CNET también está disponible en español.

Ir a español

Don't show this again

Hamilton on Disney Plus Lunar eclipse Prime Video Watch Party Comic-Con Funko Pops iOS 14 preview Cyberpunk 2077

North Carolina defends e-voting certifications

Watchdog groups say the state "illegally" certified systems built by two e-voting vendors.

It has been a turbulent week for electronic voting systems in North Carolina.

Watchdog groups say the state "illegally" certified systems built by two e-voting vendors just days after one admitted it couldn't meet stringent new laws about disclosing its source code. Meanwhile, a voting-systems manager defended the decision to award the contracts.

At the heart of the issue are new rules, issued by the state's board of elections in October, that require all e-voting vendors applying for contracts with the state to deposit "all software that is relevant to the functionality, setup, configuration and operation of the voting system" and the names of all programmers responsible for its creation with a third-party "escrow agent" approved by the state government.

The rules were aligned with actions taken this summer by the state legislature, which passed changes to election laws that set new standards for e-voting machines and decertified all the state's existing systems. Those changes came in response to glitches encountered by one of the state's counties during the 2004 presidential elections, resulting in the loss of more than 4,500 votes.

The premise isn't new: Federal election officials also have broached the idea of requiring vendors to make their source codes accessible to state election boards. The idea is that officials can compare the hash code--that is, a sort of fingerprint for a piece of software that changes when any line of code is altered--from escrow-deposited software with software they receive for their voting machines to verify that it has not undergone tampering.

But Diebold, an Ohio-based company that also makes automatic teller machines, filed a court complaint objecting to the requirements. It insisted that not all of its code could be turned over because some of it belonged to third parties, such as Microsoft, which would be loathe to disclose it and already store it in their own separate escrow accounts.

"We don't know how we'd provide source code for Windows CE or whatever third-party vendor it may be," David Bear, a spokesman for the company, said Friday, noting that the company already puts its proprietary code in an escrow account that can be made accessible to those who require it. "It's like buying a computer at Best Buy: You don't own Microsoft Word; you license the use of it."

On Monday, a judge in Raleigh, N.C., dismissed that complaint, saying Diebold and others could be subject to penalties for not complying with the new law. That's why the Electronic Frontier Foundation, which filed a brief encouraging the court not to give Diebold special treatment, found it baffling that a mere three days later, the State Board of Elections announced it would certify Diebold anyway.

"The Board of Elections is required to review all of this code for security purposes before they certify it," said Matt Zimmerman, an EFF attorney. "If by some miracle they've actually complied with the statute, sometime between Monday and Thursday they've reviewed millions of lines of code for security, accuracy and integrity purposes."

Keith Long, a North Carolina voting systems manager, insisted that there was "nothing tricky" going on. First of all, he said, the Board of Elections didn't need to review all of the code again on its own because it made use of reports by an independent testing authority authorized by the federal government to run tests on e-voting software.

And second, after polling the companies that had submitted bids and discovering that none of them could reasonably hand over third-party software code, the Board of Elections decided at the last minute that it would allow the companies to be certified as long as they provided the state with the outside escrow locations of all the codes. They have until Dec. 22 to do so.

"This is an extra step the board has decided to put in to strengthen the law that we have to work with," Long said.

Bear said uncertainties remained within the company, which operated machines in 20 North Carolina counties during the last election cycle: "It's sort of in an area where we've got this law that obviously everyone wants to live by, and the state wants to enforce, but it seems difficult or unenforceable as it stands right now."