PROPOSED CALIFORNIA ELECTION CODE CHANGES
1/24/2008
NEW SYSTEMS – APPROVAL, SECURITY
Questions:
Jerry Berkman, (510)547-0985, jerry@berkeley.edu
Michelle Gabriel, (510)444-4370, mwg@jmbaai.com
Jim Soper, (510)285-4857, somethoughts@aol.com
Summary:
19103 – refine specifications for voting systems escrow
19202 – add security, suitability, auditability to listed criteria
19205 – add security, suitability, logs, and auditability to listed criteria
19205.5 – restrictions on vendor activities, loosen vendor restrictions on election jurisdictions
19206 – standardize fees for certification testing
19207.5 – vendor CEO must ensure escrow corresponds to running system; penalty is felony (like North Carolina)
19214.5 – publish certification results on web
19215 – minor wording change
19251 – update name of testing/certification organization
Current Elections Code:
19103. (a) An exact copy of the source code for all ballot tally
software programs certified by the Secretary of State, including all
changes or modifications and new or amended versions, shall be placed
in an approved escrow facility prior to its use. No voting system
may be used for an election unless an exact copy of the ballot tally
software program source codes is placed in escrow.
(b) The Secretary of State shall adopt regulations relating to the
following:
(1) The definition of source codes for ballot tally software.
(2) Specifications for the escrow facility, including security and
environmental specifications necessary for the preservation of the
ballot tally software program source codes.
(3) Procedures for submitting ballot tally software program source
codes.
(4) Criteria for access to ballot tally software program source
codes.
(c) The Secretary of State shall have reasonable access to the
materials placed in escrow, under the following circumstances:
(1) In the course of an investigation or prosecution regarding
vote counting equipment or procedures.
(2) Upon a finding by the Secretary of State that an escrow
facility or escrow company is unable or unwilling to maintain
materials in escrow in compliance with this section.
(3) In order to fulfill the provisions of this chapter related to
the approval of voting systems.
(4) In order to verify that the software on a voting system,
voting machine, or vote tabulating device is identical to the
approved version.
(5) For any other purpose deemed necessary to fulfill the
provisions of this code or Section 12172.5 of the Government Code.
(d) The Secretary of State may seek injunctive relief requiring
the elections officials, or any vendor or manufacturer of a voting
machine, voting system, or vote tabulating device, to comply with
this section and related regulations. Venue for a proceeding under
this section shall be exclusively in Sacramento County.
(e) This section applies to all elections.
Proposed revisions:
19103.
(a) An exact copy of the source code for all ballot tally
software programs software used in voting systems and
voting machines certified by the Secretary of State, including
all changes or modifications and new or amended versions, shall be
placed in an approved escrow facility prior to its use. No voting
system may be used for an election unless an exact copy of the ballot
tally software programs source codes is placed in
escrow. The binaries and executables built from the source code,
all build scripts, and all tables needed to run the system, shall be
put in the escrow along with the source code prior to the use of the
system. Source for programs, which satisfy all the following
conditions, does not have to be escrowed:
(1) The program was
obtained from a vendor not related to the voting system vendor as a
binary or executable module.
(2) The voting system vendor does
not have access to the source.
(3) The program has not been
modified or customized in any way by the voting system vendor or the
supplying vendor or any other party.
(4) At the time of the
certification application, the program is readily available for
purchase and widely and primarily used for purposes other than
elections.
(b) The Secretary of State shall adopt regulations
relating to the following:
(1) The definition of source
codes for ballot tally software. Specifications of what
must be deposited in the escrow.
(2) Specifications for the
escrow facility, including security and environmental specifications
necessary for the preservation of the ballot tally software
program source codes.materials in escrow.
(3)
Procedures for submitting ballot tally software program
source codes.materials to the escrow.
(4)
Criteria for access to ballot tally software program source
codes.the materials in the escrow.
(c) The
Secretary of State shall have reasonable access to the materials
placed in escrow, under the following circumstances:
(1) In the
course of an investigation or prosecution regarding vote counting
equipment or procedures.
(2) Upon a finding by the Secretary of
State that an escrow facility or escrow company is unable or
unwilling to maintain materials in escrow in compliance with this
section.
(3) In order to fulfill the provisions of this chapter
related to the approval of voting systems.
(4) In order to verify
that the software on a voting system, voting machine, or
vote-tabulating device is identical to the approved version.
(5)
For any other purpose deemed necessary to fulfill the provisions of
this code or Section 12172.5 of the Government Code.
(d) The
Secretary of State shall make available the materials in the escrow,
except source code, to elections officials to allow them to check the
software on a voting system is same as that in the escrow.
