NEWS BULLETIN: The San Luis Obispo Election File Mystery. – The County Explain, Jim March and Bev Harris Analyse Sunday, 07 September 2003(PDT) By Bev Harris & Jim March
NEWS BULLETIN: The San Luis Obispo Election File Mystery.
COVERING NOTE FROM BEV HARRIS…
Please distribute to anyone you feel might be interested, publish on web sites if you like, with the caveat that this still an evaluation-in-progress. I think you’ll agree that the issues are interesting and somewhat important. This delves into minutia, but also provides answers that are hard to get in this secretive voting machine world.
TWO REPORTS: Bev Harris’s report , includes interviews with SLO officials on procedural items which effectively blow up Diebold’s defense to the Johns Hopkins University Report, which puts heavy emphasis on the physical security and security of election procedures used. Jim March’s report , focuses on specifics of connectivity — helpful, but take with a slight grain of salt, because I’m not sure I believe that GEMS cannot hook up to the Internet.
BEV HARRIS REPORT
The explanation for the SLO midday votes is that they were absentee votes, counted early. This has a plausible explanation, but also raises more questions.
In the GEMS database, it appears that only absentee ballots were counted, but in the Access database, it appears that polling place votes were also counted.
In the Access database, I’m finding 15,000 votes tagged as polling place votes, and about 285,000 tagged absentee. I need to review that more closely to see what’s what.
They also have a funky precinct system that I want to verify, because it sounds strange.
According to Julie Rodewald, the SLO elections registrar, they have "mail ballot" precincts and "polling place precincts." She told me how to tell which is which by the code number. Basically, anything that starts with CON is a polling place precinct.
She says that in the "mail ballot" precincts the voters do not have the option of going to a polling place, and can only vote by mail. It appears that about half the precincts in SLO County are mail-in only precincts. Has anyone ever heard of this? It is over 100 precincts. I mean, this is California, not Outer Mongolia.
Next, she says that for the polling place precincts, the votes are divided into "absentee" and "polling place" votes. She says that what is in the SLO database we have is the "absentee" votes for the polling place precincts only.
She says that the "mail ballot" precincts can only mail in their ballots, so they are all listed as "polling place" in the vote database. Now this is the kind of accounting that drives me nuts, because in proper accounting the thing you would NOT list them as is "polling place" votes since they are clearly mailed in ballots. You would ONLY list them as "absentee" or "mail ballot precincts."
Here’s what I’m looking at:
1) In MS Access SLO database, it tags absentee votes as "1" and polling place votes as "0" and there are clearly at least 15,000 votes with the "0" tag. This does not represent 15,000 voters — assume there are 10 contests you vote on, one voter would equal 10 votes the way this is set up. So, 15,000 votes would be about 1,500 voters.
Still, if there are ANY non-absentee votes, that blows up their security, doesn’t it?
(Maybe those "0" votes are from those "mail-in" districts?) No. I checked. Those are from polling place precincts. But this is so important I need to doublecheck for any other possible explanations.
– (DOH?) You have SLO County logging mail-in districts as polling place ballots.
– You have them saying "we count the absentee ballots early. She said it takes about 3 days, strange, they are just running them through their four central optical scan machines…)
– She says (DOH?) that they only counted the absentee ballots early, not the mail-in precinct ballots which they call polling place ballots but are actually mailed in. (Why wouldn’t they count ALL the mailed in ballots early? This makes no sense.)
2) Next, (DOH?) what are those votes marked with "0" polling place votes.
3) (DOH?) The reports they ran, she assures me, are a pre-election card status report. The name for the report in the audit log is this: "Central Count Status Report by Deck."
What it seems to do is this: They divide the absentee ballots into stacks of 50. They name each stack of 50. So you’ve got stack 1,2,3,4, etc. Then they run a report that labels the stacks of 50. Her explanation is that, that way if someone adds new card stacks pretending it was done earlier, stuffing the absentee ballot box, it will show up because they have a report of how many stacks of ballots there are. That’s plausible, and a good procedure to have.
The report does not say who got the votes.
(Doh?) One thing I noticed, unless I’m missing something, is that the report has exact numbers of 50 in every deck, there is no deck with a rag-tag remainder. It seems unlikely that the number of absentee votes that came in is exactly divisible by 50. Maybe they just leave the rag-tag remainder for later, when more come in.
