Below is a letter sent by Bruce Sims of San Diego to Secretary of State McPherson. It includes a detailed analysis of the usage procedures for California submitted with the Diebold TSx application, showing where the procedures violate California law, the settlement in Alameda Superior Court Case RG03 128466, the 2002 Voluntary Voting Standards (required in California), accepted standards, etc.

------------------------------------------------------------

11/27/2005

Mr. Bruce McPherson
Secretary of State
Executive Office
1500 11th St.
Sacramento, CA 95814

Dear Secretary McPherson;

I'm writing and sending this - my review and comments on the 'California Use Procedures' associated with the certification hearing of 11/21/2005 - as I want to believe Nghia Nguyen Demovic, who says you read all comments. They are in addition to the comments already submitted to you on 11/17/2005 regarding the voting system. Unfortunately, my experience in interacting with your staff regarding differing issues leads me to the perspective that they are arrogant, incapable of seeing a bigger picture than their vested self-interests, are sloppy in their analyses, and are unwilling to admit to their mistakes. So I don't believe they will forward all comments on to you that are submitted.

First and foremost is the fact that these 'final draft' 'California Use Procedures' were NOT received at least 45-days prior to the 11/21 hearing as specified by the APPLICATION FOR APPROVAL OF A VOTING SYSTEM OR SYSTEM COMPONENT. Either vendors comply with your office's procedural specifications or such specifications do not mean anything.

The 'Use' procedures posted on the SOS site spell out these 4 conditions explicitly (as indicated in the settlement specified in the Alameda Superior Court Case RG03 128466):

"The instructions necessary to configure a Diebold Election Systems, Inc. (DESI) GEMS Server are described in the document "Instructions for GEMS and EMP Configuration" and shall be implemented.
The instructions are written for a technician who has experience and competency with using the Windows Registry Editor, Windows Administrative Tool, and BIOS setup functions. The configuration requirements are as follows:
1.) ALL network services and network ports are to be turned off, except those EXPLICITLY required to run the GEMS software;
2.) the "autorun" feature in Windows is to be disabled;
3.) the boot order is to boot from the hard drive first; and
4.) the BIOS is to be password protected to prevent changes to the boot order.
If this procedure is implemented on a DESI California customer server, this information must be communicated in writing to DESI's Compliance Officer no later than one week after implementation."

BUT the vendor goes on to talk about local area network connections re firmware 2.0.12 on the high speed central tabulator and provides a network diagram showing DHCP services being used (network services not "explicitly required to run the GEMS software") AND two 'static ip' addresses, which is another example of a 'network service and network port'. NEITHER are "explicitly required to run the GEMS software", a DATABASE software program.

The 'Use' procedures state:

"4. Election Setup and Definition
The following procedures are unique to California and should be set in the GEMS database.
On TS options tab - Disable print Barcode
On OS options tab - Reject Overvoted races and All races blank voted
On OS options tab - Use report 195/196US and version 196
NO characters ("&%) shall be used in race or candidate names"

BUT the consultant's report states as part of his 'Conclusions', "4. The ABasic Report file should be restricted to 195 US.abo, Version 1.15, and information provided to confirm the correct (unmodified) file is in use."

This, obviously, raises questions of what exactly was tested by the Staff and Consultant.
And given the large discrepancy of version number - 1.15 versus 196 - it would appear as though the vendor is intending to supply a system that has different software than that which was tested. This was the original reason their system was decertified.

The 'Use Procedures' state:

"4.5. Logic and accuracy testing of system and components
Testing of election logic involves both data testing - ensuring accuracy of cast ballots, and system testing to ensure that data logic is consistent as it is transmitted from one component of the system to another - as it is downloaded onto memory cards, as ballots are cast, and as results are uploaded to the GEMS host computer application."

-----------------This section's specifications do NOT specify ANY error rate that must be achieved, nor do the specifications of the L&A test deck(s) meet the 2002 VSG standards for such ACCURACY testing.

For AccuVote-TSx precincts:

"In a polling location where there is only one AccuVote TSx - it is advisable that the poll workers encourage other voters to use the TSx unit in order to protect anonymity."

-------------------------------------This is nothing but marketing hype and should be removed, especially in view that HAVA only requires that ONE MACHINE PER PRECINCT be available for disabled voters. Voter anonymity is not - and shouldn't be - tied to the usage of a machine.

