BBV: AZ awards HAVA contract to Diebold; call to action

Sorry to be the bearer of bad tidings, but as of last week, despite our best efforts, Arizona Secretary of State Jan Brewer (R) awarded Arizona's single source $53 million HAVA contract for opti-scan and DRE systems to Diebold, Inc.

Knocked me down for a bit but then I realized she may have played into our hands, because the award violates the state requirements published in the State's Request for Proposal (RFP). In it, a section on Security (item 5.4.7.3) asks: “Has the system experienced any security-related exposures? If so, describe the exposures and what corrections were made."

Consider:
A. The Diebold system has suffered security related exposure by having the GEMS source code copied off an unprotected Diebold website and spread all over the internet, and by having the undocumented and possibly illegal back door access and audit trail editing capabilities embedded in the GEMS source code exposed and widely published in the Harris reports.
B. The only acceptable correction to that sort of security exposure would be a rewrite of the code and a recertification to 2002 (as mandated by HAVA) standards.
C. There has not been sufficient time between the occurance of these security exposures and the award of the Arizona contract to allow for that rewrite of the source code and recertification. Therefore, either
D. Diebold did not disclose the security exposures as required by the RFP; or
E. Arizona Secretary of State Jan Brewer awarded the contract to Diebold knowing about the security exposures but not requiring adequate corrections. If this is the case, she is in violation of her oath of office to protect the voting franchise of Arizona citizens. If we give her the benefit of the doubt and say Diebold didn't disclose, then we have a $53 million dollar consumer fraud case.

The following quotes come from the website of Arizona Attorney General Terry Goddard (D):
http://www.attorneygeneral.state.az.us/
"Consumer Protection: Consumer fraud, as defined by Arizona law, is any deception, false statement, false pretense, false promise or misrepresentation made by a seller or advertiser of merchandise. In addition, concealment, suppression or failure to disclose a material fact may be consumer fraud if it is done with the intent that others rely on such concealment, suppression or nondisclosure. Merchandise may include any objects, wares, goods, commodities, intangibles, real estate or services....A private citizen can also bring an action for a violation of the Consumer Fraud Act within one year from the date the claim arises."

As an elected official, the Secretary of State is operating on my behalf (and the behalf of all Arizona citizens) in making the purchase of these machines and software to record and count our votes. That gives me all the standing I need (or any Arizona citizen needs) to lodge a consumer fraud complaint against Diebold, and request an investigation of how Secretary of State Brewer awarded the contract.

In either case, if Diebold did not disclose, or if they disclosed and did not correct, we find them engaged in "false statement, false pretense, false promise or misrepresentation made by a seller" as well as "concealment, suppression, and failure to disclose a material fact." These are offenses against the Arizona citizens on whose behalf these systems are being purchased. The only question is whether the Secretary of State was also deceived, or whether she became part of the deception of Arizona voters about the nature of the security exposures and flaws in the Diebold systems.

Last month, during the gasoline shortage in Phoenix, between three and four hundred complaints to the Attorney General about price gouging triggered a full investigation and the drafting and introduction of anti-gouging legislation.

It is my intention to do everything possible to generate more than that number of consumer fraud complaints against Diebold. If you are an Arizona citizen, you have standing to file the complaint. If you know anyone who lives in Arizona and who cares, they have standing to file a complaint. If you want to help, here is the link to the complaint form:
http://www.attorneygeneral.state.az.us/consumer/compformintro.html
Click on: INSTRUCTIONS FOR FILING A COMPLAINT FORM IN ENGLISH
It is a PDF file and you can print out the form. On the top right of the form it asks for Name, Address and Phone Number of the company you are complaining against. In this case it is:
Diebold, Incorporated
5995 Mayfair Road
P.O. Box 3077
North Canton, Ohio USA 44720-8077
1-330-490-4000

Fill out the rest of the form as appropriate (where not applicable just mark N/A) and where it asks you to detail your complaint, refer them to an attached page. What follows is wording you can use, printed on a page you will attach to the complaint form.

