North Carolina’s recent decision to certify new voting systems for use next year did not follow state law, according to a letter that a group of experts on election security and administration sent to the N.C. Board of Elections late Wednesday night.
North Carolina has been in the process of reviewing new voting systems for certification for over two years. The system that is currently in use across the state was certified in 2005.
The law requires a security review of the source code of all voting systems before they are certified for use in the state.
The letter states that there is no indication that the state, either through its own contractors or through required federal testing, reviewed the source code for the computers in the voting systems it recently certified.
The experts in question, including Duncan Buell, a professor of computer science at the University of South Carolina, reviewed testing documentation from the state and from the federal government.
“You read all of that, and it’s clear,” Buell said. “There was no source code review conducted. That would certainly seem to suggest that things are not in accordance with North Carolina law.”
The law details an extensive list of components to be reviewed, including “application vulnerability, application code, wireless security, security policy and processes … security organization and governance, and operational effectiveness.”
Some of these things could be covered by the federal review, according to an expert with the federal Election Assistance Commission, but without clarification on the testing requirements, it’s not clear if they are. The state board does not clarify these testing requirements in its voting system certification manual.
Even so, the law requires the state or an independent expert of its designation to do a review of “all source code made available by the vendor.”
The federal certification process reviews a minimum of 1 percent of source code, a rate that Buell said was not adequate for anything expected of a full source code review as has been conducted in other states.
“At the heart, it should not be the case that the testing and certification is just a whitewash that nobody cares about,” Buell said.
The purpose of the review is to ensure the security and accuracy of the technology used to count votes.
“These are not hypothetical concerns,” said Lowell Finley, former head of California’s voting systems technology and policy. “These are security concerns that have been borne out when the security testing has actually been done.”
Finley, who worked for the California secretary of state’s office as chief counsel and as deputy secretary of state for more than seven years, oversaw that state’s first major review of voting system source code in 2007. As a result of that review – looking at systems that had passed federal certification – California withdrew approval for most of the systems that were in place and created strict new rules for those that were left. That same federal certification standard is still used for voting machines approved today.
“Voting systems are complex computerized systems,” Finley said.
“They are vulnerable to attack and are where there’s a strong motivation to attack. It’s extremely important that fundamental review of the security of these systems is done and to truly understand whether a computerized system is secure or not, it requires examining the source code that runs the software in that system.”
North Carolina’s law requiring the code review was ahead of its time when it was passed in 2005, the letter states. But since the state has not bought new voting equipment yet, the legal requirements remain untested.
Delay in documentation
State Board of Elections member Stella Anderson put forward a motion last week asking for documentation of the source code review. She had heard of this problem from North Carolina voters and election integrity advocates Lynn Bernstein and Marilyn Marks.
The state Board of Elections is working to respond to Anderson’s motion “as soon as possible,” according to an email from NCSBE press secretary Pat Gannon.
According to Anderson, NCSBE staff is striving to provide that information by Oct. 1, when the board is next scheduled to meet.
That, according to Marks, is “way too long to wait.”
The state has very little time to put the new systems it certified on Aug. 23 into place before the 2020 elections.
In order for counties to buy the new equipment, each county’s board of elections needs to attend a demonstration of the voting systems, recommend one to their county commissioners for purchase, test that system in the October or November elections, then purchase and deploy them by the March 2020 primaries.
Counties are moving quickly to enter into multimillion-dollar contracts to purchase this equipment.
“What the state board is doing is irresponsible in letting these counties proceed as if they are going to go to contract and not letting them know that there is a serious black cloud over the certification,” Marks said.
Possibility of litigation
Marks, who is the executive director of the nonprofit election integrity watchdog Coalition for Good Governance, has sued other states over election law violations. Marks hopes the state Board of Elections will solve this problem without the need for litigation from organizations like her own.
“This is way too important to take a passive position on,” Marks said.
“But once you put things in the court system, it slows everything down. The board will not be in an easier place to make the prompt decisions they need to. Everything becomes much more formalistic. It becomes much harder to get the right things done quickly.”
Backup plan for 2020
If there is further delay in the rollout of the new systems, which is not certain, it could mean that North Carolina counties would be forced to run 2020 elections on equipment that has been in use in the county since 2005.
There is a short-term plan for that eventuality, according to Anderson. While most counties could simply keep the systems they have now, about a third of North Carolina counties – covering 2.4 million voters – use voting machines that will be taken out of circulation as of Dec. 1, 2019.
Those counties would be forced to go to all hand-marked paper ballots that are counted using scanners, just like the ones the rest of the state currently uses.
“We could certainly, as a state, get through the 2020 elections with the same kind of equipment in these 23 counties as is used in all these other counties,” Anderson said.
That solution could require the purchase or short-term leasing of voting machines.
The review of the source code in question is more than a technical matter, according to Buell. It also addresses public trust in the election.
“If there is a source code review and all these issues are dealt with, that increases voter trust,” Buell said. “If people hide behind weasel wording to avoid doing a source code review, I think people will wonder why.”
You can strengthen independent, in-depth and investigative news for all of North Carolina
Carolina Public Press is transforming from a regionally focused nonprofit news organization to the go-to independent, in-depth and investigative news arm for North Carolina. You are critical to this transformation — and the future of investigative and public interest reporting for all North Carolinians.
Unlike many others, we aren’t owned by umbrella organizations or corporations. And we haven’t put up a paywall — we believe that fact-based, context-rich watchdog journalism is a vital public service. But we need your help. Carolina Public Press’ in-depth, investigative and public interest journalism takes a lot of money, persistence and hard work to produce. We are here because we believe in and are dedicated to the future of North Carolina.
So, if you value independent, in-depth and investigative reporting in the public interest for North Carolina, please take a moment to make a tax-deductible contribution. It only takes a minute and makes a huge difference. Thank you!