"The AccuVote VIBS is designed for use by voters with a wide variety of disabilities":

---------------------This whole section reads like a marketing brochure from the vendor and needs to be re-written to address usage, not promote the vendor's products.

From AccuVote DRE precincts section:

"In order for that ballot to be retrievable, the provisional voter is processed and assigned a voter ID number. The voter's provisional ID number is stored in the voter access card by the poll worker along with the voter's precinct and ballot style information.
The voter proceeds to the AccuVote-TSx Ballot Station, inserts the voter access card, votes and casts the ballot, and returns the voter access card for re-use by the polling place. The provisional ballot is recorded but not added to the result totals. Should the provisional voter's ballot be determined to be eligible for counting by the Election Board during the post election canvass, it would be identified in the election system by the provisional voter's ID number, and retrieved and added to the election result totals."

--------------------This violates the 'secrecy of the ballot' provisions of the Election Code.

Section 5.7. Closing the polls and vote reporting:

"While holding the YES and NO button on the front of the AccuVote at the same time, insert the Ender Card into the AccuVote. This will initiate the FINAL Results Tape that will print automatically. If the tape does not print, call the Election Official immediately. The printed tape will include both the ZERO TOTALS TAPE and the FINAL RESULTS TAPE. The precinct board shall tear the tape from the AccuVote and return it to the Election Official as specified."

---------------------This needs to reflect the need for two copies of the ZERO TOTALS TAPE and the FINAL RESULTS TAPE, one for the Election Official and one to be posted at the precinct.

"The AccuVote-OS Central Count may be configured with multiple AccuVote-OS Central Count units linked to the GEMS server in either the local area network configuration or using Windows Remote Access Server (RAS)."

-------------------Again, the vendor is ignoring the court order so that they may present a system that appears to be more than it actually is; iterating, neither a local area network nor a RAS Server is explicitly required to run the GEMS software. GEMS is a DATABASE and does not need such communication facilities to 'run'.
There are NO procedures mentioned or described to address the system vulnerability described by "Note that the Central Count Server console is modeless, that is, it may be accessed at the same time as the GEMS main window. The election status cannot be changed as long as the console is active." How is such monitored if the 'window' where the election status is shown is hidden? What can be done to the system when the election status is 'not active'?

E.C. 14310 states, "(c) (1) During the official canvass, the ELECTIONS OFFICIAL shall examine the records with respect to all provisional ballots cast."

-------------------But the "Use Procedures" do not address this restriction at all. Nor do the Procedures indicate how Provisional vote tallying associated with this system integrate with the Election Code specification "(d) The Secretary of State shall establish a free access system that any voter who casts a provisional ballot may access to discover whether the voter's provisional ballot was counted and, if not, the reason why it was not counted."

In the Use Procedures section "8.10. Backup and Retention of election material", the memory/pcmcia cards are not specifically mentioned and must be, per Dept. of Justice rulings and admittance by the Secretary of State's staff that such cards are used to tabulate votes. Nor do the Procedures address the security needed to store such cards in a secure manner for the time references specified by law.

The 'Use Procedures' "Election Security Plan" states "Election Officials shall verify and submit a statement to the Secretary of State that no DAO capable program has been installed or resides on GEMS server. DAO programs include but are not limited to MS EXCEL, MS ACCESS, and other Visual Basic programs designed to work with Direct Access Objects."
----------------------------Again - as I have mentioned this in an election complaint - this is an impossible task for Election Officials because this voting system relies upon Microsoft's Windows Operating system in the GEMS Server and Internet Explorer is integral to the Windows Operating System and IS a "DAO capable program". There are multiple 'hacking' programs that use the Internet Explorer to access the database engine used for GEMS.

Yet, again, the vendor ignores the terms of the court ordered settlement and references networking in the "Election Security Plan": "All network connections, including the GEMS network, should be local." Such network connections are NOT "explicitly required to run the GEMS software". GEMS is a DATABASE and does not need such communication facilities to 'run'.

"The specifics for understanding and implementing these items can be obtained from your Diebold representative."

