Bev Harris: Inside Sequoia's Vote Counting Program
Money, Access, and Stunning Security Flaws — A Poor Recipe for Fair Elections
By Bev Harris – blackboxvoting.org
Tuesday March 31 2004
Section 18575 of the California Elections Code makes it illegal for anyone other than an election officer to handle, count, or canvass ballots:
Every person is guilty of a felony, and on conviction shall be punished by imprisonment in the state prison for two, three or four years, who at any election:
(a) without first having been appointed and qualified, acts as an election officer,
(b) not being an election officer, performs or discharges any of the duties of an election officer in regard to the handling, counting, or canvassing of any ballts.
This section provides that only authorized people, such as an election officer, may count votes. To the extent that an unauthorized person handles or counts votes, he or she is in violation of section 18575.
In Riverside County, California, I recently participated in the videotaping of a statement that causes me concern.
On election night, March 2nd 2004, two people who do not work for the County, Sequoia employees Michael Frontera and Eddie Campbell were observed to access the WinEds central tabulator during the middle of the count. At this time, approximately 8:50 on election night, about one-third of Riverside's 157 precincts had been counted. At that point, the count was such that an automatic runoff would have been required between Linda Soubirous, a candidate for County Supervisor, and her opponent, Bob Buster.
In the central count room of Riverside County at this time, no vote tabulation activity appeared to be going on. Two men were at the central tabulation terminals, the computers that add up all the votes from precincts around the county. Sequoia employee Michael Frontera was sitting at central tabulator terminal typing into the program, and Sequoia employee Eddie Campbell was standing next to him talking to him.
Riverside County has approximately 4,200 touch-screen voting terminals, placed into polling places around the county. The votes are stored on electronic ballot boxes — called memory cards, or cartridges. These cards began arriving and soon were piled up all over the counting room. They began inputting electronic ballot boxes into the central tabulator shortly after 9:00 p.m.
It seems plausible that the precincts reported earlier may have been mail-in precincts, or may have contained absentee votes, with the delay in the vote a result of waiting for the polling place ballot boxes to be driven in to the central counting office.
After the count resumed, the count for Bob Buster, which had been around 47 percent, rose methodically until it reached exactly the vote total needed to eliminate a mandatory runoff: 50 percent, plus 1 vote.
Precincts in / Bob Buster percentage
46 precincts / 47 percent
87 precincts / 49.12 percent
101 precincts, 49.89 percent
126 precincts / 50.22 percent (Amount needed)
144 precincts / 50.25 percent (no change)
157 precincts / 50.21 percent (no change)
The report I have on provisional ballots from all precincts, which were tallied later: Buster received 47 percent.
Recently, Registrar Mischelle Townsend made a peculiar statement. She said that she could see why people might rig slot machines, because there is money involved, but she could not imagine why anyone would have a motive to rig an election.
One of the most traditional motives for local, city, or county-wide election-rigging is to place candidates in office who will be kind to certain construction companies. I am not imputing any specific ties, or motives, to any candidate at all. However, to say that there is no motive to tamper with election results for the county supervisor positions is naive. Riverside County is one of the fastest-growing counties in the nation, with lucrative projects for new housing developments, and new industrial parks, going up for approval by county supervisors quite frequently.
Riverside County Supervisors make decision on projects whose cumulative value is in the hundreds of millions. Thus, we would expect the Registrar of Voters to take very careful precautions to make sure that the vote is honest, fair, and that the counting of the vote is transparent so that it can be trusted by candidates and the public.
Who are the men from Sequoia who accessed the central tabulator on election night, during the middle of the vote count?
Michael Frontera is a former Denver Elections Commission executive who took a position with Sequoia shortly after placing $6.6 million in Sequoia orders with Denver. Eddie Campbell is a Sequoia employee who lives in Denver.
What were they doing to the tabulator when Frontera was typing information into it?
I called Mischelle Townsend to ask this question, and she did call back, but I was in my car and could not take notes. I arranged to call her back shortly after 1:30 p.m., when she said she would be getting out of a meeting. I made four follow up calls, but she did not answer, and I called her office three times, but was told she is not there. I will keep this question open so that we can get an answer, and will update this site - (http://www.blackboxvoting.org) with Townsend's response.
I called Alfie Charles of Sequoia, three times, but he did not take my call. He e-mailed me to say that I must submit my questions in writing in order to get a response, a poor option for any journalist, as this does not allow you to ask any follow up questions or ask for clarification. I will keep this question open for Mr. Charles as well, and will update this site with his response.
Additional questions for Townsend and Charles:
1.When, how, and by whom were Frontera and Campbell "appointed and qualified" as elections officers? My fax number is 425-228-3965, and I will await the faxed documentation on this.
