Please see the Election Integrity Homepage for complete coverage and the latest news.
Judge Michael Miller, in a carefully reasoned and balanced opinion, today ordered the release of the final MDB and GBF database files for the 2006 RTA election primary and general elections. The judge denied without prejudice access to every MDB and GBF file for the 2006 elections, which would include the RTA election, until and unless the plaintiffs can address remaining security concerns which might arise from that larger release.
For background and commentary on the case and why it is critical to election integrity, please see my earlier posts cataloged on the trial's home post.
The immediate goal of the Democratic party - to be able to look closer at the final election databases - is satisfied by the ruling. But the broader goal of being able to look at a time series of backups for discrepancies or discontinuities that could indicate manipulation of the RTA election specifically is stymied for the moment. John Denker has some very useful additional commentary on the judge's apparent strategy.
It is still unclear whether the judge will grant on-going injunctive relief to turn over the final database files from every election going forward. The denial of access to the entire series of database files indicates that the court may still need to be satisfied as to any remaining concerns about security resulting from on-going and multiple disclosures of this type of data before granting such an injunction.
The ruling will allow the Democratic party to perform the forensic analysis required to search for any evidence of wrong-doing. It will also allow the experts for the Democratic party to begin to more closely address the unquantified and unspecified potential security threats from the public disclosure of the data in these files claimed by the County. This access will be crucial in satisfying the court that there is little or no practical threat to elections integrity posed by this information being in the public domain. Once that task is complete, broader public access to these files (the entire backup history of the election and that of future elections) can be secured.
There is no doubt that the factual findings of the court and this ruling are a resounding and unqualified victory for transparency in our elections process. However, there are further battles that must be fought: to access the entire time-series of backup database files, and to gain permanent injunctive access to the files of future elections without having to litigate each time.
As I digest the ruling and get feedback from the principals in the case, I will continue to update this post.
Here is Judge Miller's ruling in PDF format: Download MillerRuling.pdf
UPDATE:
Having had a chance to digest the ruling fully and consult with Bill Risner, I have a few additional comments.
The bottom line is that the public will get access to the final databases in the 2006 RTA election primary and general elections and all future elections, though the timing of future releases remains indeterminate.
The possibility of getting all database versions throughout the election process remains open pending further demonstration that there is no security issue. To my mind, the judge has adopted the County's burden-shifting standard of 'plausible' or 'possible' security harms, when the legal standard requires that the County demonstrate a specific probable harm attendant to the release of a public record. However, I don't think this final reservation will long stand in light of the factual findings the court announced in this ruling.
A question that comes up often is whether this ruling will be appealed by the Board of Supervisors. I think there is really only one person who knows the answer to that question: Chuck Huckelberry. My recommendation is that if you are concerned about his decision whether to appeal, you should call his office and let him know how you feel about that possibility.
Detailed analysis of Judge Miller's Under Advisement Ruling after the flip...
Election integrity activists around the country can take heart from a number of Judge Miller's factual findings. In such a document, each paragraph (¶) is numbered for easy reference. If you have downloaded the document, you can follow along by referencing the paragraph numbering.
The judge acknowledges in his factual findings that GEMS is fundamentally flawed as to security. In ¶11 Miller finds that, "The GEMS-created mdb file can be opened using Microsoft Access. Data in the file can be manipulated. Password protection can be overwritten." Miller also found that the GEMS software is unsuited to use in elections. In ¶12, "Specifically, file integrity becomes less robust (i.e. prone to crashing) when the database becomes too large. The data may also become corrupted if it receives too many inputs, too quickly, at one time (concurrency problems). These limitations are well known. Microsoft has warned against using the mdb format for some critical applications, such as election management software." (emphasis added)
These key findings undercut the legitimacy the certification process confers on substandard software such as GEMS and validate the security claims of elections activists. In ¶13 the judge puts a fine point on it, stating, "The parties agree that "[t]here are significant security flaws with the architecture of the GEMS software." Each of the expert witnesses endorsed that statement to one degree or another." This finding of fact by the court is validation of what elections activists have been claiming all along and should be alarming to every voter whose vote is tabulated using GEMS or any other tabulation software that also uses the JET database engine from MS Access (as many certified tabulation systems do).
As I fully expected and anticipated in earlier commentary, the judge dismissed quite handily the County's contention that the database files constituted elections programs that they could not divulge. In brief, that entire line of defense was poppycock, and the judge treated it as such, though of course he laid out his rationale for doing so in detail.
The court's findings contextualize the security risks that the defendants claimed would be posed by release of the database files. Those risks are recounted in ¶25 and ¶26. Miller points out that those risks are contained only so long as the physical security measures adopted by the County are strictly maintained. In other words, the risks are theoretical, but not practical unless the County is not doing its job.
The judge dismisses one of the go-to security threats of the County's trial team: the reputational suicide exploit - doctoring the mdb file and then claiming that it is the real election results following an election. The judge is diplomatic in dismissing this scenario as a security threat, but his disdain is apparent even if his words are temperate. In ¶29, "First, the printout of election results produced by GEMS has no security artwork... and could be easily duplicated with any word processor. This possibility exists independent of disclosure of the mdb file. Second, persons not designated as elections personnel could not credibly claim that the election results they proffer are more valid than the results prepared from the secure, elections computer. Moreover, even such an attempt would likely result in a criminal investigation regarding fraud."
In a nutshell, the judge's conclusion maps to Bill Risner's contention that anyone who tried this would have to "high-tail it outta town." It's worth noting that the first exploit the judge mentions was not developed at trial and the judge's realization of this fact is a strong indication of his mastery of the testimony and technical issues involved.
Slightly more worrying is the further finding in ¶29 that "Plaintiff concedes that the release of the mdb files immediately after the polls close is neither practical or appropriate. Release of the mdb file days or even weeks after the election significantly reduces the concern that valid election results could be challenged with an altered mdb file." Unfortunately, such a delay also significantly reduces the possibility of challenging the result of a manipulated election.
There is a five day window in which to contest an election under Arizona law (Title 16, Chapter 4, Article 13, §16-671-678, time period specified in §16-673). One would have to have at least a good faith basis on which to believe that the election outcome had been illegally altered to file an action in contest. Too long a delay in providing access to the mdb file from an election could preclude the forensic analysis needed to form such a well-founded belief.
Unfortunately, I foresee continued mischief by the County in trying to forestall the timely release of future elections' mdb files based on these findings in Judge Miller's ruling.
Finally, the Judge addresses the amorphous and undefined unknown threats which the County claims could be posed by release and dissemination of many copies of the database files.
Essentially, the concern is that if a malicious party were to have access to a series of database files from different jurisdictions and over the course of many elections and many different stages of the count process, a clever miscreant might find an exploit not foreseen by security designers.
The Judge has the good sense to recognize in ¶30 that "This potential problem returns to the concerns noted above regarding counterfeit ballots, memory cards, and substituted mdb files. Plaintiff correctly points out that the risk of counterfeit items or reverse-engineering is primarily a concern if a perpetrator can physically substitute ballots, memory cards, or electronic transmissions with contaminated copies." The judge earlier found such threats can be addressed through diligent physical and process security measures, and thus are manageable unless the County is negligent in the administration of elections.
However, the Judge goes on in ¶31 to address "attacks on electronic election systems that no one has anticipated." Problematically in my view, the Judge analogizes the database files to the drawings of a building and finds "unlimited access to the drawings increases the likelihood that a potential intruder could find and exploit a security flaw not known by those responsible for security."
This is problematic for several reasons. First, the analogy is inapt. The drawing of the building in this scenario would be the source code for the GEMS software, not the database files it produces. The most leverage for an unforeseen exploit comes from access to the program's source code, which is entirely under the control of Diebold, and not at issue here. The sort of overview of the program's operation which is implied by the analogy of a building's architectural plans cannot be provided by any number of databases created by the program. The Judge has made a significant, and likely quite harmful, misstep in analogical reasoning.
The Judge concludes ¶31 by stating "Although it is difficult to quantify an unknown - but plausible - threat, this consideration must be weighed against the Plaintiff's interest in the mdb files." No, it must not be. The Judge is simply wrong on this point, in my view.
The second problem presented by ¶31 is that the judge has bought into a subtle but insidious attempt throughout the trial by the County to shift the burden of proof onto the plaintiffs. The defendant carries the burden of proof to show that the public interest (in this case, security) outweighs the public interest in access to the public record. By creating a nebulous category of unknown threats, it becomes incumbent on the plaintiff to assuage any such unknowns and counter such concerns without knowing what they might be. By simply throwing the unknown threats on the scale as a legitimate security concern, the defendant (and now the Judge) has in essence presented the plaintiff with an irrefutable presumption that there are, in fact, unknown and specific security threats attendant to release of the data.
It is not fair for the Court to accept unknown threats as a specific and genuine threat which is to be weighed against the public's interest. It is burden-shifting and it is harmful to the public interest for the Court to indulge such scare-mongering fantasies and treat mere conjecture and the inherent caution of security professionals as evidence of a threat.
The Judge seems to recognize the ephemeral nature of these unknown threats in his disquisition on the Alaska mdb in ¶33. He discusses Professor King's (the County's expert) apparent ignorance of the release of the Alaska database prior to the trial, though that release had occurred over a year earlier. "The context and implications of how he learned about this development are revealing," finds the Judge. Indeed: a national consultant on this software, with a specialty in security issues and a research staff backing him that regularly searches for emerging issues in elections security, and he learned of this only from involvement with this case?
Yet the judge nonetheless puts great stock in Professor King's opinion that "multiple mdb files from various jurisdictions might be necessary to provide confirming data that would enable a computer hacker to map the structure of the GEMS-created mdb file." Considering King's ignorance of the Alaska release, he seems not to be concerned enough to be actively monitoring the situation or trying to anticipate such a threat. Even if accepted at face value, the threat posed is to 'map the structure of the GEMS-created database,' and the court has already found that threat to be contained by good physical and process security measures that prevent counterfeiting attacks. There is nothing here to suggest any novel threat of a sort not already addressed.
In the end, Judge Miller simply deferred to the supposed expertise of the County's expert witness, Professor King. Judge Miller specifically chooses the word 'opined' in the following finding, "Plaintiff's expert witnesses opined that there is nothing in multiple copies of the mdb files that would be of such incremental value that there would be an increased risk if Pima County disclosed all its mdb files. Plaintiff's experts are extremely knowledgeable in computer security and computer programming, but none of them have the hands-on experience with the GEMS program possessed by the Defendant's witness."
This is perhaps the cruelest blow. One must assume that by 'hands-on experience' the Judge means access to the GEMS source code, because clearly they all have had access to and experience with use of the GEMS software, and all are well-acquainted with the data structures the program creates. The main difference in their experience with the software is that Professor King was given the source code of GEMS in escrow by Diebold, while the plaintiff's witnesses were not. To hold that additional level of access granted by Diebold as the deciding factor in choosing which expert to credit, when combined with the testimony of Professor King, which clearly establishes that he was merely speculating as to threats, is misguided and a poor proxy for the credibility of their claims.
The result of this burden shifting on unknown threats and the unaccountable elevation of the County's expert, Professor King, is ¶33 wherein "The Court finds that the risk of releasing multiple, but not identical, versions of a database file with a similar structure poses an unknown risk that hackers could use the files to contaminate valid mdb files. The risk arising from the release of mdb files has not been quantified or assessed with any precision. This known-but-unquantified risk, coupled with the possibility of failure in the physical security of elections equipment, cautions against unlimited release of mdb files. The court concludes that releasing a large number of mdb files at this time does not protect the interest of the State in valid elections."
I fully expect that Judge Miller will demand that the County more clearly specify what the risk may be from release of multiple files when the Democratic party re-urges the record request. I think that it is very likely at that time, when the County is unable to produce anything more concrete that Judge Miller will drop this reservation and order a full release of all mdb files.
I guess I'm just not as cautious as the Judge, which is why he's the judge, I suppose. The ruling does stretch credulity significantly at several points in order to come to this cautious resolution. But in the end, it is likely only a way-point to granting the Democratic Party everything it has asked for. If I can clearly see the weaknesses in the reasoning, so too can Judge Miller, and I'm sure he has good prudential reasons for stretching in order to reach his conclusion in this fashion.
It is heartening to see that the Judge decided to end his findings with praise for the role that the Democratic Party has played in urging improvements in elections security and concluding that "the public interest will benefit from the continued involvement of Plaintiff in reviewing election management software." That vindication is the strongest praise the bench could reasonably be expected to confer on the citizen activists driving the enterprise of election integrity.
1. Unrelated to this case, it would be instructive to perform a comparison of the source code filed with the SOS to the source code for the same elections that presumably are backed up at the Pima Co. Elections dept.
The equivalent of a "diff" command or use of similar software to determine exact equality is all that is needed. The two are expected to be identical, since there should be no reason for altering the source code subsequent to its being filed with the SOS. This should be done for all elections starting with several elections prior to the employment of Brad Nelson by Pima Co. Elections dept.
2. If, as implied by the ruling, SQL queries are resident in the .mdb files, then all of these "add-on" SQL queries that are not part of the standard GEMS application should be thoroughly reviewed to ascertain what each query does, when each was executed, and the resulting output. Special attention should be given to any query that does a write (add or update) to any .mdb file (as opposed to read- and print-only).
3. Since 2 elections in 2006 seem to be acceptable to Judge Miller to be released per this opinion, why not use the RTA and General elections (i.e., substitute the RTA for the 2006 primary)? Presumptive incentive to predisclose, or even manipulate, election result data is much higher for the RTA election than for the Primary election. Unusual database activity would be more likely to occur in an election that is more highly contested and had greater consequences based on the election results. The Pima County Democratic Party should consider asking Judge Miller to substitute the RTA files for the 2006 Primary files.
Posted by: T. Stephen Cody | December 19, 2007 at 09:33 AM
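The review of "add-on" queries suggested in point 2 above starts with a triage step: sort the saved query text by whether it can write to the database. The following is an added example, not code from this post or from any election software; the query names, table names and SQL are constructed stand-ins, since the actual contents of a GEMS mdb file are not reproduced here.

```python
import re

# Constructed sample of saved queries as (name, sql) pairs. The names, tables
# and statements are hypothetical and are not taken from any real GEMS file.
SAMPLE_QUERIES = [
    ("qry_results_by_precinct",
     "SELECT Precinct, Candidate, Votes FROM Results ORDER BY Precinct"),
    ("qry_fix_totals",
     "UPDATE SumCandidateCounter SET TotalVotes = TotalVotes + 50 WHERE CandId = 3"),
    ("qry_export_copy", "SELECT * INTO ResultsBackup FROM Results"),
    ("qry_purge", "  delete FROM AuditLog WHERE LogDate < #1/1/2006#"),
    ("qry_report", "-- report only\nSELECT COUNT(*) FROM CandidateCounter"),
    ("qry_notes", "SELECT Note FROM Memos WHERE Note LIKE '%into%'"),
]

# Statement verbs that modify data or schema.
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "TRUNCATE"}


def _strip_noise(sql):
    """Remove comments and string literals so keywords inside them are not matched."""
    cleaned = re.sub(r"--[^\n]*", " ", sql)                 # line comments
    cleaned = re.sub(r"/\*.*?\*/", " ", cleaned, flags=re.S)  # block comments
    cleaned = re.sub(r"'[^']*'", "''", cleaned)             # string literals
    return cleaned.upper()


def classify_query(sql):
    """Return 'write' if the statement can modify the database, else 'read'."""
    cleaned = _strip_noise(sql)
    tokens = cleaned.split()
    if not tokens:
        return "read"
    verb = tokens[0]
    if verb in WRITE_VERBS:
        return "write"
    # An Access "make-table" query is SELECT ... INTO <table> FROM ...,
    # which creates and fills a new table even though it starts with SELECT.
    if verb == "SELECT" and re.search(r"\bINTO\b", cleaned):
        return "write"
    return "read"


def triage(queries):
    """Group saved queries by classification so write queries can be reviewed first."""
    groups = {"write": [], "read": []}
    for name, sql in queries:
        groups[classify_query(sql)].append(name)
    return groups


if __name__ == "__main__":
    for kind, names in triage(SAMPLE_QUERIES).items():
        print(kind, names)
```

Once the write queries are isolated, the remaining questions in point 2 (when each ran and what it produced) have to come from the file's own audit records, which this example does not model.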
I just wanted to send out a few quick mea culpas:
1) sorry for the misstep saying the RTA data would be released. I misrecalled the date of the RTA election as being contemporaneous with the 2006 general election and it was instead held mid-year.
2) sorry for the inordinate number of spam filterings. If you get a message that your post has been spam filtered, just drop me a note at mbryan@gmail.com to let me know and I'll be sure to pull it out of the spam folder. Typepad is working with a new system that is turning out to be a little hypersensitive. I will have regular commenters trained in very shortly if you just keep commenting.
3) Stephen makes a very good point here that if it were the number of mdb files in the wild that concerned the judge, he would have served the public interest better by just releasing the RTA database instead of the primary and general databases.
Posted by: mbryanaz | December 19, 2007 at 02:05 PM