"During the week ending September 6, 2003, Arizona Secretary of State Jan Brewer awarded a $53 million single source contract for HAVA mandated voting machine systems and software to Diebold, Inc. This contract is being executed on my behalf as an Arizona citizen and taxpayer by the Secretary of State. In the Request for Proposal (RFP) that led to the contract award, a section on Security (item 5.4.7.3.) asks: "Has the system experienced any security-related exposures? If so, describe the exposures and what corrections were made." In fact, Diebold voting software has suffered two grievous security exposures. The source code for their GEMS vote counting software was posted on an unprotected Diebold website from which it was copied to numerous public locations across the internet. Subsequent investigations into the code revealed hidden back doors into the software and ways to change vote totals and alter the audit trail to erase any evidence of tampering built into the code. Full copies of the software with full instructions on how to exploit these security holes are available at:
http://www.equalccw.com/dieboldtestnotes.htm
The only acceptable correction for such security exposures would be rewriting the software and having it recertified to 2002 (as mandated by HAVA) standards. The time between the exposures and the award of the contract is not adequate for Diebold to have made necessary corrections. Therefore, either Diebold did not disclose the security exposures as required, or they did expose but the contract was awarded without any corrections. In either case, as an Arizona citizen, I find Diebold to be engaging in "false statement, false pretense, false promise or misrepresentation made by a seller" as well as "concealment, suppression, and failure to disclose a material fact."
The loss I will suffer if this contract is fully executed is my most precious civic possession; i.e., my vote. If I can not be even reasonably certain my vote is being counted accurately and without manipulation, my vote is rendered worse than meaningless, it becomes a charade to prop up illegitimately aquired power."

Sign the form, put it in an envelope with a stamp and drop it in the mail. I know it's a lot to ask, but if you live in Arizona and do it, you will be striking a blow for the preservation of our freedom.

I have spent months working this problem through the system, relying on appointed and elected officials to do something about it. Nothing has been accomplished, so now I am going public with the struggle. If you live in Arizona, or know anyone who lives in Arizona, I need your help on this. I am asking for your help. There aren't too many arrows left in the quiver and we're running short of time here.

Gordon25

Arizona's a swing state, too (with a competitive race shaping up in AZ-1).

This is insane!

It is one of the few options we have left but so far have found no one with the thousands of bucks necessary to try to get an injunction. All the progressive attorney's are too hard pressed financially to do it pro bono. If the Attoney General fails to act, it will be what we will have to focus on. (Damn, I hate fund raising.) We may not win this thing but Diebold's going to know they've been in a fight.
Gordon25

All the progressive attorney's are too hard pressed financially to do it pro bono.

Gordon, if anyone can convice a lawyer (or a couple of them) to get on this pro bono, it would seem to be you! I know a couple very good lawyers who are also progressive democrats, but they are in Minnesota and New York. Should I ask them if they know any in Arizona?

If I understand you right, you think you know how you might be able to turn this aside, but need some lawyers to help carry it out?

Seems lots of DUers should have lawyer friends/business associates, if they aren't a lawyer themselves. Have you tried posting a thread specifically asking for laywers in the title?

...ask them. Specifically in the Tucson area if possible, although Phoenix is only a couple hours away so there would be ok too.
"If I understand you right, you think you know how you might be able to turn this aside, but need some lawyers to help carry it out?"

Even just one would do. We need someone willing to take on filing a suit against the Secretary of State seeking an injunction preventing her from executing the contract as awarded based on the fact it was fraudulently awarded. Oh, and it would really be nice for it to be on a full or partial pro bono basis.

At its core, the basis of the argument is this: the State Request for Proposal asks that any "security-related exposures" which have occured with the offered system be disclosed along with any corrective actions taken. The security exposures which have occured (source code and hacking instructions on the internet) demand rewrite and recertification of software. They haven't had time to do that. Ergo, either they disclosed and the Secretary of State awarded them the contract without requiring correction, or they didn't disclose. In either case their actions fall under the definition of consumer fraud in Arizona.

Diebold would probably argue that "security related exposures" means actual proof that someone took advantage of security flaws in the code to fraudlently influence an election.

