TAKE ACTION

ACCESS TO VOTING SYSTEM INFORMATION 

Your input is needed on Board of Elections Proposed Rules to Access Voting System Materials

It is critical that the State Board makes changes to the proposed code and that we overwhelm them with comments.

Your input to the State Board of Elections is vital to allow the review and examination of the voting systems to secure our votes.

The deadline for comments is May 31. Comments can be submitted

Online: Rulemaking Public Comment Portal

Email: [email protected]

Mail: Attn: Rulemaking Coordinator, 6400 Mail Service Center, Raleigh NC 27603-1362

 

See info at the end of this email regarding a virtual public hearing at 10 a.m. on April 27 and other virtual meeting scheduled for April 6 and 7.

 

You may consider using the information below to submit your comments.  Please provide much needed guidance to the State Board of Elections.

 

The material below is organized with current law on the topic in red, links to the full proposed code are in blue, sections of the proposed Administrative Code that is being questioned are in italics. Comments on the proposed code are in bold.

 

G.S. 163-165.7(f) (9) Notwithstanding G.S. 132-1.2, procedures for the review and examination of any information placed in escrow by a vendor pursuant to G.S. 163-165.9A by only the following persons:

  1. State Board of Elections.
  2. Department of Information Technology.
  3. The State chairs of each political party recognized under G.S. 163-96.
  4. The purchasing county

 Each person listed in sub-subdivisions a. through d. of this subdivision may designate up to three persons as that person's agents to review and examine the information. …

 

Proposed 08 NCAC 04 .0308 AUTHORIZED ACCESS TO VOTING SYSTEM INFORMATION IN ESCROW

https://s3.amazonaws.com/dl.ncsbe.gov/Rulemaking/2022_04_01/08%20NCAC%2004%20.0308%20Authorized%20Access%20to%20Escrow%20Materials%20(published%20on%20NC%20Register%20040122).pdf

 

  1. Alternative 1  ____________________________________________________________________

  

COMMENT

I oppose the proposed Administrative Code changes since they limit what the General Statute already specifies. 

If there are to be any restrictions, they should come from the Legislature and be included in the General Statutes. 

 

  1. Alternative 2  ______________________________________________________________________
  2. Proposed 08 NCAC 04 .0308

(a) The State chairs of each political party recognized under G.S. 163-96 shall be granted no more than one request for review and examination of a certified version of a voting system every two years.

(b) Authorized Persons. Only authorized persons may review and examine the information placed in escrow by a voting system vendor. For the purpose of this Rule, "authorized person" means a person who: (1) Is an agent:

 (A) designated by majority vote in a public meeting by the State Board or a purchasing county's board of commissioners;

(B) designated in writing by the chair of a political party recognized under G.S. 163-96; or

(C) designated in writing by the Secretary of Department of Information Technology.

 

No more than three people may be designated by an authorized entity under G.S. 163-165.7(f)(9).

 

COMMENT-

Overall your proposed changes are more restrictive than the law and run contrary to the demands for more transparency in government.

  1. The law provided for 4 “persons” shown as (a), (b), (c) and (d) while the proposed Administrative Code appears to include only 3 shown as (A), (B) and (C). I suggest being consistent with the law and include 4 “persons”.
  2. The law allows for each “person” to designate up to 3 agents while the proposed Administrative Code only allows 1 request for review/examination every 2 years.  If there are up to 3 agents allowed, 1 review/examination should be allowed for each agent.  Review/examinations should be allowed annually.

 

  1. Proposed 08 NCAC 04 .0308

(4) (1) The information in escrow shall be made available by the vendor on up to three computers provided by the vendor (one for each potentially designated agent under G.S. 163-165.7(f)(9)) that are not connected to any network and are located within a secure facility designated by the State Board of Elections.

 

COMMENT- There should not be any restriction on which PCs or other equipment that can be examined.  Putting restrictions on this is the same as a “Risk Limiting Audit” which neither limits risk nor is an audit.

 

  1. Proposed 08 NCAC 04 .0308

(5) Any review performed pursuant to this Rule shall occur during regular business hours and shall last no longer than two work weeks.

 

COMMENT - If there can be up to 3 agents per “person”, there should be at least 3 weeks of review allowed.

 

 

  1. Proposed 08 NCAC 04 .0308

(b) Authorized Persons. Only authorized persons may review and examine the information placed in escrow by a voting system vendor.

(2) The computers must be air-gapped and shall not be connected to a network, and any feature allowing connection to a network shall be disabled.

 (E) … No authorized person may attempt to connect the computers used in the review to any network.

 (4) Authorized persons are permitted to perform manual source code review and use code analysis tools, as provided in Subparagraph (1) of this Paragraph, to analyze the source code. This source code review shall be performed using "read only" access and any authorized person shall not interact with or perform testing of the software components.

COMMENT

Regarding the definition of review and examine, a voting system cannot be reviewed and examined without opening the computer systems' enclosures for visual inspection by a qualified engineer, or without running it and without looking at its configuration settings (All of them), including the configuration of voting software and the Host Operating System on each and every server, workstation, laptop, tablet, removable storage device, remote computing or control device, networking and security device and computing peripheral devices that are part of the voting system or that connect to the voting system or that in any way protect or secure the voting system. Such inspection MUST allow detailed audit of ALL associated security configuration elements, including security policies and rules. Opening the door to a room and letting someone "glance" at a device is NOT a review and examination.