The Mercury News
E-voting companies store software in national library,
but scientists remain concerned
October 26, 2004
SAN JOSE, Calif. - Addressing sharp criticism from computer scientists, the nation's largest voting machine companies are submitting millions of lines of code to the National Software Reference Library, potentially shedding light on the secret software used in elections.
But executives at the voting machine makers said Tuesday they would not submit their most valuable data - their proprietary source code. And they might not provide the library with copies of software patches, updates and upgrades.
Computer scientists said the conciliatory gesture wouldn't help ensure the integrity of next week's presidential election, ...
"This is a step in the right direction," said Doug Jones, associate professor at the University of Iowa Department of Computer Science. "I just wish these steps had been taken earlier. I say hooray, but it's a long-term benefit with some pretty glaring caveats."
Executives from the largest equipment makers in the United States - Election Systems & Software, Sequoia Voting Systems, Diebold Election Systems and Hart InterCivic - announced Tuesday that they had already submitted many versions of the software that will be used to tally votes next week. The library, run by the National Institute of Standards and Technology, also holds proprietary code from Microsoft, Oracle and other technology giants.
Executives acted at the request of the U.S. Election Assistance Commission, a 1-year-old federal agency created through the Help America Vote Act.
EAC Chairman DeForest Soaries Jr. acknowledged that the data was far from complete. But he said the companies' ongoing submissions could eventually make election software more transparent to computer scientists, who want "open source" voting software that can be independently inspected.
"There's an old saying that the journey of 1,000 miles begins with a step," Soaries said. "We don't see this as the end-all of electronic voting security."
Scientists were pessimistic, ... No technology on the market today allows an election official to check software code that's already been installed and used on an individual voting machine and compare it to the software code stored in the library, noted library director Barbara Guttman.
Avi Rubin, technical director of the Information Security Institute of Johns Hopkins University, called the program "meaningless."
Companies submit data to the library on CD-ROMs, but the public cannot view the actual code. Instead, library technicians run the data through a mathematical algorithm to produce a "hash" - the digital equivalent of a fingerprint.
Election supervisors can compare the hash on software they're about to install to the hash in the library. If the fingerprints don't match, they know the software is not the same one certified by an independent testing authority.
... The voluntary library project could make it easier for states to catch such problems - but only if supervisors check fingerprints, said Stanford University computer scientist David Dill.
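The fingerprint comparison described above, sketched as an added example that is not part of the original article or the library's own tooling. It assumes SHA-256 as the hash and a hypothetical manifest of the form {relative path: hex digest}; the file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk=1 << 16):
    """Stream a file through the hash so large images need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(directory):
    """Fingerprint every file under `directory`, keyed by relative path."""
    root = Path(directory)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_release(directory, reference):
    """Compare a directory with a manifest; any non-empty list means do not install."""
    found = manifest(directory)
    return {
        "mismatch": sorted(n for n in found if reference.get(n, found[n]).lower() != found[n]),
        "missing": sorted(set(reference) - set(found)),
        # Files the certified build never contained are as suspicious as changed ones.
        "unexpected": sorted(set(found) - set(reference)),
    }


def demo():
    """Constructed sample: a three-file 'certified' build, then a modified copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tally.exe").write_bytes(b"certified tally build")
        (root / "ballot.dll").write_bytes(b"certified ballot library")
        (root / "config.ini").write_bytes(b"precincts=12\n")
        reference = manifest(root)
        clean = verify_release(root, reference)
        # An uncertified patch: one file changed, one removed, one added.
        (root / "tally.exe").write_bytes(b"certified tally build + patch")
        (root / "config.ini").unlink()
        (root / "update.dll").write_bytes(b"not in the certified build")
        return clean, verify_release(root, reference)


if __name__ == "__main__":
    print(demo())
```

The check only covers the files about to be installed; as the article notes, it says nothing about what is already running on a machine.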
ON THE NET
National Software Reference Library: www.nsrl.nist.gov