But if they do argue this, they will be forced to explain in court how having their source code on the internet with instructions on how to hack it and alter election results invisibly does not constitute a security related failure. It opens the door to bring up all the Diebold presentations in their bid submission regarding the security and safety of the system, and introduce into court under the "fair use" doctrine Jim Marsh so eloquently has summarized on his website all of the security flaws found in the code to date.

It's not a particularly easy case, but it is one that will get a lot of public backing, and the lawyer bringing the case can count on a lot of press coverage and looking like a hero because there is a whole list of Arizona officials detailed in my post above who have been educated on this issue and have failed to act.

Finally, I haven't posted a call asking for lawyers in the title, but that is a good idea.

Gordon25

It is difficult to find lawyers who can get their minds around this. Their is a complex interconnection of elements and disciplines required to get a handle on things.

And then, there is a worry about going up against big money, which appears to be behind this.

I spent hours today with two lawyers, with a headache after.

I spent months briefing four attorneys, and they are now really catching on. One is tops in english. Another is tops in science and computers, and is really out there. Another has a wit so pointed, you tend to look down when he speaks. Another is versatile.

And yet, these lawyers are after three others that didn't work out...

That's seven lawyers! And no help from the ACLU, which is oddly out of the picture.

And don't forget, the wheels of justice are slooooow,which is at odds with our "I want it now" culture.

Dan Spillane
Spillane vs. .........
King County Superior Court

Kudos to Gordon25 for giving AZ residents their voice in Democracy. I only wished I could participate myself, but am not an AZ resident.

Give your SOS a call if you haven't already.

Not in AZ but I'd sign on whole hog if I could.

Contact your local elections board give the all the details .
Contact them everyday if needed get heard ...

I wish AZ the best

Now I've got Brewer, Goddard, Johnson, Pearce, and Anderson to add to my calling list.

I'll start pounding the papers with letters, etc, and try to get the AZ Dem Party to care about this.

Sal in Mesa

How could the SOS pick a system with known vulnerability (The Hopkins Report) and still under investigation in Maryland? Did she expect SAIC to give Diebold thumbs up?

Regardless, it looks recklessly premature to grant the bid to Diebold with all of the above outstanding.

Apparently Brewer is trying to walk the fence because this statement was included with the press release <http://www.sosaz.com/releases/>.

"Secretary Brewer was heartened with the comprehensive solution put forward by Diebold Election Systems that includes optical scan tabulating and touch screen voting equipment for use in each polling place. However, Brewer is quick to point out that her State Plan adopted earlier this year, refrains from purchasing touch screen voting systems until 2005.

"Federal funding for touch screen voting is not expected until at least 2005, and I think we need to take a conservative approach to introducing this new voting technology," stated Secretary Brewer, "I want to bring all counties in Arizona onto a level playing field with optical scan, and work out the kinks with touch screens before we venture forward with other types of voting devices."

Montebank - You may be right. I've believed all along that the Rubin report was a straw man designed to distract attention from the far more greivous flaws in the GEMS vote counting software used for both the DRE's and the optical scan systems. These are the flaws Bev exposed in her original story on Scoop. If you've followed events, you probably noticed that Diebold posted a detailed, line by line response to the Rubin report. But to my knowledge they have never made a public response to Bev's reports. So Jan Brewer may be walking the public relations tight rope being stretched out for her by Diebold. If so, I don't envy her. There's no net and there's a mighty wind a comin'.

Gordon25

I fear this whole issue, and in particular, the accountability of those involved, is completely up in the air.

In a chaotic stage where ethically obscene things happen.

Hey, Sal, thanks for the help. More info for you. Below is the text of a letter we sent over a month ago. Also, see our committee report here:
http://www.pimademocrats.org/votingreport/votingintegrity.htm
Let me know if you get any media interest. I am trying the same here in Tucson. If we could get Jim Pederson on board it would sure help. Note our cc list on the letter.

