendors letting the analysts in on their bugs lists (one of the California Secretary of State’s recommendations to the EAC), further increasing transparency. Trusted auditors could even look at the long-term development roadmap and make judgments that incremental changes, available in the short term, are part of a coherent long-term plan to engineer a better system. Alternately, the auditors could declare the future plans to be a shambles and refuse to endorse even incremental improvements. Invasive auditing would give election authorities the ability to see each vendor’s future, and thus reach informed decisions about whether to support incremental updates or to dump a vendor entirely.

Where can we look for a a role model for this process? I initially thought I’d write something here about how the military procures weapon systems, but there are too many counter-examples where that process has gone wrong. Instead, let’s look at how houses are built (or, at least, how they should be built). You don’t just go out, buy the lumber and nails, hire people off the street, and get banging. Oh no! You start with blueprints. Those are checked off by the city zoning authorities, the neighborhood beauty and integrity committee, and so forth. Then you start getting permits. Demolition permits. Building permits. Electrical permits. At each stage of construction, city inspectors, the prospective owners, and even the holders of the construction loan, may want to come out and check it out. If, for example, there’s an electrical problem, it’s an order of magnitude easier to address it before you put up the interior walls.

For voting systems, then, who should do the scrutiny? Who should scrutinize the scrutineers? Where’s the money going to come from to pay for all this scrutiny? It’s unclear that any of the testing authorities have the deep skills necessary to do the job. It’s similarly unclear that you can continually recruit “dream teams” of the best security ninjas. Nonetheless, this is absolutely the right way to go. There are only a handful of major vendors in the e-voting space, so recruiting good talent to audit them, on a recurring part-time basis, is eminently feasible. Meta-scrutiny comes from public disclosure of the audit reports. To save some money, there are economies of scale to be gained from doing this at the Federal level, although it only takes a few large states to band together to achieve similar economies of scale.

At the end of the day, we want our voting systems to be the best they can be, regardless of what technology they happen to be using. I will argue that this ultimately means that we need vendors working more closely with auditors, whether we’re considering primitive optical scanners or sophisticated end-to-end cryptographic voting schemes. By pushing the adversarial review process deeper into the development pipeline, and increasing our transparency into how the development is proceeding, we can ensure that future products will be genuine improvements over present ones, and hopefully avoid all these messy lawsuits.

[Sidebar: what about protecting the vendors’ intellectual property? As I’ve argued before, this is what copyrights and patents are about. I offer no objection to vendors owning copyright on their code. Patents are a bit trickier. If the auditors decide that some particular feature should be mandatory and one vendor patents it, then every other vendor could potentially infringe the patent. This problem conceivably happens today, even without the presence of invasive auditors. Short of forbidding voting machine patents as a prerequisite for voting system certification, this issue will never go away entirely. The main thing that I want to do away with, in their entirety, are trade secrets. If you want to sell a voting machine, then you should completely waive any trade secret protection, ultimately yielding a radical improvement in election transparency.]


  1. Kiaser Zohay says:

    Good, Fast, or Cheap: Pick Two.

    Starting shortly after HAVA, the voting system we got as a result were fast and cheap, but clearly not good. Now with the certification process frozen, fast is being factored out of the equation, but whether or not we get good in return remains to be seen.


  2. Let’s think about the things that could induce voting-machine companies to accede to this kind of bargain.One problem is that in the short run vendors seem to do better by building garbage and using whatever means necessary to get it certified and get jurisdictions to buy it. Under the new approach, some of them would lose sales — and given the apparent widespread presence of serious flaws, it’s not clear even to the companies what their fates would be. So uncertainty encourages resistance.

    You might be able to get companies to agree if the alternative was for all of them to lose sales, but for the time being government entities have to keep buying voting machiens or getting the current ones upgraded because the status quo is so lousy. So what would make every vendor believe that they would lose sales unless they comply with such a scheme?

  3. I’m generally with you on transparency, and wanted to comment on your sidebar:

    If the auditors decide that some particular feature should be mandatory and one vendor patents it, then every other vendor could potentially infringe the patent.

    A few comments. First, if the auditors invent a feature, then there’s prior art, so the vendor can’t patent it. I’ll go forward assuming you mean “one vendor has already patented it.” There’s likely to be more than one way to achieve a goal. If there’s not, it seems that the government could immunize vendors of voting machines who infringe for voting purposes. There would an unusually clear public interest This might be a taking, and appropriate compensation may be tricky, but I don’t think it insurmountable.

    (Speaking only for myself.

