Anchorage Election Commission ignores broken security seals, recommends no independent investigation on broken election
Following its hastily-called two-day “special meeting,” the Municipal Election Commission on Wednesday issued its report recommending that the Anchorage Assembly certify the bollixed April 3 municipal election and recommending against an independent investigation of the election’s numerous irregularities — including broken security seals.
Both The Mudflats and Bent Alaska previously reported on the Saturday (April 21) portion of the two-day special meeting conducted by the Municipal Election Commission to get information from voters and election workers about what they experienced and witnessed during the bollixed April 3 municipal election. (The Mudlats also reported on part 2 of that meeting held on Monday, April 22, after Deputy Clerk Jacqueline Duke had apparently been given a gag order.)
One of the good outcomes of the Saturday portion was, finally, the first mainstream media report on an issue that The Mudflats had broken nearly a week earlier: a report from election worker Wendy Isbell that Deputy Municipal Clerk Jacqueline Duke had directed election workers not to worry about broken security seals intended to protect memory cards from being tampered with. (Duke later confirmed to Brad Friedman of The Brad Blog that she had, in fact, given that instruction; see also Bent Alaska’s summary of the Mudflats and Brad Blog findings.)[caption id="" align="alignleft" width="363" caption="Casey Grove of Anchorage Daily News interviewing Jacqueline Duke on Saturday, April 21."][/caption]
And so Saturday night Casey Grove of the Anchorage Daily News reported Duke’s open acknowledgment of broken election integrity. Other reports mentioning the ballot box security issue soon followed — from Daysha Eaton of KSKA FM 91.1 and Kate McPherson of KTVA Channel 11. McPherson spoke with Ernie Hall, the Assembly member who last week took over from Debbie Ossiander as Assembly chair, who told her that he had instructed the chair of the Election Commission (Gwen Matthew) to look at the broken security seal issue.
But the Election Commission gave the issue scant attention when it issued its report yesterday afternoon. Here’s what they wrote on page 7 of the report:
A number of concerns were raised concerning the security and function of the Accu-vote machines. These machines, on loan from the State, are nearing the end of their 10 year life span, but mechanical problems have been minimal. This is a simple scan and count device with a paper trail if there is a question in any precinct. Results are a tabulated on a dedicated, stand alone server without access to the internet and with one administrator and official observer.
The security issue in question — broken security seals which were intended to prevent tampering with the AccuVote memory cards — is not mentioned. The Election Commission merely evades the question: the age of the machines and their mechanical state does not have anything to do with the security of the memory cards or what’s contained on them.
Why is the security of memory cards so important?[caption id="attachment_8089" align="alignright" width="264" caption="Accu-Vote memory cards (front & back)"][/caption]
First, because the AccuVote memory cards store all the information about the election: a description and the vote count for every candidate and proposition on the ballot. And second, because memory cards can be hacked — as demonstrated by Harri Hursti’s successful hack of a Diebold AccuVote memory card shown in the 2006 HBO documentary “Hacking Democracy.” A security analysis of an AccuVote optical scan (AV-OS) machine, conducted in 2006 after Hursti’s hack, states:
Memory card attacks are a real threat: We determined that anyone who has access to a memory card of the AV-OS, and can tamper it (i.e. modify its contents), and can have the modified cards used in a voting machine during election, can indeed modify the election results from that machine in a number of ways. The fact that the the results are incorrect cannot be detected except by a recount of the original paper ballots.
Harri Hursti’s attack does work: Mr. Hursti’s attack on the AV-OS is definitely real. He was indeed able to change the election results by doing nothing more than modifying the contents of a memory card. He needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server. [p. 2; emphases in original]
The security analysis, completed on February 14, 2006, was conducted by computer experts at University of California, Berkeley as part of a thoroughgoing investigation of voting systems for the California Secretary of State in anticipation of the 2006 elections. The analysis confirmed the “Hursti Hack” shown in the HBO documentary, and found a total of 16 bugs that could be exploited by persons who wished to undermine election integrity. California nevertheless certified the AccuVote machines for use in 2006 with conditions based on the report’s recommendations of security and other risk mitigation procedures. (However, California decertified the AccuVote machines the following year after an even more thoroughgoing “Top to Bottom” review of voting systems.)