According to the California Elections Code section 18564,
"Any person is guilty of a felony, punishable by imprisonment in a state prison for two, three, or four years who, before or during an election:...
(b) interferes or attempts to interfere with...ballot tally software program source codes..."
Thus, it certainly looks bad, and deserves a full written explanation, when a person who does not work for the County and is not even a resident of the state of California is typing instructions into the central tabulation program during the middle of a count on election night.
But could "typing into the computer" interfere with the software program source codes?
Now I'd like to share with you what we've found out about the WinEds program, the central tabulator program manufactured by Sequoia Voting Systems. In September 2003, this program was found on an unprotected Web site. Andy Stephenson and I have been working with computer programmers from New York, Wisconsin, the high-tech corridor of Washington State, and California, and we have obtained an analysis of this code.
First, an important caveat: When Stephenson and I attended the Logic and Accuracy test held in Riverside County in February, 2004, during the question and answer period, we were told that the WinEds software found on the Web had nothing whatsoever to do with the real software. The software, WinEds 2.6 build 200 was certified by NASED in September, 2001. Currently, according to Townsend at the L&A test, they use WinEds 3.0.
But what we found was that certain components of the WinEds software, which create security risks, are built into the very foundation of the program. My sources say that it is unlikely that these components have been eliminated, as that would require an extensive rewrite and would mean they'd have to scrap certain functions, like the drag and drop ballot creation program, altogether. So, after this section, I'll pose a few more questions for Alfie Charles and Mischelle Townsend.
Here is why it is so dangerous, based on what we examined, for any employee to type anything into the central tabulation program while an election is in progress:
1. The WinEds program we examined includes a large amount of "business logic," that is, stored procedures that can easily be manipulated. It is not necessary to get access to the central programming information at Sequoia Voting Systems headquarters to change these stored procedures — basically, you can change the source code itself that controls the commands given to the central tabulator.
This allows any county database administrator, or any Sequoia support rep, to change the source code that has been approved by the California Secretary of State and the Independent Testing Authority, and imperils the tabulation of votes that have already been cast.
Changing the stored procedures after votes have been cast can do just about anything you want. Using the program we examined, you could put in vote-shaving logic: Multiply this guy's votes times 1.05, and this other guy's votes times .95. Such a manipulation would pass canvassing and would probably even pass a spot check when ballot simulations were printed out one by one.
2. Changing the source code in the stored procedures does not require sneaking in a back door.
Simply by opening the program, you can open windows that give you access to replacing the code. Any county employee or support rep can execute the manipulations easily and with very little chance of getting caught. It takes only minimal computer expertise -- a few vocational training courses for Microsoft, for example, and you will have the knowledge needed to overwrite the commands in the central tabulator.
Therefore, allowing anyone -- even a county employee, but certainly, various support techs who live out of state -- to have access to the system and start typing things into it during a live election is poor election security procedure.
Andy Stephenson asked Townsend if she had any training at all in computer programming. She replied that her degree was in public administration. Townsend is not qualified, even if she is watching the people typing into the tabulator, to judge whether they are doing secure programming.
In this instance, neither Townsend nor anyone from Riverside County was observing what Frontera typed into the WinEds program during a live election, after vote-counting had begun. The entire election on March 2 in Riverside requires that we place our trust in Michael Frontera and Eddie Campbell, who may be the nicest of people, but at no point did the voters of Riverside approve of two guys from Denver getting control over 600,000 votes.
But there's more...
Riverside has a heavy hispanic population. The main part of the L&A test we observed did not test Spanish language ballots, and even if it had, there is no way to verify that the ballot definitions in the L&A test are identical to what was in the machines on election day.
In the WinEds program we examined, the Spanish language ballots can quite easily be altered so that the touch-screen records the vote for the opposite candidate than the voter intended. This works with foreign language votes only.
You do not need to go in a "back door" to flip the Spanish-language votes. It can be easily achieved by mapping the Spanish ballots to vote for Don when Spanish-speaking voters cast a vote for Ron.
The screen will indicate that they voted for Ron, but inside the machine, it will record the vote for Don, and there is no way whatsoever to verify that Hispanic voters' intent was correctly recorded, because there is no paper ballot.
In the WinEds program we examined, the code, when altered, defaulted to erase the manipulations upon closing the program. By creating ballots using the Spanish language manipulation, installing the ballots onto the touchscreens, then closing the program, our handiwork no longer existed when the program was reopened. Thus, if the Spanish-language manipulated code was used to load the polling place machines, then the program was closed, then reopened to load the ballots for the L&A test, the ballots would pass L&A while robbing Hispanic voters of their voice.
The WinEds program we examined uses VBA, an interpreted language which violates FEC standards. In fact, VBA can so easily be used to exploit a system that it is the weapon of choice for many viruses.
