Washburn's World

My take on the world. My wife often refers to this as the WWW (Weird World of Washburn)

My Photo
Name:
Location: Germantown, Wisconsin, United States

I am a simple country boy transplanted from the Piehl Township in northern Wisconsin to the Milwaukee metropolitan area who came down "sout" in 1980 for college and have stayed in the area since.
If this blog is something you wish to support, consider a donation.

Thursday, March 22, 2007

ES&S is Late to Deliver

As of this morning at 10:00 am March 22, 2007, ES&S has yet to delivery election materials to its customers in Clark and Taylor Counties here in Wisconsin. I just finished speaking with, Gayle Vatne, Deputy clerk of Clark County, Wisconsin.

ES&S has not delivered any PEBs for the iVotronics used in 43 of the 44 municipalities of the county.

ES&S has not delivered any memory cards used by any of the scanners used in the county.

ES&S has not delivered all of the paper ballots ordered.


I spoke with Bruce Strama, County Clerk for Taylor County, Wisconsin at 4:00 pm on March 21, 2007.

ES&S has not delivered any PEBs for the iVotronics used in the 27 municipalities of the county.

ES&S has not delivered any memory cards used by any of the scanners used in the county.

ES&S has the paper ballots ordered.


Both clerks expect the missing election materials to be delivered by Friday, March 23, 2007. But, from my phone calls on Monday, March 19, 2007, the clerks were expecting ES&S to deliver the missing election materials by yesterday, Wednesday, March 21, 2007.

[update: The materials were finally delivered on noon, Friday, March 23, 2007. The belated functional testing required by WI 5.84 is scheduled for today, tomorrow, and Wednesday. The exact times and locations vary by municipality] I hope 7 to 10 days is sufficient time for there to be an error-free test as required by statute.

Tuesday, March 20, 2007

Diebold Accuvote TSx DREs Fail Spectacularly

The Diebold AccuVote TSx, like those used here in Washington county, Wisconsin, were discovered to have a failure rate of between 23% and 38% in Montgomery County, Ohio.

The failure here is very noteworthy because the failure is the failure of the AccuVote TSx to accurately record the ballot within the invisible computer memory. This was not a failure of the poorly designed toilet paper VVPAT printer. This was not a failure within the insecure GEMS server. This was not data corruption created by the unstable Microsoft JET database used by GEMS. This was a failure of the AccuVote TSx DRE to accurately translate the screen touches of the voters (testers) into invisible, electronic ballots stored within the flash memory of the AccuVote TSx.

Here is the source: from the Daytona Daily News of March 20, 2007. The variance in the percentage of failure is whether you count the number of failed machines as 28 (initial count) or only the 14 returned to Diebold Election systems, Inc. for repair.

Of course according the ESI report on the AccuVote TSx on printed page 118 (page 123 of the pdf file), there is a 1 in 4 chance (26% actually) that an invisible ballot stored in the flash memory of the AccuVote TSx DRE will be accurately copied to the removable memory cards. It is the electronic ballots stored on the removable memory cards from which all reports (both local and later from the GEMS server after uploading) will be generated.

I will say it again, for the benefit of the municipal clerks in my county and Ms. Jaszewski, County Clerk of Washington County. I am not opposed to using technology in elections. I am opposed to using unreliable and untested technology in a something as mission critical to the American Republic as an election.

One is forced to ask the question: "Is AccuVote a proper name for this error prone product line?"

Thursday, March 15, 2007

Smooth Undervoting In Sarasota, FL

It turns out there may be an explanation as to why Florida congressional district 13 (FL CD-13) in Sarasota, Florida received so many undervotes relative to other races on the iVotronic terminal. 

Page 23 of the FSU security analysis of the iVotronic firmware states: (emphisis mine)

6.2.1.1 Investigate Reports that the Display Was Slow to Respond to Touch.

Overview. We consider a scenario in which technical impacts from slow touch screen response may unintentionally prevent the voter's selection from registering during the vote selection process, but not during the review cycle. 

