The strange case of the second database table

I admit to be just a tad confused by the explanation offered for the problem of the R. Whitey "typo" in Chicago.



OK, as most regulars know, I am not partisan to conspiracy theories and like to deal in hard facts. So. I wish to leave aside allegations of criminal/nefarious intent, and simply address my central question below.

I have some experience with relational database programming, but I am in no way an expert, (hardware is my forte). I have, back in the day, written a few programs, (tech support call database, repair database, etc), nothing complicated.

Now, if I were writing a program for a voting machine to tabulate votes, I would have two tables in the database. These tables would be "candidate info" (name, party affiliation, district/ward, office being sought, unique ID code), and the "actual votes", which would then be related to the first table (the "relation" relational database) by the "unique id code" which would be a common field of both tables. So, when you cast a vote, a TRUE value would be assigned to that unique id code in the "vote" table, which would then be related to a candidate, race, etc, in the "candidate info" table.

Again, I am very much oversimplifying here for the sake of discussion.

Now, in order to create a summary screen, the data values (votes and who they assigned to) have not yet been written to the "votes" table, i.e. cast. They are simply in memory, and I am performing a "lookup" of the data entered by the voter, and matched it to the candidates/races/referendum in the info table (before each election, all the candidate info would be entered, and the "vote" table zeroed out).

To re-iterate, as votes are entered (NOT cast) by the voter, they are assigned to temporary data values in memory, when the summary screen is called up, the temporary values are displayed, and the lookup performed to match the values with "candidate info" table.

Now, if I misspell a name, that misspelling is in the "candidate info" table, meaning EVERY time I do a lookup, whether to create the ballot page or the summary screen, the same typo will appear.

In order for the error to have occurred the way the election officials explained it, there would have to be TWO "candidate info" tables, one with the name correct used to create the ballot pages, and one where the name is incorrect used to create the summary screen.

Which makes no sense to me.

WHY create two tables to lookup candidate data? I cannot think of a single rational reason (that meets the standards of good programming practice of a "security critical" application) for intentionally doing this.

As I am not professional programmer, I throw this question out to programmers with more experience who may be able to enlighten me as to why this would be a logical and reasonable practice.

Now, if folks agree with my analysis, and state that they can see no reason for the second table, this leads to four possible scenarios:



IF (and I must emphasize, IF), I am correct in my observations, then I am more inclined to view #1 or #2 as the most probable answer, as it meets my criteria of "never be quick to ascribe to treachery what can be better explained by incompetence and/or stupidity".

Diebold's code certainly meets the criteria for this, since it has handled by many different programming teams as the code passed from company to company, with no one willing to "start over" since it would cost a lot of money to actually write secure code from scratch. This, of course, make the case, yet again, that voting code MUST be disclosed to competent professionals loyal to the public good before use in any election.

Reason #3 is possible, but less likely since it requires an even greater level of incompetence than normal.

Reason #4 is possible, but I would have to see solid evidence to move in that direction.

Your constructive thoughts and criticisms of my observation, please. I am posting this, but have to dash. I will be back on later to read your responses.

is that there shouldn't be any post-factory programming going on at all. All that should be done at the election site is configuration and loading in the lists of offices and candidates.

All that can be established is that there was a point of failure somewhere. Where, it is hard to say. Still, someone entered "Whitney" in one place and "Whitey" in another, if the reports are true. I would say that it is poorly coded from the factory, yet if successive people have access to the code after it leaves the factory then here is no saying with the information we have now where exactly the error occurred without getting to see some code.

Both incompetence and malice are possible explanations with what we know presently, and there is not enough information available to say which is correct.

the explanation, only whether my hypothesis is valid.

Even code written by Jesus and certified by the Holy Spirit would have to have race data entered each election.

My premise in this post is that the fact that his name is wrong on one screen, correct on another indicates two data tables. Absent someone postulating an explanation that renders this fact in a benign light (and I can think of none), it is prima facia evidence that the software is hinky (we know that, of course). A program that has two separate tables to enter candidate data should be presumed unreliable.

If my hypothesis is correct, it is one more piece of evidence, one more weapon in the war.

