Analysis of the Response to FFEC Public Records Request

By: John Washburn

On December 4, 2006 the Florida Fair Elections Coalition (FFEC) submitted a Public Records Request[1] to the Florida Bureau of Voting System Certification (FL BVSC). The complete text[2] of the Public Records Request was quite lengthy, but it is easy to summarize. The FFEC asked the bureau to provide the cryptographic hash values[3] of the software components that compose the five voting systems certified for used in Florida. The resulting request was for hash values to the 101 software components listed on the Bureau’s website[4].

Cryptographic hash values[5] can be used to compare one collection of installed software to another collection of installed software in order to compare the two installations. The use of hash values allow for very fine comparisons of software configurations[6] without exposing copyrighted, trade secreted or patented intellectual property to unintended disclosure. If the lists of hash values are different, then the software install on the two system is certainly and provable different.

Since, there have been audits of two voting systems in Florida within the last 12 months, Florida Fair Elections Coalition is certain the Bureau of Voting Systems Certification has access to this very technical information. The first step in an audit procedure is to determine and identify the system under audit. For voting systems, this verification of the system under audit is doubly important as only systems certified by the Bureau of Voting Systems Certification may be used in Florida elections. Having an enumeration of the cryptographic hash values of the various software components of the five systems certified in Florida is necessary in order to confirm that a system used in an election is the system certified by the FL BVSC.

The response from the Florida Bureau of Voting Systems Certification was a CD-ROM disk containing five directories containing a total of 12 text files. The text files are essentially a list of filenames and the SHA-1 hash value[7] for each of the named files. A compressed ZIP Archive of this CD-ROM disk is provided here[8].

Florida Fair Elections Coalition asked me to review their original request and the response by the Florida Bureau of Voting System Certification and to comment on which records were produced and which records, if any, were not produced. The complete and detailed analysis of each of 101 requested records and the response provide by the State of Florida is also quite lengthy, but also easily summarized. Of the 101 items requested, 3 (items 1, 92 and 93) were fulfilled by the State providing a hash value to a specific software component. The State responded to 18 other requests (requests 29-33, requests 81-87, and requests 96-101) with the response that no such record is maintained by the state as such information is in the public domain. The State has not responded to the remaining 80 requests.

The 3 items for which SHA-1 hash values[9] were provided were:

• The cryptographic hash value for Global Election Management System Software (GEMS), Release Level 1-18-19
• The cryptographic hash value of the AVC Edge firmware version 4.3.320 as used on an AVC EDGE I (15" DRE) w/ Seiko printer
• The cryptographic hash value of the AVC card activator firmware version 4.3.320 as used with the AVC card activator, version D

For the remaining 80 cryptographic hash values requested, what the State of Florida provided was not the hash value of the specified software component requested but the hash value of the compressed archive which (presumably) contains the software component. The diagram below can help to illustrate this difference.

What Florida Fair Elections Coalition requested were the cryptographic hash values of the software components expected to be found in green boxes of a certified system. What Florida Fair Elections Coalition received as a response from the State of Florida were, instead, the hash values of the items found in the yellow circles. This is non-responsive because there is the possibility the voting system was upgraded or patched after installation. The process to upgrade or patch the voting machine software is represented by blue circles.

What Florida Fair Elections Coalition requested was the contents of the purple box as found in a reference installation from the certified installation CD-ROM’s. This list of the expected hash values of the certified systems could then be compared, at a later time, to the hash values actually found on an election system under audit. If the hash values differ, then it is certain the system under audit is not a system certified by the state.

Florida's Public Records Act[10] defines 3 actions as responsive to a public records request:

• No such record exists,
• The record exists but is exempt from disclosure, or
• Here is the requested record.

The response from the Florida Bureau of Voting Systems Certification to the FFEC 101 Public Records Requests breaks down as follows:

• 3 of the requested SHA-1 hash values were provided,
• 18 of the requests are for records which do not exist, and
• 80 of the 101 records requested received no response from the state, which, instead, provided different records than those requested.
  