---------------------------This would indicate the vendor is fostering dependence on itself; such steps - not explicit values associated with the steps - must be public knowledge; only by public examination of the steps the vendor is describing can the public be assured that such steps effectively address the goals specified:

"10.2.1. Essential and non-essential services and ports
· All network services and network ports are to be turned off, except those explicitly required to run the GEMS software; (again, GEMS is a DATABASE and does not need such communication facilities to 'run'.)
· the "auto run" feature in Windows is to be disabled;
· the boot order is to boot from the hard drive first; and
· the BIOS is to be password protected to prevent changes to the boot order;"

The 'Use Procedures' under "Security of Votes" states "Ballot Tally Software - Ballot Tally software for early voting shall be escrowed according to Chapter 6 of Division 7 of the California Code of Regulations."
BUT there is not any such 'Division 7' (the CCR's are all prefaced as 'Title' and there is not a Title 6 in the CCR's; http://ccr.oal.ca.gov/ ). Perhaps more to the point, the Secretary of State has already stated how such software is to be escrowed and this document does not reflect that decision.

Additionally, the 2002 Voting Systems Standards Guidelines that Secretary McPherson has indicated MUST be implemented by any new voting system application for certification state:

"2002 VSG Section 4.2.2 Software Integrity
Self-modifying, dynamically loaded, or INTERPRETED code is PROHIBITED, except under the security provisions outlined in section 6.4.e. This prohibition is to ensure that the software tested and approved during the qualification process remains unchanged and retains its integrity."

6.4(e) states, "After initiation of election day TESTING, no source code or compilers or assemblers shall be resident or accessible."

The Diebold PCMCIA/memory card architecture relies on interpreted code, executing logic on the memory card by passing memory card code through the interpreter. This is confirmed by the vendor and the Secretary of State's Staff report. Unless the Secretary of State was intentionally misleading the public when he announced that all new system applications would meet these guidelines, it appears as though the vendor does not listen to what the Secretary of State mandates.

In a strange bit of irony, the 2002 Voting System Standards Guidelines promulgated by the Federal Election Commission sets a failure tolerance so low that 10 percent of the voting machines are allowed to fail on the first day of use. Would you buy a TV set if you knew there was a 10 percent chance it would stop working the first day? This is good use of taxpayer money?
The 2002 Voting Systems Standards Guidelines, Section 4, Software Standards, sub-section 4.2.1 states "Software associated with the logical and numerical operations of vote data SHALL USE a high-level programming language, such as: Pascal, Visual Basic, Java, C and C++. The requirement for the use of high-level language for logical operations does not preclude the use of assembly language for hardware-related segments, such as device controllers and handler programs. Also, operating system software may be designed in assembly language."

And one does not need to be a computer expert to understand that ANOTHER item forbidden in the 2002 Voting Systems Standards Guidelines, "nonstandard computer language", is being used. Diebold decided to make up its own language, calling it "AccuBasic." Only Diebold uses it, no one else in the world. The ITA's defenders explain that the AccuBasic language is similar but different to the C++ computer language. That's like saying French is Portuguese because the languages are "similar."
Between the failure of the vendor to adhere to the rules and regulations associated with an APPLICATION FOR APPROVAL OF A VOTING SYSTEM OR SYSTEM COMPONENT,
the lack of sufficient testing to ensure the system meets the 2002 Voting Systems Standards Guidelines for accuracy as well as the system being in violation of the same guidelines,
the AVPM not being easily accessible or viewable,
the AVPM being based on thermal paper which is very susceptible to heat alteration,
the continued arrogance shown by the vendor in ignoring the settlement terms of the Alameda Superior Court Case RG03 128466,
the rejection of the system by disabled advocates in the November 21st hearing,
the rejection of the system by ALL voting activists,
the inability of the system to meet HAVA guidelines for disabled access,
the discrepancy noted with the ballot files (.abo files) between the consultant's specifications and what the vendor specified in the 'Final draft' of the 'Use Procedures',
and the lack of the 'Use Procedures' to fully address usage,
all scream that this is not a system to be foisted upon the citizens of California.

And given the Vendor's ignoring of the 'rule of law' as evidenced by the settlement regarding the usage of uncertified software and ongoing ignoring of the settlement conditions specified by that court case, this is a vendor that should be banned from doing business in California as it has shown its inability to be trusted as an honest purveyor of goods and services.

Bruce Sims
San Diego, CA 92116