In today’s Washington Post, Jonathan Krim reports on a new effort by the e-voting machine vendors to do … something or other. The article, which is titled “Voting-Machine Makers to Fight Security Criticism”, doesn’t quite say what they’re planning to do. The following two paragraphs come the closest to revealing their plans:

Electronic-voting-machine companies announced yesterday that they are banding together to counter mounting concerns about whether their machines are secure enough to withstand tampering by hackers.

…

The leading voting-machine companies, which argue that their systems are safe, have yet to put forward any proposals on addressing the concerns. But under the umbrella leadership of the Information Technology Association of America, the industry hopes to foster conversation that includes security experts, academics, local elections officials, and the National Institute of Standards and Technology, the federal agency overseeing technical standards.

In other words, although they “have yet to put forward any proposals”, they hope to have some conversations with people. Amusingly, the chairman of the ITAA calls this “an inflection point in the history of voting in this country.”

You’ve really gotta wonder how a non-story like this got onto page 2 of a major newspaper.

The Ohio Secretary of State has announced the results of a study his office commissioned, which examined four e-voting systems. If you have been following this issue, you won’t be surprised to hear that the study found many flaws in the systems. Each system had at least one “high risk” problem.

In addition, a study of the vendors’ quality assurance methods led to a decision to “ask vendors to implement industry standard security and quality practices and procedures.”

Diebold has filed a court document promising not to sue people for posting the now-famous memos, and withdrawing the DMCA takedown notices it had sent previously. It’s a standard-issue lawyer’s non-surrender surrender (“Mr. Bonaparte, having demonstrated his mastery of the Waterloo battlefield, chooses to withdraw at this time”), asserting that “[u]nder well-established copyright law” Diebold could win an infringement suit, but that Diebold has decided anyway not to sue, given that it no longer has any realistic hope of suppressing distribution of the memos.

Diebold’s filing also contains this interesting sentence:

Diebold has informally encouraged the students to refrain from publishing passwords, source codes, information protected by employees’ privacy interests, and trade secret-type information, none of which is essential for purposes of criticism.

Some of these things certainly are essential for criticism. Diebold’s source code, for instance, is the most precise description of how their technology works, so it has obvious relevance to criticism of the technology’s security or reliability. Trade secret information includes facts about the failure history of the product, which are also highly relevant.

I’m not saying that it is always legal or ethical to publish companies’ source code or trade secrets, no matter what the circumstances. But in this case, some code and some trade secrets are essential for criticism, and Diebold’s assertion to the contrary doesn’t pass the laugh test.

[Link via Larry Lessig.]

Donna Wentworth at Copyfight points to the fine print in the recent e-voting edict from California Secretary of State Kevin Shelley, which says this:

Any electronic verification method must have open source code in order to be certified for use in a voting system in California.

Many computer scientists have argued that e-voting systems should be required to have open source code, because of the special circumstances surrounding voting. Is that what Mr. Shelley is requiring?

I’m not sure. His requirement applies to “electronic verification method[s]” and not explicitly to all e-voting systems. What exactly is an “electronic verification method”? Mr. Shelley’s directive uses this term in reference to the report of a previous task force on e-voting.

So what does the task force’s report say? Surprisingly, the report refers to “electronic verification” methods at several points, but I couldn’t find any specific mention of what those methods might be. This is particularly odd considering that the task force members included computer scientists (including David Dill and David Jefferson) who are more than qualified to understand and write about any “electronic verification” methods, even if only to summarize them or give examples.

It looks as if there might be a hidden layer to this story, but I can’t figure out what it could be. Can anybody help out?

[Correction (1:50 PM): corrected the spelling of Kevin Shelley’s last name.]

California Secretary of State Kevin Shelley will announce today that as of 2006, all e-voting machines in the state must provide a voter-verifiable paper trail, according to an L.A. Times story by Allison Hoffman and Tim Reiterman.

This is yet another sign that the push for sensible e-voting safeguards is gaining momentum.

[Link credit: Siva Vaidhyanathan at Sivacracy.net.]