---

[1]http://www.flsenate.gov/statutes/index.cfm?App_mode=Display_Statute&URL=Ch0119/ch0119.htm

[2]http://www.washburnresearch.org/archive/FFEC-PPR-20061204/FFEC-OriginalPPR.pdf

[3]http://en.wikipedia.org/wiki/Cryptographic_hash_functions

[4]http://election.dos.state.fl.us/votemeth/systems/countysys.asp

[5]http://en.wikipedia.org/wiki/Cryptographic_hash_functions

[6]http://en.wikipedia.org/wiki/Software_Configuration_Management

[7]http://en.wikipedia.org/wiki/Sha-1

[8]http://www.washburnresearch.org/archive/FFEC-PPR-20061204/FL-BVSC-ResponseCDROM.zip

[9]http://en.wikipedia.org/wiki/Sha-1

[10]http://www.flsenate.gov/statutes/index.cfm?App_mode=Display_Statute&URL=Ch0119/ch0119.htm

PDF Version

Does Ciber Testing Affect Wisconsin?

The story in the New York Times that Ciber Labs has been barred from certifying election equipment under the EAC interim certification rules raises the question above in the title:

Does Ciber (non) Testing Affect Wisconsin?

The answer is yes, but it is too early to tell how and to what extent. Here are the systems affected:

The following is from the Voting Equipment page found on the WI SEB web site at:

Ciber Labs tested the following elements of systems now approved for use in Wisconsin.

• Unity Election Management Suite, version 2.4.3 of the ES&S system approved under the NASED # N-1-02-21-21-002
• Unity Election Management Suite, version 3.0.1.0 of the ES&S system approved under the NASED # N-1-02-21-21-005
• Unity Election Management Suite, version 2.5 of the ES&S system approved under the NASED # N-1-16-22-22-001
• Unity Election Management Suite, version 3.0 of the ES&S system approved under the NASED # N-1-16-22-22-001
• Global Elections Management System (GEMS) software, version 1.18.24 of the Diebold Election Systems Inc. system approved under the NASED # N-1-06-22-22-001
• WinEDS Election Management software version 3.1.012 of the system from Sequoia Voting Systems approved under the NASED # N-1-07-22-22-002

Ciber Labs tested no element of the following systems now approved for use in Wisconsin

• Populex Digital Paper Ballot Voting System, version 2.3. All elements of the system were tested by SysTest, LLC. On an unrelated note apparently, no NASED number has been issued yet for this system as required for this system by Wisconsin regulations.
• Vote-PAD. Since Vote-PAD is not electronic it outside of the scope of the certification process for electronic systems.

It is unknown which, if any, elements Ciber Labs tested for the following system now approved for use in Wisconsin

• VotWare DRE Voting System: firmware release version 5.0.4.1; Ballot Builder v. 5.0.4.1g; Surevote DRE v.5.0.4.1g; EMSTools v.5.0.4.1h, and related system components. Apparently, no NASED number has been issued yet for this system as required for this system by Wisconsin regulations.

Ciber SHOULD have tested the following PC application, but instead the State of Wisconsin accepted a software test report from Wylie, the NASED hardware test lab.

• VC Programmer 4.6.1 of the Diebold Election Systems Inc. system approved under the NASED # N-1-06-22-22-001

Ciber Not Given Interim Accreditation, Part 1

The story in the New York Times that Ciber Labs has been barred from certifying election equipment under the EAC interim certification rules simultaneously stuns me and frustrates me. That Ciber has not been performing the work it was contracted to do is very old news to me. It is somewhat frustrating to see this breathlessly reported as something new. The thing that stunned me, though, was that the Ciber portion of the Ciber/Wyle team failed to meet the requirements of the EAC interim accreditation. How can that be?

In this, the first of a two articles I will discuss the interim certification process of the EAC. I will endeavor to make this rather dry topic interesting. The second article will discuss the lack of work by the Ciber/Wyle team which I documented over the 18 months ago here in Wisconsin.

EAC Interim Process

Any discussion of the EAC Interim Accreditation process, unfortunately, cannot begin unless you first discuss the two accreditation processes it is between. The first process is the NASED qualification process administered by the private trade group, the National Association of State Election Directors, and the second is the yet-to-be-implemented National Voluntary Lab Accreditation Program (NVLAP) accreditation process to be administered by the Election Assistance Commission with substantial support from the National Institute of Standards and Technology (NIST). The additional rigor from the EAC/NIST program would mean its initial accreditation of labs would not be available until September 2006 at the soonest. The interim certification process was adopted as a bridge for the time between the end of the NASED qualification program and the beginning of the EAC/NIST program.

For each of these accrediting bodies: NASED and EAC/NIST there are two things to be certified/accredited:

1. Voting Systems. A given voting system is certified if it adheres to some standard.

2. Testing Labs. A given laboratory is accedited to test voting systems if its credentials and competence of laboratories are shown to meet accreditation standards.

This article focuses solely on this second form a certification: the accreditation of the testing labs.

