Legalities of breathalyzer firmware source code vs. voting machines [Risks Digest 24.14]
FYI ...
--
Pete Klammer, P.E. / ACM(1970), IEEE, ICCP(CCP), NSPE(PE), NACSE(NSNE)
3200 Routt Street / Wheat Ridge, Colorado 80033-5452
(303)233-9485 / Fax:(303)274-6182 / Mailto:PKlammer@xxxxxxx
"Idealism doesn't win every contest; but that's not what I choose it for."
-----Original Message-----
From: RISKS List Owner
Sent: Wednesday, January 04, 2006 4:51 PM
Subject: [RISKS] Risks Digest 24.14
RISKS-LIST: Risks-Forum Digest Wednesday 4 January 2006 Volume 24 : Issue 14
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/24.14.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
[...]
------------------------------
Date: Thu, 29 Dec 2005 09:43:06 -0500 (EST)
From: tanner andrews <tanner@xxxxxxxxx>
Subject: Re: The drunks may save our election system (RISKS-24.14)
db-) [if drunk drivers can see code, why can't voters?]
** First, let me be clear that I am not a lawyer. This
** is a political opinion piece, not legal advice.

Distinguish the drunks, who are entitled by law to ``full information'',
State v. Muldowny and Pitts, 871 So.2d 911 (Fla. 5DCA 2004) (discussing
Fla. Stat. 316.1932(1)(f)(4)), from the voters who have no obvious similar
entitlement.

1. Muldowny and Pitts prevailed under a theory that they had
a right to discovery in their respective criminal cases.
The court agreed, criticizing the box as ``a mystical
machine'' in the absence of source: it simply inhaled
breath samples and spat out a report of guilt.

The burden in a criminal case is on the state to show that the machine was
certified. Because the firmware is an essential component of the machine
(perhaps the single most important, and easiest to change), they were
entitled to see the code and verify that it was as certified. Failing that,
of course, you can have a ``Wizard of Oz'' effect, where the man behind the
curtain presses a secret button and the machine says ``drunk''.

2. Voter cases are different. They obviously cannot rely on a discovery
theory as in _Muldowny_ because the ptfs would not be charged with any
crime. Standing can probably be had by having an affected voter file a
protest; a losing candidate would be the obvious ptf. However, the barrier
is that the ptf must have knowledge of actual fraud, and must swear to it.

This gives rise to a chicken-and-egg problem. How is the voter to know of
the fraud without inspecting the machine? And how is the voter to gain
access to inspect the machine, absent knowledge of fraud?

The _Muldowny_ defs attacked the certification of the machine, in part. The
statute required that the machine be certified, _Muldowny_ at 913
(discussing Fla. Stat. 316.1932(1)(a)), and material changes would require
new certification. The defs wanted to show that the machine as used was not
the same as was certified.

The voter ptf will have to show that the use of uncertified equipment
affected the outcome. Courts are reluctant to overturn elections.
Beckstrom v. Canvassing Board, 707 So.2d 720 (Fla. 1998) (gross negligence,
but no fraud, so affirming result preserving election); Boardman v. Esteva,
323 So.2d 259 (Fla. 1975).

Following _Beckstrom_, the ptf will have to show actual fraud in the
handling of the votes in order to prevail. This will be a higher hurdle
than it might appear. In _Beckstrom_, the supervisor of elections allowed
Vogel supporters to ``correct'' ballots that were incorrectly marked for
Beckstrom. This was held to be gross negligence but not fraud.

I would expect that a pre-load, as was demonstrated in Leon, might qualify
as actual fraud. A pre-load is where one sets the number of votes for one
candidate to +N and for the other to -N, such that the total is still zero.
The negative count rolls over, of course, during the course of the day.

3. An alternative theory is to attack under Fla. Stat. 119.07 (Public
Records law). Ballots are inspectable as public records, though the
conditions of inspection are onerous. It could be argued, though likely
without success, that the machines' guts are public records as well.

A public record is (1) a record (2) made or received (3) during the course
of official business. Adv. Op, David Wagner re: Legal Bills,
Fla. AGO-2000-7; Shevin v. Bryan, 379 So.2d 633, 640 (Fla. 1980).
Certainly the ballots qualify on all elements.

It seems likely that the machines are made or received during the course of
official business. But do they qualify as records?

The supervisor of elections never receives the source code, and I do not
believe that the Department of Elections does either. It is hard to see it
as a public record on that basis.

Could we at least see the machine code? I don't think this theory works,
either: if it did, we could all have a copy of Windows for the cost of
reproduction, assuming they use the same at City Hall.

If that theory works, how about embedded devices? Could we require the road
department to open up and let us dump the code out of computer-based
surveying equipment?

The essential quality of being ``a record'' is missing in these cases. The
machine code in the voting machine, or in the desktop computer, or in the
surveying equipment, is not a record: it is not the preservation and
transfer of knowledge. It is more analogous to the power steering arm of a
car: it is there to perform a function, not to convey knowledge; the
engineering knowledge embedded in it is there only for the purpose of
accomplishing the function.

Accordingly, I would not expect a Public Records attack to open up the
source for the machines.

4. The analysis changes if the device uses any GPL code. In such a case,
delivery of the device necessarily implies delivery of the object code, and
the licensing terms require that copies of the source be made available to
anyone to whom the object is given.

The Supervisor of elections would be entitled, under the GPL, to the source
code of a machine using GPL code in its deliverables.

An entity cannot defeat public records inquiry by reposing custody in a
third party. Times v. St Pete, 558 So.2d 487 (Fla. 1990). The interested
person may go to the Supervisor's office and require that a record of that
office be produced. Such an attack seems likely to prevail, though the
litigation may be expensive and time-consuming.

5. It seems unlikely that a voter could use _Muldowny_ to open up the code
to black box voting machines. Nor is a general public record challenge
likely to work, unless the machine uses GPL code.
------------------------------
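
The pre-load described in the message above, modelled as an added example (not part of the original post or of any voting machine's code): it shows that an opening check on the total alone passes while a per-counter check fails. The 16-bit unsigned counter width, the two-candidate card and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: two candidates, 16-bit unsigned counters (width not given on the page). */
#define NCAND 2
typedef struct { uint16_t count[NCAND]; } card_t;

/* Constructed sample: candidate 0 starts at +n, candidate 1 at -n (stored as 65536 - n). */
card_t sample_preloaded_card(unsigned n) {
    card_t c = { { (uint16_t)n, (uint16_t)(0u - n) } };
    return c;
}

/* Weak opening check: only the wrapped grand total is compared with zero. */
int total_is_zero(const card_t *c) {
    uint16_t sum = 0;
    for (int i = 0; i < NCAND; i++) sum = (uint16_t)(sum + c->count[i]);
    return sum == 0;
}

/* Strict opening check: every counter must be zero on its own. */
int all_counters_zero(const card_t *c) {
    for (int i = 0; i < NCAND; i++)
        if (c->count[i] != 0) return 0;
    return 1;
}

/* Record n ballots for one candidate; the counter wraps at 65536. */
void cast(card_t *c, int cand, unsigned n) {
    c->count[cand] = (uint16_t)(c->count[cand] + n);
}

/* Closing check: do the counters add up to the number of voters signed in? */
int reconciles(const card_t *c, unsigned ballots) {
    uint32_t sum = 0;
    for (int i = 0; i < NCAND; i++) sum += c->count[i];
    return sum == ballots;
}

int main(void) {
    card_t c = sample_preloaded_card(100);
    printf("total==0: %d, all zero: %d\n", total_is_zero(&c), all_counters_zero(&c));
    cast(&c, 0, 300);   /* ballots actually cast: 300 for candidate 0 ... */
    cast(&c, 1, 500);   /* ... and 500 for candidate 1 */
    printf("reported %u to %u, reconciles: %d\n",
           (unsigned)c.count[0], (unsigned)c.count[1], reconciles(&c, 800));
    return 0;
}
```

Once the negative counter has rolled over, the closing reconciliation against the sign-in count also passes, so in this model only the per-counter check before the polls open flags the card. If the second candidate receives fewer than N votes the counter never wraps and the closing total no longer matches the ballots cast.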