
by Gerry Bello and Bob Fitrakis
November 5, 2012

Citizen concerns about untested software have multiplied since the Columbus Free Press broke the news that Ohio Secretary of State Jon Husted’s office installed uncertified and untested software on the central vote tabulation machines in up to 39 counties in the state.

Memos circulated among senior staff at the Ohio Secretary of State’s office indicate that they consider this skirting of Ohio election law justified because the software does not directly tabulate or communicate actual votes. Their statements to the mainstream press reveal a different set of facts about the software and a different justification.

In statements to theGrio, NBC’s political blog, SOS spokesman Matt McClellan said the software is to “assist counties and to help them simplify the process by which they report the results to our system,” and that it was deemed experimental because “It is a pilot project that we’re doing with about 25 counties or so. So it’s not statewide, but it is a pilot project we’re trying.”

Ohio election law does not allow software or hardware to be used in an election until it has been tested or certified by the Ohio Board of Voting Machine Examiners unless it is experimental. The confidential internal memos indicate that this software was never tested because of claims that it is not involved with the tabulation or communication of votes. Reporting election results from county tabulation systems to the secretary of state’s office, which is the purpose of this software as explained by McClellan, is in fact communication of votes.

The potential federal illegality of this software has been hidden from public scrutiny by the Secretary of State’s Election Counsel Brandi Seske. In a September 29 memo, Seske wrote, “Please see the attached letter from Matt Masterson regarding de minimis changes – one submitted by ES&S and one by Dominion Voting Systems. He has reviewed and approved the changes.” “De minimis” is a legal term for minute. Federal election regulations have a very specific definition of de minimis. This definition was clarified to all state-level agencies in a federal Election Assistance Commission memo dated February 8, 2012, entitled “Software and Firmware modifications are not de minimis changes.”

Ohio election law provides for experimental equipment only in a limited number of precincts per county. Installing uncertified and untested software on central tabulation equipment essentially affects every single precinct in a given county. Nowhere in the memos circulated by Seske, nor in the contract, is the software called “experimental.”

The Secretary of State’s office has given one questionable justification to its own Board of Voting Machine Examiners and another to the public.

The contract provides for testing, performed jointly by the counties and the vendor within 30 days of the software being installed. This testing was required to be independent and overseen by the Board of Voting Machine Examiners, as required by Ohio law.

McClellan told theGrio “I’m not sure the exact timeline of that [the installation and testing], but I know we’ve been working with the counties for the past couple of months on getting these in place, testing them to make sure they work properly, and working with the vendors as well.”

This uncertified and untested software could easily malfunction and corrupt votes on the central tabulation machines, thus destroying any electronic record of the actual votes by citizens. This “experimental” software, as outlined in the contract, has no security protocols. A “man in the middle” attack, like the one that stole the Ohio election for George W. Bush in 2004, could be directly facilitated by this untested and uncertified software installation.

The Secretary of State’s office has used every legal contortion to avoid the use of science and the possibility of public scrutiny of this possibly illegal software. The Free Press will continue to report on this story as it develops.


Gerry Bello is the chief researcher at the Columbus Free Press. He holds a degree in computer security from Antioch College. Bob Fitrakis is the Editor of the Free Press. He holds a Ph.D. in Political Science and a J.D. from the Moritz College of Law at Ohio State University.


by Bob Fitrakis and Gerry Bello
October 31, 2012

Why did the Ohio Secretary of State Jon Husted’s office, in an end run around Ohio election law, have “experimental” software patches installed on vote counting tabulators in up to 39 Ohio counties? Voting rights activists are concerned that these uncertified and untested software patches may alter the election results.

During the 2004 presidential election, the Free Press reported that election officials observed technicians from the ES&S voting machine company and Triad computer maintenance company installing uncertified and untested software patches on voting machines in 44 Ohio counties prior to the election. Software patches are usually installed to “update” or change existing software. These software patch updates were considered suspect by election protection activists, in light of all the voting machine anomalies found during the 2004 election in Ohio.

The Free Press has learned that Election Systems and Solutions (ES&S) installed the software patches that will affect 4,041,056 registered voters, including those in metropolitan Columbus and Cleveland (click here for spreadsheet from verifiedvoting.org).

A call to the Ohio Secretary of State’s office concerning the software patches was not returned by publication deadline. Previously, the Free Press’ requests for public records, including voting machine vendor contracts, have been stonewalled by Secretary of State Jon Husted’s office through his public records officer Chris Shea. Through other channels, the Free Press has obtained and has posted the possibly illegal full contract online here (see page 17).

The contract calls for ES & S technicians and county poll workers to “enter custom codes and interfaces” to the standard election reporting software, just as was done with the controversial 2004 Ohio presidential election.

Last-minute software patches may be deemed “experimental” because that designation does not require certification and testing. Uncertified and untested software for electronic voting systems is presumably illegal under Ohio law. All election systems hardware and software must be tested and certified by the state before being put into use, according to Ohio Revised Code 3506.05. By unilaterally deeming this new software “experimental,” Secretary of State Husted was able to have the software installed without any review, inspection or certification by anyone. ES & S, for its part, knows that this software will not be subject to the minimal legally required testing as stated in the contract on page 21 (Section 6.1).

The contract specifically states that this software has not been and need not be reviewed by any testing authority at the state or federal level. Yet, it is installed on voting machines that will tabulate and report official election results, which Ohio law forbids. Based on the Free Press reading of the contract, this software is fully developed, being referred to as versions 2.0.7.0 and 3.0.1.0. Thus the only thing making this software “experimental” is the fact that it has never been independently certified or tested.

In late April, in preparation for the upcoming general election, the Free Press began requesting public records from all 88 counties in Ohio in order to build a broad database of every vendor and piece of equipment used in the state of Ohio. Aside from some minor delays, all 88 county jurisdictions have complied.

However, the office of the Ohio Secretary of State has not complied with any requests for lists of equipment, contracts with vendors, schedules of payment and even the identities of the vendors. The Free Press’ public records requests, under ORC 149.43 (The Public Records Act), have been ignored by Chris Shea, presumably acting on behalf of Secretary of State Jon Husted. Now that the Free Press has obtained the contract, it seems clear that the secretary of state’s office was hiding these last-minute “experimental” uncertified software installations.

On page 19 of the contract, terms require the various county boards of elections to purchase additional software from ES & S if they are not compatible with this new “experimental” statewide tabulation and reporting system. This unfunded mandate clause illegally bypasses individual counties’ rights to make their own purchasing determinations.

The controversial software will create simple .csv files like those produced by spreadsheet programs for input into the statewide tabulation system. According to the terms of the contract, data security is the responsibility of each local board of elections: “…each county will be responsible for the implementation of any security protocols” (see page 21 of the contract).

Most county boards of elections do not have their own IT departments and are reliant on private partisan contractors to maintain and program the electronic voting systems. These piecemeal implementations of security protocols would also be untested and uncertified.

Voting rights activists believe this whole scheme may create a host of new avenues of attack on the integrity of the electronic vote counting system. The untested and uncertified “experimental” software itself may be malware. Public trust in the electronic vote counting system has emerged as the key issue in the Ohio presidential election.

The Free Press will be updating this breaking story as more information is obtained and analyzed, so stay tuned. The story for now is that the Secretary of State in the key swing state in the 2012 presidential election has installed “experimental” uncertified and untested software to count a large portion of the Ohio vote.