Please see the Election Integrity Homepage for complete coverage and the latest news.
Let me say this before anything else: Bryan Crane is not the villain of this story.
I don't know if he did anything wrong, and that's entirely beside the point in any case. The point is that anyone in Bryan Crane's position certainly could do something wrong - and we would likely never know. That's intolerable.
The point of this trial is not to prove that Mr. Crane, or anyone else, did anything improper or illegal - only that the opportunity exists. It is tempting to allow the appearance of impropriety, or the mere opportunity to do something wrong – both of which Democrats clearly are demonstrating in this trial – to shade into an accusatory lynching of a man’s character.
I don’t believe that there has been any evidence presented that proves to anywhere near a criminal degree of certainty that Mr. Crane or anyone else has committed a crime, or even behaved improperly. To be sure, there is evidence that is very troubling, even if all of the incidents the Democrats point to are adequately explained. And the only way to clear the air is get inside that database.
What is very troubling to many is how stubbornly Pima County officials have resisted the opportunity to reassure citizens concerned that their votes be honestly counted. That sort of stubborn intransigence strikes many as being consistent with how a guilty person reacts to an accusation; not by honestly trying to exonerate themselves by bringing forth all the facts, but by trying to withhold or "lose" critical evidence that could prove their guilt.
Only one thing is for certain - without access to the GEMS database files, the voters of Pima County haven't any hope at all of finding out that our vote is being manipulated if someone in Crane's position is less than honest.
I suspected that the testimony of Bryan Crane would prove pivotal in the case, but I might have underestimated his effect. His testimony could well prove to have been the deciding factor. One thing became undeniably clear: a person of less-than-perfect integrity and honesty in Mr. Cranes' position would be a serious threat to the integrity of our elections.
The point of good security is both to prevent wrong-doing and to catch the culprit if you can’t prevent him. The very nature of computer processing and counting of our votes means that we really do have to rely on the probity and integrity of the people who operate the system. We can keep people out pretty effectively, but you can't keep out those who are authorized. The best you can hope for is to be sure of catching them if they are doing something wrong; conservatives call that effective deterrence.
Trusting someone doesn’t mean that we shouldn’t check and be sure that our reliance is not misplaced. Our county officials seem to just want our trust, hold the checking.
There are several crucial points in Crane's testimony. These are the ones I found to be most important:
Crane severely damaged his credibility right out of the gate by refusing to recognize the fundamental security flaws in the design of GEMS as problematic because access to the computer to outsiders is now well controlled. It's as if he either can't imagine an insider manipulating an election (stupid), or simply won't admit that he imagined it all too clearly (Machiavellian). Finally forced to admit the obvious in redirect, that an unscrupulous operator could rig an election.
One of his most frequent phrases quickly became "I can't recall," especially when confronted with the details of allegations about improper procedures. Judges know exactly what that phrase means.
He had a MS Access manual in the count room the night of the RTA election. Considering how busy elections are, the explanation that he was researching how to solve an equipment issue for a future election seemed implausible.
The allegation that he was taking home GEMS data backups is denied, but his explanation that co-workers were confused as to what data he was taking isn't credible. His own assistant, who was trained to work on the same systems, seems unlikely to have been confused. No explanation offered why admin data would continue to be taken home even after there is a fire-proof safe available for election data.
Made implausible and patently fabricated explanations of the GEMS user log data showing unusual activity. Claims these were simply flukes or habits even though the interface is designed to ensure deliberation (must confirm actions).
Given the numerous accounts of Nelson getting summary reports during elections (and there is nothing wrong with that unless the information is shared to affect the election), Crane's flat denial he had ever given Nelson such reports or seen Nelson with such reports during a count is not just an obvious lie, but a useless one.
The most damning result of Crane's testimony to the County's case came with the questioning by Judge Miller. His questioning laid bare the implausibility of the security threats the County points to as justification for continued confidentiality.
- Information in the GEMS database would allow creation of memory cards to manipulate the vote at the scanner. But tamper evident seals would have to be defeated. Only elections insiders could get away with this exploit and only if the information were obtained before or during an election.
- Information in the GEMS database would allow creation of rigged ballots to fool voters into voting for the wrong choices. But a conspiracy of poll workers would be required to introduce the fake ballots, and the exploit could be more simply in Photoshop. Again the information would have to be obtained prior to or during the election.
- A party obtaining a GEMS database could make alterations and claim the official tally is incorrect on the basis of their copy. But all parties get the data and the claim would easily be dismissed. I term this the reputational suicide attack. Could also be defeated by issuing the database on read-only media with unique identifiers on the media.
After the flip is the full summary of Bryan Crane's testimony. Thanks to David Safier for his indefatigable assistance with these summaries. Please keep in mind these are not intended as transcripts, but condensed and paraphrased summaries...
