Re: A Report from the Public Monitor of the CuyahogaCounty Board of Elections

From: Ron Olson <ron_at_caseohio_dot_org>
Date: Sat Feb 24 2007 - 13:44:35 CST



Thanks for posting this.


I wanted to make a point or two about electronic voting machines that are
not often discussed.


First, I live in Cuyahoga county and represent CASE Ohio as part of the
"Collaborative Public Audit" of the November election organized by the
Cuyahoga Public Monitor. The Jan 8 memo by the Monitor originated from
discoveries encountered during this audit. The results of our (rather
limited) audit are not public yet, but should be available soon. I have
also worked as an Election Day Technician responsible for the Diebold TSx
DRE's in May & Nov 2006 and made detailed studies of the poll worker manuals
and the official Cuyahoga security plan for Nov 2006.


The overarching problem that I see in Cuyahoga County is the amount of work
required to run an election with over 5,000 DRE's, and a separate Optical
Scan solution for absentee & provisional ballots completely overwhelms Poll
Workers and the BOE staff.


An excellent example is the security seals that Diebold will tell you are
part of the "many layers" of security. These are the numbered tamper tapes
that are applied to various parts of the equipment and manually noted on
logs. I estimate that there over 40,000 of these numbered seals required
in Cuyahoga county.


To maintain security all of these should be checked to make sure the seal
applied in one part of the process has the same number when the seal is
broken. Almost all the logging and checking is done by busy Poll Workers
with incomplete instructions, so many mistakes are made. I would be stunned
if anyone at the BOE checked the logs and if they did, they would probably
that discrepancies were just Poll Worker error. So, if someone broke a
seal, added fraudulent code, and resealed the machine with a different
numbered seal, the chances of detection are extremely small.


The same applies to the management of the GEMS and DIMSnet systems for
election results and voter registration. There are so many manual steps
required to keep everything in sync that mistakes get made.


In my experience as a Software Project Manager, it is always important to
strive for simplicity wherever possible in system solutions and the voting
solution in Cuyahoga is far too complex to be practical.




Ron Olson



-----Original Message-----
[] On Behalf Of
Joseph Lorenzo Hall
Sent: Friday, February 23, 2007 12:00 PM
To: OVC Discuss List
Subject: [OVC-discuss] A Report from the Public Monitor of the
CuyahogaCounty Board of Elections


(sorry for any cross-posting. -Joe)