That is what I am trying to establish.

is that running an election via a reprogrammable-on-site electronic voting machine is a sure way of being completely unable to guarantee the integrity of the vote.

The only reason to do it this way - that makes any sense, anyway - is to enable electoral fraud. There is no other advantage to putting out poorly-programmed and easily-hackable voting machines. This is a system that is less complicated than what an ATM does and we have zero problem with sticking millions of those things all around the country, with rarely an error to be found with any of them - it's been 20 years since I've seen an ATM make a mistake, and most people probably never have. So there's really no excuse for these voting machines - machines fulfilling a purpose far more important than withdrawing money from a bank account - to be anything other than rock-solid and impregnable to manipulation.


Could there be two tables? There could. Or there could also be a change made to the program that was done in one place and not another. We don't know and can't know without firsthand investigation because the fundamental concept of these machines is flawed - and in my opinion, this is by design, not by accident.

The point of my post was to solicit any flaw in my hypothesis. If no one can point to a factual error in my reasoning, I will add this to the list of points I make, and pass it along to other activists.

In my seven years of activism on this issue, I have yet to see any evidence that fraud was INTENDED in the design. Sloppyness? Yes. Poor security? Absolutely. Greed winning out over prudence? Yep! CYA explanations and justifications? Everywhere. But actual evidence of fraud that will stand up in a court of law? Nope.

These are facts with which I can approach election officials and legislators. Approaching them with claims of conspiracies to throw elections gets me at best, a polite smile, and curt dismissal.

You offer one interpretation of the facts, I offer another. One gets me taken seriously and allowed access to the people who can change the system, the other gets me summarily dismissed.

This does NOT mean you are wrong, as your interpretation may be right. But if we are labeled as cranks, we can be ignored, and being ignored means nothing changes.

Your experience may vary, but this view has worked for me so far. I can prove the door to the vault is made of cardboard, that the combination is written on the back of the calendar in the lobby, and thus everyone can know it. I can't prove that these thing were done deliberately to facilitate a bank robbery. Wasting time on time on things that cannot be proven is simply a futile pursuit.

I stick to the facts I can prove.

There is no point to electronic voting OTHER than the opportunities it creates for fraud.

It doesn't create a cost savings, these machines and their maintenance is expensive.

It doesn't enhance the integrity of the process, in fact it does quite the opposite by eliminating the paper trail.

So why do electronic voting at all? Until and unless someone advances a reason that is sufficient to overcome the two negatives listed above, the only reasonable assumption is that it is to enable fraud, full stop.

It's pretty popular to say what you said. And it's wrong.

As well as being expensive, fraud prone, and mishap prone, OpScan will kick out results much faster than HCPB.

I'm not advocating for OpScan, I'm advocating the avoidance of hyperbole. It's hard to make a case after you've been laughed out of the room.

You can have paper ballots counted by a scanner without sacrificing accuracy or integrity, and with no substantial lack of speed. Speed isn't even a desirable trait in an election system. The desirable traits in an election system are accuracy and integrity. With either one missing you don't have an election, you have a charade.

The problem we are discussing here is the electronic casting of votes for electronic counting. No scanning involved if there's no paper trail. Problem is you have to just trust what the database says, with no other record to confirm it. If one can neither verify the count independently (as you could with scanned ballots, by using another scanner or by hand-counting) nor be assured of what code is actually running on the machines, then the election itself can be wholly manipulated by anyone with access to these machines.

You asked what was the purpose of using OpScan. I answered it. That really IS why election officials might want to use it. I don't like it. I'm not expecting you to like it. But that's why THEY want it.

Of course you can go accuse all of them of attempted fraud. That'll be a real conversation starter.

have a very naive view of how complex counting the votes in an election is. If we had simple UNIFORM ballots in all 3,000+ counties (each county makes its own rules, subject to state and federal standards), then an argument could be made for HCPA being the best method, but reality is quite different from ideal.

If I recall, in 2004 during the recall election of Gray Davis, the ballot ran 40+ pages. Heck my last ballot was 11x17, front and back and covered almost 30 races, bond issues, and such.