The three reports run on Election Day were all the "Central Count Status Report by Deck." But why did they run these on Election Day? She says they weren’t counting absentee ballots on election day. So if you aren’t adding any new blocks of votes on election day, why do you run this report three times? They ran it at 7:23 a.m. and again at about 1:50 and then at 3:31 p.m.
5) She says they did not do a tally, just "Central Count Status Report by Deck." But they spent three days counting them. Maybe they count them but promise not to look at the totals? That could very well be.
6) (DOH?) She said "oh here, I have the report you have" and pulled out of their archive the exact same 3:31 in the afternoon SLO County vote file that we have. Jim March had sent her that file last week, however. Maybe she just opened the same file he sent her. But here’s the deal: This file, whether in GEMS or Access, gives you the vote tallies. If you look at the tallies in GEMS it shows up in the audit log (but it doesn’t show up for election day) That means they either didn’t look at the tallies on election day, or just used the easy-audit-erase method with the MS Access hack.
But by going in through Access, the tallies are right there in your face right there on Election Day.
She says she does not have MS Access on her computer.
7) She swears that the GEMS computer doesn’t hook up to the Internet. She gave me a description of how it works.
I asked her questions about the hookups with optical scan. Her answers to me matched those Jim March outlined below. I asked questions about the precinct modeming in. Her answers matched what Jim March reports.
Ad then I delved into Internet connections. Here’s where it got strange.
I told her I noticed that the results were posted on the web. She was quiet. I said "if you do a Google search for "GEMS" and "Election results" you get the same format, in counties all over the country, so obviously it comes out of GEMS. How does the GEMS report get on the Internet?"
Remember, she has insisted that her GEMS computer can’t hook up to the Internet.
She said that they convert it to a .pdf and then take it to a server that uploads it. Well, I’ve seen the pdf versions of GEMS, and the SLO Internet results are not a pdf. It is an HTML page.
Well we don’t use that, she said.
I asked her what the reporters are following. She said JResults is used for that, but it hooks up through a separate network and they all come watch it on a projected screen and yes, that is JResults.
I asked her how the information gets from her GEMS computer to the network with JResults for the reporters. She gave this explanation:
She said they put up a second computer next to her GEMS computer and transfer the information from her GEMS computer to the other computer, which is hooked up to the network and goes out elsewhere, every half hour or so.
(DOH?) Let’s examine human engineering on this. So, you have a system that, according to Diebold, and remember that "physical security" is one of their main defenses to the Hopkins/Rice report, the GEMS system is locked away in a secure office that no one can get into except the election supervisor and no one can touch that machine except the certified election supervisor.
So you have election night, with reporters milling around and petulant campaign managers asking irate questions and poll workers having little glitches and the phone ringing and in this environment:
The county supervisor remembers, every 30 minutes, to go into this private a physically secure GEMS room to remove a JResults file from her GEMS computer to a second computer sitting next to it. (JResults converts a RUNNING TALLY to web pages)
Next, you have a bunch of reporters sitting watching a screen, waiting for it to change every 30 minutes? Why do they sit and watch? Why not just get a printout every 30 minutes? Why not go out for coffee and do something else and just pop in every 30 minutes when the update is due? What are they "watching?"
I have a question for reporters: What do you watch in San Luis Obispo County?
8) I have a problem with this: The Audit Log clearly names the file created at 3:31 p.m. and the name it gives is this:
SLOprimary030502.gbf But the file on the FTP site has been renamed: SLOprimary030502-ORIG.gbf
This is an interim report taken partway through election day. Why was it placed on a Diebold web site labeled "ORIG" — and what was changed so that apparently an identical file was not the "ORIG?"
9) She says that she did not put the files on the FTP site and none of her staff did either.
The file had the password "Sophia." She says that a Diebold employee named "Sophia" was there that day.
(DOH?)Now on this GEMS computer with its lack of Internet connectivity and its highly touted physical security, kept in a locked room that no one but the sworn official election official can get at, how did a file get put into a zip file, passworded with "sophia" and get put on the Diebold Internet FTP site?
Thank you for listening, and good day.