# A Report from the Public Monitor of the Cuyahoga County Board of Elections
After the 2006 primary disaster in Cuyahoga County, Ohio, where tens
of thousands of absentee ballots had to be hand-counted due to a
printing problem, the County Board of Elections appointed a public
monitor to oversee the conduct of elections. That public monitor
effort is lead by [Candice Hoke][1], a law professor at Cleveland
State University's (CSU) [Cleveland-Marshall College of Law][2] and
Director of CSU's Center for Election Integrity.
Cleveland's local Fox News broke a story today about a report from the
public monitor on possible legal noncompliances at the Cuyahoga County
Board of Elections (CCBOE) ([*"I-Team Investigates Election
Security"*][3]). The Fox reporting focuses on a few serious issues
raised by the report:
*   there was one administrative level of access and only one user
account (`admin`) for the Election Management System (EMS) server used
by five different people;
*   while two keys from different political parties are needed to open
the ballot vault, these keys are stored side-by-side, on the same key
ring, in an unlocked compartment;
*   the surveillance footage from the tabulation room was destroyed
four weeks after the election, and;
*   a "cable" was mistakenly left attached to the EMS server before
election day.
These things are serious from a physical and computer security
perspective, but there's more to this story than simply these issues.
I'd like to focus on what the report points out that wasn't
highlighted in the Fox News story.
If you'd like to follow along, I'd suggest downloading the following
1.  The only recently-released report from January 8, 2007 written by
the public monitor ([*"RE: Monitor Report Possible Legal Noncompliance
in the November 2006 Election"* (PDF)][4]), and;
2.  The letter dated February 15, 2007 from the CCBOE Board to the
Ohio Secretary of State (SOS) requesting a technical expert to help
evaluate the public monitor's report ([*"CCBOE Board Letter to
Secretary of State Jennifer Brunner"* (PDF)][5]).
*(Note: these documents originally resided [here][6] and [here][7] on
the Fox News site. I've chosen to mirror them at the above locations
just in case they eventually disappear from the Fox site.)*
Let's start in reverse chronological order. The CCBOE letter asks the
SOS for "assistance in identifying an independent **Windows
certified** engineer to conduct a review of the report [...]"
(emphasis added). They maintain that this help is needed because
"neither the Board nor the Monitor has the technical certification to
fully review the questions that have been raised in the report."
First, as you will see below, I think the report stands well on its
own as a testament to the high quality technical ability and scrutiny
of the public monitor. Second, the report raises a lot of serious
questions that are not purely technical, but relate to the difficulty
that the CCBOE is having in following the letter of the law. Finally,
it is clear from the request for a "Windows certified" technical
expert that the CCBOE does not understand what this situation is in
need of: forensics experts versed in both general principles of
computer security as well as the specifics of Windows and, more
importantly, Diebold Election Systems, Inc.'s (DESI) Global Election
Management System (GEMS). If I were the CCBOE or the SOS, to get to
the bottom of the myriad of issues brought forth by the monitor's
report, I would want someone that new quite a bit about forensics,
computer security and voting systems.
That brings us to the report itself. In addition to the issues
highlighted by the Fox News team, there are a host of other
irregularities that need further investigation. Here is a quick list
of some of the less technical instances of possible legal
*   The DESI voter-registration product (DIMS) has a "merge records"
function with a hair-trigger and no "Undo" ability. This seems to have
contributed to a number of voters being dropped from the rolls. The
CCBOE has still not put in place any remedial processes and DESI has
yet to provide a fix.
*   There were a lot of problems in complying with Ohio's strict poll
worker requirements (number per precinct, parties in precinct, etc.).
Unfortunately, the DIMS registration product would often "scramble,
delete or [loose]" information from voter registration records. Also,
unknown errors in how DIMS reports these statistics per polling place
resulted in the CCBOE erroneously believing it had met its staffing
requirements and unfortunately turned away hundreds of interested poll
worker applicants.
*   The intense pressure to prepare all the DRE machines leaves an
inadequate amount of time for the polling place locations manager to
ensure that polling places are meeting legal requirements including
disability access.
*   There are unexplained large discrepancies between the number of
people that signed poll books and the number of ballots cast in some
polling places. Explanations might include:
   *   people skipping the line to sign-in and voting anyway;
   *   poll workers assigning the wrong precinct identifier to voters
in polling places with multiple precincts, and/or;
   *   people getting tired of waiting to vote after having signed in
and fleeing the polling place.
*   Indicted (and [now convicted][8]) employees involved in charges of
election fraud handled memory cards and voted absentee ballots,
contrary to CCBOE claims that these individuals had been moved to
non-sensitive duties. (Note: this is based on second-hand information,
so may not be the case. It deserves some investigation, though.).
*   Some non-citizens and immigrants lacking green cards have handled
ballots and performed tasks assigned to "unaffilated" political party
status, despite that they cannot vote nor register to vote. Also, for
individuals that do not have a "green card", they may be more
vulnerable and susceptible to coercion and intimidation.
All this being said, the entire second half of the report focuses on
technical and security issues. This is where the hard work and real
technical ability of the public monitor and her staff really shines
The report first points out that, contrary to a court order and SOS
directive, absentee ballot vote reports were printed the day before
election day. That is to say that while a court allowed the CCBOE to
begin scanning in absentee ballots early, before election day, it
stipulated that no one should have access to those results until after
the polls closed on election day. However, the facts show that someone
violated this order by printing results reports that would have shown
aggregate results for these early scanned absentee ballots. What's
more strange is that the GEMS audit log shows no results reports
printed while the Windows System Log shows 7 such reports printed. As
GEMS audit logs are easily manipulated without a password, this could
indicate that the individual who violated the court order attempted to
hide their tracks. What use would this information be? It could be
used to target certain precincts on election day in a very close race
or inform other types of tampering with vote results.
Further, a network cable, used to program optical scanners in the
basement over the network, was mistakenly left attached to the GEMS
server over night one night. It is unknown what types of network
connections, if any, were made to the GEMS server during this period
of time. One anomaly, however, did appear: the GEMS clock, which had
been reasonably correct before had been set forward 11+ hours.
In terms of other networking vulnerabilities, a "jump drive" flash
memory module was used to ferry results reports from the GEMS server
to the web server on election night but this piece of hardware was
never certified nor examined. To reduce the possibility of a malicious
attack through this channel, the monitor recommended that they burn
CDROMs. This suggestion was rejected.
Unfortunately, the Windows Security Events log only shows one entry:
cleared by an administrator on December 8, 2005. There were no
security events relating to data security recorded at all in 2006. It
appears that the manufacturer cleared this log and then configured it
so that *it would not* log security-relevant events. This is
unfortunate as it would help to piece together some of this puzzle.
Finally, there were significant interaction problems between GEMS and
DESI's JResults server, a Java-based results reporting tool. While
running these two applications concurrently, the monitor observed
"several troubling occurrences". It is unclear if JResults has ever
been certified and under what conditions it should be running while
GEMS is running.
**Bonus:** It appears (from page 34 of the PDF) that future versions
of GEMS will operate not on a JET/MS Access database but using SQL.
Probably Microsoft SQL.
Joseph Lorenzo Hall
PhD Student, UC Berkeley, School of Information
OVC-discuss mailing list

OVC-discuss mailing list

= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Wed Feb 28 23:17:24 2007

This archive was generated by hypermail 2.1.8 : Wed Feb 28 2007 - 23:17:27 CST