Pima County Democratic Party
Committee on Pima County Electronic & Computerized
Vote Counting Procedures & Safeguards
c/o Pima County Democratic Party Headquarters
4639 E. 1st St., Tucson, AZ 85717
August 10, 2003

Representative Ben Miranda
Democratic Ranking Member, Judiciary Committee
Arizona House of Representatives
1700 W. Washington Street, Ste. H
Phoenix, AZ 85007-2844
Attachments:
A. Request for Proposal: OCR and DRE Voting Equipment -- Statewide: Solicitation No.: AD030150
B. Hopkins Report (http://avirubin.com/vote.pdf)
C. Harris Report (http://www.scoop.co.nz/mason/stories/HL0307/S00065.htm)
D. Report on Pima County Electronic Vote Counting Procedures & Safeguards (http://www.pimademocrats.org/votingreport/votingintegrity.htm)
E. Certification process problems
F. Hopkins response to Diebold rebuttal. (http://avirubin.com/vote/response.html)

Dear Representative Miranda,
We are writing to express our deep concerns about the Request for Proposal: OCR and DRE Voting Equipment -- Statewide: Solicitation No.: AD030150 (Attachment A), and to recommend urgently needed legislative changes in Arizona election law to improve election security. Submissions for the RFP were due July 28, 2003, and the systems to be purchased are slated to be in place and operational by the February 2004 Presidential Primaries. Hence, these matters are timely and important.
There are four areas of concern:
1. Currently there are no election systems available that comply with the 2002 Federal Election Standards.
2. Diebold, Inc. is a finalist bidder on the RFP. Two recently released reports have exposed serious security holes in the Diebold election software already in use in Arizona and now being offered in response to the RFP.
3. Legislative reform of Arizona election law is urgently needed to ensure the integrity of future Arizona elections.
4. Emergency measures are required to protect the integrity of any elections conducted on Diebold software in the near term.
Allow us to discuss these issues in turn.
1. Lack of Compliance with 2002 Federal Election Standards. The RFP states that the new equipment and software must comply with the 2002 Help America Vote Act (HAVA). HAVA adopted, as voluntary guidelines, the 2002 Federal Election Standards. The list of election systems found on the National Association of State Elections Directors (NASED) web site only includes systems qualified under the old 1990 standards, which are obsolete, especially with respect to election security. There are currently no systems available that comply with the 2002 Federal Standards. It makes no sense for the State of Arizona to pay tens of millions of dollars for software that is not state-of-the-art and does not comply with the latest standards.
2. Diebold Election Software Security Flaws. HAVA RFP item 5.4.7.3, concerning security, asks: “Has the system experienced any security-related exposures? If so, describe the exposures and what corrections were made." The Hopkins Report (Attachment B) and the Harris Report (Attachment C) have recently exposed serious security flaws in Diebold election software. Both studies came about because of a security failure at Diebold that resulted in software source code and other supporting files being available for months on an unprotected Internet web site. Although the site has since shut down, the software was copied to numerous public sites.
The Hopkins report focuses on Direct Recording Electronic (DRE) touch-screen systems, revealing multiple serious security flaws. Diebold issued a rebuttal but the Hopkins researchers say it often misses the point and does not address many of the report’s most serious findings. (See Attachment F: Hopkin’s Response to Diebold rebuttal). Diebold admits that some of the problems described in the original Hopkins report do exist with the system.
The Harris report addresses the Global Election Management System (GEMS) software used at multiple locations in Arizona in conjunction with Diebold’s optical scan system. The Harris Report found hidden backdoors, multiple sets of vote total “books” being kept, and code containing a way to change the audit trail. An audit trail is supposed to automatically log any activity and any change, and is promoted by Diebold as proof its system is secure. The inclusion of code to allow one to alter the vote totals and erase any evidence of having done so, is so far out of compliance with NASED standards and basic programming security protocol that its mere presence calls for an official investigation into how the Diebold system ever got certified in the first place.
Diebold has not issued any statement on the Harris report.
