E-voting vendors often argue that their systems must be secure, because they have been tested by “independent” labs. Elise Ackerman’s story in Sunday’s San Jose Mercury-News explains the depressing truth about how the testing process works.
There are only three labs, and they are overseen by a private body that is supported financially by the vendors. There is no government oversight. The labs have refused to release test results to state election officials, saying the results are proprietary and will be given only to the vendor whose product was tested:
Dan Reeder, a spokesman for Wyle, which functioned as the nation’s sole testing lab from 1994 to 1997, said the company’s policy is to provide information to the manufacturers who are its customers.
It’s worth noting, too, that the labs do not test the security of the e-voting systems; they only test the systems’ compliance with standards.
SysTest Labs President Brian Phillips said the security risks identified by the outside scientists were not covered by standards published by the Federal Election Commission. “So long as a system does not violate the requirements of the standards, it is OK,” Phillips said.
A few states do their own testing, or hire their own independent labs. It seems to me that state election officials should be able to get together and establish a truly independent testing procedure that has some teeth.
To the best of my knowledge the income statement for The Election Center has never been published. It is true that one outright donation of $10,000 by a vendor has recently come to light, but that is not to say that there were not others, and I’d be surprised if there were not. In any case The Election Center must derive other income indirectly from vendors, e.g. from the trade show floor space it provides to vendors at conferences.
To Cypherpunk: what social process is more important to democracy than elections? If we get one thing right, should it not be this?
As well, I wonder: What would the states need from the vendors to ensure security of their machines? Source code? Design documentation? Hardware documentation?
Granted, as Saltman has said, it’s the system combined with the machines that could cause problems.
You wrote: “It seems to me that state election officials should be able to get together and establish a truly independent testing procedure that has some teeth.” Better yet, the states could get together and develop their own voting software and make it open source. Then they would get lots of people auditing it for free.
I think you have slightly twisted the facts here. “There are only three labs, and they are overseen by a private body that is supported financially by the vendors.”
In principle, the labs are overseen by the National Association of State Election Directors, a quasi-governmental organization. In practice, NASED does not have the resources to do the oversight itself, so it has delegated the task to The Election Center, a private training organization for elected officials. Of the Center’s $462,000 budget, up to $10,000 came from donations by the vendors. This is a very small contribution, but your wording makes it sound like the vendors are running the testing labs.
More seriously, The Election Center is no longer involved with the process as of last year, meaning that the labs presently have no effective oversight. But that doesn’t fit the facts of your tidy foxes-running-the-henhouse story.
The larger problem is that the federal election standards are somewhat obsolete and that enforcement of them was never funded. That’s the real story here.
As far as the use of independent testing labs, I can say from experience that this is the norm in other areas of security certification. These testing companies are paid by the vendors whose products they are evaluating. Theoretically the testers are overseen by the federal government, but I wouldn’t be surprised if the facts are much the same as in the election case, with a lack of funding for this theoretical oversight process making the testing labs effectively autonomous, and financially beholden to the companies who are their clients.
The truth is that almost no social process can withstand sufficient scrutiny. You have turned your attention to election machines and found major problems. You could do the same in any other part of life.