Terms of 'Independent' State Run Audit, Source Code Review Dictated by Voting Machine Company to Florida State Election Director Prior to Tests of Failed Touch-Screen Voting Systems from Contested Jennings/Buchanan Election!
By Brad Friedman on 3/24/2007, 6:02pm PT  

The private voting machine company which manufactured the touch-screen hardware and software used during Sarasota, Florida's contested District 13 Congressional election between Christine Jennings (D) and Vern Buchanan (R) sent a letter in December of 2006 to David Drury, the chief of the state's Bureau of Voting Systems Certification, dictating the terms of the state-run audit convened to investigate the causes for massive undervote rate which seems to have tipped the election.

The extraordinary 3-page letter (posted in full at the end of this article) from Electronic Systems & Software, Inc. (ES&S) Vice President, Steven Pearson, is described as an "agreement" and instructs Drury on what may and may not be disclosed in the state's final audit report regarding the investigation.

The audit, for which ES&S was dictating terms to the state of Florida, was of their own voting systems used in the disputed race where 18,000 undervotes were discovered in the FL-13 election. The race was ultimately certified by the state with a 369 vote margin in favor of the Republican Buchanan, and is currently being contested in state court, and in Congress under the Federal Contested Elections Act.

"David, below are ES&S source code review guidelines for the conduction of any review of source code to be performed by the Department of State and any agent acting on your behalf as a result of the under vote investigation from the Sarasota County mid-term election. It is our desire the methodology and focus of the review be performed in a manner that incorporates the items described below," the agreement begins, before including a long, bullet-pointed and very narrow litany of specific dictates concerning what may and may not be done and/or discussed by the state-convened panel of investigators in their final report...

"The review needs to be focused on a singular purpose," Pearson instructs, before explaining that the testing is to focus solely on whether or not "code or logic exists in the software that would have directly and conclusively caused voter selections to not have been captured or to have been omitted for the U.S. House of Representative District 13 contest in the Florida 2006 General Election in Sarasota County."

"Any analysis, statement, inference, or comment that is outside the discovery of such software is not relevant and is outside the scope and boundary of this source code review," Pearson writes before listing dozens of bullet point instructions for what may and may not be allowed in both the review and final report.

He goes on to instruct Drury that ES&S must be allowed to review "any drafts, statements, reports or conclusions...prior to finalization, distribution, publication" of the report and that any violation thereof would be in violation of the agreement" leading to the destruction of "all copies" of such information.

Further, Pearson wrote, ES&S demanded "the opportunity to provide commentary to be interspersed into the report or to be attached to the report."

The long list of ES&S narrow dictates of what may or may not be discussed in the state report, which was finally released last month to much criticism from Jennings and others, includes (but is not limited to):

  • No statements about "potential" situations
  • No statements that discuss what "might" have occurred
  • No statements about possible "vulnerabilities"
  • No statements about the "style" of the source code
  • No statements commenting on the use of less desirable techniques, instructions, or constructs
  • No statements rendering opinions on proper uses, improper use, or correctness of source code
  • No statements rendering opinions on security techniques employed or not employed
  • No statements discussing relevance of any discoveries made in this review to any elections or contests outside the 2006 Sarasota General Election, U.S. House of Representative District 13 race.
  • No statements regarding conformance to source code standards of any type or kind

...etc.

The letter instructs, "If no conclusive evidence is found then all other statements are not necessary" and explains that "any conclusion" made by the state review "must be drawn based upon with the following foundational basis and underlying assumptions." A number of such assumptions are then listed: that "physical security of all voting system equipment and and materials...has been maintained" and "physical chain of custody for all materials...has not been broken or compromised," etc.

The remarkable letter was faxed to WIRED reporter, Kim Zetter after her coverage of a warning notice sent by ES&S to state officials, warning of a bug in their touch-screen voting system which could have caused the unusually large undervote rate seen in the FL-13 election (18,000 undervotes in a race decided by 369 votes). The bug was not fixed in Sarasota County prior to the election, and the warning letter, which we covered here, was never disclosed to the plaintiff's attorneys now contesting the election in state court.

Zetter covers the newly unearthed ES&S letter in her blog and includes the full letter on three different web pages. All three pages of the letter are posted in full below.

Just a few of the questions which occur to The BRAD BLOG now, in light of the discovery of this letter:

  • Although the letter is described as an "agreement" it is signed only by ES&S; did Florida officials agree to ES&S's terms of testing?
  • Were the computer scientists convened by the state apprised of these terms?
  • Was the final report shown to ES&S before publication?
  • If so, did they exercise their stated desire to edit the report and/or "provide commentary...interspersed into the [final] report?
  • Was this document ever revealed to plaintiff's attorneys contesting the election?

UPDATE 3/26/07: Alec Yasinsac, the lead principle investigator of the state-convened panel of scientists who reviewed the ES&S source code, responds to some of these questions on behalf of his full team. The response, and our response in kind, now posted here...

The December 15, 2006 letter from ES&S Vice President of Certification, Steven Pearson, to Florida's Bureau of Voting Systems Certification Chief David Drury follows in full below...