It appears that the Board of Supervisors meeting on Tuesday 8 January 2008 will include discussion of election integrity issues, including whether to appeal Judge Miller's ruling. It seems that there are some crucial facts that have been left out of the discussion so far. At trial, some crucial questions were not asked, and other crucial questions elicited demonstrably false answers.

Executive summary: In the interests of good governance, the county should not appeal Judge Miller's ruling. Indeed, the county should cheerfully release the databases for each and every election, right after the election is completed. The county has been getting some spectacularly bad advice on this subject. The claims that "harm" might ensue from releasing old databases are demonstrably untrue. See below.

Discussion: We need to distinguish /completed/ from /uncompleted/ elections. There are innumerable good reasons why the database for any given election should not be released until after that election is completed. Now, since the judge has only ordered the release of long-completed elections, any discussion of uncompleted elections is a red herring, an unhelpful distraction. At trial there was a lot of confusion about this. Red herrings were discussed at length. Let's try to avoid that in the future. If you want to call this a "compromise", go ahead. The compromise is that uncompleted election databases are secret, whereas completed election databases are public records, open to public inspection.

Another crucial point that got short shrift at the trial was /mitigation/ of risks. By way of analogy: everybody knows that walking around town puts you at risk of being hit by a car. But there are common-sense things you can do to mitigate the risk. For instance, using the sidewalk is better than walking down the middle of the road. The so-called "risks" discussed at trial are in the same category: if the risks seem large it is only because the county has magnified the risks by doing foolish things. Simple, common-sense procedures would reduce the risks to negligible levels.

At the trial, John Moffatt summed up his testimony in terms of three concerns:
 1) Reverse engineering, so as to facilitate an attack.
 2) Fake ballots.
 3) Fake reports, so as to "call into question" the integrity of the election.
Let's discuss these points.

1) Dr. Moffatt's testimony about reverse engineering was highly misleading. His experience of reverse engineering is evidently limited to hiring somebody to reverse engineer something. In contrast, I have first-hand experience reverse engineering computer hardware and computer software, including the security features of an operating system. I also have experience "forward" engineering, including designing and implementing highly secure networked computer systems for AT&T.

A reverse engineering project, if it were wildly successful, would reproduce the source code of the system, and would reproduce the user manual. But this is crazy. The GEMS source code and user manual are already available on the web. Reverse engineering would be completely pointless.

Another argument that leads to the same conclusion starts with the observation that there are, at last count, something like 37 known ways to attack the GEMS system. Why would anybody need a 38th way? Reverse engineering would be completely pointless.

Furthermore, any attempt to carry out such an attack is predicated on having either physical access or network access to the Diebold machines, and it is now county policy to prevent such access. Therefore reverse engineering is an imaginary attack, which could cause only imaginary harm.

We should also note that databases from several other jurisdictions are already widely available. So the incremental effect of releasing old Pima databases would be negligible. It is important to note that there have been no reports of harm in other jurisdictions when old databases have been released.

All in all, there is not the slightest reason to think that releasing databases from completed elections would be even slightly harmful. In fact it would be helpful, as discussed below.

2) Dr. Moffatt claimed that somebody could use the GEMS software and "the" database to print blank ballots. Well, for starters this is another red herring, a blurring of the distinction between the /current/ database and the old databases, and therefore has no relevance. Secondly, it would be quite feasible (indeed easy) for a voter to photograph a ballot early on election day (using a cell-phone camera or whatever) and then produce innumerable blank ballots using an ordinary laser printer. What's more, as Dr. Moffatt himself pointed out, candidates and others get an advance look at the layout of the ballot. He said that an attacker, using the GEMS database, could generate ballots "in less than a day". Gimme a break. An attacker without GEMS and without the database could generate ballots in less than an hour. Therefore this threat, in addition to being irrelevant, is impractical and immaterial.

He claimed that using Photoshop to change the ballot would not work. He said the timing marks were too "critical" and that scanners were too imperfect. First of all, I don't believe that. For starters, each Accuvote-OS machine itself contains an ordinary scanner, so if scanners were really a big problem and if timing were really critical, the Diebold machines themselves would be so unreliable as to be unusable in practice. Secondly, even if what he said about the timing marks were true, his conclusion that home-made ballots could not be used as the basis of an attack is manifestly untrue; the very facts he claims prevent an attack would actually enable an attack. All an attacker needs to do is print up a batch of plausible-looking ballots with defective timing marks, and send them to a precinct where he wishes to suppress the vote. It is not necessary in this scenario to get the timing marks just right; it suffices to get them wrong!

3) Dr. Moffatt claimed that somebody could use the GEMS software plus "the" database to print fake election result reports. That claim is completely preposterous. Openness does not produce this kind of fakery; indeed, openness is the best defense against this kind of fakery. What would the attacker do with his beautiful fake report? Who could he give it to? Who would believe it in preference to the open, official results on the County web site? Nobody! The fake report would not withstand even a moment's scrutiny. As Daniel Patrick Moynihan was fond of saying, everybody is entitled to their own opinion, but they're not entitled to their own facts.

He said this would allow the possibility that the election would be "called into question". This is yet another preposterous argument. The elections have already been called into question! For starters, we have a report on Pima County letterhead, over the signature of the Pima County Administrator, available on the Pima County web site, saying that the election process could have been hacked and that even a moderately skillful hacker would have gone undetected. What could be more damning than that? Pima County has already called the election into question. Also the Pima County library contains dozens of books that describe in some detail how the 2000 and 2004 elections were stolen. Pima County has already called the election into question! The best way -- indeed the only way -- to begin restoring public confidence is to have more openness.

*) I'm skipping some additional instances of demonstrably incorrect testimony.

=========

Another point that was blurred at trial is the distinction between security and secrecy. Passwords require secrecy, but programs and methods should not require secrecy. It has been known for 125 years that if your procedures manual must be kept secret, your procedures are no good. (This is called Kerckhoffs's principle.)

Yet another crucial distinction concerns /insider/ attacks versus /outsider/ attacks. As pointed out by Mickey Duniho, in 100% of known attacks against election computers, the attack was perpetrated by insiders. Persons who have been granted some degree of access to the process have abused their privileges. Therefore we need oversight, such as public access to the databases of completed elections. This is crucial because it helps deter insider attacks. It seems very peculiar that the county is willing to spend millions of dollars on measures to deter outsider attacks, while /opposing/ measures to deter insider attacks.

Summary: In the interests of good governance, the county should be /encouraging/ citizens to scrutinize the old election databases. Releasing the old databases would be in some ways good and in no ways bad. The supervisors have been told releases might cause "harm", but that's just not true.