International Endowment for Democracy
www.internationalendowmentfordemocracy.org or www.iefd.org

Consumer Protection for Elections

from www.blackboxvoting.org/
November 2004

BREAKING NEWS: New information indicates that hackers may have targeted the central computers that are counting our votes.




Voting without auditing. (Are we insane?)

SEATTLE, WASHINGTON Nov 3 2004—Did the voting machines trump exit polls? There's a way to find out.

Black Box Voting (.ORG) is conducting the largest Freedom of Information action in history. At 8:30 p.m. Election Night, Black Box Voting blanketed the U.S. with the first in a series of public records requests, to obtain internal computer logs and other documents from 3,000 individual counties and townships. Networks called the election before anyone bothered to perform even the most rudimentary audit.

America: We have permission to say No to this. It is our right.

We call on every candidate not to concede. Don't play along. It is your right.

Among the first requests sent to counties (with all kinds of voting systems—optical scan, touch-screen, and punch card) is a formal records request for internal audit logs, polling place results slips, modem transmission logs, and computer trouble slips.

Such a request filed in King County, Washington on Sept. 15, following the primary election six weeks ago, uncovered an internal audit log containing a three-hour deletion on election night; "trouble slips" revealing suspicious modem activity; and profound problems with security, including accidental disclosure of critically sensitive remote access information to poll workers, office personnel, and even, in a shocking blunder, to Black Box Voting activists.

Black Box Voting is a nonpartisan, nonprofit consumer protection group for elections. You may view the first volley of Freedom of Information requests here below.

Responses from public officials will be posted in the forum, organized by state and county, so that any news organization or citizens group has access to the information. Black Box Voting will assist in analysis, by providing expertise in evaluating the records. Watch for the records online; Black Box Voting will be posting the results as they come in. And by the way, these are not free. The more donations we get, the more FOIAs we are empowered to do. Time's a'wasting.

We look forward to seeing you participate in this process. Join us in evaluating the previously undisclosed inside information about how our voting system works.

Play a part in reclaiming transparency. It's the only way.





Public Records Request - November 2, 2004
From: Black Box Voting
To: Elections division

Pursuant to public records law and the spirit of fair, trustworthy, transparent elections, we request the following documents.

We are requesting these as a nonprofit, noncommercial group acting in the capacity of a news and consumer interest organization, and ask that if possible, the fees be waived for this request. If this is not possible, please let us know which records will be provided and the cost. Please provide records in electronic form, by e-mail, if possible - crew@blackboxvoting.org.

We realize you are very, very busy with the elections canvass. To the extent possible, we do ask that you expedite this request, since we are conducting consumer audits and time is of the essence.

We request the following records.

Item 1. All notes, emails, memos, and other communications pertaining to any and all problems experienced with the voting system, ballots, voter registration, or any component of your elections process, beginning October 12, through November 3, 2004.

Item 2. Copies of the results slips from all polling places for the Nov. 2, 2004 election. If you have more than one copy, we would like the copy that is signed by your poll workers and/or election judges.

Item 3: The internal audit log for each of your Unity, GEMS, WinEds, Hart Intercivic or other central tabulating machine. Because different manufacturers call this program by different names, for purposes of clarification we mean the programs that tally the composite of votes from all locations.

Item 4: If you are in the special category of having Diebold equipment, or the VTS or GEMS tabulator, we request the following additional audit logs:

a. The transmission logs for all votes, whether sent by modem or uploaded directly. You will find these logs in the GEMS menu under "Accuvote OS Server" and/or "Accuvote TS Server"

b. The "audit log" referred to in Item 3 for Diebold is found in the GEMS menu and is called "Audit Log"

c. All "Poster logs". These can be found in the GEMS menu under "poster" and also in the GEMS directory under Program Files, GEMS, Data, as a text file. Simply print this out and provide it.

d. Also in the Data file directory under Program Files, GEMS, Data, please provide any and all logs titled "CCLog," "PosterLog", and Pserver Log, and any logs found within the "Download," "Log," "Poster" or "Results" directories.

e. We are also requesting the Election Night Statement of Votes Cast, as of the time you stopped uploading polling place memory cards for the Nov. 2, 2004 election.

Item 5: We are requesting every iteration of every interim results report, from the time the polls close until 5 p.m. November 3.

Item 6: If you are in the special category of counties who have modems attached, whether or not they were used and whether or not they were turned on, we are requesting the following:

a. internal logs showing transmission times from each voting machine used in a polling place

b. The Windows Event Viewer log. You will find this in administrative tools, Event Viewer, and within that, print a copy of each log beginning October 12, 2004 through Nov. 3, 2004.

Item 7: All e-mails, letters, notes, and other correspondence between any employee of your elections division and any other person, pertaining to your voting system, any anomalies or problems with any component of the voting system, any written communications with vendors for any component of your voting system, and any records pertaining to upgrades, improvements, performance enhancement or any other changes to your voting system, between Oct. 12, 2004 and Nov. 3, 2004.

Item 8: So that we may efficiently clarify any questions pertaining to your specific county, please provide letterhead for the most recent non-confidential correspondence between your office and your county counsel, or, in lieu of this, just e-mail us the contact information for your county counsel.

Because time is of the essence, if you cannot provide all items, please provide them in increments as soon as you have them, and please notify us by telephone (206-335-7747) or email (Bevharrismail@aol.com) as soon as you have any portion of the above public records request available for review.

Thank you very much, and here's hoping for a smooth and simple canvass which works out perfectly for you. We very, very much appreciate your help with this, and we do realize how stressful this election has been.

If you need a local address, please let me know, and we will provide a local member for this public records request. In the interest of keeping your life simple, we thought it best to coordinate all records through one entity so that you don't get multiple local requests.





We now have evidence that certainly looks like altering a computerized voting system during a real election, and it happened just six weeks ago.

MONDAY Nov 1 2004: New information indicates that hackers may be targeting the central computers counting our votes tomorrow. All county elections officials who use modems to transfer votes from polling places to the central vote-counting server should disconnect the modems now.

There is no down side to removing the modems. Simply drive the vote cartridges from each polling place in to the central vote-counting location by car, instead of transmitting by modem. "Turning off" the modems may not be sufficient. Disconnect the central vote counting server from all modems, INCLUDING PHONE LINES, not just Internet.

In a very large county, this will add at most one hour to the vote-counting time, while offering significant protection from outside intrusion.

It appears that such an attack may already have taken place, in a primary election 6 weeks ago in King County, Washington—a large jurisdiction with over one million registered voters. Documents, including internal audit logs for the central vote-counting computer, along with modem "trouble slips" consistent with hacker activity, show that the system may have been hacked on Sept. 14, 2004. Three hours is now missing from the vote-counting computer's "audit log," an automatically generated record, similar to the black box in an airplane, which registers certain kinds of events.

COMPUTER FOLKS:

Here are the details about remote access vulnerability through the modem connecting polling place voting machines with the central vote-counting server in each county elections office. This applies specifically to all Diebold systems (1,000 counties and townships), and may also apply to other vendors. The prudent course of action is to disconnect all modems, since the downside is small and the danger is significant.

The central servers are installed on unpatched, open Windows computers and use RAS (Remote Access Server) to connect to the voting machines through telephone lines. Since RAS is not adequately protected, anyone in the world, even terrorists, who can figure out the server's phone number can change vote totals without being detected by observers.

The passwords in many locations are easily guessed, and the access phone numbers can be learned through social engineering or war dialing.

ELECTION OFFICIALS: The only way to protect tomorrow's election from this type of attack is to disconnect the servers from the modems now. Under some configurations, attacks by remote access are possible even if the modem appears to be turned off. The modem lines should be physically disconnected.

We obtained these documents through a public records request. The video was taken at a press conference held by the King County elections chief Friday Oct 29.

The audit log is a computer-generated automatic record similar to the "black box" in an airplane, that automatically records access to the Diebold GEMS central tabulator (unless, of course, you go into it in the clandestine way we demonstrated on September 22 in Washington DC at the National Press club.)

The central tabulator audit log is an FEC-required security feature. The kinds of things it detects are the kinds of things you might see if someone was tampering with the votes: Opening the vote file, previewing and/or printing interim results, altering candidate definitions (a method that can be used to flip votes).

Three hours is missing altogether from the Sept. 14 Washington State primary held six weeks ago.

Here is a copy of the GEMS audit log.

Note that all entries from 9:52 p.m. until 1:31 a.m. are missing.

One report that GEMS automatically puts in the audit log is the "summary report." This is the interim results report. We obtained the actual Sept. 14 summary reports, printed directly from the King County tabulator GEMS program, because we went there and watched on election night and collected these reports. These reports were also collected by party observers, candidates, and were on the Web site for King County.

Here are summary reports which are now missing from the audit log.

Note the time and date stamps on the reports. Note also that they are signed by Dean Logan, King County elections chief. We have the original reports signed in ink on election night.

What does all this mean?

We know that summary reports show up in the audit log.

There are other audit logs, like the one that tracks modem transmissions, but this audit log tracks summary reports.

Dean Logan held a press conference Friday morning, Oct. 29. Kathleen Wynne, a citizen investigator for Black Box Voting, attended the press conference and asked Dean Logan why three hours are missing from the audit log.

Here is a video clip

Logan said the three hours are empty because no reports were printed. OK. But we have summary reports from 10:34 p.m., 11:38 p.m., 12:11 a.m., 12:46 a.m., and 1:33 p.m. These reports were printed during the time he said no reports were run. Either the software malfunctioned, or audit log items were deleted. Because remote access through the modems is possible, the system may have been hacked, and audit log items deleted, without Logan realizing it.

Perhaps there are two of this particular kind of audit log? Perhaps this is an incomplete one?

Bev Harris called King County elections office records employee Mary Stoa, asking if perhaps there are any other audit logs at all. Mary Stoa called back, reporting that according to Bill Huennikens of King County elections, the audit log supplied to us in our public records request is the only one and the comprehensive and complete one.

Perhaps it is a computer glitch?

The audit log is 168 pages long and spans 120 days, and the 3 hours just happen to be missing during the most critical three hours on election night.

Diebold says altering the audit log cannot be done. Of course, we know a chimpanzee can't get into an elections office and play with the computer, but to demonstrate how easy it is to delete audit log entries, we taught a chimpanzee to delete audit records using an illicit "back door" to get into the program. Diebold told reporters it was a "magic show." Yet Diebold's own internal memos show they have known the audit log could be altered since 2001!

Here is a Diebold memo from October 2001, titled "Altering the audit log," written by Diebold principal engineer Ken Clark:

"King County is famous for it" [altering the audit log]

Here is Dean Logan, telling a Channel 5 King-TV News reporter that there were no unexpected problems with the Diebold programs. This was at the "MBOS" central ballot counting facility in King County in the wee hours of Sept. 15, on Election Night.

Dean Logan on Election Night, Sept 14 2004

Note that he says there were no problems with modem transmission.

When we obtained the trouble slips in a public records request (documentation that the modems were, indeed, not working fine), we were accidentally given the access phone number for King County.

Were we so inclined, if we had simply kept this under our hat, we could take control of your central server on election night from our living room.

Here are the trouble slips showing problems with modems. Note that King County generously provided us with the "secret" information needed to hack in by remote access. We did redact those specific details so that they are not passed on to you.

Here are more trouble tickets. One that is a concern: "OK to format memory card?" (This would wipe out the votes in the electronic ballot box.)

Election officials: Disconnect those modems NOW. If you don't: You gotta be replaced.
Reporters: Some election officials will lie to you. Show your kids what bravery looks like. Be courageous. Report the truth.
Citizens: Please help us by joining the Cleanup Crew. For now, e-mail crew@blackboxvoting.org to join, since our signup form has been taken out.
Candidates: Make a statement. Do not concede on Election Night. Wait until audits and records can be examined.





HOW TO MONITOR THE CENTRAL TABULATOR: Black Box Voting developed these guidelines to help you create an audit log, which can then be compared with the FEC-required computer-generated audit log inside the computer.

Yes, this is a lot of stuff, and it might feel overwhelming, but whatever you can do—it is very much appreciated.

THINGS TO BRING WITH YOU
- A notebook and pen. Preferably a notebook with a sewn binding, if you can find one. Do not take notes on a computer.
- A cell phone
- Binoculars
If you can, also bring these:
- A camera
- A small tape recorder
- A video camera, with a zoom lens if possible

Note that some counties will require you to turn off your video camera during the entering of passwords, a valid request. You should, however, be able to videotape the rest. Don't pull your camera out right away. Avoid confrontation by leaving your video camera in the bag—better yet, a purse. Pull it out only when there is an event of significance.

HUMAN FACTORS

You can't be effective if you make assumptions or let others intimidate you.
- Don't let others make you feel dumb.
- Make no assumptions about security. It might be worse than you expect.
- Don't count on the accuracy of anything other people tell you, even if they work for the county or the vendor.
- About party observers, techies, or lawyers: Remember that they have not examined the actual software or setup, and they are operating on assumptions, hearsay, or in some cases, may be trying to misdirect your attention.
- Vendor contracts prohibit county officials from examining their own software. Elections officials may just be repeating what someone else (the vendor) has told them.

YOUR ROLE AS AN OBSERVER: CREATE YOUR OWN AUDIT LOG so it can be compared to the real audit log.

Write down the following. For every event, write the date, time, including minutes.

1. NAMES & AFFILIATIONS: Get the names of everyone there. Find out affiliation.

2. WHERE ARE THE COMPUTERS: Establish the number and location of all vote tabulation computers. They call them different things: tabulators, servers. What you want is the computer that adds up all the votes from everywhere in the county.
- Some counties have only one. If there is more than one, find out where each one is, ask if they are networked together, and find out if any of them are in places you can't observe.

3. SYNCHRONIZE YOUR WATCH with the central vote-tally computer. Ask officials to tell you the time on the computer. If more than one, ask for the time of each and the ID number of each.

Log the date and time, to the minute, in this format:
Nov. 02 2004 11:25 p.m.
Nov. 03 2004 01:15 a.m.

CREATE A LOG FOR THE FOLLOWING:

People: Ask names and affiliations for, and log the START and STOP time for:

a. Who accesses the terminal (the keyboard and screen)
b. Who sits at the terminal
c. Who accesses the server (the computer the screen is hooked up to)
d. Who enters and leaves the room

COMPUTER ACTIVITIES: Log the START and STOP time for the following events and write down the name of the person involved:

a. Putting disks, CDs, or any other item in the computer
b. Taking disks, CDs, or any other item out of the computer
c. Uploading disks, CDs, or any other item
d. Viewing a preview of a report
e. Putting a report on the Web, even if this is done from another computer
f. Printing a report
g. NOTE WHAT'S ON THE SCREEN: Use binoculars to view the screen.
- Note upload icons.
- Use binoculars to read and record error messages. Note the time.
- Note indicators of processes, when a status bar shows how much is left to do

h. PROGRAM CRASHES:
- Watch to see if the program suddenly disappears from the screen (a program crash) or any system error message appears. If so, note the time and other details, and see below for how to record system crashes.
- Get the date and time and note who was at the computer
- Note whether any results were being transmitted or uploaded at the time the crash occurred.
- Did the crash take down the whole computer, or did it just close the tabulator program unexpectedly?
- Log all activities and conversations that occur just after the crash. If you have a tape recorder, leave it in your purse; now is the time to turn it on. But keep making notes regardless of whether you have tape, and trust your gut. What you think might be important is probably important.

WRITE DOWN EVERYTHING YOU CAN FIND OUT ABOUT MODEMS.

i. Note when, where, and who feeds ballot data into the computer in the central office. Describe what they are feeding the cards into, where the items are located, who does it, and when.

j. DISK MANAGEMENT:

- Note what kind of data storage device is used to move data around. You are looking for floppy disks, CDs, USB keys (about the size of a pack of gum).
- Note where they get the disk from originally (whether it was from the machine, meaning it could have a program or data on it already, or out of a package of new disks).
- Track the chain of custody: note where it is taken, have someone watch it when it is taken to any other machine, and note what programs you can see on the other machine.
- Note whether (and what time) it comes back and if it is put into the machine again.
k. Moving the results: They have to move the results somehow. Ask questions about their procedures.
- Is someone coming and going every hour or so with paper results?
- Are they moving results to the Internet with a floppy or CD or USB key (looks like a little piece of plastic, about the size of a piece of gum)?
- If no one is leaving the machine to post the results, chances are they are doing this at the computer, meaning they are probably hooked up to a network or the Internet. Ask questions about the details and record what they say, and the name of the person who says it.
l. If you see somebody open a web page or they do something that lets you know there has been Internet access, write it down.

m. BEHAVIORAL CUES:

- Note whether people look worried or stressed. Log the time it begins and the time it ends and who they are.
- And now a word about "wranglers." Some elections offices appoint a person—sometimes a party observer they are chummy with—to act as a "wrangler." Wranglers identify any person who might ask troublesome questions, and if an event occurs that could cause embarrassment, the appointed wrangler then goes over to distract the observers. Really. This is an elections procedure in some jurisdictions. They actually call it a wrangler.
- If someone comes over and engages you in conversation, look around, and see if officials have suddenly congregated into an office or people are huddling over a computer. See if you can find out what you are not supposed to see.
- Log behavior that is distracting, noting the time and person.
- Log time and people involved in other distraction events, for example: The lights suddenly go out; a fire alarm goes off; someone spills something, loud noises, someone knocks something over.

RECORDS TO REQUEST:

Each state has a public records act, but in most cases, you can get records you ask for if you are nice. Here are important records you'll want:

1. Get a copy of each INTERIM RESULTS REPORT. Stand guard over what you have. If someone comes in to remove or "replace one with a better copy" hang onto the first and take the replacement, marking it. Make sure all interim reports are time-stamped by the computer. If they aren't, note the exact time you see them appear.

2. Request the COMPUTER AUDIT LOG for Oct. 29-Nov 2. (Actually, it is important to get the printout BEFORE YOU LEAVE that night. It will only be a few pages, and can be printed from the vote-tally program's menu.)

3. Ask for a copy of all the POLLING PLACE RESULTS SLIPS. These are sent in with the results cartridges. Try to get copies before you leave that night. If they won't give copies to you then, put in a public records request and ask how soon you can pick them up.

4. Ask for a copy of THE UPLOAD LOGS. These are on the computer and can be printed out on election night. They list each polling place and the time results were uploaded.

5. There are ADDITIONAL LOGS in the Diebold GEMS programs you can request: From the GEMS folder "data", ask for the poster logs. There may be folders in the GEMS "data" directory titled "download", "log", "poster" and "results". Ask for copies of these logs.

6. Here's a report that is very long but incredibly important and valuable. Ask if you can have the ELECTION NIGHT DETAIL REPORT—the precinct by precinct results as of the time all memory cards are uploaded from all precincts. Depending on the system, they'll call it different things—in Diebold, it is called the Statement of Votes Cast (SOVC) report.

7. Let us know which REPORTS THEY REFUSE to give you on Election Night. We can then put in Freedom of Information (public records) requests formally.

Once we have your observation log, and the records you obtain on Election Night, we can start matching up events and data to audit for anomalies.
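The matching step described above, sketched as an added example (not Black Box Voting's own tooling): it parses entries written in the guide's timestamp format, finds stretches where the tabulator audit log is silent, and lists observer-logged events that fall inside them. The `timestamp | event` line layout, the sample entries and every function name are constructed for illustration; the actual GEMS audit log layout is not shown on this page.

```python
"""Cross-check an observer's handwritten log against a tabulator audit log."""
import re
from datetime import datetime, timedelta

MONTHS = {name: num for num, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}
STAMP = re.compile(
    r"([A-Za-z]{3})[a-z]*\.?\s+(\d{1,2})\s+(\d{4})\s+"
    r"(\d{1,2}):(\d{2})\s*([ap])\.?m\.?", re.IGNORECASE)

# Constructed sample data (assumed "timestamp | event" layout, not real records).
AUDIT_LOG = [
    "Nov. 02 2004 08:05 p.m. | upload started",
    "Nov. 02 2004 08:40 p.m. | summary report printed",
    "Nov. 02 2004 09:15 p.m. | summary report printed",
    "Nov. 03 2004 12:50 a.m. | summary report printed",
    "Nov. 03 2004 01:20 a.m. | audit log printed",
]
OBSERVER_LOG = [  # observer's watch runs one minute behind the tabulator clock
    "Nov. 02 2004 08:39 p.m. | Printing a report",
    "Nov. 02 2004 10:30 p.m. | Printing a report",
    "Nov. 02 2004 11:45 p.m. | Viewing a preview of a report",
    "Nov. 03 2004 12:49 a.m. | Printing a report",
]


def parse_stamp(text):
    """Parse the guide's format, e.g. 'Nov. 02 2004 11:25 p.m.'."""
    m = STAMP.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    mon, day, year, hour, minute, half = m.groups()
    hour = int(hour) % 12 + (12 if half.lower() == "p" else 0)
    return datetime(int(year), MONTHS[mon.lower()], int(day), hour, int(minute))


def load(lines):
    """Turn 'timestamp | event' lines into a time-sorted list of (datetime, event)."""
    rows = []
    for line in lines:
        stamp, _, event = line.partition("|")
        rows.append((parse_stamp(stamp), event.strip()))
    return sorted(rows)


def silent_spans(audit, max_silence):
    """Return (start, end) pairs where consecutive audit entries are
    further apart than max_silence."""
    times = [t for t, _ in audit]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_silence]


def contradicted_spans(audit, observed, max_silence,
                       clock_offset=timedelta(0), slack=timedelta(minutes=2)):
    """For each silent span in the audit log, list observer events inside it.

    clock_offset is tabulator time minus the observer's watch (from the
    synchronisation step); slack absorbs to-the-minute rounding at the edges.
    """
    findings = []
    for start, end in silent_spans(audit, max_silence):
        inside = [(t + clock_offset, e) for t, e in observed
                  if start + slack < t + clock_offset < end - slack]
        if inside:
            findings.append({"start": start, "end": end, "events": inside})
    return findings


if __name__ == "__main__":
    hits = contradicted_spans(load(AUDIT_LOG), load(OBSERVER_LOG),
                              max_silence=timedelta(hours=1),
                              clock_offset=timedelta(minutes=1))
    for hit in hits:
        print(f"Audit log silent {hit['start']:%b %d %H:%M} to {hit['end']:%b %d %H:%M}")
        for when, event in hit["events"]:
            print(f"  observer saw at {when:%H:%M}: {event}")
```

A silent span on its own proves nothing, since a quiet tabulator logs nothing; the finding is an independently witnessed event with no corresponding audit entry.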





Post information in the county and state at BlackBoxVoting.ORG. If the site is hacked out, come back as soon as it is up and post the information.

Thank you, and let's have an orderly election.





Now, there is a film crew who has been brave enough to capture what's really going on:

THIS IS THE ONE: Here's the film that's breaking new ground on voting machine investigations. Includes never before seen footage and information:

download 30 minute preview of the upcoming feature film.

NOTE: Please give your attention to the real film by the real investigators: Russell Michaels, Simon Ardizzone, and Robert Carrillo Cohen—they are the real deal. (Someone who ran off with a portion of the proprietary footage has been pitching a similarly named, inferior production which is missing most of the good stuff.) By the way, we've worked with most of the documentary producers out there, and Russell Michaels, Simon Ardizzone and Robert Carrillo Cohen are in a class by themselves—In my opinion, they are the only filmmakers who have been doing real, in-depth, long-term in-the-field investigations on this issue -- Bev Harris.

Remember:

- Don't concede: Candidates, make a statement about voting without auditing. Hold off on your concession until the canvass is done
- Gotta be replaced: If your county melts down into litigation, hold officials accountable if they chose to ignore warnings and failed to mitigate risks with preventive actions (like disconnecting telephone modems).

Note that most voting machine problems will be found between Nov. 3-12, during the canvass, and a few weeks later, when public records requests are obtained.

  
 