It seems the folks screaming the loudest from unconditional HCPB, are people who have never bothered to witness the process first hand.



You put your finger on the best way to keep change from ever occurring. People who run elections can get pretty shirty about being called crooks. Whenever I dealt with them I was always respectful, and tried to explain to them that while I trusted them, they should NEVER trust the vendors. If they insisted on trusting vendors, their own integrity would suffer. Since we were just coming off an election where they had gotten burned by a major machine failure that caused them lots of grief, public humiliation and money, they were receptive to that view.

The major problem I saw in the entire discussion was election officials getting too trusting of the vendors. Since in every election they worked with vendors to make things go smoothly, they kind of saw themselves on the same side. I did my damndest to disabuse them of this view.

A little too chummy with vendors. And the biggest reason, most really don't understand much at all about the gear.

Not a good thing. Still, audits are the only way to verify results. And THAT they can come to understand.

And the point I have tried to make for years. You can only change the system if you are taken seriously. If a person thinks HCPB are the answer, that person has not participated in the counting side of a modern election with a substantial number of multi-page ballots.

There is no point to electronic voting OTHER than the opportunities it creates for fraud.

This construes the existence of a criminal cabal which I have yet to see evidence of.

It doesn't create a cost savings, these machines and their maintenance is expensive.

It is far cheaper, and more accurate (with proper safe guards) than hand counting. Hand-counting a hundred million plus mutli-page ballots is neither. Sorry, but that is just the case. The more people handling ballots, the greater the chance for error, ballot damage, loss, etc.

Maintenance is expensive, but again, cheaper than the cost of the legions of people that would be required to hand-count.

It doesn't enhance the integrity of the process, in fact it does quite the opposite by eliminating the paper trail

I agree, which is why I do not support paperless voting systems, and have fought against it for years.

So why do electronic voting at all? Until and unless someone advances a reason that is sufficient to overcome the two negatives listed above, the only reasonable assumption is that it is to enable fraud, full stop.

I have had my arguments (quite heated at times) with election officials over the years, but I never met one who didn't take their job seriously, and try to execute it with integrity.

I am sure dishonest election officials exist, but they are in the distinct minority.

Again, if a person is serious about their intent to change things, they don't walk into an election official's office and call him a crook. People who have done that have yet to accomplish anything constructive.

I know I will not convince you of my view, so I'm sorry we couldn't come to a meeting of minds.

The cabal theory is that there is a Christian reconstructionist movement that does not believe in representative democracy. They have invested in the e-vote counting industry for the purpose of controlling the vote to advance their agenda without anyone being the wiser. I don't think it's necessary for there to be a religious (or fake religious) component to this, but be that as it may, how far fetched is this theory given some of what we've seen of this movement in other areas?

And if someone did want to control the vote, what would be better than to switch it at the source using concealed software-driven voting systems "accidentally" designed to make that possible?

If you look at the way a lever voting machine is constructed (yeah -- without a paper trail), it's obvious that such vote-switching exploits are not possible. So why do away with that, and substitute vote-switching computers that will take more resources and expertise than are currently available to effectively police?

I'm not claiming there is a vast conspiracy either. But if there were, I can't think of a better way to go about controlling the vote than the status quo -- and that includes mostly unaudited ballot scanners. Can you?

with a hypothesis of a cabal (corporate, religious, dominionist, political, etc).

I do not dismiss it as a possibility, I just dismiss it as unlikely given the hurdles required to accomplish it.

Even assuming that even a single vendor, say Diebold, wish to rig elections, they have many obstacles to overcome.

First off, the software on the machines is not uniform. Meaning that machines programmed for one county in one state, require alteration for another county in another state, since the laws governing ballots design, bond issues, etc, means you can't do "one size fits all".

Second, too many people have to be involved in the conspiracy in order for it to work. Local election officials often do the ballot programming, so they would have to be in on the fix. Otherwise, they will be the first ones to notice something is hinky.

