While innuendo and rumors swirl around the “new” revelations regarding Diebold’s commercial-off-the-shelf (COTS) security flaws, a bright light is shining on information that had been posted on the Internet well over a year ago, by Vince Lipsio, a computer scientist from Florida.
Vince's involvement with voting system standards began by answering a call by the Institute for Electrical and Electronics Engineers (IEEE) for volunteers to establish an international standard for voting equipment. As a native of Florida active in local politics, a member of the IEEE's Standards Association, and a software engineer with experience in life-critical systems, Mr. Lipsio took on the job with enthusiasm.
But while reviewing components of the 2002 Federal Election Commission (FEC) standard used in the drafting of the IEEE standard, Vince noticed a blanket exemption for COTS products. His reaction to the exemption was simply that this meant these standards could not be taken seriously for their stated purpose; rather, they could only be some sort of bureaucratic cynical pacifier (aka "smoke and mirrors") so that the FEC could claim to be doing something while, in fact, it was not doing anything useful. Vince's prior experience with medical electronics, aviation and other standards was that COTS is given no exemption; at most, it may be unit tested only once before being used in multiple products.
Because of the COTS exemption and other concerns, Vince Lipsio formally issued the following statement (and an additional statement) to the U.S. Election Assistance Commission (EAC) in December of 2004.
Back in the IEEE standards committee, Vince Lipsio and Rebecca Mercuri had been appointed as co-chairs of a Special Task Group (STG) to resolve COTS-related issues in the draft being prepared to be sent to the EAC as input to the Help America Vote Act (HAVA) guidelines that were concurrently being composed. It was the intention of the COTS sub-committee to replace the blanket exemption from review of COTS hardware and software with a more stringent review. The sub-committee spent considerable time and developed a policy that more appropriately handled COTS, such that situations like the one recently described involving Diebold and its examining authority, CIBER, would almost certainly not have occurred. As the IEEE did not deem it necessary to post the results from the COTS STG on the Standards Association website, Mr. Lipsio put the group's information on his own server