Please see the Election Integrity Homepage for complete coverage and the latest news.
There are a number of take-away points in the testimony of Mr. Duniho. Here are some points that I found most important:
- Mr. Duniho was a senior programmer at the National Security Agency for 37 years.
- To Mr. Duniho's knowledge, insiders are responsible for 100% of election fraud. He has never seen an instance of an outsider 'hacking' an election, only those with licit access.
- Mr. Duniho sees no security risk from access to the database files from any party provided that the election is over. All election data in the database is unique to that election and provides no advantage in penetrating the security of future elections.
- Mr. Duniho thinks access to these database files are the next logical step in making elections in Pima county secure from manipulation, specifically, it is the only way to ensure oversight over elections insiders.
- Mr. Duniho authored an elections manual for Arizona county party chairmen to assist in enhancing the security of elections in their own counties as part of his work with the Democratic Party's Election Integrity Committee.
- MS Access on which GEMS is based has essentially no security for anyone with access to the computer on which it runs, making elections very vulnerable to insider manipulation, despite physical and process security measures adopted by the county at his suggestion.
- Review of the documentation of the election after the fact to look for anomalies is essential to security of elections. The parties acting in concert are the best agent to perform that task which would include the GEMS database, precinct registers, precinct reports, Windows audit logs, and all summary reports printed by elections personnel.
- Memory cards used for programming scanners and tabulators with ballot layout information contain interpreted language which violates federal standards and could pose a very serious threat to the security of elections if altered.
- Ballot rotation information (the algorithm used to rotate candidate positions on the ballots) contained in the database is critical to ensuring integrity of an election and confirming it has not been tampered with is crucial to oversight. The rotation information poses no security threat after an election is over and is in any case publicly available information.
- The database is the final and most comprehensive record of the election and is necessary to functional oversight of the election.
- On cross examination by Straub Mr. Duniho opined that the line of definition between data and code became rather blurry with the advent of object oriented programming (such as C++ in which Access is written). The database files sought have both parameters and vote totals and controls the layout of ballots. But Duniho emphasized that he believes the code actually resides in GEMS, not the databases: the database is the result of the GEMS program's operation.
- On cross examination by Straub, Mr. Duniho was asked if there was any commercially available software which does not have any security issues. Mr. Duniho opined that there was no commercial software available, but that Australia had developed transparent open-source software for its elections which he found suitable.
- On cross examination, Straub asked if Mr. Duniho considered access to the database another step in ensuring election integrity, and Duniho corrected him that it was not to ensure integrity (which is prospective in nature) but to confirm integrity (which is retrospective in nature). Proper security requires both ensuring and confirmation of integrity.
- On cross examination, Straub asked whether the hand count audit take care of the issue of fraud. Duniho denied that saying that until the public had access to the rotation codes in the database, there could be no assurance that there had been no manipulation.
- Judge Miller asked some thoughtful questions about macros in office software as a comparison to the SQL code in the databases. This propted Duniho to give a discussion on the development of programming concepts and how the distinction between code and data that might have seemed important in 1980, when the Arizona statutes at issue were written, made much less sense in today's object oriented programming.
Summary of testimony by Michael "Mickey" Duniho:
[Note: Thanks for the crucial assistance of David Safier in preparation of this summary. We're doing our best with a highly technical subject matter, so rely on this summary with care.]
Direct Examination by Bill Risner, attorney for the Pima County Democratic Party:
Duniho worked for the National Security Agency for 37 years as a linguist, cryptographer, computer programmer and computer analyst. He also taught people to use Microsoft Office, including Microsoft Access.
Duniho served was a Republican and served as a Republican Chief Election Judge (the equivalent of an inspector in Arizona) while in Maryland. When he moved to Arizona, he re-registered as an independent. When he became involved with the Pima County Democratic Party’s Election Integrity Committee, he re-registered as a Democrat.
He saw flaws in the physical security of Pima County elections. He met with Brad Nelson, Elections Director, and suggested some changes, many of which were implemented.
On 10/16/06, after the primary elections, Duniho sent a letter to Nelson discussing security issues needing improvement. Many of the improvements were implemented. He also listed remaining problems.
Some of the security changes made at the Democratic Party request were:
- Cables coming from the vote counting computers are exposed, so anyone can tell what they are connected to (Prior to this, some cables disappeared into walls with no indication where they went)
- Monitors for public viewing contain all the information that is on the operator’s computer monitor.
- Security cameras are in the computer room, the ballot storage room and the rooms that hold the vote machines that go out to the precincts.
- An electronic access control system allows only a limited number of people into the most secure areas.
- The area is scanned to make sure no wireless signals are present.
- The early board facility where the mail-in ballots are opened has an improved chain-of-custody system. (Previously, ballots were put in boxes sealed with packing tape, then loaded in a van and driven to the central elections building without any safeguards against boxes of ballots being removed and replaced. Now, each box has a tamper-revealing seal on top and bottom, and the numbers of the seals are faxed to the central elections building, and observers check the boxes against the numbers.)
