Pima County Election Integrity Trial: Judge Miller Orders Release of 2006 Primary and General Election Databases, But Not RTA Election

Please see the Election Integrity Homepage for complete coverage and the latest news.

Judge Michael Miller, in a carefully reasoned and balanced opinion, today ordered the release of the final MDB and GBF database files for the 2006 RTA election primary and general elections. The judge denied without prejudice access to every MDB and GBF file for the 2006 elections, which would include the RTA election, until and unless the plaintiffs can address remaining security concerns which might arise from that larger release.


For background and commentary on the case and why it is critical to election integrity, please see my earlier posts cataloged on the trial’s home post.

The immediate goal of the Democratic party – to be able to look closer at the final election databases – is satisfied by the ruling. But the broader goal of being able to look at a time series of backups for discrepancies or discontinuities that could indicate manipulation of the RTA election specifically is stymied for the moment. John Denker has some very useful additional commentary on the judge’s apparent strategy.

It is still unclear whether the judge will grant on-going injunctive relief to turn over the final database files from every election going forward. The denial of access to the entire series of database files indicates that the court may still need to be satisfied as to any remaining concerns about security resulting from on-going and multiple disclosures of this type of data before granting such an injunction.

The ruling will allow the Democratic party to perform the forensic analysis required to search for any evidence of wrong-doing. It will also allow the experts for the Democratic party to begin to more closely address the unquantified and unspecified potential security threats from the public disclosure of the data in these files claimed by the County. This access will be crucial in satisfying the court that there is little or no practical threat to elections integrity posed by this information being in the public domain. Once that task is
complete, broader public access to these files (the entire backup history of the election and that of future elections) can be secured.

There is no doubt that the factual findings of the court and this ruling are a resounding and unqualified victory for transparency in our elections process. However, there are further battles that must be fought: to access the entire time-series of backup database files, and to gain permanent injunctive access to the files of future elections without having to litigate each time.

As I digest the ruling and get feedback from the principals in the case, I will continue to update this post.

Here is Judge Miller’s ruling in PDF format: Download MillerRuling.pdf

UPDATE:

Having had a chance to digest the ruling fully and consult with Bill Risner, I have a few additional comments.

The bottom line is that the public will get access to the final databases in the 2006 RTA election primary and general elections and all future elections, though the timing of future releases remains indeterminate.

The possibility for getting all database versions throughout the election process remains open pending further demonstration that there is no security issue. To my mind, the judge has adopted the County’s burden shifting standards of ‘plausible’ or ‘possible’ security harms, when the legal standard requires that the County demonstrate a specific probable harm attendant to the release of a public record. However, I don’t think this final reservation will long stand in light of the factual findings the court announced in this ruling.

A question that comes up often is whether this ruling will be appealed by the Board of Supervisors. I think there is really only one person who knows the answer to that question: Chuck Huckelberry. My recommendation is that if you are concerned about his decision whether to appeal, you should call his office and let him know how you feel about that possibility.

Detailed analysis of Judge Miller’s Under Advisement Ruling after the flip…

Election integrity activists around the country can take heart from
a number of Judge Miller’s factual findings. In such a document, each
paragraph (¶) is numbered for easy reference. If you have downloaded
the document, you can follow along by referencing the paragraph
numbering.

The judge acknowledges in his factual findings that GEMS is
fundamentally flawed as to security. In ¶11 Miller finds that, "The
GEMS-created mdb file can be opened using Microsoft Access. Data in the file can be manipulated. Password protection can be overwritten."
Miller also found that the GEMS software is unsuited to use in
elections. In ¶12, "Specifically, file integrity becomes less robust
(i.e. prone to crashing) when the database becomes too large. The data
may also become corrupted if it receives too many inputs, too quickly,
at one time (concurrency problems). These limitations are well known.
Microsoft has warned against using the mdb format for some critical
applications, such as election management software." (emphasis added)

These key findings undercut the legitimacy the certification process
confers on substandard software such as GEMS and validate the security
claims of elections activists. In ¶13 the judge puts a fine point on
it, stating, "The parties agree that "[t]here are significant security flaws with the architecture of the GEMS software."
Each of the expert witnesses endorsed that statement to one degree or
another." This finding of fact by the court is validation of what
elections activists have been claiming all along and should be alarming
to every voter whose vote is tabulated using GEMS or any other
tabulation software which also uses the JET database engine from MS
Access (as many certified tabulation systems do).