(d)(e) The Secretary of State may seek
injunctive relief requiring the elections officials, or any vendor or
manufacturer of a voting machine, voting system, or vote-tabulating
device, to comply with this section and related regulations. Venue
for a proceeding under this section shall be exclusively in
Sacramento County. (e)(f) This section
applies to all elections.
SECTION 19202
Current Elections Code:
19202. Any person or corporation owning or being interested in any
voting system or part of a voting system may apply to the Secretary
of State to examine it and report on its accuracy and efficiency to
fulfill its purpose. The Secretary of State shall complete his or
her examination without undue delay.
Proposed Revision:
19202. Any person or corporation owning or being interested in any voting system or part of a voting system may apply to the Secretary of State to examine it and report on its accuracy, security, suitability, auditability, and efficiency to fulfill its purpose. The Secretary of State shall complete his or her examination without undue delay.
SECTION 19205
Current Elections Code:
19205. The Secretary of State shall establish the specifications
for and the regulations governing voting machines, voting devices,
vote tabulating devices, and any software used for each, including
the programs and procedures for vote tabulating and testing. The
criteria for establishing the specifications and regulations shall
include, but not be limited to, the following:
(a) The machine or device and its software shall be suitable for
the purpose for which it is intended.
(b) The system shall preserve the secrecy of the ballot.
(c) The system shall be safe from fraud or manipulation.
Proposed Revision:
19205.
The Secretary of State shall establish the specifications for and the
regulations governing voting machines, voting devices, vote
tabulating devices, and any software used for each, including the
programs and procedures for vote tabulating and testing. The criteria
for establishing the specifications and regulations shall include,
but not be limited to, the following:
(a) The machine or device
and its software shall be suitable for the purpose for which it is
intended.
(b) The system shall preserve voter privacy and the
secrecy of the ballot.
(c) The system shall be safe from fraud or
manipulation.
(d) The system shall be accurate.
(e) The
system shall be secure.
(f) The system shall create suitable logs
and be auditable.
SECTION 19205.5 (new section)
Proposed New Section:
19205.5 The vendor shall agree in writing prior to any certification decision that:
(a) The vendor will perform diagnostics in California for all problems with the voting system. If any parts are sent out of California or if the system is accessed from outside California, first all local data shall be erased. However erasure shall be performed only after election certification and subject to any other legal requirements.
(b) All employees of the vendor who operate, patch, log in to, modify, configure, or in any other way interact with the election system or part of the election system after logic and accuracy testing is completed and before both final certification of the election and all recounts, contests, and court cases are resolved shall satisfy the requirements for poll workers in that county, shall sign an oath, and may interact with the machines and system only at the expressed direction of the elections official, and that these interactions will be logged and that this log will be available for public inspection at the elections official's office and on the elections official's web within three days of the interactions.
(c) Any vendor employee who interacts with the system as described in Subsection (b) of this Section shall sign a declaration that he or she has not, is not, and will not do anything, which may effect the integrity of the election and results. The declaration shall be signed before the elections official or a designated member of the elections official’s permanent staff. The declaration of the vendor staff member shall be in substantially the following form:
State of California
County of _________.
I do hereby solemnly declare that I will support the
Constitution of the United States and the Constitution of the
State of California, and that I have not and will not do
anything which could effect the integrity of the election or the
results and will not be in violation of the directions of the
elections official of this County for the election to be
held on ____, 20__. _______________________________________
Signed: ______________________________
(Signature)
Signed in the presence of ______________________________
on ________________, 20__.
(d) Use and distribution of files containing data for an election in California may be restricted only by the discretion of the elections official and state and local laws and shall not be restricted due to trade secret or proprietary claims of vendor. Examples include, but are not limited to, files containing vote totals, files containing ballot images, ballot definition files, etc. The vendor shall provide the state, county, and public with the format of data in these files. The elections official is free to run programs using these files as input, subject only to state and local law. It is vendor’s responsibility to make sure that no proprietary or trade secrets data or source is mixed with election data in files.
(e) Vendor agrees any county using vendors voting system can do any testing they want, including allowing others to test the system without violating any warranty or license.
SECTION 19206
Current Elections Code:
19206. For the purpose of assistance in examining a voting system
the Secretary of State may employ not more than three expert
electronic technicians at a cost to be set by the Secretary of State.
The compensation of the electronic technicians shall be paid by the
person or corporation submitting the machine or device.
