Search

Election commission orders top voting machine vendor to correct misleading claims - POLITICO

abaikans.blogspot.com

The federal Election Assistance Commission has rebuked the nation’s top voting-machine maker over marketing materials that the panel says deceptively implied the company’s voting machines are EAC-certified.

The commission admonished Election Systems & Software over promotional literature and statements on its website that appear to assert, falsely, that voting machines the company sells with embedded modems have been sanctioned by the EAC under its testing and certification program. The statements put ES&S in violation of the EAC’s testing and certification rules, the commission wrote in a previously unreported March 20 letter to the company that POLITICO obtained, and directed ES&S to revise the literature and notify customers that the systems are not certified.

POLITICO reported earlier this year that the EAC was looking into the matter but hadn’t yet determined whether ES&S had violated its rules.

Some state laws require voting machines used in their jurisdictions to be certified by the EAC. That means that if jurisdictions in those states are using the noncertified systems, it could potentially put election officials in violation of their state law.

“The action by the EAC is welcome, but it’s not enough, vendors need to be held accountable for their deceptions and it’s time for Congress to exercise oversight of this industry to protect our democracy,” said Susan Greenhalgh, senior adviser on election security for Free Speech for People, an election integrity group that brought the issue to the EAC’s attention.

The EAC did not respond to a request for comment.

What the dispute is about: The issue involves ES&S’ DS200 precinct-based optical-scan machines, which come in two versions — one of which has an optional modem for transmitting results after an election.

The EAC certified the DS200 version without modem capability in 2009, but it has never certified the modem capability that comes with the second version, although the remaining components in that system are certified. In 2011, ES&S submitted a DS200 system with modem and network capability to the EAC for testing and certification, but after the testing lab created a protocol for evaluating this capability, ES&S withdrew those parts of the system from the testing plan; the remainder of the system was tested and certified without them in 2013.

ES&S markets the DS200 as an EAC-certified system, and in literature for the system it offers the modem capability as an optional feature — without indicating that the EAC has not certified this feature. Any component that is not EAC-certified and is added to an EAC-certified system effectively voids the certification of that system.

Under the EAC’s testing and certification rules, manufacturers can label a system EAC-certified only if the whole system is certified. “The certification of individual components or modifications shall not be independently represented by a Mark of Certification,” the EAC’s certification manual says. The rules also require that a company’s user manuals “warn purchasers that any changes or modifications to the system not tested and certified by the EAC will void the EAC certification of the voting system.”

How this came to light: Lawyers for Free Speech for People and another election integrity group — the National Election Defense Coalition — sent a letter to the EAC in January pointing out misrepresentations in the ES&S literature, as POLITICO reported at the time. POLITICO subsequently reported that the commission had opened a probe into the complaints, and that ES&S had updated one of its advertising brochures to remove references to the modem.

In one example the groups cited, marketing literature for the DS200 with an optional add-on modem is stamped with an “EAC certified” logo. And a diagram the company gave Rhode Island election officials in 2015 shows a DS200 system with an embedded modem among components marked as EAC-certified.

A different ES&S document submitted to Rhode Island states that the “modem transmission of results” is not EAC-certified, nor is the back-end server that receives the transmitted results. But the diagram suggests that the DS200 with modem is certified, while the cellular network the votes traverse after they leave the machine and the server receiving them are not certified.

What the commission found: The EAC agreed with the two election integrity groups and sent ES&S a letter in January indicating it was violating the EAC testing and certification program rules.

ES&S responded that it never meant to imply that the modem capability was certified, and said that regardless of what appears in the literature it always makes clear to states that the modem configuration is not EAC-approved. Nonetheless, the company agreed to remove all references to optional modems from its marketing documents.

But in a followup letter from the EAC on March 20, the commission indicated this was an insufficient remedy. It instructed the company to recall all misleading marketing materials already in circulation and to directly notify current and potential customers who received the “misrepresented information” that it had been inaccurate. It gave the company 15 days to do this.

“Failure to comply will result in the EAC publicly announcing that the voting system no longer complies with its original certification, and could include initiating decertification actions and/or suspension of manufacturer registration,” wrote Jerome Lovato, director of the EAC’s testing and certification program.

ES&S agreed to send a letter only to customers who use the DS200 with modems, informing them that the version is not EAC-certified, and to post a note to its customer portal advising the same. It indicated that the coronavirus could delay these efforts, though it would make “commercially reasonable efforts” to do this by April 15.

ES&S told POLITICO it sent a letter via email the first week of April to “all applicable modem customers (89 in total),” and posted a notice on its customer portal.

When asked, ES&S did not identify those 89 customers, saying it could not release specific information about customers without their permission. A spokesperson for the Wisconsin Election Commission, whose state is known to use DS200 machines with modems, told POLITICO it did receive the letter from ES&S in early April. Other jurisdictions known to have purchased DS200 systems with modems and contacted by POLITICO did not respond to inquiries.

Key background: This isn’t the first time ES&S has faced accusations of making fabricated or misleading assertions about its voting machines. In 2018, the company denied to The New York Times that it had ever installed remote-access software on any of its election management systems. But after being pressed by Sen. Ron Wyden (D-Ore.) about the matter, the company admitted it had installed the software on systems in at least 300 election jurisdictions. (The company has refused to identify which jurisdictions had the software.)

Election-management systems are critical components that are used to tally official results and in some cases program voting machines before each election. Remote-access software, which ES&S was using to access those systems over the internet or via modem for troubleshooting, exposed those systems to potential hacking by intruders.

Similarly, the company has long insisted, along with its election customers, that none of its voting systems ever connect to the internet. But researchers found what they believed to be more than three dozen ES&S systems connected to the internet, in a story published last year. Company diagrams showing the configuration of modem-enabled DS200 systems clearly depict the modems transmitting election results over the internet to ES&S election-management systems that also are connected to the internet.

Although ES&S has said the modems are secured and would prevent anyone from using them to hack the voting machines, the modem configurations have never undergone a security assessment by an EAC-approved lab to measure those claims.

ES&S told POLITICO it did obtain a security assessment this year from a Canadian-based security firm called Bulletproof Solutions. An ES&S spokesperson said the firm performed a penetration test of the DS200’s communication methods for transmitting election results — a penetration test involves attempts to hack or penetrate a system — and said that Bulletproof was “unable to penetrate any of the systems.”

An assessment done by a third-party company, however, is not transparent in the way that assessments done by EAC labs are. The labs follow a published protocol, and their reports are submitted to the EAC. ES&S declined to provide POLITICO with a copy of Bulletproof’s security report, saying it’s still in draft form and not ready for public release. The company spokesperson said they would have to look into why the company previously withdrew the modem transmission configuration from EAC testing and certification done on the DS200 in 2013.

What’s next: ES&S will play a major role in the November election. The company has previously said that more than 33,000 DS200 optical scan machines with modems are in use in 11 states and the District of Columbia but has never identified which jurisdictions this includes beyond D.C.

Let's block ads! (Why?)



"correct" - Google News
August 14, 2020 at 04:00AM
https://ift.tt/341wxhN

Election commission orders top voting machine vendor to correct misleading claims - POLITICO
"correct" - Google News
https://ift.tt/3d10rUK
https://ift.tt/35qAk7d

Bagikan Berita Ini

0 Response to "Election commission orders top voting machine vendor to correct misleading claims - POLITICO"

Post a Comment

Powered by Blogger.