Illegal Access to Possibly Illegal Tabulation?

Following are two issues concerning illegal access and possibly illegal tabulation that can be raised involving Clear Ballot, plus one way to uncover illegal/unauthorized access to tabulated results with the Clear Ballot system.

• 1. Tabulation occurs as ballots are scanned
• 2. Scan server can be directly accessed by admindb
• 3. Activity Logs can be used to disclose illegal activity/unauthorized access

Tabulation

According to state law tabulation cannot happen until after 8PM on election day.
RCW 29A.40.110
“Processing incoming ballots.
(1) The opening and subsequent processing of return envelopes for any primary or election may begin upon receipt. The tabulation of absentee ballots must not commence until after 8:00 p.m. on the day of the primary or election. …”

According to ClearVote 2.1 ClearCount Functionality Description, 3.4 Activating a ballot-counting device:
“In the ClearCount system, activating the ballot-counting device takes place when the scanner operator scans the first batch of ballots, starting with its target card. As cards are scanned on a ScanStation, the Tabulator instance counts and records the votes.”

This means that tabulation occurs when the ballots are scanned prior to election day and up to 8PM on election day seemingly in violation of the law. The following documentation deals with a feature in the tabulation software that is used to claim that tabulation doesn’t occur until after 8PM on election day.

ClearCount Election Administration Guide:

“1.3.14 Displaying vote totals.
The ClearCount system automatically disables the display of vote totals when you create an election.
To display vote totals:

1. Access the Election Administration page and locate the election with the totals you want to display.
2. In the Display Vote Totals column, click the current setting (disabled). The Allow Display of Vote
   Totals dialog appears.

3. Click the Display Vote Totals drop-down list and select Enabled. A message asks if you are sure you want to display vote totals.

4. Confirm that you want to display vote totals by entering your password and clicking Save. A confirmation message appears at the top of the Election Administration page. Only the ClearCount web reports are affected by this setting. See the ClearCount Reporting Guide for more information.”

Now mind you, that feature can arguably be used to claim that tabulation isn’t done until after 8PM on election day as the featured is disabled by default. However, technically tabulation is done when scanning occurs, as is clearly indicated in the already pointed out above ClearVote 2.1 ClearCount Functionality Description manual, and is arguably in violation of the above mentioned RCW on tabulation. Furthermore, some problems with relying on this feature is that it only requires one admindb to enable the feature at any time pre-election day. Also the tabulation of pre-election day scanned ballots resides on the scan server and therefor incentivizes hackers and nefarious vendor/election employees to gain access to the scan server.

Directly Accessing Scan Server

According to ClearCount Election Preparation and Installation Guide, 3.4 Hardening the ScanServer computer:
“The ScanServer computer is an Ubuntu Linux server that is configured as an appliance. After the ClearCount software has been installed, there is no need for any direct access to the ScanServer computer (other than during a support call with Clear Ballot). All normal pre-election, election, and postelection access to the ScanServer computer is by remote connection from the ScanStation computers or election administration station computers, all of which are running on authenticated Microsoft Windows workstations.

The Ubuntu Linux operating system requires at least one administrator account. Clear Ballot conforms to this requirement by allowing jurisdictions to create an administrator account with a password of their own choosing. Clear Ballot requires that the password that is created during installation be secured. The administrator account is never used, except as needed by Clear Ballot to diagnose a problem or reinstall the software. (Reinstallation completely replaces the software. All accounts initialized by the installation procedure must be recreated.) To verify compliance with this no-use policy, logins and logouts to the Linux server, if any, are recorded to the web activity log.

Clear Ballot recommends that you institute a policy of recording all logins to the ScanServer computer using the ScanServer Access Log located in the ClearCount Election Administration Guide. If any unexpected logins to the ScanServer computer appear in the web activity log, the system might be compromised. Alert the appropriate authorities for your jurisdiction and investigate the nature of these unexpected logins. To completely harden the ScanServer computer, you must restrict access to the BIOS.”

Also ClearCount Functionality Description 1.4.6.1 Linux system monitoring states:
“The ScanServer creates a default Linux administrative account during installation. As documented, this account should be used only if the jurisdiction is instructed to do so by Clear Ballot Technical Support for debugging purposes. This account is not required or used for normal electoral tasks.

The ClearCount web activity log captures events related to the ScanServer, including a user opening or closing a session or any authentication failure. To monitor ScanServer access in the web activity log, the user sorts on the Source column and looks for Linux entries.”

In the last paragraph of “3.4 Hardening the ScanServer computer” the ScanServer Access log that it mentions is a paper log for tracking logins directed by Clear Ballot technical support since according to the above documentation that is the only time the scan server should be directly logged into. If that is the case, it would be easy to identify when the system is being compromised as long as the ScanServer Access Log is being faithfully recorded. However even if the log is not being kept at all, it should still be relatively easy from the web activity log mentioned above to identify unauthorized access since direct access should only happen on rare occasions.

Web Activity Log

From above cited ClearCount Election Administration Guide: 1.3.14 Displaying vote totals:

• “4 … Only the ClearCount web reports are affected by this setting. …”

From above cited ClearCount Election Preparation and Installation Guide, 3.4 Hardening the ScanServer computer:

• Second paragraph. “… To verify compliance with this no-use policy, logins and logouts to the Linux server, if any, are recorded to the web activity log.”
• Third paragraph. “… If any unexpected logins to the ScanServer computer appear in the web activity log, the system might be compromised. …”

Web Activity Log Example

The table above gives an idea of what the log looks like. For Display Vote Totals from the message in the Message column it’s clear that the log is detailing when the feature is turned on or off. So if the featured is turned on any day before or on election day before 8PM that would possibly show illegal activity.

However, for direct access to the ScanServer the message is a bit cryptic and would need some investigation as to what exactly the log is detailing about direct access to the ScanServer.

In light of the issues raised above along with the myriad of other issues that have been documented in this website and from other investigations concerning the use of machines to conduct elections, it seems evident that people around the nation should join together and make their voices heard to get rid of the arguably highly vulnerable machine centered election system and to go back to one day in person voting with small precincts with only limited exceptions for absentee ballots.

Read about other concerns we have with the machines HERE and HERE.