NASED Process

The NASED process for testing equipment has been in place since the mid-1990’s and is documented here. Unfortunately, this is the only extant document which describes how ITA labs are accredited by NASED. There was a link at testimony which describes how SysTest became an ITA. But this document of testimony is now a dead link. Like many things regarding electronic voting; the truth is a trade secret. The short answer is no one in the public, and certainly no elected official, knows what if any qualifications, are required to be a NASED ITA lab. The only people who may know are the labs themselves, R. Doug Lewis of the Election Center and the members the NASED Voting Systems Board. The Election Center connection is important because initially the Election Center and Mr. Lewis administered the machine qualification process. Later, the EC joined with NASED in ITA testing. Prior to 1998 NASED merely republished the results produced by the Election Center . This re-publication policy was in place in November 1998 as found in the footnote. By December 2003 the qualification of machinery was administered by the Election Center under the auspices of NASED. Again the relevant information is in the footnote. At some point prior to December 2004, lists of certified systems drop any links between the Election Center and NASED.

So, in summary, the accreditation process to become an NASED/Election Center ITA lab is unknown or at least published in a very limited way. You will have to ask the Election Center and the NASED Voting Systems Board for answers to these questions.

EAC/NIST Process

The accreditation process for labs to test voting machinery under the EAC/NIST program is very well documented. The acronym for the labs changes from ITA to VSTL which stands for Voting Systems Testing Laboratory. The process to become a VSTL under the National Voluntary Lab Accreditation Program (NVLAP) is described in detail on the NVLAP page of the NIST website. And how the labs are to conduct testing in order to certify election machinery is described in the NIST Handbook 150-22 and the EAC VSTL manual.

Back to the EAC Interim Process

The initial accreditation under the EAC/NIST process has to date (January 7, 2007) yet to be completed for even a single lab that applied back in August of 2005. Thus, the EAC interim certification processeses is critical. These interim rules will be in place for some unspecified time to come.

So, what does is take to become accredited as a test lab under the EAC interim certification process? Not much.

Here is the document defining the EAC interim process for the certifying of election machinery. Paragraph A covers the accreditation of testing labs during the interim period.

Provide for interim accreditation of National Association of State Election Directors (NASED) accredited Independent Test Authorities (ITA).

The procedure for this interim accreditation is documented in the EAC Interim Accredited Test Lab information published by the EAC in August 2006:

Specifically, the requirements for interim accreditation are in paragraph 3.

Prior to accreditation review, the labs were required to submit documentation to EAC providing information on the laboratory, including their organization, their quality program, and their parent organization. EAC also required a completed EAC Certification of Laboratory Conditions and Practices document (Attachment 1).

This is the only documentation there is. This is only slightly better than the documentation available from the NASED/EC process for accrediting ITA labs.

To get interim accreditation from the EAC all a lab needs to do is:

1) Be a NASED ITA.

2) Tell the EAC who the lab is

3) Tell the EAC what is the lab’s quality assurance program

4) Tell the EAC which larger organization the lab is a part of

5) Sign a form entitled: Certification of Laboratory Conditions and Practices.

6) Pass some unspecified accreditation review

There is no documentation available though on what this review consists of or if it consists of anything at all.

Here are some questions for the EAC on the matter of interim certification.

1. Is the review process mentioned in paragraph 3 documented anywhere?
2. If so, where is this documented?
3. If not, why is this not documented?
4. Remember this review process, if it exists, is NOT the same process defined under the NIST/NVLAP program but something else generated by the commissioners of the EAC.
5. Is this undocumented review what Ciber failed to pass?
6. Or is the failure more fundamental? Did Ciber refuse to sign the required Certification of Laboratory Conditions and Practices?
7. If the failure by Ciber was related to the undocumented review process, what was the nature of the failure?
8. Was there more than one item of failure?
9. Where is the report on this review?
10. Who performed the review and when?

Given the elementary and pro forma nature of the EAC interim accreditation process how did a NASED ITA of more than 10 years fail? Hopefully the answer to this question and those above are not considered a trade secret as so much of election administration in the past 5 years has been declared.

Ciber Not Given Interim Accreditation, Part 2

The story in the New York Times that Ciber Labs has been barred from certifying election equipment under the EAC interim certification rules simultaneously stuns me and frustrates me. That Ciber has not been performing the work it was contracted to do is very old news to me. It is somewhat frustrating to see this breathlessly reported as something new. The thing that stunned me, though, was that the Ciber portion of the Ciber/Wyle team failed to meet the requirements of the EAC interim accreditation. How can that be?