  4. Here’s the situation. Let’s say we have a clever auditor, paid by the state, to evaluate several successive vendors. The auditor visits vendor #1 and says “what you need are hash tables”. The auditor then visits vendors #2 and #3 and also reaches the same conclusion. Meanwhile, vendor #1 has run to the patent office and filed for a patent on a “method and apparatus for the use of hash tables in voting machines.” Vendors #2 and #3 are facing the same requirement, yet might be taking a risk that vendor #1 beats them to the punch with the hash table patent.

    If it came down to a subsequent lawsuit, vendor #1 could say that the idea occurred in discussions between the auditor and the vendor, and thus vendor #1 has a legitimate ownership in the idea.

    You might deal with this contractually, saying that any technological improvements that result from interactions with the state-mandated auditors cannot be patented. I’d want to learn more about how the military deals with this sort of thing, since they presumably don’t want patent squabbles among their big contractors getting in the way of the latest weapon systems, yet I’m sure they regularly make upgrades to weapon systems, armor, and so forth, and they want to do them consistently across different vendors’ products.

  5. There is one simple and most-efficient answer to this problem.

    Voting software should be open-source. Every voting machine should use substantially the same software. The government should sponsor writing the software, starting from an initial strawman standard. Anyone can review the software, and anyone can (potentially) contribute to the software. Feedback from review should be used to revise the software and standard, until both reach a generally approved of final form.

    Voting machines are relatively simple beasts. There is no reason for proprietary designs. The same approach should be used to design the core hardware. Pay a couple design firms to build a few different designs of prototype hardware to an initial specification. Anyone can review the designs. Revise the design and standard based on feedback.

    Voting machine manufacturers might need to develop drivers for specialized hardware, and might come up with different packaging, but the core of the design should be standardized and throughly reviewed.

    As I wrote earlier, when asked, to an election official:
    You do not need to become an expert in the design of secure systems. When well-designed e-voting systems appear, they will be easy to recognize. Look for the following:

    The design for the hardware will be published in complete detail and subject to public review many months prior to the manufacture.
    The design for the software will be published in complete detail and subject to public review many months prior to the manufacture.
    The e-voting system will allow for sufficient end-to-end checks.

    That is pretty much all you need to know.

  6. I think open source is more complicated than you think.

    First, I’ve argued for years that voting systems should have disclosed source. Anybody and everybody who wants to read the code should be free to do so. Source code disclosure encourages openness and transparency of the process. It also allows vendors to maintain their intellectual property rights via copyright and patent.

    If you want to completely pitch the present vendors and start anew, then an open-source software model, on commodity hardware, seems very attractive, but it would require a significant, sustained effort, particularly given all the state-specific variation among different voting systems. Politically, it would be much easier for a single large state, like California or New York, to commission the development of such a system, tuned to their specific needs. At that point, other states could adopt it or ignore it.

    The financial question is quite significant. Who’s going to pay for this wonderful open source development? States are in a deep financial hole right now. You’re unlikely to find a state willing to budget a sustained development effort for a new voting system, and the EAC is similarly unfunded and unlikely to pursue such a thing.

    The big point of my blog post is that, like it or not, we have to be pragmatic about evolution in the voting system space. We need a low-energy, low-cost path that gets us incrementally from where we are today to where we’d like to eventually be tomorrow.

  7. Dan,

    When I was a PI on some US government grants, we had IP rights, which the government got an automatic license for. I would guess that the US military does the same.

  8. To do the equivalent for voting machine would effectively render their patents worthless, since it would mean that every potential customer for a voting machine would hold the rights to the patents.

    (Not that I have a particular objection to that, but I think the voting system vendors certainly would object.)

  9. Lawrence D'Oliveiro says:

    That’s easy to answer. The electoral bodies using the voting machines are already paying for their development (the companies have to make a profit, after all). Why not redirect that budget into developing the open-source replacements?

  10. I suspect patents may not be as big an issue as you might think, for two reasons:

    1. There exist very many standards that require the use of patented technology (e.g., many of those used in DVD players and other entertainment-related areas), and the industries manage to make deals such that patent owners practice non-discriminatory licensing, even to their direct competitors.

    2. My understanding is that patents, at least in the U.S., must name all of their inventors, each of whom has full rights to license the patent independent of any of the others. If an auditor made a significant contribution to something later patented, and was not named as a co-inventor, the patent risks being invalidated in court.

    • “he industries manage to make deals such that patent owners practice non-discriminatory licensing, even to their direct competitors.”

      Even to upstarts? Or only to established members of their cartel?

      Last time I checked, you can’t find a DVD player that will let you easily skip directly to the movie. There must be consumer demand for such a feature. If it is lacking, it can only be because of stifling of competition of some sort or another at the supply side.

      If those making DVD players are required to “quality fix” their wares to be accepted into the exclusive club of those who have licenses, it’s not “non-discriminatory”, any more than if they were required to price fix, or if no newcomers were allowed in at all.