BILL ANALYSIS Ó AB 829 Page 1 Date of Hearing: April 9, 2012 ASSEMBLY COMMITTEE ON ELECTIONS AND REDISTRICTING Paul Fong, Chair AB 829 (Fong) - As Introduced: February 21, 2013 SUBJECT : Election management systems. SUMMARY : Requires a copy of the source code of an election management system to be deposited into an approved escrow facility. Specifically, this bill : 1)Defines an "election management system," for the purposes of this bill, as a system that is used by a county in the state of California to track voter registration or voter preferences, including, for example, a voter's vote by mail status. 2)Requires the vendor of an election management system, no later than January 31, 2014, and annually thereafter, to cause an exact copy of the source code for each component of the election management system, including complete build and configuration instructions and related documents for compiling the source code into object code, to be deposited into an approved escrow facility. Requires the vendor to place source codes into escrow for each version of the election management system in use in a county in the state. 3)Requires the Secretary of State (SOS) to adopt regulations relating to the following: a) The definition of source code components of an election management system, including the source code for all firmware and software of the election management system. Requires the firmware and software to include commercial off-the-shelf or other third-party firmware and software that is available and able to be disclosed by the vendor of the election management system; b) Specifications for the escrow facility, including security and environmental specifications necessary for the preservation of the election management system source codes; c) Procedures for submitting the election management system AB 829 Page 2 source codes; d) Criteria for access to the election management system source codes; and, e) Requirements that the vendor include the build and configuration instructions and documents in the materials deposited in escrow, so that a neutral third party may create, from the source codes in escrow, executable object codes identical to the code installed on the elections management system. 4)Permits the SOS reasonable access to the materials placed in escrow, under the following circumstances: a) In the course of an investigation or prosecution regarding the election management system equipment or procedures; b) Upon a finding by the SOS that an escrow facility or escrow company is unable or unwilling to maintain materials in escrow in compliance with the provisions of this bill; and, c) For any other purpose deemed necessary to fulfill duties as required under existing law. 5)Permits the SOS to seek injunctive relief requiring the elections officials, approved escrow facility, or any vendor or manufacturer of an election management system to comply with the provisions of this bill. Provides the venue for a proceeding under this bill will be exclusively in Sacramento County. EXISTING LAW : 1)Requires an exact copy of the approved source code for each component of a voting system and a ballot marking system, including the complete build and configuration instructions and related documents for compiling the source code into object code, to be deposited into an approved escrow facility. 2)Requires the SOS to adopt regulations relating to the following: AB 829 Page 3 a) The definition of the source codes for a voting system and a ballot marking system; b) Specifications for the escrow facility, including security and environmental specifications necessary for the preservation of voting system and ballot marking system source codes; c) Procedures for submitting voting system and ballot marking system source codes; and, d) Criteria for access to voting system and ballot marking system source codes. 3)Permits the SOS reasonable access to the materials placed in escrow under the following circumstances: a) In the course of an investigation or prosecution regarding vote counting or ballot marking equipment or procedures; b) Upon a finding by the SOS that an escrow facility or company is unable or unwilling to maintain materials in escrow in compliance with state law; c) In order to consider the examination and approval of a voting system or a ballot marking system; d) In order to verify that the software on a voting system, voting machine, vote tabulating device, or a ballot marking system is identical to the approved version; and, e) For any other purpose deemed necessary to fulfill requirements under existing law. 4)Permits the SOS to seek injunctive relief requiring the elections officials, approved escrow facility, or any vendor or manufacturer of a voting machine, voting system, vote tabulating device, or ballot marking system, to comply with existing law. Requires the venue for a proceeding to be exclusively in Sacramento County. FISCAL EFFECT : Unknown AB 829 Page 4 COMMENTS : 1)Purpose of the Bill : According to the author: Each county elections office uses an election management system to perform critical functions during the conduct of an election. For instance, election management systems are used to track voter registration and voter preferences, such as a voter's