Election Administration Using Voting Machines Part 5 & 6 of 6
This is the final installment of a series. Here are Part 1, Part 2 and Part 3 & 4.
I have questions.
Perhaps there are reasonable answers to my questions.
If I were employed by a County, I would want answers to these questions, and as a voter, I expect that County officials at a minimum understand the answers and supervise the vendors.
Remember, we paid for these machines.
At the time of this writing, the videos linked below are publicly accessible. They are also archived on the Wayback Machine. The way to read this article is to have one window open with the video running and another with these questions.
The questions asked below are only based on the features demonstrated, not every feature available for use.
Decide for yourself if they are worth asking.
What additional questions do you have?
Timestamp 0:00:00
What credentials are used to log in to the machine where the Results Transfer Manager is located? Group or individual?
Before a compact flash (CF) is inserted into the reader, what technical controls are in place to ensure the CF is not infected with malware?
Timestamp 0:01:00
What credentials are used to log in to the Results Transfer Manager app itself to configure a transfer point?
In the transfer points window, there is a TCP/IP type server listed. Is this a server on the intranet?
Can this TCP/IP server be an external server?
Timestamp 0:01:50
What controls are in place to ensure that results are NOT being transferred automatically to a TCP/IP server during an election when the local jurisdiction does not permit it?
Why are CVR, logs and images available for automated transfer through RTM if they are intended to be transferred manually?
Timestamp 0:02:40
Why aren’t additional login credentials required to transfer results every time a NEW CF is plugged into the machine?
Where are the machine activities for RTM logged including who transferred results and what the destination of those results was?
Timestamp 0:03:00
Why would the user be permitted to transfer results to the County that are not official results?
What prevents a user from using, say, a fake compact flash that is not certified as being official election results, and transferring those results to the county?
Timestamp 0:03:30
What prevents a user from deciding to transfer results MANUALLY and NOT use the preconfigured automated transfer settings?
What prevents the transmission of MALWARE to the remote server if it were to exist on the CF?
Timestamp 0:00:00
What credentials are required to OPEN the Results Tally and Reporting interface?
Why are group credentials used to load an Election Project?
What would prevent a person from loading the wrong Election Project that they had “nefariously” created?
Are all of the actions taken by the admin recorded in a log or in an audit trail?
Timestamp 0:02:00
What technical or procedural controls exist to prevent an admin from misconfiguring the project settings?
If the settings are misconfigured, such as choosing “raw results” when it should not be chosen, does the system warn the user to configure the tally parameters correctly?
Timestamp 0:03:00
What is to prevent a user from indicating that all tabulators are closed when in fact, there are tabulators still counting in the precincts?
Once the tabulators are indicated as being closed, what is to prevent a user from re-opening the tabulators and starting the tally procedure again?
Timestamp 0:04:30
Using the card management option to obtain results, what are the procedural or technical controls that ensure that the cards used are the CORRECT cards from the tabulators?
What technical controls exist to ensure that the cards do not have malware on them prior to being inserted into the tally software?
What controls are in place to prevent a user from resetting a memory card on the load results menu when tallying final election results?
Why would it be OPTIONAL to load the ballot images and machine logs to the County as the official results? If the user forgets to check the box, these will not be uploaded from the cards.
Timestamp 0:05:50
If ballot images and log files ARE required to be uploaded (why wouldn’t they be?), ONLY the PRIMARY card has those data, not the backup card. Why does the “backup” card not have a complete “backup” of the election?
Why is there no indication or reconciliation that results from a tabulator have been uploaded ALREADY in the RTR? What would prevent a user from re-uploading another set of results after the tabulator has been closed?
Timestamp 0:07:30
When loading results from directories for central tabulators, what is to prevent the user from BROWSING to the wrong directory? Or a networked directory?
What is to prevent a user from not choosing ALL of the batches when loading results from a central tabulator since the files are being loaded manually?
What is to prevent a user from reloading a set of results from a previously loaded batch?
Why is it optional to load images and log files from the central tabulators results?
Why does the user have to manually reload the results for each results type from a batch (results, images and logs)? In other words, why can’t the user upload all results, images and logs for a batch or multiple batches at the same time?
Timestamp 0:10:20
What technical controls exist to ensure that the Automatic Result Loading is configured correctly and is at a minimum, pointing to the correct directory to pull results from?
Is the name of the person who configured the directory written to an audit trail?
Timestamp 0:11:50
What would prevent a user from loading results via the automated method, then stopping the automated upload and reloading the same results with a manual method? In other words, would the manual method OVERWRITE the automated results upload?
Timestamp 0:14:00
When results are manually set to Validated and Published using the results and tally reporting, what is the validation logic that runs on the files? What does validated mean?
What credentials are required to be able to validate and publish results?
What reconciliation controls exist to ensure that all results that need to be published from all precincts are actually published?
Timestamp 0:16:00
When rejecting results, why is it not required to indicate WHO is rejecting the results and provide a reason written to an audit trail about why those results have been rejected?
Why are REJECTED results permitted to be deleted, particularly because there was no reason provided as to why they were deleted in the first place?
Timestamp 0:20:00
How are manually entered election results tied back to the actual results from the tabulator? What proof, from an auditability standpoint, is attached to the record of manually entered results to show they matched the actual results?
Why is there no authentication associated with the entry of manual results?
Why is it not required that a reason be entered as to why results were manually entered?
Timestamp 0:23:00
When adding qualified write-in names, why am I presented with the option to delete candidates who are NOT write-ins and were originally added to the election project?
What is the consequence of deleting a non-write-in candidate from the list of candidates?
Timestamp 0:26:00
Why does the system overwrite the prior backup instead of making an incremental backup?
What is to prevent a user from going to the C: drive and deleting the backup file altogether?
If a backup file is deleted or overwritten, why is there no record of who ran that option?
Timestamp 0:30:00
When purging results after an election, why is there no confirmation step that the election has been backed up?
Why is there no authentication required to purge election results?
Why is there no technical control in place to ensure that all backups have been made prior to purging election data?
What controls are in place to ensure that the PURGED data actually matches in total the actual last made backup of the election?
Why is PURGING permitted in any event? It would be simple enough, for example, to make the election READ ONLY and mark it as COMPLETE.