As I have said MANY times. Yes, the machines CAN be tampered with, and if they are, it will be an insider (someone with complete access to the machines and an understanding of their own local elections), in other words, the same folk who tampered with elections in the past. That said, they major danger is, in my opinion, not a cabal bent on altering elections, but crappy code, causing inaccurate results, which we have dozens of examples of. But a vote lost to fraud and a vote lost to a Windows crash is equally lost.

And I agree that the problem with these machines that discerning criminal intent from incompetence would be pretty difficult, if not impossible. But, again, I have been out in the field, talked to election officials from dozens of locals, and worked a few elections, watching the machine AND, more importantly, the people at work. I have found the machines troubling, but the people honest.

The one thing I learned that if you are going to FIX this problem, rather than simply rant about it on the web (and NO, that was NOT a dig at you) you can't start the discussion by calling the people you hope to persuade of your concerns, "crooks". It tends to piss them off, and they dismiss you and refuse to take anything you say seriously.

If you bring up the hole "elections are going to be rigged using voting machines" meme, they ignore you as a crank. When you bring in expert after expert, and demonstrate that the machines have SERIOUS reliability problems, they CAN'T dismiss you.

The machines should undergo RIGOROUS oversight to make sure they function correctly and that they are hard to tamper with. An ideal attitude would be the way Nevada handles slot machines.

Some people obsess about their safety on an airplane. Some worry about terrorist conspiracies, bombs, hijackins, and kamikaze fanatics. There possibilities are REAL, and no rational person ignores them.

However, if you die during air travel, your most likely cause of death will be:

1) Car crash on way to or from the airport.

2) Heart attack at some point in the trip.

3) Human error by the pilot, ATC, or ground crew.

4) Mechanical structural failure of the aircraft.

5) Collision with another plane while on, or near the ground.

Those five reasons will account for 99%+ of actual deaths while traveling by air. The chance of terrorist getting you is the LEAST of your worries.

Yes, voting machine could be tampered with. If tampering occurs it will be highly likely that it is done at a local level, rather than a state or national level. But the far greater threat to accurate elections with these machines comes from the fact that many of the run under Windows, with code written by clueless programmers with little understanding of good programming practices.

The NYC Board of Elections had a choice between ES&S and Sequoia/Dominion (now also Diebold))/Smartmatic/Hugo Chavez op scans.

ES&S offered the City a feature that would obviate the need to enter a password on their scanners. They also offered a feature that would DISPLAY the password on a screen on the scanner when it was entered. These features would have substantially reduced the security of the scanners by obviating the need to know the password and by allowing the password, if actually used, to be stolen by observers.

These features were part of a rating system used by the NYC Board of Elections, even though they would not be legal in the State of NY according State regulations. The higher rating as a result of their inclusion is one reason ES&S got the NYC contract.

So what we have here is an attempt by a vendor to sell their product by undermining its own security, such as it is.

Now imagine a group of corrupt election officials (perhaps not even affiliated with one another), and other insiders and outsiders, who would have access to such a voting system. Would they want a system that's relatively tamper-resistant, or a system that's as hackable as possible? Maybe they're not corrupt, but they're too lazy to manage the fucking passwords! But the point is, there are election officials out there who don't give a shit about I.T. security and they may encourage vendors to weaken security to make their jobs easier -- or to make it easier to rig some elections.

When a lack of security becomes a selling point for a voting system, we are in BIG trouble. And those who would be tempted by these unlocked doors would be waiting to exploit them, whether they're part of an organized cabal or not.

I have described the best system we can get, now it is up to activists in NY and NYC to go the their election officials and press to get such systems. The solution we have managed in NC is not perfect, and it requires continued vigilance to avoid back-sliding or shortcuts (Thankfully we have Joyce McCloy on the job here).

But at least we have a system that is orders of magnitude more secure than what you just described.

The system you describe is insecure, and thus highly vulnerable to tampering/error. The only way this will change is by activism at the state and local level. These things don't change themselves, and folks can either complain about it, get involved and change it, of let someone else change it.

...but the offer to provide them was made by the vendor.

If there were some evil election officials who wanted to rig elections, the vendor might be inclined to cooperate with them too.