The Secretary of State may require the person or corporation
submitting the machine or device to deposit sufficient funds to
guarantee the payment of the examination charges. The Secretary of
State may deposit the funds in an appropriate treasury trust account
and, within 30 days after his or her report of examination, draw a
refund check to the credit of the person or corporation for any
amount in excess of costs.
Proposed Revision:
19206. For the purpose of assistance in examining a voting system the Secretary of State may employ not more than three expert electronic technicians at a cost to be set by the Secretary of State.
The
compensation of the electronic technicians shall be paid by the
person or corporation submitting the machine or device.
The Secretary of State may
require the person or corporation submitting the machine or device to
deposit sufficient funds to guarantee the payment of the examination
charges. The Secretary of State may deposit the funds in an
appropriate treasury trust account and, within 30 days after his or
her report of examination, draw a refund check to the credit of the
person or corporation for any amount in excess of costs.
The Secretary of State shall set a fee for applying for certification of a voting system. This fee shall on average cover the costs of examining a voting system and processing an application. The Secretary of State may adjust the fee once each fiscal year. The applicant shall pay the fee to the Secretary of State. If the application is rejected and the applicant reapplies, the applicant shall pay the fee again.
SECTION 19207.5 (new section)
Proposed New Section:
19207.5. (a) The chief executive officer of the vendor shall sign a sworn affidavit that the source code and other material in escrow is the same being used in its voting systems in this State. The chief executive officer shall ensure that the statement is true on a continuing basis.
(b) The vendor shall promptly notify the State Board of Elections and the county board of elections of any county using its voting system of any decertification of the same system in any state, of any defect in the same system known to have occurred anywhere, and of any relevant defect known to have occurred in similar systems.
(c) Penalties. Willful violation of any of the duties in subsection (a) of this section is a felony. Substitution of code or binaries into an operating voting system without notification as provided by subdivision (b) of this section is a felony.
SECTION 19214.5
Current Elections Code:
19214.5. (a) The Secretary of State may seek all of the following
relief for an unauthorized change in hardware, software, or firmware
to any voting system certified or conditionally certified in
California:
(1) Monetary damages from the offending party or parties, not to
exceed ten thousand dollars ($10,000) per violation. For purposes of
this subdivision, each voting machine found to contain the
unauthorized hardware, software, or firmware shall be considered a
separate violation. Damages imposed pursuant to this subdivision
shall be apportioned 50 percent to the county in which the violation
occurred, if applicable, and 50 percent to the Office of the
Secretary of State for purposes of bolstering voting systems security
efforts.
(2) Immediate commencement of decertification proceedings for the
voting system in question.
(3) Prohibiting the manufacturer or vendor of a voting system from
doing any elections-related business in the state for one, two, or
three years.
(4) Refund of all moneys paid by a locality for a compromised
voting system, whether or not the voting system has been used in an
election.
(5) Any other remedial actions authorized by law to prevent unjust
enrichment of the offending party.
(b) Prior to seeking any measure of relief under this section, the
Secretary of State shall hold a public hearing. The Secretary of
State shall give notice of the hearing in the manner prescribed by
Section 6064 of the Government Code in a newspaper of general
circulation published in Sacramento County. The Secretary of State
also shall transmit written notice of the hearing, at least 30 days
prior to the hearing, to each county elections official, the
offending party or parties, any person that the Secretary of State
believes will be interested in the hearing, and any person who
requests, in writing, notice of the hearing.
(c) The decision of the Secretary of State, to seek any relief
under this section, shall be in writing and state the findings of the
secretary. The decision shall be open to public inspection.
Proposed Revision:
19214.5. (a) The Secretary of State may seek all of the following
relief for an unauthorized change in hardware, software, or firmware
to any voting system certified or conditionally certified in
California:
(1) Monetary damages from the offending party or parties, not to
exceed ten thousand dollars ($10,000) per violation. For purposes of
this subdivision, each voting machine found to contain the
unauthorized hardware, software, or firmware shall be considered a
separate violation. Damages imposed pursuant to this subdivision
shall be apportioned 50 percent to the county in which the violation
occurred, if applicable, and 50 percent to the Office of the
Secretary of State for purposes of bolstering voting systems security
efforts.
(2) Immediate commencement of decertification proceedings for the
voting system in question.
(3) Prohibiting the manufacturer or vendor of a voting system from
doing any elections-related business in the state for one, two, or
three years.
(4) Refund of all moneys paid by a locality for a compromised
voting system, whether or not the voting system has been used in an
election.
(5) Any other remedial actions authorized by law to prevent unjust
enrichment of the offending party.