JIM MARCH REPORT
I’ve been on the phone with Bev and the SLO County Registrar, Julie (and her techies), who have also been talking to Bev. First, SLO is adamant that the data in question is the absentee ballot votes. Granted, there’s no good reason for those to have gotten up to the Diebold site!
By Julie’s count, the data file contains 28% of the total vote, which she thinks sounds about right in terms of absentees. We’ll be checking on that ourselves but for now, I believe her.
Based on today’s phone conversations, a clearer picture of the hardware situation at SLO County is emerging – along with where to look for security holes.
"Sophia" could have gotten the GEMS data out of the system via a CD-Burner – there IS one attached to the GEMS box.
SLO is running optical scan versus touchscreen but there’s some evidence that the vote tally process works the same way. At a minimum, both run GEMS but we think the modem pool operates the same way:
At SLO County, the GEMS computer contains a 16-port serial interface card known as a "Digiboard". Four of the cables from there go to a set of four optical scan machines used for absentee ballot entry; the rest go to a bank of modems.
Most of the time, these modems are turned off. Approximately the same time the polls close, the modems are turned on for a period of 1.5 to 2 hours. During that time, polling stations dial in and report their results.
Diebold supplies the Digiboard, the GEMS computer and performs the MS-Windows installation for that system. Diebold employees have been on-site; the phone numbers for that bank of modems is information generally available to office staff, and would be known to the Diebold installation/support crew.
Therefore, here’s how the security falls apart:
1) We know that the GEMS database itself is utterly wide open to tampering with a standard copy of MS-Access – no passwords whatsoever, and an internal structure *designed* to defeat the most method whereby an honest Registrar hand-checks – precinct spot-checking.
See, GEMS stores all the vote data internally in three places. We don’t know what the third "table" is for, but we understand the first two: ask GEMS for info on a particular precinct, and the data comes out of one table, ask for countywide totals and it comes out of another. GEMS doesn’t tell you that it’s doing this, but it also doesn’t check to make sure the two tables are the same (by default, they are).
Open the same data file in MS-Access, and the multiple tables are apparant. Edit the "countywide totals" by adding the same number of votes to one candidate as you take from another, and no audit trail of this is created, no password is required, and the only way to catch it is to hand-total all precincts.
See also this page for downloadable functional GEMS code, sample data sets and the instructions necessary to try this yourself:
2) Having supplied the Windows communications drivers, it would be easy to "hack them" to allow passworded access to the machine from another PC across that connects via the modem/digiboard link during the 2 hour window. County staff would never know.
3) Since MS-Access is a multi-user database design, you can screw with the votes with MS-Access while GEMS is running happily away. The MS-Access software need not run on the GEMS PC, only on the remote "pirate computer" dialing in. Total length of time needed to alter a race: about 10 – 15 minutes. Tops. Password needed: none. Audit trail left: zilch.
Now, if SLO County is stupid enough to buy touchscreens, it gets worse. Proper hand recounts of a particular precinct will be impossible. Doing so countywide, likewise out of the question – it’d be difficult enough now, impossible under touchscreen (no paper trail).
Now for the punchline: remember the third copy of all the data internal to the GEMS datafile? The one we don’t know what it’s there for?
Well that makes it impossible to "zero the vote" before the election, without firing up MS-Access – because there’s no user interface in GEMS that shows the contents of that table. And if you load MS-Access on the GEMS machine so you can go find it that way and make sure it’s zeroed, you no longer have a certified installation.
I can demonstrate ALL of the above bits except the (admittedly theoretical) external access to the machine via modem. I can for certain prove that a county registrar or staff, should he or she walk up to the GEMS box with an MS-Access (usually in "Office Pro") CD in hand, can do whatever he wants to the vote totals without ever getting caught. While I do NOT think they’d do that (although I’m a LOT less certain about onsite Diebold staff like Sophia Lee!), GEMS therefore fails the mandate put on the SecState’s office in Elections Code 19205 to certify "tamper-proof systems".
Given a printout of the directory structure on the GEMS box, I can possibly learn if the Windows comm drivers are factory-stock or not. Which is why I will be pushing for that via the PRAR in Alameda.
Pre-Order your copy of Black Box Voting today…
For more background and live news links on this news subject see also Scoop’s Special Feature – A Very American Coup…