The Little Hoover Commission issued its recommendation Wednesday to the governor and the Legislature as part of an ongoing examination of election security and accuracy that began in 2018. Other recommendations in the new report include changing the vote auditing system, enhancing the training of elections officials statewide, and spelling out standards for compliance audits.
But the key element of interest to the tech industry is the open-source recommendation.
“The commission found that California currently relies on a for-profit model of developing election infrastructure, and its limitations leave equipment designers and manufacturers without the financial incentive to create security upgrades for existing models,” the report states. “The commission recommends that the state invest in and adopt an open-source elections system. …”
The commission acknowledges that for the state’s 58 counties, which buy voting technology only infrequently, “the limitations of a for-profit model of developing election infrastructure in California are straightforward.” That, the report said, is because:
- “The customer base is tiny: There are only 58 potential customers, who historically have only purchased new voting equipment every couple of decades.”
- “The cost to sell in California is high: California does not charge applicants a fee for certification, but equipment manufacturers are expected to cover the costs of the process, which is extensive.”
- Manufacturers who update their voting systems must periodically re-complete the testing and certification process.
The commission acknowledges that shifting from commercial software to open-source code would require the state to create “a governance framework.”
“There are different models of open-source systems, and the model election experts often recommend may be familiar to many in the IT industry as a shared source system,” the commission writes. “This means that the source code is freely available for anyone to inspect, but only authorized individuals may change the code. The ‘shared source’ nomenclature is closely associated with a type of licensing by a software company, however, so some, including the commission, use the broader ‘open source’ terminology to prevent confusion. Any open-source system adopted by California, then, would be available to security researchers, ‘white hat’ hackers who try to exploit a system so they can report security concerns, students, election officials, and anyone else interested, while only the Secretary of State’s Office or its designee would be able to modify the code.”
Currently, “open-source applications typically involve the software that manages election systems or individual components within it,” the report adds. “The Department of Defense, however, currently is working on open-source election hardware, which would protect itself against security threats such as users who try to tamper with the equipment.”
The commission cites several reasons to shift from proprietary products to open-source code:
- “It’s more transparent.”
- “Transparency promotes security.”
- “It is cheaper.”
- “It is versatile.”
“The Department of Technology asks state agencies to use open-source software when possible and to make their custom code available as open source when practical to decrease duplicative costs, reduce vendor lock-in, improve security, and facilitate information sharing.”
The commission’s report, including an overview and an executive summary of its findings, can be found online.
