Posts

,

Another Husted Dirty Trick In Ohio: Secretary of State’s Office admits direct reporting function of untested election software

by Gerry Bello and Bob Fitrakis
November 5, 2012

Citizen concerns about untested software have multiplied since the Columbus Free Press broke the news that Ohio Secretary of State Jon Husted’s office installed uncertified and untested software on the central vote tabulation machines in up to 39 counties in the state.

Memos circulated amongst senior staff at the Ohio Secretary of States’ indicate that they consider this skirting of Ohio Election Law is justified because the software does not directly tabulate or communicate actual votes. Their statements to the mainstream press reveal a different set of facts about the software and a different justification.

In statements to the theGrio, NBC’s political blog, SOS spokesman Matt McClellan said the software is to “assist counties and to help them simplify the process by which they report the results to our system.” and that it was deemed experimental because “It is a pilot project that we’re doing with about 25 counties or so. So it’s not statewide, but it is a pilot project we’re trying.”

Ohio election law does not allow software or hardware to be used in election until it has been tested or certified by the Ohio Board of Voting Machine Examiners unless it is experimental. The confidential internal memos indicate that this software was never tested because of claims that it is not involved with the tabulation or communication of votes. Reporting election results from county tabulation systems to the secretary of state’s office, which is the purpose of this software as explained by McClellan, is in fact communication of votes.

The potential federal illegality of this software has been hidden from public scrutiny by the Secretary of State’s Election Counsel Brandi Seske. In a September 29 memo, Seske wrote, “Please see the attached letter from Matt Masterson regarding de minimis changes – one submitted by ES&S and one by Dominion Voting Systems. He has reviewed and approved the changes.” “De minimis” is a legal term for minute. Federal election regulations have a very specific definition of de minimis. This definition was clarified to all state level agencies in a federal Elections Assistance Commission memo dated February 8, 2012 entitled “Software and Firmware modifications are not de minimis changes.”

Ohio election law provides for experimental equipment only in a limited number of precincts per county. Installing uncertified and untested software on central tabulation equipment essential affects every single precinct in a given county. Nowhere in the memos circulated by Seske, nor in the contract, is the software called “experimental.”

The Secretary of State’s office has given one questionable justification to its own Board of Voting Machine Examiners and another to the public.

The contract provides for testing, performed jointly by the counties and the vendor within 30 days of the software being installed. This testing was required to be independent and overseen by the Board of Voting Machine Examiners, as required by Ohio law.

McClellan told theGrio “I’m not sure the exact timeline of that [the installation and testing], but I know we’ve been working with the counties for the past couple of months on getting these in place, testing them to make sure they work properly, and working with the vendors as well.”

This uncertified and untested software could easily malfunction and corrupt votes on the central tabulation machines, thus destroying any electronic record of the actual votes by citizens. This “experimental” software, as outlined in the contract, has no security protocols. A “man in the middle” attack, like the one that stole the Ohio election for George W. Bush in 2004, could be directly facilitated by this untested and uncertified software installation.

The Secretary of State’s office has used every legal contortion to avoid the use of science and the possibility of public scrutiny of this possibly illegal software. The Free Press will continue to report on this story as it develops.


Gerry Bello is the chief researcher at the Columbus Free Press. He holds a degree in computer security from Antioch College. Bob Fitrakis is the Editor of the Free Press. He holds Ph.D. in Political Science and a J.D. from the Moritz College of Law at Ohio State University.

/by
, , ,

The Free Press confirms installation, secret justification of uncertified last minute election tabulation reporting software in Ohio


by Gerry Bello and Bob Fitrakis
November 2, 2012

The Free Press has obtained internal memos from the senior staff of the Ohio Secretary of State’s office confirming the installation of untested and uncertified election tabulation software. Yesterday, the Free Press reported that “experimental” software patches were installed on ES&S voting machines in 39 Ohio counties. (see Will “experimental” software patches affect the Ohio vote?).

Election Counsel Brandi Laser Seske circulated a memo dated November 1st renewing the already shaky justification for installing software made by Election Systems and Solutions on vote tabulation equipment used in 39 Ohio counties. The letter to Ohio Secretary of State personnel Matt Masterson, Danielle Sellars, Myra Hawkins, Betsy Schuster, and Ohio’s Director of Elections Matthew Damschroder, clarified the dubious justification for not complying with the legal requirements for the examination of all election related equipment.

Seske begins by explaining what she purports to be the purpose of the software patch: “Its function is to aid in the reporting of results that are already uploaded into the county’s system. The software formats results that have already been uploaded by the county into a format that can be read by the Secretary of State’s election night reporting system.”

According to the contract between the Ohio Secretary of State’s office and ES&S, this last minute “experimental” software update will supposedly transmit custom election night reports to the Secretary of State’s office from the county boards of elections, bypassing the normal election night reporting methods.

In order to justify this unusual parallel reporting method, Seske explains “It is not part of the certified Unity system, so it did not require federal testing.” This attempt to skirt federal and state law from one of the most partisan Secretary of State offices in the nation ignores basic facts of how modern information systems function.

Seske continues “Because the software is not 1) involved in the tabulation or casting of ballots (or in communicating between systems involved in the tabulation or casting of ballots) or 2) a modification to a certified system, the BVME [Board of Voting Machine Examiners] was not required to review the software.” These claims are factually unsound. The software, although not communicating actual ballot information, facilitates communication between systems upon which votes are tabulated and stored. Although the software purports to not modify the tabulation system software, it is itself a modification to the whole tabulation system. This is why certification and testing is required in all cases.