In Snohomish County, Washington, county auditor Bob Terwilliger admitted on the Mike Webb radio show that one of his employees did a patch on his Sequoia touch screen system. Later, at a League of Women Voters meeting, Terwilliger said that this patch was only to change a font.
However, because of the way the WinEds program is constructed, you can put programming in so that when you do a simple thing like change a font, it changes the way the vote is recorded.
You simply go into the font definition code, cut and paste your own into it -- code which can have nothing whatsoever to do with fonts -- and voila! Whenever someone innocently changes a font in a report, behind the scenes the program does something else.
"None of the critics is giving any credence to the extensive system of checks and balances that we employ."
Mischelle Townsend, Registrar of Elections, Riverside County, California
On March 4, two days after the election, still in the middle of the count, while 5,000 absentee ballots were being counted, with only 72 votes separating two candidates from a mandatory runoff, Sequoia employee Eddie Campbell was observed outside the building by two citizens, Art Cassel and Brian Floyd. Campbell pulled a memory card out of his pocket.
"Let's see if this will work," he said to a County employee named Paul Shook. He then went into the central counting room. Floyd followed him, demanding to know what was on the card. The card looked exactly like an electronic ballot box card, but Campbell refused to say what was on the card, or give his name when asked, but did admit that he doesn't work for the county.
Campbell then went into the central tabulation room and a Riverside County employee named Brian Foss logged him onto the central tabulator with his (Foss's) password. According to Cassel, Foss then left the room. Campbell touched a handful of central tabulator machines, apparently entering the password belonging to Brian Foss. He reportedly took the card that had been in his pocket, and uploaded information into the machine. Campbell took the card back, put it in his pocket, told Floyd and Cassel that it was his "personal" card, and left the building with it, got on a plane and flew out of the state to Denver.
According to the California Elections Code section 18502, it is most likely illegal to interfere with the manner or timing of counting votes.
In addition to questions about the legality of what Campbell did, here are two obvious problems with the above:
1) Using someone else's password defeats the purpose of the event log, or audit log. Eddie Campbell will show up as Brian Foss.
2) Leaving the state with a card that uploaded data into a live election tabulator during the middle of an election is outrageous. That card needed to be retained by the County of Riverside, at least until the election was certified and recounts were settled.
According to California Elections Code section 18564, leaving the state with that card was illegal. Section 18564, 2.:
Carry away or destroy ballots
A person may not carry away ballots...
"Every person is punishable by a fine not exceeding one thousand dollars ($1,000), or by imprisonment in the state prison for 16 months or two to three years, or by both the fine and imprisonment, who: ...
(d) adds to or mixes with, or attempts to add to or mix with, the ballots polled, any other ballots, while they are being counted or canvassed or at any other time ...,
(e) carries away or destroys, attempts to carry away or destroy, or knowingly allows another to carry away or destroy, any poll list, ballot container, or ballots lawfully polled or who willfully detains, mutilates, or destroys any election returns
(f) removes any unvoted ballots from the polling place before the completion of the ballot count."
Although this section appears to prohibit people from physically carrying ballots away or attempting to physically destroy ballots, a court may extend it to punish people who electronically remove items involved in counting elections from a mechanical voting tabulation device.
Mischelle Townsend, when questioned on March 4, first said that Eddie Campbell was not authorized to work on the central tabulation machines, but when employee Brian Foss admitted that he had logged Campbell in, Townsend reversed herself and said Campbell did have authorization. At issue:
- According to California law, Campbell certainly did not have authorization if there is no documentation of when, who, and how he was formally "appointed and qualified" to act as an election officer.
- According to any reasonable security protocols, Campbell should not log himself into the central tabulator during a live election using someone else's identification.
- According to California law, Campbell should not have introduced or uploaded any data into the machine, and it would be illegal for him to leave the state carrying evidence of what he put in the machine, especially if it contained votes or affected how votes were counted.
More about Townsend
According to the Los Angeles Times
"Riverside County Registrar of Voters Mischelle Townsend illegally accepted travel and lodging from the supplier of the county's electronic voting system, according to a complaint filed Tuesday with the state's Fair Political Practices Commission.
"Townsend, however, contends that the accusations stem from a paperwork mix-up.
"Riverside County was the first large jurisdiction in the nation to switch to electronic voting, and used it in the 2000 presidential election. Townsend has often been quoted about the system's accuracy. "...Townsend [also] failed to file conflict-of-interest forms from 1998 to 2002 and failed to disclose the source of her husband's income, charges she denies.
"'I submitted a form every year,' Townsend said. 'I have filled them out each year. I will research our files to see if it was mistakenly filed internally.'"
However, though Townsend indicates this travel reimbursement was to participate in a news show, one report indicates that she was actually participating in a paid advertisement for Sequoia.