As I fully expected and anticipated in earlier commentary, the judge
dismissed quite handily the County’s contention that the database files
constituted elections programs that they could not divulge. In brief,
that entire line of defense was poppycock, and the judge treated it as
such, though of course he laid out his rationale for doing so in detail.

The court’s findings contextualize the security risks that the
defendants claimed would be posed by release of the database files.
Those risks are recounted in ¶25 and ¶26. Miller points out that those
risks are cabined by the physical security measures adopted by the
County being strictly maintained. In other words, the risks are
theoretical, but not practical unless the County is not doing its job.

The judge dismisses one of the go-to security threats of the
County’s trial team: the reputational suicide exploit – doctoring the
mdb file and then claiming that it is the real election results
following an election. The judge is diplomatic in dismissing this
scenario as a security threat, but his disdain is apparent even if his
words are temperate. In ¶29, "First, the printout of election results
produced by GEMS has no security artwork… and could be easily
duplicated with any word processor. This possibility exists independent
of disclosure of the mdb file. Second, persons not designated as
elections personnel could not credibly claim that the election results
they proffer are more valid than the results prepared from the secure,
elections computer. Moreover, even such an attempt would likely result
in a criminal investigation regarding fraud."

In a nutshell, the judge’s conclusion maps to Bill Risner’s
contention that anyone who tried this would have to "high-tail it outta
town." It’s worth noting that the first exploit the judge mentions was
not developed at trial and the judge’s realization
of this fact is a strong indication of his mastery of the testimony and
technical issues involved.

Slightly more worrying is the further finding in ¶29 that "Plaintiff
concedes that the release of the mdb files immediately after the polls
close is neither practical or appropriate. Release of the mdb file days or even weeks after the election significantly reduces the concern that valid election results could be challenged with an altered mdb file." Unfortunately, such a delay also significantly reduces the possibility of challenging the result of a manipulated election.

There is a five day window in which to contest an election under
Arizona law (Title 16, Chapter 4, Article 13, §16-671-678, time period
specified in §16-673).
One would have to have at least a good faith basis on which to believe
that the election outcome had been illegally altered to file an action
in contest. Too long a delay in providing access to the mdb file
from an election could preclude the forensic analysis needed to form
such a well-founded belief.

Unfortunately, I foresee continued mischief by the County in trying
to forestall the timely release of future elections’ mdb files based on
these findings in Judge Miller’s ruling.

Finally, the Judge addresses the amorphous and undefined unknown
threats which the County claims could be posed by release and
dissemination of many copies of the database files.

Essentially, the concern is that if a malicious party were to have
access to a series of database files from different jurisdictions and
over the course of many elections and many different stages of the
count process, a clever miscreant might find an exploit not foreseen by
security designers.

The Judge has the good sense to recognize in ¶30 that "This
potential problem returns to the concerns noted above regarding
counterfeit ballots, memory cards, and substituted mdb files. Plaintiff
correctly points out that the risk of counterfeit items or
reverse-engineering is primarily a concern if a perpetrator can
physically substitute ballots, memory cards, or electronic
transmissions with contaminated copies."  The judge earlier found such
threats can be addressed through diligent physical and process security
measures, and thus are manageable unless the County is negligent in the
administration of elections.

However, the Judge goes on in ¶31 to address "attacks on electronic
election systems that no one has anticipated." Problematically in my
view, the Judge analogizes the database files to the drawing of a building
and finds "unlimited access to the drawings increases the likelihood
that a potential intruder could find and exploit a security flaw not
know by those responsible for security."

This is problematic for several reasons. First, the analogy is inapt.
The drawing of the building in this scenario would be the source code
for the GEMS software, not the database files it produces. The most
leverage for an unforeseen exploit comes from access to the program’s
source code, which is entirely under the control of Diebold, and not at
issue here. The sort of overview of the program’s operation which is
implied by the analogy of a building’s architectural plans cannot be
provided by any number of databases created by the program. The Judge
has made a significant, and likely quite harmful, misstep in analogical
reasoning.

The Judge concludes ¶ 31 by stating "Although it is difficult to
quantify an unknown – but plausible – threat, this consideration must
be weighed against the Plaintiff’s interest in the mdb files." No, it
must not be. The Judge is simply wrong on this point, in my view.