In this, the second of two articles, I will discuss the poor workmanship of the Ciber/Wyle team, which I documented during the summer of 2005 here in Wisconsin. The first of these two articles discussed the interim certification process of the EAC and questions how it was even possible for Ciber to fail in its bid for certification.

NASED/EC Independent Test Authorities

Ciber labs is part of a network of three testing laboratories called Independent Test Authorities (ITA). For 10 years, under the auspices of the Election Center (EC) and then later under the those of the National Association of State Election Directors (NASED), the vendor-funded research conducted by the ITA labs has been cited as evidence that voting machinery sold in the United States is fit for use in election administration. The statement has been repeated many, many times but two specific examples are illustrative.

November 4, 2003 of Market Watch from Down Jones.

Mark Radke, director of the Diebold Election Systems unit, rejects charges that the company's systems are flawed or that politics could affect how it writes software. The company's equipment is certified by election officials before use, he said, and is subject to rigorous testing before, during and after the voting process

January 2005 from News Forge:

North Carolina's Board of Elections relied on reports from the Independent Testing Authority (ITA), which has OKed systems and software that have been problematic in the past.

The primary complaint with the independent test authorities has been that they are not. Vendor-funded labs operating under strict non-disclosure agreements (NDA’a) are not independent. The qualifications and authority of Shawn Southworth of Ciber (a company previous known as Nichols Research, PSI Net, and Metamor) has been repeatedly questioned. And there are years of evidence showing that the expected testing has not been done. Not independent, Not an authority. Not doing the testing, this is why Independent Test Authorities are not.

A History of Failing to Test

As I stated there has been much evidence dating back to 1997 that the "ITA" labs have not been testing voting software well. Here is an abbreviated list.

November 1, 2004 from Wired News

Last year [2003], computer scientists found that the Diebold system still possessed the same flaws Jones had flagged six years earlier [in 1997], despite subsequent rounds of testing.

December 22, 2005 from S&R News

One study this July tested 96 Diebold TSx DREs with AccuView printers and logged 34 separate system failures. The machines were tested for “5.33 hours in a setting designed to emulate a real election,” according to a report by the Voting Systems Technology Assessment Advisory Board. “The 34 failures broke down into 14 printer jams and 20 software failures. ... For some of the failures, the machine reported a fatal error and was unable to proceed. Other failures left the machine stuck, hung, or frozen in some state and unresponsive to voter input.”

Research performed on behalf of the Secretary of State of Ohio in 2003 and later in 2005 found numerous problems, all of which were missed by the vendor-funded "ITA" labs.

Research by the State of California in September, 2004 also found problems missed by the Ciber/Wyle team of "ITA" labs. A later study published on February 14, 2006 by the California Voting Systems Technical Advisory and Assistance Board (VSTAAB) stated:

“[The system] had not been subjected to thorough testing and review by” the national ITA which had approved the system in 2005.

No discussion of the "ITA" labs failure to test voting machine properly would be complete without mentioning ‘interpreted code’ -- which allows uninspected, ad-hoc programming to control the software. Interpreted code is expressly banned by both the 1990 and 2002 standards for voting systems, yet for years the test labs filed to detect, or failed to report ,the presence of this prohibited code. The dangers of the presence and use of this prohibited form of programming were demonstrated in Leon County under election night conditions on December 13, 2005 by Harri Hursti, testing the system at the request of the Leon county Supervisor of Elections. In this demonstration, the interpreted code misrepresented the election results so that the correct result of 6 No and 2 Yes was misreported as 1 No and 7 Yes.

Vote Trust USA has proposed a different, more effective testing frame work because of the failure of the NASED ITA testing process.

The Wisconsin Experience

While it is interesting to note the "ITA" testing failures from around the country, the main question is how does this affect us, the voters? The Elections Board of the State of Wisconsin (WI SEB) relies heavily on the assurances from the ITA labs. This reliance is so heavy that Wisconsin does no state-based testing other than to hold a mock election for each of the three types of Wisconsin elections: Partisan Primary, General Election, and Presidential Primary Election. There is no independent review such as performed by California, Ohio, or Pennsylvania. The reason is quite simple. The WI SEB does not have the funds to have such testing done on its behalf.

Because of the experiences with the Ciber/Wyle team of "ITA" labs and NASED system N-01-06-22-22-001, several members of the board mentioned in the November 30, 2005 meeting that while the ITA process was clearly suspect, the board was in no position to rectify the situation.