Summary of testimony by Bryan Crane
Direct Examination by Bill Risner, attorney for the Pima County Democratic Party.
Bryan Crane primarily runs the election computer and has since 1995. He has operated a computer using GEMS software since 1996.
In 1996, a vendor went back on a promise to write a system to merge two vote counts from different voting systems. Crane combined the totals by taking the GEMS database from the vote counting computer to the computer in his office on floppy disks. He devised a program to combine totals. He used Microsoft Access to combine the information. The information was not put back in the GEMS computer. It was put into an Excel spreadsheet.
In a February, 2007, Crane said he knew of no security issues with GEMS. He has since become aware of security issues.
Asked if the ability to change database files as he did in 1996 is an indication of a security risk, Crane replied that risk is about who has access to the computer.
There is no way Crane knows about to access the GEMS computer from the outside.
GEMS allows for individual IDs, but Pima County chose not to use them, because Crane is the primary programmer, so he was the one who printed reports.
Crane didn’t recall printing summary reports on May 11, 2006, when early ballots were being counted for the RTA election. If he did print the reports, he does not recall the reasons.
In 2006, Crane began using “cards cast reports” instead of summary reports to count the number of ballots that had been entered into the computer, because some people thought the use of summary reports was troublesome.
Asked if he was aware the GEMS manual says to use cards cast reports when the ballots were still being counted and to only use summary reports before the counting begins and after the polls closed, Crane said yes, but he was following Arizona procedures.
Risner read from Crane’s February, 2006, deposition, where Crane said he ran summary reports to check the vote counts.
Risner read from questioning of Crane by the state Attorney General’s office, where he said he ran the reports to confirm columns were being read properly by the scanners. He said he did this kind of testing regularly in the past.
Crane agreed that the Logic and Accuracy tests were in part for column placements, and some of the summary reports printed before the end of the election were to check that. They were printed for lots of reasons.
During the night of the RTA election, Crane was looking through a Microsoft Access Manual in the vote counting room to help him program a bar code system with a time stamp included.
Question and answer (paraphrased, not direct quotes)
Q: Can an observer watching the scanning of ballots see if the ballots are being counted accurately?
A: We have gone through all the testing.
Q: Can observers see what is actually on the database?
A: Through reports, yes.
Q: But all they can see is what the computer prints out. No one can know if what’s going on inside the computer is accurate.
A: We know through testing.
Q: But the output of the testing is based on how the computer is programmed. Are you aware that Microsoft warns against using JET for large databases?
A: Yes.
Cross examination by Deputy Pima County Attorney Christopher Straub.
Crane served in the navy where he had top secret security clearance. He understands what security means.
He’s worked with GEMS for ten years to set up elections. [Crane goes through a long explanation of what it takes to set up elections.] Testing takes a week. Pima County does one of the most intensive testing procedures in the nation. [Crane describes testing procedures in detail.] We do all this because we want to guarantee 100% accuracy.
For the 2006 primary, Crane had to create 1600 ballot styles. Ballots look different in different precincts. It takes a great deal of time to do this. To save time in future elections, Crane uses old databases, clears out old information and puts in new information. If he released the databases, he would have to start from scratch each time.
Crane took home backups from the elections server which has poll worker information and other election information. Possibly when people heard him say he was taking a backup home, they thought he meant from the GEMS server.
Prior to 1999, Crane did take home DAT tape backups from the GEMS server, but when they got a fire safe in 1999, he stopped the practice. During that time, he never took home backups between the time voting started and when the polls closed. He continued to take election server backups home after 1999. This was done once annually. He continues to take those election server backups home.
Crane never took a backup tape from the GEMS server and uploaded it again. He did sometimes over-write the backup on the elections server.
Crane never altered or worked on an election from a home computer or anywhere else. He never altered an election.
Though the Secretary of State doesn’t require backups of election databases, Crane does it for thoroughness.
On May 10, 2006, at the end of the first day of counting early ballots for the RTA election, Crane backed up the database. The next morning, he was tired and when he did a Save As command, instead of changing the name to Day 2, he left the earlier name. It was an error for him to hit Save before changing the file name. The error is in the audit log the Pima County Democratic Party saw. The error led to an investigation by the State Attorney General’s office and lots of derogatory comments from the Democratic Party.
Crane prints summary reports before ballots are counted. He has never given a summary report to a political party representative before the legal release time, nor to anyone with an interest in election results, including county officials.
Crane repeats in greater detail about studying the Microsoft Access Manual in the vote counting room the night of the RTA election to try and learn how to put a time stamp on the scanners he was using. He never used Access after the election began to modify anything in the GEMS database.