Hypothesis. If a voter is able to interact with the touch screen in a sequence that causes the screen to display a candidate selection that does not match their most recent touch, it may cause the voter to misinterpret their selection for that race. Specifically, consider a situation where a voter touches a vote box twice in rapid succession. If the software delays updating the display in response to the second touch for some reason, after a very short period the voter may accept the first display response as conclusive, and due to the delay (if it exists) the voter might not notice the delayed update in response to the second touch. It is also possible that the second touch would cause the candidate to be deselected after having been selected.

Similarly, we consider a situation where a voter touches a vote box and waits patiently for her vote to display for a few moments before assuming her touch was not detected and touching the screen again. If the first touch is recorded and if the display is updated only after the second touch, the voter may accept the first display response as conclusive, while a delay (if it exists) could cause later display of the second recorded touch that the voter may not notice.

These scenarios are consistent with reports by some voters that they voted for a candidate, but noticed their vote was not registered when they reviewed their selections on the summary screen.

The remainder of section 6.2.1.1 goes on to dismiss this as a possible cause of the undervotes for two reasons; no support for such delay could be found in the inspected source code and such delays would have been present in other races.

The reason for the FSU team to dismiss this hypothesis as a cause has now been refuted by ES&S itself. The vendor of the iVotronic acknowledges delays in displaying selections are indeed a known defect of the iVotronics software. Here are comments from ES&S itself on this point:

In the Aug. 15 letter, ES&S regional account manager Linda Bennett says "after a number of inquiries" ES&S verified that voting machines were showing slow response times. They pinpointed the problem to a "smoothing filter" that delayed selections after a voter touched the screen.

"In some cases, the time lapse on these consistent reads is beyond the normal time a voter would expect to have their selection highlighted," Bennett writes in the letter. "The delayed response to touch may vary from terminal to terminal and also may not occur every single time a terminal is used."

So, such presentation delays do in fact exist. Moreover the delay is intermittent and of varying length. The first of the FSU contra-indications is refuted

The question then is why only this race, FL CD-13? Actually, exceptional numbers of undervotes were NOT limited to just the FL CD-13 race. Any race in the state where the iVotronic displayed a short race at the top of the screen and longer race below had very high undervote rates. Other counties had similar ballots screens (e.g. Attorney General), where a 2 person race with no write-in was placed at the top of the screen of a page with two races. In all of these counties, such races had undervote rates eight to ten times the undervote rates of found among absentee ballots for the same race in the same county.

How Smooth Undervoting may Happen

Consider the sequence of events below. Steps 1,2, and 3 are from Kitty Garber of Florida Fair Elections Coalition

1)      I touch the screen for Jennings or Buchanan. Because of the display delay in the iVotronic caused by the smoothing function there is no apparent response.

2)      I then touch the screen again for my candidate. This inadvertantly de-selects my candidate selection.

3)      The X now appears, but, this is deceptive. The X is in response to my first touch (candidate selection) not my second touch (candidate de-selection). Because of the display delay caused by the smoothing filter, the appearance of the X is actually in response to my first touch.

4)      Because there are two races on the page my attention is immediately diverted to the race below, Governor for the State of Florida. Because of this change in attention I do not notice the X disappear from the FL CD-13 race. This is the delayed reaction to my second touch (de-selection). The delay is caused by the smoothing filter. 

a.)       Two things are happening together. First, there is a significant delay (in machine terms) between my second touch for the FL CD-13 race and my touching the ‘Next Page’ button. This is because I am examining my choices for Governor on the lower portion of the page. Because I am pausing on the Governor's race, there is time for the many disabled buttons used for navigation and selecting Gubernatorial candidates to become active and begin accepting input (touches) again. Second, the response to my second touch which de-selects (removes the X from) my choice in the FL CD-13 race occurs outside the center of my attention. Again, I am examining my choices for Governor.

5)      The iVotronic enables input in the other touch areas on screen because processing on the first race is now completed.

6)      I touch a selection for a Gubernatorial candidate. Until the X for the second race appears, the button, “Next Page” is disabled and unresponsive to touches. Two possibilities present themselves at this juncture.

a.       If the delay is still present, the “Next Page” button is disabled until the X appears by my choice for Governor. This delay from the the smoothing filter may frustrate me. In my frustration over the disabled "Next Page" button, my attention might now shift to the whole ballot screen again. At this point I may notice my selection in the FL CD-13 race has apparently gone missing.

b.      If the intermittent delay caused by the smoothing function has disappeared, then the iVotronic transitions to the next page of the ballot, and I do not notice the absence of a selection in the FL CD-13 race.

