Good state, bad state

Massachusetts decides to adopt open standards for its computer systems:

[State Administration and Finance Secretary Eric] Kriss said the state’s decision was driven by a desire to reduce licensing fees but also “by a philosophy that what the state has is a public good and should be open to all,” Kriss told The Associated Press. He characterized the decision as the “most visible concrete action by a state government” to move toward open standards.

Bravo, MA! (Link via slashdot.)

Meanwhile, Maryland decides that an easily exploitable electronic voting system that has no effective audit trail and can be remotely and untraceably manipulated by any teenager with a grudge and a copy of MS Access, is good enough for them, and lies about a report they commissioned:

Following an independent review and security analysis managed by SBE and Maryland’s Department of Budget and Management, SBE has deemed the Diebold AccuVote-Touch Screen Voting System acceptable. The announcement was made at a press conference today in Annapolis, Maryland.

This announcement directly refutes a report, “Analysis of an Electronic Voting System,” which had been issued in July 2003 by Johns Hopkins University and Rice University computer scientists, claiming that the Diebold voting equipment is vulnerable and susceptible to fraud. As stated in the September 23, 2003 State of Maryland Diebold AccuVote-TS Voting System Security Action Plan, issued by Linda H. Lamone, Administrator of the Maryland SBE, the Diebold AccuVote-TS system selected by the Board is fully and readily capable of meeting the security requirements with minor modifications, and with appropriate administrative and operations controls.

(My emphasis.) In fact, the report does anything but refute the Hopkins study.

In the course of this Risk Assessment, we reviewed the statements that were made by Aviel. D. Rubin, professor at Johns Hopkins University, in his report dated July 23, 2003. In general, SAIC made many of the same observations, when considering only the source code. While many of the statements made by Mr. Rubin were technically correct, it is clear that Mr. Rubin did not have a complete understanding of the State of Maryland’s implementation of the AccuVote-TS voting system, and the election process controls or environment. It must be noted that Mr. Rubin states this fact several times in his report and he further identifies the assumptions that he used to reach his conclusions. The State of Maryland procedural controls and general voting environment reduce or eliminate many of the vulnerabilities identified in the Rubin report. However, these controls, while sufficient to help mitigate the weaknesses identified in the July 23 report, do not, in many cases meet the standard of best practice or the State of Maryland Security Policy.

My emphasis again. Translation from consultant weasel words: Rubin is right, this system is fundamentally flawed. It is flawed at its core; lucky for you, Maryland, that so far you have had the good luck to follow procedures that have helped you to avoid exposure to some of these flaws. Note that the flaws are still there. And still will be, even after Maryland does all of the things SAIC has advised them to do. They can build all the walls they want, dig moats, fill them with alligators, starve the alligators and give them prosthetic electrified teeth; the castle will still be made of balsa wood and twine. Enjoy never knowing if your vote counts, Marylanders.

Why are these stories related, you ask? Because the only reason that there has been a Diebold inquiry is that researchers stumbled upon the voting machine source code on an unsecured ftp site. Without access to the code, no one would have known how insecure these machines are—at least, not until they were used to steal an election so brazenly that it was impossible to miss.

Again: without access to the code, we would not know how insecure these machines are. That’s why the Massachusetts initiative is so important. MA recognizes that transparent government is essential to the public good, and in the era of software, transparent government needs open standards and open source. You can’t have a civil society without a free press. You can’t have rule of law if citizens can’t know the law. And you can’t have democracy if they don’t know that their votes count.

Filed under: politics