This is Part 2 of a series. Here is Part 1.
I have questions.
Perhaps there are reasonable answers to my questions.
If I were employed by a County, I would want answers to these questions, and as a voter, I expect that County officials at a minimum understand the answers and supervise the vendors.
Remember, we paid for these machines.
At the time of this writing, the video linked below is publicly accessible. It is also archived on the Wayback Machine. The way to read this article is to have one window open with the video running and another with these questions.
The questions asked below are only based on the features demonstrated, not every feature available for use.
Decide for yourself if they are worth asking.
What additional questions do you have?
Time stamp 0:00:00
What credentials were used to log in to this tabulator? Are they group or individual credentials?
Why is VMWare loaded on this machine? What is the purpose? Is that part of the EAD certification?
Why is Explorer loaded on this machine? Is Explorer loaded on all tabulators and can it be used to search the internet?
Time stamp 0:00:40
What chain of custody exists around the compact flash (CF) used to load the files into the tabulator?
How is it verified that no malware exists on the CF prior to it being loaded on the Tabulator?
Time stamp 0:01:00
The admin is permitted access to the C: drive. Are there any restrictions in place to prevent any OTHER user from accessing the C: drive?
Can the admin or any other user make changes to any directory or files on the C: drive?
Does an audit log exist of user actions with respect to all directory and file manipulation?
Time stamp 0:01:20
What technical or procedural controls are in place by the vendor or County to ensure that 3 and only 3 files are copied to the config directory and that those are the correct and most recent versions needed?
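One kind of technical control this question is asking about, shown as an added example (not from the video, the vendor, or any County procedure): a keyed manifest check that reports any missing, altered, or extra entry in the config directory. The file names, the key, and the use of a shared-key HMAC instead of a digital signature are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def _mac(entries, key):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(files, key):
    """Issuer side: hash each approved file, then MAC the list."""
    entries = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    return {"files": entries, "mac": _mac(entries, key)}

def verify_config_dir(config_dir, manifest, key):
    """Return findings; an empty list means exactly the approved files are present."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        return ["manifest MAC invalid"]
    findings = []
    present = {p.name: p for p in Path(config_dir).iterdir()}
    for name, digest in manifest["files"].items():
        path = present.get(name)
        if path is None or not path.is_file():
            findings.append(f"missing: {name}")
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            findings.append(f"hash mismatch: {name}")
    for name in sorted(set(present) - set(manifest["files"])):
        findings.append(f"unexpected entry: {name}")
    return findings

def demo():
    key = b"constructed-demo-key"  # assumption: key held by the election office
    # Constructed stand-ins; the page does not name the three files.
    approved = {"file1.cfg": b"one v3", "file2.cfg": b"two v3", "file3.cfg": b"three v3"}
    manifest = build_manifest(approved, key)
    with tempfile.TemporaryDirectory() as d:
        for name, data in approved.items():
            Path(d, name).write_bytes(data)
        clean = verify_config_dir(d, manifest, key)
        Path(d, "file2.cfg").write_bytes(b"two v2")   # stale version
        Path(d, "extra.bin").write_bytes(b"x")        # a fourth file
        dirty = verify_config_dir(d, manifest, key)
    return clean, dirty

if __name__ == "__main__":
    print(demo())
```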
Time stamp 0:02:20
In order to log in as the admin of the tabulator, a group password is used. How does the audit trail capture who the actual user was who logged in if group credentials are being used?
What chain of custody exists around the use of the admin key that is inserted into the tabulator?
How many times does the system permit entering the admin password before it locks and makes the user reset the password?
Time stamp 0:03:15
Why is it permitted for the user to configure the primary path and secondary path for storing the election data?
Why is it permitted for the user to BROWSE to the location, including networked locations, where election data will be stored?
Why is it optional to use the backup path (secondary)? Shouldn’t this be required?
What data validation exists to ensure that the primary and secondary path entered actually EXIST so that files are not LOST?
What controls are in place to ensure that once the election data files are created that they cannot be deleted via the File Explorer?
Time stamp 0:03:50
What procedural controls exist to ensure that the correct scan options are chosen for each tabulator?
Are the scan option choices written to a log in the election data file on the primary or secondary path?
Under what circumstances would the tabulator ever want to IGNORE stray marks or blank ballots? These options can be unchecked.
What controls exist to ensure that Primary election options are chosen for primary elections and ONLY for primary elections? Are machine errors generated which stop the tabulation process if the incorrect option is chosen?
If the stop on undervote/overvote for MAJOR contests is chosen, how does the tabulator distinguish between a major and non-major contest?
If single sheet scanning mode is ONLY for diagnostic purposes, why is the option made available for a GENERAL election? The tabulator “knows” at this point that this is a GENERAL election.
Why is it left up to the discretion of the admin to decide if MORE than one scan per batch is permitted, meaning they have the ability to add more votes to a batch after a STOP event?
Time stamp 0:08:30
If a tabulator is being used in the precinct, why would the configuration of that tabulator EVER permit scanning ballots WITHOUT the poll ID being specified to ensure that ballots from that precinct and ONLY that precinct are counted?
If the Poll ID is specified, does the machine create an error message if the user forgets to check the box on the scan options window specifying that ballots are linked to Poll IDs?
Time stamp 0:11:50
When the admin removes the iButton security key, the machine transitions to User Mode. Yet, the “User” is not required to log in to start counting the vote. On top of that, there are no individual user credentials to KNOW who that user is who is running the tabulator. Does this sound like a SECURE system?
Why is the admin not required to log back in when the user is done? The admin iButton can be re-applied without requiring any login with a password.
Time stamp 0:12:40
The Supervisor (technician) mode provides higher level access than admin to a technician running diagnostics on the machine.
Why can a technician get access to all the admin functions related to running an election that have been previously loaded by the County or approved by the County?
Why aren’t options related to diagnostics the ONLY options available to the technician?
Timestamp 0:14:00
Why is the Display Batch Results report, including the Zero report, generated in Notepad and not as a secure encrypted PDF that cannot be altered?
What would prevent a user from altering the Notepad report?
Timestamp 0:16:00
If there are recommended batch sizes for optimal performance of the machine, why are there NOT data validation rules in place to PREVENT entering a number LARGER than the machine's recommended range?
Timestamp 0:17:20
Why is it permitted to DELETE the scans of any BATCHES of ballots? Wouldn’t it be a better design, to INACTIVATE or QUARANTINE the prior scans? These are official election records after all.
Timestamp 0:16:45
The trainer here states that when scanning ballots “the wrong ones” can be scanned or “the ballots can be bypassed”. The solution is to have a manual reconciliation sheet.
Why is it necessary to have a MANUAL process for a simple reconciliation of ballots counted instead of having an automated report that is error free?
How is it possible that the system is not designed to prevent scanning “the wrong ones” or accidentally “bypassing” ballots?
Timestamp 0:18:00
The scanner scans faster than the tabulator software can count. Therefore, if there is an exception, such as a write-in candidate, more ballots have gone through the scanner than have been counted.
Why isn’t the software designed to count and scan at the same rate so that the user does not have to manually count back the number of ballots that need to be re-processed through the system?
What types of technical controls are in place to ensure that more or fewer ballots cannot be re-processed?
What happens if the scanner detects an exception but upon review of the ballot, no exceptions are detected by the poll worker, either because the scanner did not function correctly OR because the poll worker did not see the exception on the physical ballot (i.e., looking at the wrong ballot, visually missed the exception, etc.)?
Because the buffer is about 5 ballots, the software is NOT configured to detect MORE than one exception at a time in the buffered group. Therefore the same buffered group has to be scanned multiple times to detect exceptions within the same buffered group.
Why is the software NOT configured to detect more than one exception at a time?
Why is it possible for an admin to potentially disenfranchise a voter by setting the flag to “disregard an ambiguous mark” and thus have the machine ignore a mark which a manual adjudication may actually count as a vote?
Why is it possible to run different batches with different settings than the prior batch? This effectively treats the counting of ballots differently for different groups from batch to batch.
Timestamp 0:34:00
Why is it possible to delete a batch of scanned ballots? Unless a manual paper ballot control sheet is used, deletion leaves no record of which batch and poll ID were scanned, so there is no way to reconcile that the user made a mistake and to ENSURE that the batch is re-scanned later.
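The alternative raised in these questions, quarantining a batch instead of deleting it, can be made concrete with an added sketch (not the tabulator's actual design or data format): an append-only, hash-chained batch history that names the individual operator, lists quarantined batches still awaiting a re-scan, and refuses a second scan of a batch that is still active. Operator IDs, poll IDs and batch IDs are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64

def _link(prev, event):
    # Each entry's hash covers the previous hash, chaining the history.
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

class BatchLedger:
    def __init__(self):
        self.entries = []

    def _append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": _link(prev, event)})

    def status(self):
        """Replay the history: batch id -> 'active' or 'quarantined'."""
        state = {}
        for entry in self.entries:
            ev = entry["event"]
            state[ev["batch"]] = "active" if ev["type"] == "scan" else "quarantined"
        return state

    def record_scan(self, operator, poll_id, batch, ballots):
        if self.status().get(batch) == "active":
            raise ValueError("batch already scanned; quarantine it before re-scanning")
        self._append({"type": "scan", "operator": operator, "poll_id": poll_id,
                      "batch": batch, "ballots": ballots})

    def quarantine(self, operator, batch, reason):
        if self.status().get(batch) != "active":
            raise ValueError("no active batch with that id")
        self._append({"type": "quarantine", "operator": operator,
                      "batch": batch, "reason": reason})

    def pending_rescan(self):
        # Quarantined batches that have not been scanned again yet.
        return sorted(b for b, s in self.status().items() if s == "quarantined")

    def verify(self):
        """False if any stored entry was edited or removed after the fact."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or _link(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

Because nothing is ever removed, a bad batch stays visible in `pending_rescan()` until it is scanned again, and `verify()` returns `False` if an earlier entry is altered.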
Timestamp 0:43:00
The final reconciliation is based on the number of ballots to be scanned in the precinct and the number of ballots actually scanned. There is no verification that the VOTES were counted correctly in the batch. Why isn’t a vote verification included as part of the batch verification?
Timestamp 0:45:30
Why are there no technical controls to prevent a poll worker from rescanning a batch of ballots that have already been scanned?
Why is it permitted for an operator to DELETE the version of an election PROJECT throughout the day and replace it with a prior version, should an operator make a mistake and accidentally accept a bad batch?
What is done with official election data backups that are made throughout the day and saved to an external drive?
What is to prevent a poll worker from deleting the entire election project without having a backup copy?
What is to prevent a poll worker from restoring the incorrect backup of an election project directory?
What is to prevent a poll worker from clearing the recycle bin on the machine and losing an incorrectly deleted election project?
What is to prevent a poll worker from renaming any of the directories in the project, which would render the machine unusable?
Timestamp 0:50:00
What is to prevent a poll worker from restoring the incorrect election project from a backup, then CLOSING the tabulator and sending the results to TALLY without all of the batches counted?
Why is it permitted that the poll worker can browse the results folder and “accidentally” delete a batch of results or replace the results with a copy from the backup folder?
Timestamp 0:52:00
What is to prevent the poll worker from uploading different TALLY files to the local accumulation system and the County, since the poll worker is manually copying and pasting data for this step?
Timestamp 0:54:00
Why is it permitted for a user to manually configure a report header? What controls are in place to prevent the user from misconfiguring a report header?
After a report header is configured on the report, it opens in NOTEPAD. What is to prevent a poll worker from editing the report in NOTEPAD?
Timestamp 0:59:00
What technical controls exist to prevent a poll worker from deleting a previous election project prior to restoring a new election configuration file on the tabulator?
Thank you for your posts. Interesting stuff! Keep up the good work.