Maybe the vendor would go so far as to suggest to the officials, off the record, that the officials could have the power to rig elections if they chose the vendor's products. Maybe some officials would be corrupted by that if they weren't corrupt before. They might give in to temptation.

There are lots of possibilities. In the NYC case, I think it was just a matter of convenience and laziness trumping security, but who knows?

We don't have any real activists here. Now that we can have op scan instead of DREs, no one gives a shit about election integrity anymore because they've been misinformed about the security of scanners, the need for hand counts (real audits), etc.

So it won't be the usual activist types that will fix this. It will be some election officials who don't want the power to rig elections, and who take their responsibility to certify results very seriously. And they will have to prevail in the courts against other election officials who are towing party lines, vendor lines, and who just want to trust the machines. It could be the most important but least reported story of our time.

If you enter a candidate's name in GEMS for example, at first the ballot text will automatically match the database record of the name. But after that, the ballot text can be edited with no corresponding change to the database record of the candidate's name. So you could easily have candidate "Whitey" in the database and "Whitney" on the ballot (or vice versa) at the same time (or Bush in the database and Kerry on the ballot for that matter).

Now, this applies to optical scanners as well as DREs, since they are both programmed by GEMS. This is why I don't see what's so attractive about ballot scanners. They are as hackable as touchscreens and rarely does anyone check scanner tallies by counting enough of the paper ballots to prove that this sort of thing, or worse, didn't happen. But I digress.

What's interesting about the case you cite is that it implies that the summary screen of the DRE is using different "ballot text" to represent the candidate's name than the "ballot" itself (although of course both the ballot and the summary are just screens and not paper ballots). I wonder if, instead of the ballot text (which is easily editable), the summary screen uses the database record of the candidate's name (including any typos, abbreviations, etc.). If so, then these DREs may be somewhat more transparent than we've been assuming. For example, you'd have a hard time programming them to switch votes from Kerry to Bush by editing the ballot text without the voters knowing (and there have been cases where this has been reported on summary screens!).

The state of IL also has VVPATs. So the question arises as to what name was printed on them, doesn't it? Does it match the one on the summary screen, or the touchscreen ballot? And how about the names on the poll tapes? Any misspellings there? Presumably, the poll tape has to show the database record name because it's reporting vote tallies for each candidate.

:hi:

yours or mine, we have a problem.



Such a change would persist as long as the machine had power, if I am understanding your explanation. We still have two tables with candidate info, even if one is stored in memory and one on disk.

Well any system of vote counting can't operate without audit checks.

In NC random audits are required by law at the end of the election to check electronic count versus a hand count. If a discrepancy found and verified, this triggers more check of other machines. When the electronic and paper count disagree, the paper count is assumed accurate, and is the official count, unless it can be determined that the paper ballots were tampered with.

No system is perfect, but with proper safeguards, OpScan is the best solution we have.

Please outline the safeguards for us.

Thanks

1) The code must be available to election officials for certification.

2) It must be a criminal offense to use code that was not certified.

3) A statistically significant number of random audits must be conducted after the election in which electronic totals are compared to hand-counted totals. In the case of discrepancies between digital counts and manual counts, an expanded audit is mandated to discover the scope of the discrepancy and determine the reason. In the case of any difference between digital counts and manual counts, the manual count shall be presumed accurate, unless evidence of ballot tampering can be demonstrated.

Those basic criteria will give the best balance between automation and the errors inherent in hand-counting complex paper ballots. It maintains a tangible ballot, while streamlining the counting process. The audit process is a check against tampering with digital counting.

Until someone comes up with a better idea, that addresses the realities of elections with an electorate in the hundreds of millions, this is the best compromise.

Number one is a waste of time. It matters what code is actually on the machine, not what's suppossed to be thewre.

Number two is good. I'd call election fraud treason. (I hope that's not hyperbole).

Real audits would be great. I agree.

Thanks

#1 has serves two purposes. It allows the state to spot dodgy code from the outset. Second, you can't determine that a change has occurred in the code on election day, if you don't have something to compare it to.

Before the election:



Unless we have #1, we can't determine if #2 has violated. So, I must respectfully disagree that it is a waste of time.