7)      I continue to vote on other ballot pages.

8)      The review screen is presented without a selection for FL CD-13.

a.       If I notice this, I am directed to a different page than the original ballot page. This second, different page is called the re-vote page. The re-vote page only contains the FL CD-13 race. On this single purpose screen I can correct the absence of a vote in the FL CD-13 race. The ballot is then cast with a vote registered for the FL CD13 race.

b.       If I do not notice the absence of a selection for FL CD-13 on the review screen, then the ballot is cast with no vote cast in the FL CD-13 race.

It is the combination of four things which causes the FL CD-13 race in particular to have a high undervote rate;

1)      The intermittent delay in displaying the response to a screen touch

2)      The fact that touching the touch screen twice is interpreted as no vote cast.

3)      The presentation of the races on the screen properly diverts my attention to the next race so I am less likely to notice the de-selection of my selected candidate in the FL CD-13 race.

4)      The presence of the second race below delays any later touch on the screen. The delayed processing of my touches in the FL CD-13 race complete while I am considering the race for Governor. In the time it takes me to consider my choices for Governor, the disabled touch areas for gubernatorial candidates and the disabled “Next Page” button have now become enabled.

This hypothesis explains why the smoothing filter would confine itself to these pages with two races on them. The FSU team acknowledges the smoothing filter could be the cause if an explanation can be offered as to how the problem would confine itself to one race. This acknowledgement is on page 48 and states:

8.4.9 The touchscreen smoothing filter caused the undervote.

A smoothing filter is a mathematical procedure for damping transient touch screen effects such as the voter altering the position of her finger or changing the pressure exerted by the finger on the screen. The allegation has been floated on Internet newsgroups that the iVotronic touch screen filter could have caused the undervote. No explanation has been offered how the effect would confine itself to a single race on a single screen. The touch screen filter does not act differently on different screens.

Contraindications:

        TEST CONFIRMATION

        CVR CORRESPONDENCE

        FULL RECORDING

        FLORIDA UNIQUENESS

        Other races would have been affected but were not.

None of the contra-indications above would be present under my hypothesis with the possible exception of the first contra-indication. The contra-indications and why they do not apply:

1)      I am unconvinced the State Bureau of Voting System Certification covered this in their flawed post-election testing.

2)      The Cast Vote Record (CVR) would correspond. There was indeed no selection for FL CD-13.

3)      The full recording would be correct. The race was actually de-selected by the voter by a second touch.

4)      This smoothing filter defect is not unique to Sarasota county nor is it unique to Florida. It only seems unique because of the exquisite visibility of the FL CD-13 race.

5)      Other races are affected. But because of the one race per page nature of subsequent iVotronic pages the smoothing filter defect does not result in an undervote. The smooting filter defect merely results in an irritating user experience.

More investigation is needed to confirm or deny this hypothesis. This scenario should be tried on an iVotronics system used in Sarasota, which has not received the recommended upgrade from ES&S that repairs the smoothing filter defect.

Credit goes out to Susan Pynchon and Ellen Theisen whose sharp and critical questioning of me helped to make this hypothesis as clear and simple as possible and, yet, encompass all information known to the public at this time.


PDF Version

WinEDS does not Comply With 2002 VVSG

On Tuesday, March 13, 2006 I was finally able to confirm that WinEDS is routinely shipped with source code and a compiler and the presence of the compiler is required by Sequoia. The source code is the SQL programming in the Transact-SQL language and the compiler of this source code is Enterprise Manager.

During the audit of the Pinellas County, Florida primary election last year, it was discovered the county was using to Enterprise manger to directly manipulate the Microsoft SQL database under the WinEDS application. The question which I could not confirm until yesterday was whether Sequoia REQUIRES the purchase and installation of the SQL compiler, Enterprise Manager, or not. The purchase orders from Waukesha County, Wisconsin confirm Sequoia requires the complete set of Microsoft SQL database administration tools (Eneterprise manager, Query analyser, etc.) be installed as a requirement of WinEDS. In Waukesha county, the WinEDS application runs on the same physical machine as these database adminstratin tools.