What led them to their conclusion? It was my attempts to verify that the Wisconsin certification process was being followed. The state certification process is documented in the administrative rules found in ElBd 7. Here is a short chronology of my investigation from 2005.

I requested the "ITA" reports delivered by the vendor to the State Elections Board as required by ElBd 7.01.

Details here

I was told "ITA" reports are a “trade secret” and thus exempt from disclosure under Wisconsin’s Open Records act.

Details here, here, here, and here

A redacted version is made available and it is discovered the ITA report is incomplete and is missing elements required by the 2000 VVSG.

Details here and here

The issues regaring the incomplete and missing reports were taken up by the board.

Details here, and here.

While the State Election Board denied Diebold's application on November 30, 2005, the system was later approved for use during 2006.

What I discovered in the "ITA" reports submitted to the State Elections Board by the State of Wisconsin were:

1. Neither Ciber nor Wyle provided in any of the reports the system identification as required under section 8.7.1 of Volume I of the 2002 VVSG. This system identification is called a physical configuration audit (PCA) and the inclusion of the PCA is required by Appendix B of the 2002 VVSG. This means it is impossible to tell which system the reports apply to.
2. Wyle labs created the ITA report for the application called "VC Programmer". The problem with this is that Wyle labs is only authorized to test hardware and the firmware executed on that hardware. VC Programmer is an application program which runs on a standard desktop computer.
3. Neither Wyle nor Ciber produced a report for the application called "JResultsClient".
4. The Ciber report was so short and incomplete it is impossible to tell what if any testing was done or more importantly how such testing was done.
5. The NASED number, N-1-06-22-22-001, for the systems was issued on June 27, 2005 but the ITA reports were not completed until August 4, 2005. This means the NASED number was issued before the NASED Voting Systems Board had recieved the test results.

In conclusion, the failure of the NASED ITA system in general and the particular failures of Ciber Labs (in all of its prior incarnations) to perform adequate testing of voting machines is a problem stretching back for more than a decade. This means that voting systems have been approved by "ITA" labs and state election officials have relied upon those approvals. Because of this elections have been held using voting equipment which has never been adequately tested.

How this actually may have affected us, the voters, is anybody's guess.

November 2, 2004 evidence is with MPD

I received a phone call from Rick Frohling of the US Attorney's office that the evidence siezed by the FBI is stored with the Milwaukee Police Department.

All the poll books, registration cards, ballots, inspectors reports, poll tapes are all being secured in the MPD evidence warehouse.

I hope so. I would hate to think this evidence might "go missing" when it comes time to return the election materials to the proper, legal custodians in a month.

Electonic Voting: The Truth is a Trade Secret

I have created several items on the cafe press in order to fund this blog and my ongoing research into voting equipment.

If you would like a T-Shirt, Coffee Mug, hat, or Bumper Sticker with the tag line,


Electronic Voting: The Truth is a Trade Secret


you can get it get it here. Ten percent of the sale price will go to fund this site an my e-voting activities.

November 2, 2004 Still Under Investigation

On November 27, on WISN Milwaukee City Police Chief Nannette Hegerty stated that the Joint Task force investigating the election fraud perpetrated during the November 2, 2004 in the City of Milwaukee was complete. I challenged this. I have been actively looking for the final report from this task force. The investigation by this task force has interrupted my investigation, has been used as the pretext by the WI SEB to not process my election complaint, and has delayed the production of more than 600 records I requested from the City Election Commission.

Upon calling the FBI, the Milwaukee County DA, the Milwaukee City Police department, the hot line for the Joint task force, I got the run around. FBI agent David Gore was unsure of the investigation status but was adamant the evidence (ballots, poll books, registration cards, etc.) where held by the office of the Milwaukee County DA. The DA records officer, James Martin was equally adamant the election material was not held by the Milwaukee county DA. The MPD never returned my calls.

This prompted me to make a formal open records request of the Milwaukee Police department for the final report of the task force. And to make the request more clear I included a copy of the preliminary report released in May 2005.

Today I received confirmation from the office of the US Attorney for Eastern Wisconsin that the investigation “just finished” and the final report should be available within 30 days.

It seems suspicious that just as someone makes an open records request, the final report is suddenly “almost done”.

My question is where did the evidence go and when will it be returned so my election complaint can finally go forward and Greg Borowski, Owen, SteveGG can possible resume OUR investigations into and open records requests regarding the City of Milwaukee fraud fest conducted from October 1, 2004 to to November 2, 2004.

Where is the evidence from the November 2 2004 election right now? I have yet to get a straight answer to that question.