This last section was what caused Diebold to pack up and leave NC.

I may accomplish nothing else in my life, but that section of the law was my contribution to the fight for fair and honest elections.

You can't know if a "change" has occurred without an adequate office. The rest is window dressing.

Seems to me some are sortof hypnotized with this issue since Diebold's code was found on the web and found to be dubious at best. But with all the distraction about source code, who is really thinking about exploits that occur down stream?

And I'm not trying to be deliberately obtuse, I am not getting it. :)

First, I'm surprised that you didn't know how GEMS works. Wasn't this covered in Bev's book? (I must confess I've never read it.) Haven't you ever downloaded a copy of GEMS to see for yourself? It'll scare the heck of you if you do.

I don't know if ES&S's crap works the same way, but I suspect it does.

Now, if that much damage can be done just by tweaking the ballot programming, knowing the source code buys us very little. Source code is not the way to steal particular elections because for one thing, it's NOT election-specific! So while it's nice to know the source code to see if it has any bugs (which is not really possible to know because of its complexity), or if it has been changed since certification (actually that should be the object code that runs on the machines, hopefully included in the "other material in escrow" in your law), none of this protects the configuration files and hence, the vote, from tampering with the configuration files.

Source-code obsession is what Wilms is talking about. But the ballot programming that existed at the time the votes were cast is what determines how the votes got counted, in addition to the compiled source code. Source code itself tells us very little and it doesn't tell us anything about what the compiler did to it.

The above is why you need to do hand counts and audit the configuration files.

Kelvin, does that make sense to you?

Quoting from the statue as written (NC GS § 163‑182.2. Initial counting of official ballots. :



What part did I miss?

...until the NEXT election!

Please correct me if I'm wrong. WillYourVoteBeCounted would know.

Sorry. Yes, this falls under the heading of "constant vigilance" for backsliding and cheating. Joyce is working on it and the IRV mess, and trying to see if NCVV can be turned into a 501(3)(c).

Even when you get a law on the books, it is a constant fight to see it adhered to. People are always looking for shortcuts, and ways to bend the law.

But op scan may end up being the best solution we'll have left.

NC's audits are very limited. Only one contest; escalation in the event of discrepancies is done in the NEXT election! Come on Kelvin, you can do better than that!

Why not create (or maintain an existing) system that doesn't allow the damn vote switching in the first place? Instead we have to spend our time trying to convince legislators and election officials to prove that the vote switching is not happening. That's not how I plan to spend my golden years!

The bottom line is, we'll trust the software and we're expected to LIKE it too (by showing up to vote).

Meanwhile, the operation of GEMS I've described has nothing to do with the volatility of memory. The ballot text can be edited at will after its initial entry.

The ballot text is part of the database too, and it's on the hard drive. Then it goes on the memory card of the DRE, which is non-volatile. The ballot text, and what I call the "database record" of the candidate's name, are both part of the database.

One self-correction though: The database record of the candidate's name can be edited too! In fact both the record and the ballot text can be edited before downloading them to the voting devices, but the point is, they only have to match each other the very first time the record is entered in GEMS. After that, they can appear as anything.

The poll tape should display the database record; the ballot screen should display the ballot text. The summary screen is anyone's guess, but I'd imagine it should match the ballot text and so should the VVPAT.

So it would be nice to know how Whitey's name was spelled on the poll tapes, wouldn't it?

Certainly, this system is HIGHLY exploitable, but none of this should be news to you after 7 years, should it?

HCPB is not impossible. No matter what size the ballot is, tabulating via HCPB is entirely possible - just need more people per ballot for counting. I have participated in HCPB before. It is not rocket science, the sort and stack method incorporates a 100% audit on the spot before ballots leave the premises.

You have not gone into any detail as to why you are so dismissive about HCPB

Fraud is not the only possible reason for pushing electronic voting -- how about GREED? Badly designed and poorly implemented programs are CHEAPER than good ones. I can undercut anyone's bid if you don't insist that the system actually work!

Fraud may not be the motivation behind the electronic voting scam. But the unverifiable proprietary systems we have certainly facilitate it.