Good News for New York

The Process is Working

New York State’s new voting systems are failing certification testing. The two systems undergoing testing for use in 2009 are showing large numbers of defects against New York requirements, have as yet unresolved design and manufacturing issues, and during the initial stages of my source code review I found a software back door that would allow a rogue program to load from an inserted memory card. What’s not to like?

Now, you may be thinking that these all sound like bad things. And of course, on one level they absolutely are. As I’ve written about in earlier posts, what gall vendors have, providing New York’s voters with such flawed equipment, sold at astronomical prices, which has apparently not undergone basic quality assurance testing before being shipped. So what’s the good news? The good news is that we’re identifying problems prior to use in an election - the machines are failing New York’s tests.

Unlike the situation in so many other states, where inadequately tested machines are approved by private companies working for system vendors with no independent review, New York State has changed the rules of the game. Here, we require rigorous testing to the highest standards. Here, we have independent review of not only the machine vendors, but of the vendor performing the testing. Here, we have a Citizens Advisory Committee which has access to the systems and provides advice and analysis to the State Board. Because of this, New York State will not use these machines until such time as they meet the standards required by law and regulation. In other words, the process is working.

There are three reasons why New York’s certification process is breaking new ground: high regulatory requirements, independent review of the machine and testing vendors, and independent review of the source code by citizens.

High Regulatory Requirements – New York requires compliance with the Federal Voluntary Voting System Guidelines (VVSG) of 2005. While far from perfect, using the 2005 guidelines as the standard is a far higher bar than the vendors have ever had to meet before. And as we are now seeing, they came ill prepared to meet it. Clearly they thought the process in the Empire State was going to be business as usual – throw any old iron over the wall, keep the testing and results secret, and ignore any problems found. They are now finding out that’s not the way it works here.

Independent Review of the Testing Process – New York is not simply accepting the results reported by SysTest, the vendor performing testing for the state. One of NYVV’s recommendations adopted by the state in 2006 was for an independent review of the certification process. The State Board contracted with NYSTEC (New York State Technology Enterprise Corporation), a private, not-for-profit technology company. To date, NYSTEC has analyzed, critiqued and improved test plans, has pushed for strict interpretation of VVSG requirements, and has not been shy about challenging the business-as-usual practices of the testing vendor. I have not agreed with every opinion that NYSTEC has issued, but all in all I think they are taking the role of independent review very seriously and performing it well. This review of SysTest’s performance for New York is vital, especially when the questionable practices of this testing vendor are now coming to light.

Independent Review of Source Code – As a member of New York’s Citizen Election Modernization Advisory Committee (CEMAC) I have access to all technical data provided to the State by the vendors, including the proprietary source code. As the only CEMAC member with a software development background, I’ve begun an independent review of the software source code provided to the state. Now, there is a caveat here – I am doing this review alone. In the few other states where source code reviews have been performed, entire teams of programmers have been appointed. And believe me, a team is what is really needed. A single person can’t possibly review all the source code of the two systems being tested here in the allotted time, so what I can accomplish will be limited. However, within 8 hours of beginning my code review I found two major problems, neither of which had been caught by SysTest, the vendor performing the ‘formal’ source code review! Because I’m under a non-disclosure agreement, I can’t reveal publicly more than has been disclosed in the August 4 State Board of Elections meeting [the discussion takes place from 14:50 to 18:07 on the recording] – that one of the problems I found is a software backdoor which under certain conditions would allow a rogue program to be loaded from a memory card while bypassing all internal security controls. I of course immediately report any problems I find to the State Board, SysTest, and NYSTEC, and I’ll insist that these, and any subsequent problems I find, be fixed.

Is New York’s process perfect? Of course not; there’s lots we could improve. But it’s still a far tougher regimen than any other state has attempted before, and the fact that we are identifying problems before the new systems are allowed to be used, and not after, is good news for New York.

2 Responses to “Good News for New York”

  1. Hi Bo! Thanks for all your amazing work! The “men-behind-the-curtain” have not gone away. The key to stopping them is bipartisan citizen activism and complete transparency. Best of Luck! Rick Schwab

  2. If it were not for the unselfish dedication of “Bo” most of us caring voting public would still be in caves trying to rub two sticks together.

    Well, maybe not that primitive, there would still be darkness though.