According to Townsend's disclosure form for 1996, which she filed on April 1, 1997, Lawrence E. Townsend Jr., who is listed as her spouse, lists his source of income as Maximus, and his position is listed as Vice President of Maximus. Maximus is listed in the Ohio RFP sales proposals for Hart Intercivic voting systems.
- The public relations firm for Sequoia in Riverside, O'Reilly, also has ties to County business. The extent of these ties, and the ethics of representing both the vendor and the client, are currently being investigated.
According to investigator Joe Lucsko, a past board of supervisor filing indicates that Riverside County negotiated away part of the assets of its contract for the Sequoia voting system for 1,500 extra smart card devices. Maximus does make smart card devices, and where they came from (and, hopefully, who got the commission) will soon come out. Regardless of where they came from, one has to wonder what those 1,500 smart card devices are doing during live elections, what security procedures are followed to ensure that they aren't in a back room somewhere making duplicate smart cards.
So, Alfie Charles and Mischelle Townsend indicated they want to see the questions before answering them. Well, here they are. I'll print answers that are responsive and properly documented.
Heck, I see no reason to hog this story: If you are from the press, ask away, I'll include the phone numbers here for you: Mischelle Townsend, cell 909-818-4012; Alfie Charles, cell 559-280-9638, office 510-875-1283.
Questions for Mischelle Townsend:
1. Did Maximus or any company related to it provide smart card devices for Riverside County at any time?
2. Does your husband still work for Maximus?
3. Where are your financial disclosure documents from 1998 through 2002? (I look forward to receiving faxed copies: 425-228-3965)
4. Can you tell me about your relationship with O'Reilly PR agency, which does work for Sequoia Voting Systems, and also describe any work done by O'Reilly for any Riverside County entitites?
5. Have any County funds been used to pay the O'Reilly PR agency?
6. Have you expended any County funds on "public education" activities, and if so, did these "public education" efforts promote Sequoia Voting Systems? What are the names of any entities that received these funds?
7. Was the count suspended at all on March 2?
8. Did Frontera and/or Campbell touch the central tabulator on March 2, 2004? If so, what did they do and who gave permission?
9. Did Campbell touch the central tabulator on March 4? If so, what specifically did he do, and did he have your permission?
10. What version of the WinEds program were you running on March 2 and afterward?
11. Can you obtain answers from one of the tech employees for Riverside: Is it true that foreign language ballots can be re-mapped in WinEds?
12. What comment do you have about the security procedures you are using when you allow Mr. Foss's password to be used by Eddie Campbell, thereby having Foss, instead of Campbell, show up in the event log?
13. Will you share a printout of the entire event logs from each of the central tabulators with public watchdog groups?
Questions for Alfie Charles, Public Affairs Director, Sequoia Voting Systems
1. First, Mr. Charles seems to want me to cover a Sequoia press release issued last November. I'll do so, but only if Mr. Charles answers these questions first, which (given our lack of proper auditing even when there is a paper ballot) are of critical importance to Sequoia's election security. Let's see how forthcoming Sequoia is with these security-related questions first:
2. What is the written policy for Sequoia employees touching live elections tabulations after votes have been cast? Can you fax this written policy to us? 425-228-3965. Waiting eagerly.
3. The ballot definition program in your WinEds program uses VBA, an "interpretive language" which is prohibited by the FEC standards. Does WinEds still use VBA for any of its functions? Which versions have used VBA in the past, and which versions still do?
4. Foreign language ballots are particularly vulnerable in the WinEds program that we examined. Is this still the case, or, if not, will you provide the official release notes from later versions of WinEds that indicate this security flaw has been corrected?
5. Why was the function built into the WinEds program which defaults to new code self-destructing when you close out the file? Is this function still in your software? Isn't this particularly dangerous if anyone enters information into the WinEds program during live vote-counting?
6. Isn't it insecure to include stored procedures that can be overwritten in the central tabulator software? How does the ability to overwrite source code for key functions square with the requirement to have your source code reviewed and certified prior to use, with any modificaitons approved ahead of time? Is business logic still present in the current WinEds programs? If not, will you provide the formal release notes that show that this flaw was corrected?
7. We found, and this was corroborated by the CompuWare report, which we assume uses a later version of WinEds, that it is possible to overwrite information in your central tabulator program without a password by using ODBC connections. Sequoia promised to fix that. Can you provide the release notes to show that these specific problems have been corrected, and when, and also provide the date that this improvement was implemented in Riverside California and Snohomish County, Washington?
Look forward to your responses.
For more background and
live news links on this news subject see also Scoop's
Special Feature – A Very American Coup…
Read The Book…Support The Cause - Order Your Copy Today
For more background and live news links on this news subject see also Scoop's Special Feature – A Very American Coup…