(b) Prior to seeking any measure of relief under this section, the Secretary of State shall hold a public hearing. The Secretary of State shall give notice of the hearing in the manner prescribed by Section 6064 of the Government Code in a newspaper of general circulation published in Sacramento County and publish notice of the hearing electronically as described in Section 18. The Secretary of State also shall transmit written notice of the hearing, at least 30 days prior to the hearing, to each county elections official, the offending party or parties, any person that the Secretary of State believes will be interested in the hearing, and any person who requests, in writing, notice of the hearing.
(c) The decision of the Secretary of State, to seek any relief under this section, shall be in writing and state the findings of the secretary. The decision shall be open to public inspection. The decision shall be published on the Web in accordance.
SECTION 19215.
Current Elections Code:
19215. (a) The Secretary of State may seek injunctive relief
requiring an elections official, or any vendor or manufacturer of a
voting machine, voting system, or vote tabulating device, to comply
with the requirements of this code, the regulations of the Secretary
of State, and the specifications for voting machines, voting devices,
vote tabulating devices, and any software used for each, including
the programs and procedures for vote tabulating and testing.
(b) Venue for a proceeding under this section shall be exclusively
in Sacramento County.
Proposed Revision:
19215. (a) The Secretary of State may seek injunctive relief requiring an elections official, or any vendor or manufacturer of a voting machine, voting system, or vote tabulating device, to comply with the requirements of this code, the regulations of the Secretary of State, and the specifications for voting machines, voting devices, vote tabulating devices, and any software used for each, including, but not limited to, the programs and procedures for vote tabulating and testing.
(b) Venue for a proceeding under this section shall be exclusively in Sacramento County.
SECTION 19251
Current Elections Code:
19251. For purposes of this article, the following terms shall have
the following meanings:
(a) "Accessible" means that the information provided on the paper
record copy from the voter verified paper audit trail mechanism is
provided or conveyed to voters via both a visual and a nonvisual
method, such as through an audio component.
(b) "Direct recording electronic voting system" means a voting
system that records a vote electronically and does not require or
permit the voter to record his or her vote directly onto a tangible
ballot.
(c) "Voter verified paper audit trail" means a component of a
direct recording electronic voting system that prints a
contemporaneous paper record copy of each electronic ballot and
allows each voter to confirm his or her selections before the voter
casts his or her ballot.
(d) "Federal qualification" means the system has been certified,
if applicable, by means of qualification testing by a Nationally
Recognized Test Laboratory and has met or exceeded the minimum
requirements set forth in the Performance and Text Standards for
Punch Card, Mark Sense, and Direct Recording Electronic Voting
Systems, or in any successor voluntary standard document, developed
and promulgated by the Federal Election Commission, the Election
Assistance Commission, or the National Institute of Standards and
Technology.
(e) "Paper record copy" means an auditable document printed by a
voter verified paper audit trail component that corresponds to the
voter's electronic vote and lists the contests on the ballot and the
voter's selections for those contests. A paper record copy is not a
ballot.
(f) "Parallel monitoring" means the testing of a randomly selected
sampling of voting equipment on election day designed to simulate
actual election conditions to confirm that the system is registering
votes accurately.
Proposed Revision:
19251. For purposes of this article, the following terms shall have
the following meanings:
(a) "Accessible" means that the information provided on the paper
record copy from the voter verified paper audit trail mechanism is
provided or conveyed to voters via both a visual and a nonvisual
method, such as through an audio component.
(b) "Direct recording electronic voting system" means a voting
system that records a vote electronically and does not require or
permit the voter to record his or her vote directly onto a tangible
ballot.
(c) "Voter verified paper audit trail" means a component of a
direct recording electronic voting system that prints a
contemporaneous paper record copy of each electronic ballot and
allows each voter to confirm his or her selections before the voter
casts his or her ballot.
(d)
"Federal qualification" means the system has been
certified, if applicable, by means of qualification testing by a
Nationally Recognized Test Laboratory and has met or exceeded the
minimum requirements set forth in the Performance and Text
Standards for Punch Card, Mark Sense, and Direct Recording Electronic
Voting Systems most
recent effective Voluntary Voting Systems Guidelines, or in any successor voluntary standard document, developed and promulgated by the Federal Election Commission, the Election Assistance Commission, or the National Institute of Standards and Technology.
(e) "Paper record copy" means an auditable document printed by a
voter verified paper audit trail component that corresponds to the
voter's electronic vote and lists the contests on the ballot and the
voter's selections for those contests. A paper record copy is not a
ballot.
(f) "Parallel monitoring" means the testing of a randomly selected
sampling of voting equipment on election day designed to simulate
actual election conditions to confirm that the system is registering
votes accurately.