After my story about the ES&S memo posted yesterday I heard from someone in Florida who sent me a copy of a second ES&S letter, this one sent to David Drury, who oversees voting system certifications for the state's Division of Elections. ES&S sent the correspondence on December 15 as state officials and Florida State University's SAIT Lab were preparing to conduct two examinations to test voting systems used in Sarasota county last November and do a source code review of the software. The testing was done to try to determine the reason that some 18,000 ballots didn't have any vote cast in the 13th Congressional District race.
The letter is a detailed list stating what the testing reports should and should not say. In the letter, ES&S refers to its list as "guidelines," but the instructions are extensive -- running a page and a half -- and make some pretty strong demands. Among them, that the report should make (the quotes are ES&S's):
* No statements about possible "vulnerabilities"
* No statements about the "style" of the source code
* No statements commenting on the use of less desirable techniques, instructions, or constructs
* No statements regarding conformance to source code standards of any type or kind
* No statements regarding ES&S hardware or software engineering practices or design methods
* No statements regarding the use of preferred or non-preferred data structures, data types, data formats, databases, storage methods
* No statements rendering opinions on security techniques employed or not employed
* No statements discussing presence or absence of cryptography or other security methods and techniques
The part about security techniques appears several times.
Anyone following the e-voting issue will recall how researchers examining machines made by Diebold in 2003 discovered the company had used outdated and insecure encryption techniques and had hard-coded a password into the code. Someone might say that ES&S is simply concerned about the security of the machines if descriptions of the encryption used in its code are revealed. But the prohibitions against discussing desirable or undesirable constructs and "source code standards of any kind" give the impression that ES&S might be just as concerned that its programmers might be found to have overall bad coding practices.
The list goes on, with this statement at the end of it:
"The review is not a search for doubt, but rather needs to be a search for conclusive evidence of error or fraud. If no conclusive evidence is found then all other statements are not necessary."
The letter then says the testers should take for granted -- actually, the wording is a bit stronger and says that they must assume -- before they come to any conclusion about the machines that:
* All of the voting equipment and materials have been physically secured as they should be
* Physical chain of custody of the equipment and materials has never been compromised
* Only the best election administration practices and procedures have been employed with these systems
The source who sent me this noted that the Florida State University testers didn't completely adhere to this list of guidelines, since they did discuss possible scenarios and vulnerabilities in their report. They dismissed them all as causes of the undervotes, however. As I mentioned in my last post, a couple of computer scientists are examining the FSU and Florida state reports and are expected to publish a paper on their take on the reports.
You can read the 3-page letter here, here, and here.
UPDATE: David Wagner, part of the FSU team that examined the source code, spoke with me about the letter and said his team never saw it and that no one tried to influence what they could and could not write in their report. You'll find his comments to me here.
Fascinating. I'll have a post up soon about the extent to which the SAIT report comports to these guidelines. For one, they say,
"No statements discussing the use or manner in which system passwords are used, constructed or stored."
Then, if you look at the last page of the SAIT report, it says,
"Each of the other passwords mentioned above is fixed and hard-coded into the source code. They are the same for all iVotronic machines in the country, and likely to be known to every election official who manages elections on an iVotronic machine. They can never be changed, without changing the firmware on the iVotronic machine. This represents poor practice."
I'll have a post in an hour or so on my blog about the extent to which the report actually "obeys" any of this.
Posted by: joe | Mar 24, 2007 at 07:20 PM