Among the security recommendations made in the UC Berkeley report:
[I]f the AV-OS is used, strong procedural safeguards should be implemented that prevent anyone from gaining unsupervised or undocumented access to a memory card, and these procedures should be maintained for the life of all cards. Such controls might include a dual-person rule (i.e. no one can be alone with a memory card); permanent serial numbers on memory cards along with chain-of custody documentation, so there is a paper trail to record who has access to which cards; numbered, tamper evident seals protecting access to the cards whenever they are out of control of county staff; and training of all personnel, including poll workers, regarding proper treatment of cards, and how to check for problems with the seals and record a problem. Any breach of control over a card should require that its contents be zeroed (in the presence of two people) before it is used again. [page 4; emphases added]
Later in the report:
All of this information on the memory cards is critical election information. If it is not properly managed, or if it is modified in any unauthorized way, the integrity of the entire election is possibly compromised. It is therefore vital, as everyone acknowledges, to maintain proper procedural control over the memory cards to prevent unauthorized tampering, and to treat them at all times during the election with at least the same level of security as ballot boxes containing voted ballots. [page 9; emphasis in original]
But scant attention was paid to proper procedural control in Anchorage’s April 3 election. Here again is Brad Friedman’s conversation with Jacqueline Duke (substantially similar to the version reported several days later in the Anchorage Daily News):
Duke confirmed to me that she had instructed poll workers not to worry if security seals on memory cards are found broken when setting up machines on Election Day.
“They come sealed in the Accuvote cases and often times in transit they bust off because they’re the flimsiest pieces of plastic ever,” she told me. Sometimes that leads poll workers to “freak out.”
She tells them that if they “open the case and can obviously tell the broken seal was from transport, you do not have to be worried. There are more in your supplies.”
Duke instructs the workers to “re-seal it, and then run the zero report tape” to “confirm that your poll count is zero.”
Poll workers “freaking out” over broken security seals actually indicates poll workers who are properly concerned about breaches in security. Broken seals should have been reported, and proper steps taken to investigate. The issue came to light from election worker Wendy Isbell seeing a security seal that had been — as she told the Anchorage Daily News — “evenly cut,” but there’s no telling how many security seals might have been broken or cut, but re-sealed with the extra seals the Municipal Clerk’s office supplied to election workers.
Note also that “running a zero report tape” from the machine is not the same as actually “zeroing” the contents of the memory card itself. The “Hursti Hack” test election shown in the “Hacking Democracy” documentary ran a zero report tape — which failed to detect the hack. No more so will zero report tapes in Anchorage detect manipulations to an memory card if someone has hacked it.
Duke also confirmed to Brad Friedman that election workers had voting machines in their homes for several days prior to the election:
When I asked Duke if she’d seen Hacking Democracy she flatly stated “no.”
“We don’t talk to them [poll workers] about conspiracy theories or about how Diebold machines were hacked.”
She insisted the memory cards were not accessible during the election, so no “voters” could possibly access them during the day.
“No one has access to the memory cards,” she explained. “Only the Municipal Board staff, the Testing Board and then, theoretically, they are locked after that.”
She then confirmed that the Accuvotes are sent home for days before the election with poll workers, who have unfettered access to the machines and the memory cards before transporting them to the polls on Election Day. [emphasis added]
On the issue of “voting machine sleepovers,” Friedman told me in an email yesterday:
California requires that machines be federally certified before they can be used in an election. If not federally certified, they are not legal to use.
After the Leon County, FL hack seen in “Hacking Democracy” (also known as the “Hursti Hack”), the U.S. Election Assistance Commission put use conditions in place for those machines. If the use conditions weren’t meant, the machines were not considered as federally certified.
