A Report from the Public Monitor of the Cuyahoga County Board of Elections

elections, certification/testing, reform, hacks, news, problems, friends, research, policy, legal

After the 2006 primary disaster in Cuyahoga County, Ohio, where tens of thousands of absentee ballots had to be hand-counted due to a printing problem, the County Board of Elections appointed a public monitor to oversee the conduct of elections. That public monitor effort is led by Candice Hoke, a law professor at Cleveland State University's (CSU) Cleveland-Marshall College of Law and Director of CSU's Center for Election Integrity.

Cleveland's local Fox News broke a story today about a report from the public monitor on possible legal noncompliances at the Cuyahoga County Board of Elections (CCBOE) ("I-Team Investigates Election Security"). The Fox reporting focuses on a few serious issues raised by the report:

  • there was one administrative level of access and only one user account (admin) for the Election Management System (EMS) server used by five different people;
  • while two keys from different political parties are needed to open the ballot vault, these keys are stored side-by-side, on the same key ring, in an unlocked compartment;
  • the surveillance footage from the tabulation room was destroyed four weeks after the election, and;
  • a "cable" was mistakenly left attached to the EMS server before election day.

These things are serious from a physical and computer security perspective, but there's more to this story than simply these issues. I'd like to focus on what the report points out that wasn't highlighted in the Fox News story.

If you'd like to follow along, I'd suggest downloading the following documents:

  1. The only recently-released report from January 8, 2007 written by the public monitor ("RE: Monitor Report Possible Legal Noncompliance in the November 2006 Election" (PDF)), and;
  2. The letter dated February 15, 2007 from the CCBOE Board to the Ohio Secretary of State (SOS) requesting a technical expert to help evaluate the public monitor's report ("CCBOE Board Letter to Secretary of State Jennifer Brunner" (PDF)).

(Note: these documents originally resided here and here on the Fox News site. I've chosen to mirror them at the above locations just in case they eventually disappear from the Fox site.)

Let's start in reverse chronological order. The CCBOE letter asks the SOS for "assistance in identifying an independent Windows certified engineer to conduct a review of the report [...]" (emphasis added). They maintain that this help is needed because "neither the Board nor the Monitor has the technical certification to fully review the questions that have been raised in the report." First, as you will see below, I think the report stands well on its own as a testament to the high-quality technical ability and scrutiny of the public monitor. Second, the report raises a lot of serious questions that are not purely technical, but relate to the difficulty that the CCBOE is having in following the letter of the law. Finally, it is clear from the request for a "Windows certified" technical expert that the CCBOE does not understand what this situation is in need of: forensics experts versed in both general principles of computer security as well as the specifics of Windows and, more importantly, Diebold Election Systems, Inc.'s (DESI) Global Election Management System (GEMS). If I were the CCBOE or the SOS, to get to the bottom of the myriad of issues brought forth by the monitor's report, I would want someone that knew quite a bit about forensics, computer security and voting systems.

That brings us to the report itself. In addition to the issues highlighted by the Fox News team, there are a host of other irregularities that need further investigation. Here is a quick list of some of the less technical instances of possible legal noncompliance:

  • The DESI voter-registration product (DIMS) has a "merge records" function with a hair-trigger and no "Undo" ability. This seems to have contributed to a number of voters being dropped from the rolls. The CCBOE has still not put in place any remedial processes and DESI has yet to provide a fix.

  • There were a lot of problems in complying with Ohio's strict poll worker requirements (number per precinct, parties in precinct, etc.). Unfortunately, the DIMS registration product would often "scramble, delete or [loose]" information from voter registration records. Also, unknown errors in how DIMS reports these statistics per polling place resulted in the CCBOE erroneously believing it had met its staffing requirements and unfortunately turned away hundreds of interested poll worker applicants.

  • The intense pressure to prepare all the DRE machines leaves an inadequate amount of time for the polling place locations manager to ensure that polling places are meeting legal requirements including disability access.

  • There are unexplained large discrepancies between the number of people that signed poll books and the number of ballots cast in some polling places. Explanations might include:

    • people skipping the line to sign-in and voting anyway;

    • poll workers assigning the wrong precinct identifier to voters in polling places with multiple precincts, and/or;

    • people getting tired of waiting to vote after having signed in and fleeing the polling place.

  • Indicted (and now convicted) employees involved in charges of election fraud handled memory cards and voted absentee ballots, contrary to CCBOE claims that these individuals had been moved to non-sensitive duties. (Note: this is based on second-hand information, so may not be the case. It deserves some investigation, though.)

  • Some non-citizens and immigrants lacking green cards have handled ballots and performed tasks assigned to "unaffiliated" political party status, even though they can neither vote nor register to vote. Also, individuals that do not have a "green card" may be more vulnerable and susceptible to coercion and intimidation.

All this being said, the entire second half of the report focuses on technical and security issues. This is where the hard work and real technical ability of the public monitor and her staff really shines through.

The report first points out that, contrary to a court order and SOS directive, absentee ballot vote reports were printed the day before election day. That is to say that while a court allowed the CCBOE to begin scanning in absentee ballots early, before election day, it stipulated that no one should have access to those results until after the polls closed on election day. However, the facts show that someone violated this order by printing results reports that would have shown aggregate results for these early scanned absentee ballots. What's more strange is that the GEMS audit log shows no results reports printed while the Windows System Log shows 7 such reports printed. As GEMS audit logs are easily manipulated without a password, this could indicate that the individual who violated the court order attempted to hide their tracks. What use would this information be? It could be used to target certain precincts on election day in a very close race or inform other types of tampering with vote results.

Further, a network cable, used to program optical scanners in the basement over the network, was mistakenly left attached to the GEMS server overnight one night. It is unknown what types of network connections, if any, were made to the GEMS server during this period of time. One anomaly, however, did appear: the GEMS clock, which had been reasonably correct before, had been set forward 11+ hours.

In terms of other networking vulnerabilities, a "jump drive" flash memory module was used to ferry results reports from the GEMS server to the web server on election night but this piece of hardware was never certified nor examined. To reduce the possibility of a malicious attack through this channel, the monitor recommended that they burn CDROMs. This suggestion was rejected.

Unfortunately, the Windows Security Events log only shows one entry: cleared by an administrator on December 8, 2005. There were no security events relating to data security recorded at all in 2006. It appears that the manufacturer cleared this log and then configured it so that it would not log security-relevant events. This is unfortunate as it would help to piece together some of this puzzle.
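The two log checks discussed above (print events present in the operating-system log but absent from the application audit log, and a clock that was stepped) can be expressed as a short reconciliation script. This is an added example, not code from the monitor's report or from this post; the record layout, event kinds and all sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records in write order (not data from the monitor's report).
# Each record: (timestamp, kind, detail). The record layout is an assumption.
OS_LOG = [
    ("2006-11-06 09:12:40", "print", "Election Summary Report"),
    ("2006-11-06 09:15:02", "print", "Election Summary Report"),
    ("2006-11-06 17:02:11", "service", "network link up"),
    ("2006-11-07 04:31:00", "service", "scheduled task"),
    ("2006-11-06 17:40:00", "service", "network link down"),
    ("2006-11-07 03:00:00", "service", "scheduled task"),
    ("2006-11-07 12:30:00", "service", "scheduled task"),
    ("2006-11-07 20:41:00", "print", "Election Summary Report"),
]
APP_AUDIT_LOG = [
    ("2006-11-06 09:00:05", "login", "admin"),
    ("2006-11-07 20:40:58", "print", "Election Summary Report"),
]

def ts(stamp):
    return datetime.strptime(stamp, FMT)

def unmatched(os_log, app_log, kind, tolerance=timedelta(minutes=2)):
    """OS-log events of `kind` that no application audit entry accounts for."""
    pool = [ts(t) for t, k, _ in app_log if k == kind]
    missing = []
    for t, k, detail in os_log:
        if k != kind:
            continue
        hit = next((a for a in pool if abs(a - ts(t)) <= tolerance), None)
        if hit is None:
            missing.append((t, detail))
        else:
            pool.remove(hit)  # one audit entry explains at most one OS event
    return missing

def clock_steps(log, max_gap=timedelta(hours=10)):
    """Consecutive records whose timestamps run backwards or leap past max_gap.
    A forward leap can also be an idle period, so it is a lead, not proof."""
    steps = []
    for (t1, *_), (t2, *_) in zip(log, log[1:]):
        delta = ts(t2) - ts(t1)
        if delta < timedelta(0) or delta > max_gap:
            steps.append((t1, t2))
    return steps

if __name__ == "__main__":
    print("prints missing from app audit log:", unmatched(OS_LOG, APP_AUDIT_LOG, "print"))
    print("suspect clock steps:", clock_steps(OS_LOG))
```

The cross-check only works if the operating-system log is retained and collected independently of the application whose audit log it is compared against.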

Finally, there were significant interaction problems between GEMS and DESI's JResults server, a Java-based results reporting tool. While running these two applications concurrently, the monitor observed "several troubling occurrences". It is unclear if JResults has ever been certified and under what conditions it should be running while GEMS is running.

Bonus: It appears (from page 34 of the PDF) that future versions of GEMS will operate not on a JET/MS Access database but using SQL. Probably Microsoft SQL.

Coding for policy, regulating design

elections, blogging, open source, secrecy, privacy, berkeley, p2p, friends, policy, DRM, usability, legal, education, iSchool

Deirdre Mulligan (my mentor and grant supervisor) is leading a reading group here at the School of Information concerning the embedding of values in policy and policy-sensitive design. Feel free to follow the discussions we have on the blog: "Coding for Policy, Regulating Design".

Here's a description of the course:

This course is intended to acquaint Berkeley graduate students with literature from a range of disciplines that considers whether, when and how to embed policy in technical systems. The course will draw on theoretical literature about embodying values in technology design, consider the various entry points available for influencing technological design in the direction of policy or social values, and through case studies identify and imagine mechanisms for determining when technology should be viewed as "policy-making" and how various actors -- technologists, policymakers, endusers -- can participate in decisions about what policies the technology enables.

The course welcomes students with a variety of backgrounds, including technical computer science and engineering students and law and social science students interested in understanding the opportunities and challenges present in embedding policy in technical systems.

Thoughts on Senate Rules Hearing Today on E-Voting


There is a very important hearing in the Senate Committee on Rules and Administration. You can listen along here. I'll update this post with my thoughts as the hearing progresses. Audio courtesy of VVF here: Hour 1, Hour 2.

The first panel is Sen. Nelson (D-FL) and Rep. Holt (D-NJ). It's pretty funny to listen to ranking member Bennett (R) say that he was confused by the ballot design and that "they really should get the marketing department in to design these screens". Of course, that might be better than the "nerds writing the code designing the screens" but it also might not be better. It's usability and user-centered design, people!

Senator Feinstein just said, "I'm going to ask the GAO and NIST to do a top to bottom analysis of the machines in FL-13." Whoa.

David Becker of PFAW seems to be going for the most-said-in-five-minutes award. :)

Brit Williams just said that there has been no hacking of voting systems in 43 years of their use because "they are not connected to the internet". With all due respect, that's pretty naive. I definitely agree with him that we need to devote more resources to training pollworkers.

Dan Wallach is very good -- both tactical and strategic -- at testifying. He used a question answer response to head off discussion of the Princeton virus hack (which we'll hear Connie McCormack talk about erroneously later).

Brit Williams just said that the quintessential voting system is electronic with a robust paper trail... Sen. Nelson asked, "Should we be using these systems until we have such a system ready?" Brit Williams said, "Ideally, No. But the reality is that we have an installed base."

Connie McCormack just said, "The best track record in terms of accuracy matching votes to voter intent is from electronic machines." I don't know what data she has that compares cast votes to voter intent... I don't think it exists.

I have little respect for those -- McCormack -- who finagle extra time in Congressional hearings.

MVP for this hearing goes to Warren Stewart. Near the end, ranking member Bennett said something along the lines of, "You can't commit fraud on a DRE because all the results come in at the same time." I was aghast when I heard that... that is fundamentally naive in so many ways that it wouldn't be intellectually interesting to enumerate them; Bennett is obviously a lost cause. Warren, however, responded with, "Someone with access to the central tabulators can just as easily commit fraud on those systems, if not more easily." Bennett seemed to discount this remark and asked Connie Schmidt and Connie McCormack for their opinions on Warren's statement. They both essentially said, "Yes, you have to protect the central systems no matter how much you trust your staff."


chilling effects, family, policy

Death comes for us all.

Most of us will not be able to choose the time, place and form of its coming. Fewer of us will have the luxury to not see it coming. It is a strange aspect of humans that some consciously decide to take their own lives and I, frankly, don't understand it.

How does the agony a mother feels for a child that has committed suicide compare to a mother whose child was suddenly taken by accident or murder? I can imagine it is an agony that is deeper, more raw and full of painful self-doubt.

Please, consider every interaction that you have with another human. Consider that we're in this thing called life together. Consider that, above all else, you can best help the ones you care about. And, by the way, don't freakin' kill yourself.

My cousin, Miriam, took her own life on Sunday. I hadn't seen her since she was in her early teens. She was a PhD student of 23 working towards a degree in computer science.

Report on Voting in Kazakhstan

elections, reform, standards, news, secrecy, politics, friends, policy

(I promise no Borat jokes.)

Think we have it bad in terms of electronic voting here in the US? Well, in Kazakhstan, you can sell your vote and the standards for e-voting machines are a state secret.

Doug Jones recently posted the Final report ("Republic of Kazakhstan Presidential Election (4 December 2005) -- OSCE/ODIHR Election Observation Mission Final Report") in his electoral observation mission with the Office for Democratic Institutions and Human Rights (ODIHR) of the Organization for Security and Co-operation in Europe (OSCE). In addition to the e-voting-specific snippets below -- highlighting lack of ballot secrecy and secrecy of standards -- I was surprised to see just how difficult it is to have a fair election in Kazakhstan.

As in 2004, the use of an optional four-digit control code generated by voters was a major concern. The purpose of this code is to make it possible for a voter to check if his or her vote was recorded correctly, by consulting a control protocol which lists all control codes next to the name of the candidate for whom the corresponding vote was recorded. While this feature is intended to build public confidence in the e-voting system, the control code, if provided to a third party, would show how a voter voted. This opens the potential for violation of the secrecy of the vote as well as intimidation. The use of a voter-verified paper trail as described above would eliminate the need for the control code.

The certification and testing process of the "Sailau" system still lacks transparency. A private company assessed the system prior to both this election and the 2004 elections. The company indicated that the voting system and its major components were tested to standards which are a state secret. It is, therefore, not possible to assess the appropriateness of these standards. While many aspects of the system do permit auditing, it is not clear whether there is a routine audit process which would allow the identification of problems in a timely manner in order to improve the conduct of future elections. Neither the event logs nor redundant records from the precincts are apparently subject to routine audit. The CEC and its Information Technology Centre staff could not answer all technical questions about voting cards and voting terminals, which suggests that contractors providing these components have been operating with excessive autonomy and insufficient guidance from the CEC.

Contact / Help. (cc) 2021 by Joseph Hall. blog software / hosting.