The rough outline of those legal battles is further complicated by the contracts some states have entered into with the election-tech companies. For instance, take Michigan — the pivotal battleground state that President Donald Trump won in 2016. Under a 10-year contract signed with Hart InterCivic in 2017, the state agreed not to “attempt to access or derive any source code” used by the company. In a similar agreement with Dominion, Michigan “agree[d] not to reverse engineer or otherwise attempt to derive the source code” of the company’s software, and forfeited its right to transfer its license for Dominion’s software to third parties.
Contracts and licensing agreements are one of a few ways companies prevent outsiders from looking at their proprietary code. The Digital Millennium Copyright Act is another. Section 1201 of that federal law may block anyone besides the source code owner from accessing and viewing copyrighted source code, even if it’s for the purpose of gauging the security of those systems.
For researchers like University of Michigan computer science professor J. Alex Halderman, that presents a real obstacle.
“I’ve studied machines several times that came up on eBay after state governments decommissioned them,” said Halderman. “Once, in 2005, I got to study another voting machine because an anonymous source gave us one and our lawyers were convinced we would be allowed to study it.”
What Halderman and others are trying to prove is that these machines are secure. But some election technology companies say giving researchers access to their software is a security risk in itself.
Voatz, a technology firm that sells mobile voting systems, recently filed an amicus brief to the Supreme Court arguing that opening up its software to well-meaning third parties invites bad actors to exploit the system.
“If a security vulnerability is widely disseminated publicly and prematurely, it can expose software platforms and their users to malicious attacks, as ill-intentioned hackers can take advantage of such vulnerabilities prior to the development of any patch,” the brief said.
There are other ways to ensure security besides opening the door to hackers. One option is certifying technology equipment through the Election Assistance Commission, which also tests systems for functionality and accessibility. But Halderman says its testing program is weak.
“That level of testing is very superficial from a security standpoint,” Halderman said. “There’s now been many, many dozens of studies by academics and other independent researchers of voting machines in the U.S., virtually every one of which passed the EAC testing before it was found to have vulnerabilities by other testers.”
Federal auditors do get to inspect parts of voting-machine software, but the goal is to evaluate functionality, not quality, according to Eddie Perez, a former Hart InterCivic executive who now works with the Open Source Election Technology Institute to advocate for publicly owned voting systems.
“It’s a little bit like a mechanic looking under the hood of a car and saying, ‘The carburetor is indeed driving the piston, and that’s driving the crankshaft that makes the wheels go,’” said Perez. “But that’s not the same thing as the mechanic saying, ‘This is the best-quality car that I’ve ever seen and it’s a Mercedes, not a Yugo.’”
Getting that sort of third-party certification is critical to building public trust in an election’s outcome, said Perez. Without it, the public might have a hard time trusting election officials or election-technology companies — both of which could hypothetically produce an audit that protects their own interests.
Dominion and Hart InterCivic did not respond to repeated requests for comment for this article. ES&S told POLITICO its systems have been inspected by third parties, but it’s unclear if those audits were paid for by the company and if the findings were made public.
“ES&S has been participating in an industry effort to craft a vulnerability disclosure program that works for both security researchers and the elections technology industry,” a company spokesperson said. That program invites findings from researchers about possible vulnerabilities in its digital products, even though ES&S “does not give authorization to test state and local government election related networks or assets.”
Asked why it frequently places its products under intellectual property protection, ES&S had a simple answer: “It’s common practice for businesses to protect their intellectual property.”
Which, to election security experts, is precisely the problem.
“What is so secret about the way these machines are counting our votes?” asked Halderman. “That’s the question that everyone should be asking when we’re told that the software is copyrighted.”