- A team of observers from the political parties observe the scanning of early ballots.
When Duniho made his suggestions, John Moffatt, Pima County's manager of strategic technical planning, was very cooperative in implementing suggestions. Nelson was reasonably cooperative. Bryan Crane, the elections division’s computer technician, was totally uncooperative. He resented the Democrat’s presence and wouldn’t talk with them.
The Democratic Party wants the database as another step in confirming the integrity of the elections. Viewing the databases will help prevent an insider from manipulating the data. Getting the day-to-day databases would confirm that the data was accurate and unchanged over the course of the vote counting process. Since MS Access has no security and opens the databases to anyone with access to the computer, looking over the audit logs and databases could indicate if someone did something to the vote totals they shouldn’t have.
Duniho has looked at the GEMS software that has been posted on the web, and he has looked at databases released to political parties in Alaska.
When Duniho saw the audit logs, he noticed that summary reports had been printed before the close of the election which contained exact vote totals in the various races to that point. The Democratic Party has requested to see all the reports that have been printed. The County has refused.
There is no risk in having the databases in the hands of any party.
Memory cards that go into the machines used in precincts are generated by GEMS. The cards tell the machines how to read the cards (where to find votes for certain candidates, etc.)
If someone got a copy of a database before an election was over, it would be possible to print ballots, and that could be a problem. However, the Democratic Party is asking to see the databases after the elections are over. Besides the parties can see the ballots before the election when the Logic and Accuracy tests are run.
In December, 2006, Duniho and others met with Moffatt to find out why the County wouldn’t give the Democratic Party the databases. Moffatt said that codes of candidates and races would be revealed. Duniho had already downloaded the codes from the Secretary of States’ public website. He showed them to Moffatt, who was amazed and had no idea where Duniho could have gotten the codes.
Databases are compacted from time to time to improve the efficiency of the database. This is especially important because Microsoft Access is not intended to be used with large databases. Duniho does not understand why, on November 2, 2006, early in the ballot counting process, the database was compacted, then it was never compacted again later in the process. If it was needed early, it seems it should have been needed even more later when more votes were added.
Getting the ballot formation information from databases after the election was over would be a good way to check that the ballot rotation system was being implemented properly. This would not give away Pima County’s ballot rotation system, since it is published by Diebold, so it is not a secret.
SQL statements are in the database, but they are not programming code.
The structure of the GEMS database is well known, so having a copy of the database would not give anyone new information about structure. A hacker could find all the information on the web.
To Duniho’s knowledge, 100% of computer election fraud is done by insiders.
Duniho has taken a lead role in developing a manual to be used by political party election observers across the state.
Cross examination by Christopher Straub representing Pima County:
Duniho agreed that:
Today’s databases store some of the software.
The database has parameters that allows it to program memory cards.
The databases requested by Democrats have parameters on them.
The databases have the ballot rotation system programmed into them.
When asked if the rotation system was in public domain, Duniho said it is.
Duniho agreed that the database contains information about design, logos, etc, which GEMS needs to perform its functions.
When asked if all certified election systems have security concerns, Duniho said that’s true of those in the U.S., but Australia uses a UNIX-based software that is on the web for all to see. He thinks that is the direction we should be going.
Duniho agreed that the improved physical security is good. He agreed the Democratic Party was given a number of documents that included summary reports, audit logs and Windows event logs.
Duniho agreed there is no evidence any elections were fraudulent or inaccurate.
When asked if the “Statement of Votes Cast” given to the parties gives them all the information they need, Duniho replied that it does not say how the computer produced the report.
Duniho agreed that the information he got from the Secretary of State’s site contained candidate and race codes but not ballot rotation information or other specifics.
Duniho agreed that other Arizona counties have less secure election processes than Pima County.
When asked if he was aware of any Pima County elections that were not fair, Duniho replied that he has questions about the 2004 presidential election and the Regional Transit Authority election, but he has no evidence of wrongdoing.
Redirect by Bill Risner:
Duniho created a list of suggestion for further security based on what is done in Tucson City elections:
- Ballots should be stored in the treasurer’s vault, not in the elections division.
- Nothing is taken out of the vault and the computer is never turned on without party observers present.
- The database is created from scratch every election, unlike Pima County, which modifies old databases for new elections.
Questions from Judge Miller:
When asked if Macros are stored in a Word document, Duniho said yes.
When asked if putting a Visual Basic routine in a document makes it a program within a document, Duniho replied that in today’s computer world, the distinction between programming and data has been so muddied, it isn’t discussed much among computer people. Today’s documents are filled with active bits of data. Today’s programmers wouldn’t be worried about the questions that are at the center of this case.
Follow up by Bill Risner:
Election rules say there can be no self-modifying code and no interpreted code. GEMS uses interpreted code.
Duniho wants to see the SQL codes in the databases to make sure they are what he expects them to be.