Without detailed public disclosure of the full nature and extent of these security breaches, and detailed proof of successful implementation of remedies, we strongly believe that Diebold’s bid should be disqualified. Further, we believe Diebold software currently in use in Arizona should be temporarily decertified until fully re-qualified under 2002 Federal Standards. Any elections required prior to such replacement could be issued special permits from the SoS to use the current Diebold system if the emergency security measures described below are used.
Further, in light of questions and concerns raised in this letter, we strongly recommend a thorough review of all vendor proposals with respect to election security and integrity, the rejection of any not producing voter-verified paper ballots, and the delay of any procurements until vendors and testing authorities can demonstrate the integrity of their systems.
3. Legislation Needed to Improve Security. Our report on election safeguards in Pima County (Attachment D) called for certain legislative reforms. We feel those listed below are the minimum required to ensure the integrity of the vote in future Arizona elections in the face of the new threats and challenges posed by technological developments.
A) Arizona law (ARS 16-444, A6) requires electronic voting systems to record votes on a paper ballot. Legislation is needed to require that the ballot be voter-verified. With the optical scan system, the ballot is already voter-verified, but this would not be the case with a DRE device (touch screen), unless it prints a paper ballot that is then voter-verified on the spot and placed in a secure box to be used for manual counts and recounts. Without a voter-verified paper ballot, there is no way to do a valid recount, electronic or manual.
B) Make the voter-verified paper ballot the legal document of record in all elections. Currently, ARS Title 16 makes the machine count the document of record.
C) Require manual counts in a sufficient number of precincts to establish a high likelihood of detecting scanning and counting errors, or fraudulent manipulation. This would probably entail a count of no more than ten to fifteen percent of the precincts.
D) Allow candidates to obtain manual counts and/or recounts at their own, or their campaign’s, expense.
Items C and D provide strong disincentives to electronic tampering. It is worth noting that Rep. Holt (D-NJ) introduced H.R. 2239, the Voter Confidence and Increased Accessibility Act of 2003 which would amend HAVA to require a paper record of votes, bans the use of undisclosed software, and calls for mandatory hand counts in a small fraction of jurisdictions. It now has 29 co-sponsors.
4) Emergency Measures for Near Term Elections. Tucson has city elections coming up in September and November. Other cities in Arizona using Diebold systems may be facing similar elections. It is important to safeguard the integrity of these elections as best we can. Although we believe the existing Diebold software should not have been certified, and that, in the wake of recent public disclosures about its flaws, it will almost certainly have to be decertified, we believe there is a way to work around the deficiencies in the near term. The following two procedures plug the holes we know to exist, and if implemented, will provide an acceptable temporary measure of election security:
For each polling place and each candidate or issue in each race, compare the polling machine paper summary tally with the final output of the GEMS system (equivalent to a canvass). This procedure checks GEMS as well as the electronic communications between polling places and GEMS.
Perform manual ballot counts in a small fraction (say 10-15%) of polling places to validate the polling machine summary tallies. This procedure checks the optical scanner and its vote accumulation software. With these two measures, we can significantly increase the chance of detecting tampering.
Recent reports on Diebold software have shown weaknesses in software security, but more importantly, they have revealed weaknesses in the procedures set up to certify election software (See Attachment E). Arizona voters can no longer be sure any NASED-qualified election system is secure and accurate. Such a state of affairs calls out for prompt and thorough reform.
Without decertification of Diebold software and recertification to 2002 Federal Standards, and without legislative reform as called for in our report, along with significant reform of the certification process; the emergency measures we are suggesting here equate to no more than a temporary fix at best. The lure of the treasure we are trying to keep safe is very strong. Do we really want to trust our national heritage to jury-rigged election systems? And do we really want to spend tens of millions of taxpayer dollars on inferior products?
We urge expeditious action on these matters. Please contact us for additional information.