vote by mail status. Consequently, election management systems, much like voting systems, play a critical role in the conduct of an election. Existing law requires voting system vendors to place their source code in an escrow facility. This requirement ensures the security of the voting system and protects these systems from unauthorized tampering. In addition, this requirement was created with a practical purpose in mind to ensure that state and local jurisdictions have access to voting system materials if the vendor who produced that system goes out of business. AB 829 protects the integrity of our state's elections by mirroring the source code requirements already in place for voting system vendors. Additionally, AB 829 ensures state and local jurisdictions have reasonable access to the source code material placed in escrow in order to investigate potential election law violations and to ensure counties can continue to conduct elections if a vendor goes out of business. 2)Top-to-Bottom Review and Access to Source Code History : In 2007, the SOS conducted a "top-to-bottom review" (TTBR) of several voting machines certified for use in California. The purpose of the review was "to determine whether currently certified voting systems provide acceptable levels of security, accessibility, ballot secrecy, accuracy and usability under federal and state standards." One of the key components of the TTBR was a review of the source code of each voting system. At the time, state law only required the source code for a ballot tally software program to be deposited in an escrow facility. However since 2004, it had been the practice of the SOS to require voting system vendors to provide all voting system source codes to the SOS upon request as a condition of voting system certification. AB 829 Page 5 Additionally, as part of the voting system certification process, voting system vendors are now required to provide the SOS with a copy of the source code for all software and firmware components of the voting system. Similar to the process undertaken as part of the TTBR, all new voting systems that are submitted for certification to the SOS undergo a source code review. However, during the TTBR one voting system vendor initially did not provide the SOS with a copy of the source code for review. After the SOS attempted to retrieve the source code for that voting system from the escrow facility in which it had been placed, the vendor provided the voting system source code to the SOS. 3)History of the Escrow Requirement : While the requirement that the source code from a voting system be placed in escrow primarily has become a tool in ensuring the security of voting systems, that requirement was created with an additional practical purpose in mind - ensuring that state and local jurisdictions would have access to voting system materials if the vendor who produced that system went bankrupt. As part of the voluntary standards for computerized voting systems that were adopted by the Federal Elections Commission (FEC) in 1990, the FEC recommended that states adopt procedures for escrowing voting system software and documentation for all voting systems. As part of the implementation plan for the 1990 voting system standards, the FEC noted that the escrow process contained multiple benefits, including that jurisdictions would have "guaranteed access to all deposit materials as a last resort in the event a vendor's business fails." The FEC also noted that, in the event of an election dispute or litigation, the escrow process would allow for "verification of software used in an election against the clean archival copy" of the source code that was placed in the escrow facility. California enacted its requirement that voting system source code be deposited with an escrow facility by AB 986 (Mountjoy), Chapter 235, Statutes of 1989. According to a floor analysis of that bill, the requirement was adopted, in part, in anticipation of the "adoption . . . of voluntary federal standards which [would] require an escrow system for software programs." AB 829 Page 6 4)Previous Legislation : SB 1376 (Perata), Chapter 813, Statutes of 2004, allowed the SOS to have "reasonable access" to the source code placed in escrow under certain specified circumstances and allowed the SOS to seek injunctive relief requiring any vendor or manufacturer of a voting machine, voting system, or vote tabulating device to comply with the requirements relating to the placing of source codes in escrow, among other provisions. AB 2758 (Krekorian), Chapter 198, Statutes of 2008, required a copy of the source code for all components of a voting systems, instead of just for the ballot tally software, to be placed into an escrow facility. AB 1929 (Gorell), Chapter 694, Statutes of 2012, established processes and procedures for the review and approval of ballot marking systems, including requiring the source code for all ballot marking systems be deposited into an approved escrow facility. REGISTERED SUPPORT / OPPOSITION : Support Opposition Secretary of State Debra Bowen (Sponsor) None on file. California Association of Clerks and Election Officials California Common Cause Analysis Prepared by : Nichole Becker / E. & R. / (916) 319-2094