Diebold Election Audit Logs Defective

mtrachtenberg writes "Premier Election Solutions' (formerly Diebold) GEMS 1.18.19 election software audit logs don't record the deletion of ballots, don't always record correct dates, and can be deleted by the operator, either accidentally or intentionally. The California Secretary of State's office has just released a report about the situation (PDF) in the November 2008 election in Humboldt County, California (which we discussed at the time). Here's the California Secretary of State's links page on Diebold. The conclusion of the 13-page report reads: 'GEMS version 1.18.19 contains a serious software error that caused the omission of 197 ballots from the official results (which was subsequently corrected) in the November 4, 2008, General Election in Humboldt County. The potential for this error to corrupt election results is confined to jurisdictions that tally ballots using the GEMS Central Count Server. Key audit trail logs in GEMS version 1.18.19 do not record important operator interventions such as deletion of decks of ballots, assign inaccurate date and time stamps to events that are recorded, and can be deleted by the operator. The number of votes erroneously deleted from the election results reported by GEMS in this case greatly exceeds the maximum allowable error rate established by HAVA. In addition, each of the foregoing defects appears to violate the 1990 Voting System Standards to an extent that would have warranted failure of the GEMS version 1.18.19 system had they been detected and reported by the Independent Testing Authority that tested the system.'"

can we at the very least sue them

[Trepidity]

for providing a defective product?

Re:can we at the very least sue them

[MrKaos]

So, it's the customer's fault that a defective system was used, not the vendor's.

I guess that means people should keep that in mind when they see a Diebold ATM. Who knows how much it might debit your account when you withdraw funds.

Re:Fraud

[TheGratefulNet]

life sentence.

seriously. one of the purposes of jail is to send a CLEAR MESSAGE that behavior such as this is not to be tolerated.

and no hiding behind corp names - individuals at the top of the company should do jail time. no debate about that - they must directly feel the pain for the LOSS OF DEMOCRACY we suffered.

200 yrs ago, give or take a few, people would be HANGED for this for treason. how is this not treason?

I don't agree with hanging but I do agree with a 20+ year jail sentence. let the CEO's of the world know that there are some things that are so holy, you JUST DON'T MESS WITH THEM. democracy and fair voting is such a fundamental thing.

a message should be sent. mandatory jail time with 20 years min. drug offenders who do FAR less damage to society are doing this today; why not punish REAL criminals for a change?

Re:Fraud

[Ethanol-fueled]

We should change the laws to hold devices used in state and federal elections to similar or same standards as life-critical medical devices.

In which case the engineers who signed off on the thing and any executives who knowingly pushed defective gear out the door would be punished and sanctioned.

"Hold a voting machine to similar standards as critical care life-support? that's ludicrous!", some might say. But if a corrupt group of politicians could rig the machines to get into power and (hypothetically, of course) start a war and that would cause many more deaths than some spurious bug in some medical equipment.

How hard can it be?

[I'm+not+really+here]

How hard can it be to build a foolproof system? I mean, come on! Why not do something like this:

• computer voting system
• Scantron copy is printed out for manual verification by the voter (with the selected candidate's name printed directly on the scantron sheet for easy verification, along with an "overlay" that shows the names above the scantron vote column for more certain verification), and dropped into a lockbox if confirmed to be accurate
• voter selects button on screen stating that he/she has confirmed his/her vote. This prints a second, identical Scantron, which is dropped into a second locked box.
• System has two CDR drives in it (not CD-RW)
• As each vote is confirmed by the voter, the data for that vote is burned to each CDR (in triplicate or whatever for error correction), with no method for marking deletes - once the vote is cast, it is cast (that's what the "confirm or start over" mechanical button should be for)
• Each CDR tray is set such that ejecting the CDRs drops one into the same lockbox as the scantrons, and the other into the same lockbox as the scantrons which were reviewed by the voters manually
• Finally, when the voting is complete, each lockbox is sent to a different counting station, unlocked in front of many witnesses, run through the scantron, and verified against the CDR.
• If the margin of error is greater than 99.95% or whatever their acceptable limit is, then the scantrons at that station are manually counted, using the printed names , not the scantron letter value, as the printed names are what the voter verified
• Same thing happens at the other station

Results are determined thus:

There are 6 counting methods available in this scenario (2 CDRs, 2 scantron auto reads, and (if needed) two manual reads).

All that needs happen is that 4 of the 6 counts match up. CDRs are almost guaranteed to match up, so that's two (and if they don't match up, there has been some type of tampering or system failure, and we move from the CDRs into the Scantrons). After that, if the two scantron autoreads match up to the CDRs within the margin of error, then we know that the votes were counted correctly (3 items were not reviewed by the voter, but those 3 items match up with the voter reviewed cards). If, after looking at these four counting options, we do not have four matches (One of the scantron autoreads doesn't match the other three, or one of the CDRs is corrupted or unreadable, etc.), we do the manual counts. If we do not have 4 matching counts at this point, the votes are not valid, and a revote is required.

Yes, this is an "armchair" analysis, and I'm sure has some holes in it, but how in the heck is an Access Database with VB triggers any better than this armchair analysis?