This is a violation of 6.4.1(e) or the 2002 Voting System Standards. Here is the letter I sent to the county clerk and the staff of the Wisconsin State Elections Board.

WinEDS violates both the 2002 VSS1 and 2005 VVSG2 because the presence of Microsoft Enterprise Manager constitutes a compiler of the SQL programming invoked by WinEDS. The presence of compilers and programming source code is expressly forbidden by both the 2002 and 2005 versions of the national standards. Further, I speculate, none of the SQL programming source code incorporated into the WinEDS application was submitted for software review by the ITA labs.

Here is a comparison of Access 2000, Microsoft SQL Desktop Edition, and SQL Server Enterprise.

http://msdn2.microsoft.com/en-us/library/ms811092.aspx

The relevant excerpt for MSDE and the SQL programming in a stored procedure is:

Stored procedures exist as permanently compiled objects in MSDE. Precompiling reduces the overhead required for execution. Stored procedures can accept and return data. Stored procedures can also be used to group complex SQL statements. The contents of stored procedures may be hidden from applications.

In Microsoft’s own words MS SQL Server stored procedures, user-defined functions, and triggers are a programming language; Transact-SQL3. http://msdn2.microsoft.com/en-us/library/aa214299(SQL.80).aspx. The relevant excerpt is:

Stored procedures in SQL Server are similar to procedures in other programming languages in that they can:

  • Accept input parameters and return multiple values in the form of output parameters to the calling procedure or batch.

  • Contain programming statements that perform operations in the database, including calling other procedures.

  • Return a status value to a calling procedure or batch to indicate success or failure (and the reason for failure).

You can use the Transact-SQL EXECUTE statement to run a stored procedure. Stored procedures are different from functions in that they do not return values in place of their names and they cannot be used directly in an expression.

I will put aside for the moment the question of whether the SQL programming source code of WinEDS was ever presented for source code review the ITA testing labs as required by the 2002 and 2005 Voting System Guidelines. The presence of Microsoft Enterprise Manager is a separate violation of both the 2002 and 2005 Voting System Guidelines because the presence of the Microsoft Enterprise Manager on the WinEDS server is a violation of paragraph 6.4.1(e) of the 2002 VSS (http://www.eac.gov/election_resources/v1/v1s6.doc) and paragraph 7.4.1.(e) of the 2005 VVSG (http://www.eac.gov/VVSG%20Volume_I.pdf ). The cited paragraph reads (emphasis mine):

After initiation of election day testing, no source code or compilers or assemblers shall be resident or accessible.

The presence of Enterprise Manager allows for the examination, alteration and recompilation of the SQL programming of the stored procedures, user-defined functions, and triggers used by the WinEDS application. In Waukesha, Enterprise Manager is both resident and accessible.

The application code in WinEDS executes whatever SQL programming is behind the name for the stored procedure regardless of whether that SQL programming is the same as the SQL programming initial installed or SQL programming which has been altered between the time of installation and the time the procedure name was invoked during the administration of an election. The technical term for this feature is late-binding4. Here is Microsoft on the topic late binding of SQL programming: http://msdn2.microsoft.com/en-us/library/ms191436.aspx. The relevant excerpt is: (emphasis mine)

They[,stored procedures,] are named code allowing for delayed binding.

This provides a level of indirection for easy code evolution.

Evolution here means changes to the behavior of WinEDS AFTER state certification.

What is particularly problematic with WinEDS installation of Enterprise Manager is that it is completely unnecessary. Either Microsoft SQL Desktop Engine or its replacement, SQL Server 2005 Express Edition Overview5, could be used instead. The use of either of these other MS SQL Server compatible options would prevent the SQL programming of WinEDS to be changed in the field. This is because the SQL programming would be pre-compiled in Oakland, CA and an on-site compiler (Microsoft Enterprise Manager) would be unavailable in Waukesha, WI.

3http://msdn2.microsoft.com/en-us/library/aa299742(SQL.80).aspx. Notice particularly the inclusion of IF.. ELSE, WHILE, CONTINUE, BREAK and EXECUTE programming elements.