The second problem presented by ¶ 31 is that the judge has bought
into a subtle, but insidious attempt throughout the trial by the
County to shift the burden of proof onto the plaintiffs. The
defendant carries the burden of proof to show that the public interest
(in this case, security) outweighs the public interest in access to
the  public record. By creating a nebulous category of unknown threats,
it becomes incumbent on the plaintiff to assuage any such unknowns and
counter such concerns without knowing what they might be. By simply
throwing the unknown threats on the scale as a legitimate security
concern, the defendant (and now the Judge) has in essence presented the
plaintiff with an irrefutable presumption that there are, in fact,
unknown and specific security threats attendant to release of the data.

It is not fair for the Court to accept unknown threats as a
specific and genuine threat which is to be weighed against the public’s
interest.
It is burden-shifting and it is harmful to the public
interest for the Court to indulge such scare-mongering fantasies and
treat mere conjecture and the inherent caution of security
professionals as evidence of a threat.

The Judge seems to recognize the ephemeral nature of these unknown
threats in his disquisition on the Alaska mdb in ¶33. He discusses
Professor King’s (the County’s expert) apparent ignorance of the
release of the Alaska database prior to the trial, though that release
had occurred over a year previously. "The context and implications of how
he learned about this development are revealing," finds the Judge.
Indeed, a national consultant on this software with a specialty in
security issues and research staff backing him that regularly searches
for emerging issues in elections security, and he learned of this only
from involvement with this case?

Yet the judge none-the-less puts great stock in Professor King’s
opinion that "multiple mdb files from various jurisdictions might be
necessary to provide confirming data that would enable a computer
hacker to map the structure of the GEMS-created mdb file." Considering
King’s ignorance of the Alaska release, he seems not to be concerned
enough to be actively monitoring the situation or trying to anticipate
such a threat. Even if accepted at face value, the threat posed is to
‘map the structure of the GEMS-created database,’ the threat of which
has already been found to be cabined by good physical and process
security measures to prevent counterfeiting attacks. There is nothing
here to suggest any novel threats of a sort not already addressed.

In the end, Judge Miller simply deferred to the supposed expertise of the County’s expert witness,
Professor King. Judge Miller specifically chooses the word ‘opined’ in
the following finding, "Plaintiff’s expert witnesses opined that there
is nothing in multiple copies of the mdb files that would be of such
incremental value that there would be an increased risk if Pima County
disclosed all its mdb files. Plaintiff’s experts are extremely
knowledgeable in computer security and computer programming, but none
of them have the hands-on experience with the GEMS program possessed by
the Defendant’s witness."

This is perhaps the cruelest blow. One must assume that by ‘hands-on
experience’ the Judge means access to the GEMS source code, because
clearly they all have had access to and experience with use of the GEMS
software, and all are well-acquainted with the data structures the
program creates. The main difference in their experience with the
software is that Professor King was given the source code of GEMS in
escrow by Diebold; the plaintiff’s witnesses were not. To hold that
additional level of access granted by Diebold as the deciding factor in
choosing which expert to credit, when combined with the testimony of
Professor King, which clearly establishes that he was merely
speculating as to threats, is misguided and a poor proxy for the
credibility of their claims.

The result of this burden shifting on unknown threats and the
unaccountable elevation of the County’s expert, Professor King, is ¶33
wherein "The Court finds that the risk of releasing multiple, but not
identical, versions of a database file with a similar structure poses
an unknown risk that hackers could use the files to contaminate valid mdb files. The risk arising from the release of mdb files has not been quantified or assessed with any precision. This known-but-unquantified
risk, coupled with the possibility of failure in the physical security
of elections equipment, cautions against unlimited release of mdb
files. The court concludes that releasing a large number of mdb files
at this time does not protect the interest of the State in valid
elections."

I fully expect that Judge Miller will demand that the County more
clearly specify what the risk may be from release of multiple files
when the Democratic party re-urges the record request. I think that it
is very likely at that time, when the County is unable to produce
anything more concrete, that Judge Miller will drop this reservation and
order a full release of all mdb files.

I guess I’m just not as cautious as the Judge, which is why he’s the
judge, I suppose. The ruling does stretch credulity significantly at
several points in order to come to this cautious resolution. But in the
end, it is likely only a way-point to granting the Democratic Party
everything it has asked for. If I can clearly see the weaknesses in the
reasoning, so too can Judge Miller, and I’m sure he has good prudential
reasons for stretching in order to reach his conclusion in this fashion.

It is heartening to see that the Judge decided to end his findings
with praise for the role that the Democratic Party has played in urging
improvements in elections security and concluding that "the public
interest will benefit from the continued involvement of Plaintiff in
reviewing election management software." That vindication is the
strongest praise the bench could reasonably be expected to confer on
the citizen activists driving the enterprise of election integrity.