Sincerely Yours,
Pima County Democratic Party
Committee on Electronic and Computerized Vote Counting Procedures and Safeguards

(names deleted because I don't have permission to post them)

CC’s:
Arizona Governor Janet Napolitano
Arizona Attorney General Terry Goddard
Arizona Secretary of State Jan Brewer
Arizona State Director of Elections
California Secretary of State
Chairman, Arizona State Democratic Party
Chairman, Pima County Democratic Party
Pima County Recorder
Pima County Director of Elections
Pima County Board of Supervisors
Tucson Director of Elections
Tucson City Council

These machines were not "mandated". If I read HAVA correctly, congress has agreed to partially finance the cost of buying these in counties where old style machines are still being used. Most of the news articles I see say either they were "required" or "mandated". If your SOS is implying that AZ has to do this to be in compliance, then she/he misleading the public. The 2003 budget has only 1.3 billion for this project. The 2004 budget amount is to go for "training". Lesson to be learned from Bush Admin is they never fund what they promise and the counties are going to wind up with a bill they can't afford to pay for machines they don't need.
You need to insist that the agreement for these be made public.
The counties are going to get stiffed on this and no one will realize it until the SOS has gone on to be a Senator or Rep.
Talk money to the voters.....it seems to be the one thing they all can understand.

:argh:

...in Arizona because the state legislature passed the state HAVA legislation which would have qualified the state for the federal money, but the Republicans attached an ammendment requiring two pieces of picture ID at the polls to be allowed to vote. On the basis of that, Governor Napolitano (D) vetoed the bill, forcing the state to appropriate the fifty-three million out of the state general fund. No federal money coming this way. That makes it even more personal to Arizonans because it is all their tax money being spent at a time of desperate budget shortfalls and social program cutbacks. You are right about the money, and that is what I will be stressing with the press. A fifty three million dollar waste of tax payer money. I learned a long time ago, if you want something covered in the paper you need one or more of six things: big money, big names, violence, sex, wrongdoing or conflict.

Gordon25

I will put this out on my email list... ASAP


Double damn !!!

Peace
DR

That's great Desertrose. PM me if I can help in any way. By the way, see my post above with the letter we sent out for more ammunition.

Gordon25

Incredible work and great legal follow-through.

Thank you again and keep us posted Gordon.

:kick: FINALLY out of the 700 club - thought I was going to be there forever..

yesterday to give to a state Rep here. I thought it was so well done and explained things better than I could. Will give it to him this week and tell him he best get on the ball before our SOS makes the same mistake.

:kick:

...you might want to pass on the text of the letter in my post above to Sal316: "Welcome aboard". It was an attempt to reduce the concerns to a three page letter for legislators, and contains some information on the Harris and Rubin studies which broke after our report was written. Thanks for what you are doing.
Gordon25

Thanks, Gordon
Will pass it on....

But we have to never give up on this. YOU know how important it is.

Eloriel

Please identify.

Dan

...our committee report here:
http://www.pimademocrats.org/votingreport/votingintegrity.htm

Don't know whether or not we've met.

Gordon25

I've bookmarked this thread to do followup tomorrow.

Thanks for the heads up.


:dem:

...I will presume on my former acquaintance with Terry G and write him a letter.

MY Pima YD's saved his dad's election to State Democratic Chair, O those many years ago, (I think '82).

Keep it kicked.

you might get some activist people willing to help who don't read DU.

Post it there. The more places we can get it out the better.
Thanks.
Gordon25

it went first to Global News, but someone moved it over to local news where more eyeballs will see it.

http://arizona.indymedia.org/

http://arizona.indymedia.org/news/2003/09/12077.php

This will get us a lot more attention I'm sure. Got some more things cooking. If they turn out I'll try to get Arizona IndyMedia some kind of scoop. You want to be the correspondent on the story? If so, PM me and I'll fill in some details.
Gordon25

keep this kicked
:kick:

Peace
DR

Kick!

for more AZers.

:kick:

Just contacted friends in Green Valley, Patagonia and surrounding area - they are just getting their feet, wet but are mad as hell.

...get them all together some evening in the Green Valley or Patagonia area (assuming they are interested) I would be happy to drive down and spend a couple hours getting them fully briefed on the issue. Can also refer them to our committee report online here:
http://www.pimademocrats.org/votingreport/votingintegrity.htm
Thanks for you help.
Gordon25

requirements are sufficiently rigorous, since it is basically impossible to certify that a computerized black box can do anything reliably. Your specific proposal is excellent.

the Harris and Rubin reports provide evidence that Diebold misrepresented it's product as secure. Depending on how a state's consumer fraud law is written, that could well be enough basis to file a consumer fraud complaint.

Gordon25