When San Diego violated those conditions by sending them home on “sleepovers”, the machines became effectively decertified under California law in the bargain.
We are trying to determine if Alaska law or the Anchorage Municipal Code requires voting machines used here to be federally certified, which would affect the legality of “voting machine sleepovers” at Anchorage and Alaska elections. But whether or not legal in Anchorage, the practice clearly goes contrary to sound security practices and ensuring the integrity of elections.[caption id="attachment_8088" align="alignright" width="620" caption="Diebold AccuVote optical scan voting machine. Security seal on memory card is at lower right."][/caption]
What, then, can be said about the Election Commission report? Simply this: that its members are out of their depth when it comes to AccuVote memory card security. Brad Friedman spoke with commission chair Gwen Matthew last week, too:
Prior to her new role she was Chair of Anchorage’s Accuvote Testing Commission “for probably five or seven years.” She told me that had not read any of the security reports on the myriad vulnerabilities of the Diebold voting system. She hadn’t seen Hacking Democracy either. She had no concerns whatsoever about broken seals on memory cards.
“They are kept in a locked room. Only the staff has access to them. It would be virtually impossible for someone to go in there and pop the seals,” she explained.
She had no concerns about “the staff” having access either, apparently. Nor about the voting machine “sleepovers”.
Neither, apparently, did any of the other “eight registered voters with past election experience who currently reside in the Municipality” who make up the Election Commission. They didn’t even land in the ballpark in addressing security questions: again, the age of the machines and their mechanical condition has nothing to do with the security of the memory cards or what’s contained on them.
Nor did Assembly Chair Ernie Hall when he talked with KTVA reporter Kate McPherson on Monday:
Hall also said there will be a full investigation into reports that the security seal on some Accuvote machines were broken.
“I’m aware of that and I’ve asked the chair of the Election Commission to make sure they look specifically into that, which may involve testing some of the machines after the fact.”
It’s not the machines at issue: it’s the memory cards whose security was breached. Again, from the UC Berkeley security analysis:
Memory card attacks are a real threat: We determined that anyone who has access to a memory card of the AV-OS, and can tamper it (i.e. modify its contents), and can have the modified cards used in a voting machine during election, can indeed modify the election results from that machine in a number of ways. The fact that the the results are incorrect cannot be detected except by a recount of the original paper ballots. [emphasis added]
An independent investigation — completed by May 3?[caption id="" align="alignright" width="300" caption="Assembly chair Ernie Hall being interviewed by Corey Allen-Young of KTVA Channel 11 before the April 24 Anchorage Assembly meeting."][/caption]
On Monday, Ernie Hall said he hoped to announce the name of the independent investigator at Tuesday night’s Assembly meeting. But at the Assembly meeting itself, Hall said that he couldn’t yet announce the name as a contract was still being negotiated. Then Wednesday (yesterday), the Election Commission released its report, which includes the recommendation that the election be certified at a special meeting of the Assembly next Thursday, May 3. The commission also recommended against an independent investigation — although giving no rationale for this recommendation.
Since then, media reports and information from other Assembly members indicate that Hall still intends to hire an independent investigator — probably a retired judge. But he has still not announced who it will be, and as far as I know the Assembly has not yet authorized funds for a contract. Yet Hall is saying he wants the investigation to be completed in time for the May 3 special Assembly meeting — just one week away.
As hastily conducted as the Election Commission’s investigation was, the independent investigation promised to be just as hastily conducted, and just as inadequate, if it goes along the timeline Hall is suggesting. The broken security seals, after all, is a very large question: for a complete investigation, the independent counsel would need to familiarize him or herself with the security reports on Diebold AccuVote optical scan machines that the Municipal Clerk’s office, the AccuVote Testing Commission, and the Election Commission have remained blissfully ignorant about. From the UC Berkeley report, at least (and there are many other such security reports), it’s pretty clear that a hand recount of at least some of the physical ballots is in order, and the independent investigator may need also to make recommendations on that.