Just as in 2004, the Ohio Secretary of State’s office has enabled the possibility of a “man in the middle” attack. This software, functioning on a network through which votes are transmitted could act to intercept, alter or destroy votes from counties where it is not even installed, hence the “man in the middle” nickname.

On September 19, the last minute contract between ES&S and the Ohio Secretary of State’s office was inked. Within a week, Seske wrote “He [Matt Masterson] has reviewed and approved the changes.” Masterson is the Deputy Director of Elections. After Masterson’s approval, Seske acted to bypass the Ohio Board of Voting Machine Examiners required review.

“Pursuant to the board’s policy, each change will be approved unless three members of the BVME request a meeting to review a change within 15 days of today’s date. Given the proximately of the upcoming election, please let me know as soon as possible whether you will be requesting a meeting to review the changes,” wrote Seske.

Government reports such as Ohio’s Everest study document that any single change to the system could corrupt the whole voting process.

An unelected, partisan group of attorneys appears to have conspired to install election software without testing and certification that they are professionally unqualified to pass judgment upon. These types of last minute installations of software patches on voting machines are considered suspect by knowledgeable and experienced election protection attorneys, in light of all the voting machine irregularities exposed during the 2004 election in Ohio.

——————-

Gerry Bello is the chief researcher at the Columbus Free Press. He holds a degree in computer security from Antioch College. Bob Fitrakis is the Editor of the Free Press. He holds Ph.D. in Political Science and a J.D. from the Moritz College of Law at Ohio State University.

/by

Will “experimental” software patches affect the Ohio vote?


by Bob Fitrakis and Gerry Bello
October 31, 2012

Why did the Ohio Secretary of State Jon Husted’s office, in an end run around Ohio election law, have “experimental” software patches installed on vote counting tabulators in up to 39 Ohio counties? Voting rights activists are concerned that these uncertified and untested software patches may alter the election results.

During the 2004 presidential election, the Free Press reported that election officials observed technicians from the ES&S voting machine company and Triad computer maintenance company installing uncertified and untested software patches on voting machines in 44 Ohio counties prior to the election. Software patches are usually installed to “update” or change existing software. These software patch updates were considered suspect by election protection activists, in light of all the voting machine anomalies found during the 2004 election in Ohio.

The Free Press has learned that Election Systems and Solutions (ES&S) installed the software patches that will affect 4,041,056 registered voters, including those in metropolitan Columbus and Cleveland (click here for spread sheet from verifiedvoting.org).

A call to the Ohio Secretary of State’s office concerning the software patches was not returned by publication deadline. Previously, the Free Press requests for public records, including voting machine vendor contracts, have been stonewalled by Office Secretary of State John Husted’s office through his public records officer Chris Shea. Through other channels, the Free Press has obtained and has posted the possibly illegal full contract online here (see page 17).

The contract calls for ES & S technicians and county poll workers to “enter custom codes and interfaces” to the standard election reporting software just as was done with the controversial 2004 Ohio presidential election.

Last minute software patches may be deemed “experimental” because that designation does not require certification and testing. Un-certified and untested software for electronic voting systems are presumably illegal under Ohio law. All election systems hardware and software must be tested and certified by the state before being put into use, according to Ohio Revised Code 3506.05. By unilaterally deeming this new software “experimental,” Secretary of State Husted was able to have the software installed without any review, inspection or certification by anyone. ES & S, for their part, knows that this software will not be subject to the minimal legally required testing as stated in the contract on page 21 (Section 6.1).

The contract specifically states that this software has not been and need not be reviewed by any testing authority at the state or federal level. Yet, it is installed on voting machines that will tabulate and report official election results, which Ohio law forbids. Based on the Free Press reading of the contract, this software is fully developed, being referred as versions 2.0.7.0 and 3.0.1.0. Thus the only thing making this software “experimental” is the fact that it has never been independently certified or tested.

In preparation for the upcoming general election in late April, the Free Press began requesting public records from all 88 counties in Ohio in order to build a broad database of every vendor and piece of equipment used in the state of Ohio. Aside from some minor delays, all 88 county jurisdictions have complied.

However, the office of the Ohio Secretary of State however, has not complied with any requests for lists of equipment, contracts with vendors, schedules of payment and even the identities of the vendors. The Free Press’ public records requests, under ORC 149.43 (The Public Records Act) have been ignored by Chris Shea, presumably acting on behalf of Secretary of State Jon Husted. Now that the Free Press has obtained the contract, it seems clear that the secretary of state’s office was hiding these last minute “experimental” uncertified software installations.

On page 19 of the contract, terms require the various county boards of elections to purchase additional software from ES & S if they are not compatible with this new “experimental” statewide tabulation and reporting system. This unfunded mandate clause illegally bypasses individual counties rights to make their own purchasing determinations.

The controversial software will create simple .csv files like those produced by spreadsheet programs for input into the statewide tabulation system. According to the terms of the contract, data security is the responsibility of each local board of elections: “…each county will be responsible for the implementation of any security protocols” (see page 21 of the contract).

Most county boards of elections do not have their own IT departments and are reliant on private partisan contractors to maintain and program the electronic voting systems. These piecemeal implementations of security protocols would also be untested and uncertified.

Voting rights activists believe this whole scheme may create a host of new avenues of attack on the integrity of the electronic vote counting system. The untested and uncertified “experimental” software itself may be malware. Public trust in the electronic vote counting system has emerged as the key issue in the Ohio presidential election.

The Free Press will be updating this breaking story as more information is obtained and analyzed, so stay tuned. The story for now is that the Secretary of State in the key swing state in the 2012 presidential has installed “experimental” uncertified and untested software to count a large portion of the Ohio vote.

/by