RALEIGH (June 7) – The rules proposed by the State Board of Elections for the first independent review of election system software will prevent a meaningful source code review and security examination of the system, said Joe Garcia, Libertarian Party of North Carolina chair.

As chair of a recognized political party, Garcia is one of a handful of key stakeholders with the authority to conduct an independent security review and source code examination of the state's electronic voting systems. (N.C.G.S.163-165.7(f)(9)).

According to the state board, this information "includes proprietary and highly sensitive information for certified voting systems, including source codes for voting machines and election management systems and their software."

The LPNC requested the review in December 2021. "Before granting the request, as required by law, the State Board of Elections said it needed to write rules for the review, even though the law has been on the books since 2005,” commented Garcia. Even though the law is nearly 20 years old, the state board never wrote rules on how to implement it.

First-ever request

“Apparently, since neither the Democrats nor Republicans ever asked for a review, the State Board didn’t think it was important,” Garcia speculated. “We do.” 

"The rules they propose would restrict a meaningful source code review and security examination of the system," Garcia continued. "Many of the proposed rules overstep the authority of the State Board of Elections and would prevent a full source code review and examination and hinder a security review."

The State Board of Elections suggests restrictions that would limit who may review the source code, which software tools they can use, limit where the inspection may take place, and place an unrealistic two-week limit on the work.

"They are also trying to limit a request for a source code review to every two years," said Garcia, "a limitation not in the law."

"We've all seen the detrimental effects a lack of confidence in election outcomes has had on our society and our democracy," Garcia noted. "Elections are only successful if the electorate has confidence that election officials certified the rightful winners. Transparency, not proclamations, is what will grow that confidence."

Confidence in Elections Act

State legislators understood this when they unanimously passed the Confidence in Election Act of 2005. One of the provisions allows for the State Board of Elections, the State Information and Technology Department, county commissioners, and state chairs of recognized political parties to conduct a source code review and examination and a security review of any electronic voting system in North Carolina.

The electronic voting systems undergo U.S. Elections Assistance Commission certification. An independent test lab looks at them to ensure they meet state requirements. But not all source code must be reviewed and examined. 

Garcia noted that electronic voting systems are essentially computers, and computers are notorious for having bugs, being glitchy, and sometimes being hacked. Electronic voting systems are black-box computers and do not instill confidence.

The LPNC consulted with experts, including Dr. Duncan Buell. He recently retired from the University of South Carolina Department of Computer Science and Engineering and is a former South Carolina county election official. Dr. Buell is the project lead for the review appointed by the LPNC.

"After considering their comments and drawing on my experience in the New York Police Department's computer crimes squad, our consensus is that some rules are too restrictive to allow for a meaningful review," Garcia said. "Many go beyond the authority of the State Board of Elections, and the non-disclosure agreement leaves no way for any vulnerabilities to be addressed and corrected."

The LPNC submitted an extensive list of expert comments and recommendations to the State Board of Elections through their rules-making portal. Read them here.

Rulemaking process

Any state agency proposing a rule must first publish the rule and allow for a 60-day public comment period. The public comment period for these rules ended May 31.

Once the 60-day period is complete, the state board may take into account the comments and amend the proposed rules before adopting them, and then must submit the rules to the Rules Review Commission. An agency may not adopt a rule that differs substantially from the proposed form published as part of the public notice until the adopted version has been published in the North Carolina Register for an additional 60-day comment period.

When final action is taken, the adopting agency must file the rule with the state Rules Review Commission within 30 days of the adoption. The rule does not become effective until the first day of the month following the month the rule is approved by the RCC. If the commission receives 10 or more written objections to the rule, the rule must be sent to the General Assembly for action. 

The meeting of the RRC is scheduled for June 19, 2022.