[A lengthy discussion about whether programs are stored in the database files. A state statute defines programs as all information needed to process ballots at polling stations. Crane believes the databases contain programs as defined by the statute. The Secretary of State puts out guidelines that further define databases as programs.]
Someone with a database, GEMS software and sufficient knowledge could use it to create or change a memory card.
Redirect by Bill Risner.
Robert Evans was Crane’s assistant around 2004. Risner asked if Evans understood the difference between the server and an electronic computer. Crane agreed he probably did.
Ballots contain timing marks that tell the scanners how to read the ballots. The private company, Runbeck (sp?), that prints the ballots, delivers them to the elections office with no chain of custody.
Crane agreed that if someone with less impeccable character than he were the sole operator of the computer, there is a possibility of manipulating an election.
Risner reminded Crane that, after he over-wrote the backup from May 10 on the morning of May 11, he immediately created two summary reports. Risner asked if, to write over a backup, you would have to insert a CD. Crane replied no, we back up from the server. Risner asked if you could make a CD backup, put it in your bag and take it home. Crane answered, I haven’t, but you could.
Crane said he had never given Brad Nelson a copy of a summary report from the time the counting began until the end of an election. He also said he had never seen Nelson with a summary report during the counting of elections.
[Long discussion of the meaning of the terms program, database and documentation.]
Crane had a crop scanner he used for a few days. He used it for good motives, to see if it was possible to alter memory cards as he had read on in a report. He felt it couldn’t do it what the report said it could.
Judge Miller’s Questions.
Crane said he was trained on computer software in high school, in the Navy (in 1986), at community college, and he learned a lot on his own.
He trained on hardware in the Navy, at community college and on his own.
When the backups are sent to the Secretary of State before the election, they contain an image of everything on the GEMS server.
No information ever goes from the elections server to the GEMS server. Information to GEMS comes through keyboard, scanner, or modems sending vote information from the polls. In the future, the machines at the polls will be carried into the vote counting room and have the votes loaded through serial ports.
About 20 backup databases are generated for every election. Only one database file is created for the election.
The largest vote database file Crane has seen is over a gig. It’s that large because of data garbage stored by Microsoft Access. When a file is that big, a compression is done. First Crane creates a backup, then he compresses the backup.
Crane uses old databases to create new databases, because starting from scratch is very time consuming, especially when you’re going from the primary to the general election, when much of the information is the same.
If the database from the primary is given to the political parties after the counting is over but before the general election, since lots of information is similar, someone could use it to create memory cards, putting random information on the cards, or ballots, which could create mayhem in the election.
Asked how someone could corrupt memory cards created by the county, Crane said they couldn’t, but people could create their own cards, pop the seal on the machine and replace the card.
Asked if that would take physical intrusion into the secured machines, Crane admitted it would.
Counterfeit ballots could be created, since the database shows the timing marks on the ballots. If you requested a real ballot, you could use the timing marks to create your own ballot to stuff in the ballot box. The box could only be stuffed if two or more poll workers participated in the scheme.
Asked if a voter would have to participate for a counterfeit ballot scheme to work, Crane said someone could slip a counterfeit to an unwitting voter that could be created to flip votes or something like that.
Asked if GEMS databases from other jurisdictions are in the public domain, Crane said yes, in Alaska. That could cause a problem if someone has the file and the program and saw the structure of the election, which could allow them to create problems.
Asked if that had ever happened, Crane said, not to his knowledge.
Asked if he had ever opened a database file in Microsoft Access, Crane said yes. He agreed that such a database could be altered.
Crane has not seen GEMS source code, only executable source code.
Asked if database files ever have to be compiled, Crane said no, and he has never compiled any.
Questions from Bill Risner.
Asked if the counterfeit ballot scheme would mean the counterfeit would have to go in the ballot box, Crane said yes. Asked if the hand count audit would pick up the discrepancy if that precinct was audited, Crane agreed that it would.
Questions from Christopher Straub.
Crane says he came up with the counterfeit ballot scenario from operating GEMS.
Other counties have worse security than ours. We have some of the best.
The GEMS computer is solitary, not connected to anything else.
When modems are no longer used to send vote data from polling places, the machines will be driven to the vote counting room.
Question from Bill Risner.
When asked if a mail-in ballot scanned into a computer could be altered in Photoshop, Crane said yes.
Judge Miller’s questions.
Crane acknowledged there are significant flaws in GEMS software. As long as the computer is secured, the main weakness is that someone could use Microsoft Access. But if you can’t get to GEMS, there are no security risks.
Asked if he is not concerned with security risks to GEMS but is concerned with security risks from the database, Crane replied that the database is secure so long as we are the only ones who have it.
Crane has never seen a database become corrupted on its own. He is not concerned that Microsoft Access is not robust enough to handle election software.
Recent Comments