And that’s only only one of the many questions still dogging this broken election. The ACLU of Alaska on Tuesday provided the Assembly with a list:
Generally, based on the information we have received to date from the Clerk’s Office, press reports, and our Voter Hotline, we recommend the Counsel review, at a minimum:
1. The scope of voter disenfranchisement – how many voters were unable to vote through no fault of their own, including:
a. The cause(s) of rampant ballot shortages;
b. Verifying the number of ballots printed and the distribution process;
c. The procedures utilized by the Clerk’s Office for determining precinct ballot allocation;
d. Systems of contact for troubleshooting and for addressing emergency on-site needs;
2. Ballot security issues, including:
a. Reports of broken seals on optical scanners; and
b. A hand-count and comparison to voting machine reports of a random selection of precincts (5 to 10) to verify the accuracy of the election reports; and
3. Any evidence of intentional voter misconduct, for example:
a. Evidence of voting by individuals not resident in the Municipality of Anchorage; and
b. Evidence of attempts by non-registered voters to register and vote on the same day.
(Note that the ACLU is also slightly off-track with regard to the security issued with the voting machines: it’s not the optical scanners, but the memory cards, whose security was breached. And because the clerk’s office provided election workers with extra seals that, if used, disguised the fact there there were breaches, there’s no telling how many memory cards in how many precincts were affected.)
- Write to your Assembly members: you can reach all of them at once by emailing firstname.lastname@example.org.
- Come to the special Assembly meeting on Thursday, May 3 and demand that the Assembly do the right thing.
See also Bent Alaska’s full reference page to the April 3 election.
- 14 Feb 2006. “Security Analysis of the Diebold AccuBasic Interpreter” by David Wagner, David Jefferson, Matt Bishop, Chris Karlof, and Naveen Sastry (Voting Systems Technology Assessment Advisory Board, University of California, Berkeley).
- 17 Apr 2012. “Baked Alaska: Yet Another Election Crashes and Burns in The Last Frontier” by Brad Friedman (The Brad Blog).
- 21 Apr 2012. “Voters, poll workers detail spring election problems: Broken seals on ballot boxes, four-hour wait for ballots among complaints” by Casey Grove (Anchorage Daily News).
- 23 Apr 2012. “Election Fallout Continues: Assembly chair says election will not be certified Tuesday” by Kate McPherson (KTVA Channel 11 News.)
- 24 Apr 2012. “MOA April 3 Election: Scope of Issues to be Investigated; Appointment of Independent Special Counsel,” letter from Jeffrey Mittman, American Civil Liberties Union of Alaska, to Ernie Hall, Chair, Anchorage Municipal Assembly.
Election Commission report
- 25 Apr 2012. Assembly Memorandum AM 2012-231: “Certification of Regular Municipal Election of April 3, 2012″ by Municipal Election Commission.
- 25 Apr 2012. “Election Commission finds 1/2 of precincts ran out of ballots; recommends no investigation” by Kyle Hopkins (Alaska Politics Blog, Anchorage Daily News).
- 25 Apr 2012. “Election Commission Makes Recommendations For Muni Election Problems” by Daysha Eaton (KSKA FM 91.1 Anchorage Public Radio).
- 25 Apr 2012. “Commission Outlines Electoral Troubles, Rejects Calls for Outside Investigation: Calls precinct shortages an ‘unintended error’” by Kirsten Swann (KTVA Channel 11 News).
- 25 Apr 2012.“Anchorage Election Commission Issues Report on City Election” by Christine Kim (KTUU Channel 2 News). Includes video with reactions to the report which contains some material not in the print version of the story.
- 25 Apr 2012.“Commission recommends no further inquiry into election: Assembly chairman, ACLU and overseer still want it reviewed” by Kyle Hopkins (Anchorage Daily News).
- 25 Apr 2012. “Municipal Election Commission Releases Report – Let the Whitewashing Begin!” by Jeanne Devon (The Mudflats).