Letter to the editor: More on Delco elections
Dear Editor, Broad + Liberty,
Re: Letter to the editor relating to Delco elections
Response #4
Before an election, the voter rolls should be filled with eligible voters. Of equal importance, the Delco’s Hart Verity election machines should be certified as capable of registering and counting the ballots cast by these eligible voters; the machines must go through what we will call the first steps of a pre-election certification dance. At first glance, the dance seems relatively straightforward, like a three step waltz.
Waltz
The first key step of the certification dance occurs before Delco’s election machines are even purchased by the county. It is referred to as the Trusted Build. The Trusted Build process ensures that the software installed on voting machines is compiled and configured according to approved specifications in a controlled and secure environment. Election machine companies with oversight from one of two U.S. Election Assistance Commission (EAC)-approved testing labs, build their software in a secure setting to match federal standards, ensuring it’s ready for accurate ballot scanning and vote counting. While on-line reports indicated that both of the labs performing the machine certification may not have themselves been certified for the 2018 and 2020 elections, thus affecting the claimed legitimacy of those election results, certification of the Trusted Build of Delco’s machines is not performed at the local level and thus was, for 2024, unobservable by the Delco Election Deep Divers.
A second key step of the certification dance is Hash Testing. Hash Testing helps to authenticate the Trusted Build by verifying the integrity of the software installed on Delco’s election machines through a comparison of the hash value (or fingerprint) of the installed software with its certified hash value as issued by the EAC. If the Hash Testing does not match the certified values, it directly negates the Trusted Build, indicating that the software on the machines may have been tampered with or modified after the initial trusted build process. Such a failure is a violation of 52 U.S.C. § 21081(a)(5) and invalidates the certification status of the machines until the discrepancy is resolved.
A final step in the certification dance is Logic and Accuracy Testing. L&A Testing is a mandatory pre-election process designed to ensure that voting equipment functions correctly and counts votes accurately. Here, election officials create sets of sample ballots, known as “test decks.” Machines must accurately process this stack of varying ballot types successfully. The Delco Election Deep Divers have observed L &A Testing performed on almost all of the county’s election machines.
While these first three steps seem a simple and straightforward waltz on the surface, scrutiny reveals frenetic Latin dances of South America, the election machines’ Venezuelan connection. In this letter we will partner in dance with Hash Testing, and share observations of the October 25, 2024, court case Mancini et al. vs. Delaware County (CV-24-008838), where two distinct mis-steps regarding Delco’s Hart Verity’s machine testing were addressed.
Cha-Cha
First, Federal law (52 U.S.C. § 21081(a)(5)) and Pennsylvania law (25 P.S. § 3031.11(a)) requires all election machines to undergo comprehensive testing to match certified software. Pennsylvania law (25 P.S. § 3031.10) specifically mandates counties to “publicly examine and test all automatic tabulating equipment to ascertain that it will accurately count the votes cast.” Mancini argues that to conform with this law, both tabulation accuracy (L&A Testing) and software integrity (Hash Testing) are required.
Delco and the PA Department of State Cha-Cha through a manic dance of baffling machine terminology to argue the contrary. In his testimony, James Allen, Director of Elections, equates turning on a machine with a V-drive to a ‘trusted build validation’: ‘That is entering a V-drive … into the device … when you boot it up and you print out the tapes … it references Hart Verity 2.7. That is the verification process.’ This garbles Trusted Build (the EAC pre-purchase check) with Logic and Accuracy Testing (the county vote-count test), sidelining Hash Testing (software integrity) entirely. Adding to the confusion, Allen’s casual use of ‘trusted build validation’—a phrase that, while echoing the EAC’s Trusted Build terminology, lacks a clear definition in either the Election Assistance Commission’s (EAC) glossary or Pennsylvania’s statutory framework—appears crafted to blur the lines between federal pre-purchase oversight of the Trusted Build and local operational checks like Logic and Accuracy Testing, leaving unclear whether he’s addressing software integrity or merely machine functionality. Most of us know that just because your computer displays the image of an operating system, the image on the screen does not prove the system’s presence nor guarantee a virus or malware is not also present.
In addition, Allen’s claim that post-election Hash Testing can’t occur “before certification because state law says you cannot touch equipment until it’s been certified” contradicts 25 P.S. § 3031.17, which permits pre-certification audits, audits Delco actually performed in 2024. His assertion that Hash retesting must happen “after certification” delays software checks beyond legal challenge windows, rendering them moot.
Pennsylvania’s Deputy Secretary for Elections and Commissions Jonathan Marks, tasked with overseeing election standards, sidesteps Hash Testing’s role, “I don’t believe that term is utilized in … the certification report or directive,” yet acknowledges, “counties should validate trusted builds per vendor methods.”
Delco hash-tested only 2% of its machines in the fall of 2024, nine of 428 precincts, and seems to feel that the PA administration’s failure to enforce Hash Testing shows Hash Testing isn’t required by PA law. Delco even proudly declares their extra 2% certification step shows exemplary standards compared to other counties in PA. However, while doing isolated testing may be better than none, it does not prove that the machines not tested have the proper software installed or that further testing isn’t required by law.
Tango
Mancini also raised concerns about MathNET.Numerics, an undocumented software present on Delco’s machine testing logs, but absent from EAC, Hart, or state certifications. MathNET.Numeric algorithms could Tango in as an uninvited partner on the V-drives installed for L&A Testing, or on the machines untested during Hash Testing, twirling through with uncertified moves that could sway the vote undetected:
MathNET’s statistics module could generate plausible but falsified vote distributions. An attacker could use these to “normalize” manipulated totals, ensuring they pass basic audits (e.g., matching expected turnout patterns).
MathNET’s numerical precision tools could compute or manipulate hash values to mimic legitimate ones, fooling Hash Testing. Its optimization routines could also solve for inputs that produce a desired hash, masking tampered software.
MathNET’s robust linear algebra tools could alter vote matrices—say, a matrix where rows are precincts and columns are candidates—by applying transformations (e.g., scaling, transposition) to shift totals undetected.
MathNET’s array and vector operations could temporarily flip votes in RAM—say, swapping candidate totals—then revert logs before saving.
MathNET’s regression and curve-fitting tools could adjust vote counts to fit predetermined trends (e.g., favoring a candidate in key precincts), ensuring results look organic under scrutiny.
Delco and PA acknowledge the presence of MathNET in both Delco’s machines and the EAC hash fingerprint. Both of these parties seemed to feel their responsibility to verify the fingerprint match does not extend to examining the fingerprint itself. FOIA requests for a complete list of approved EAC software initiated last fall fail to confirm this problematic software is EAC approved have yet to be answered, but even if the software is verified as approved, the approval would raise additional questions regarding how the EAC could justify such an approval.
The EAC promises a complete approved software list this fall, but the procrastination illustrated here by both the courts and government information providers repeatedly appears to drag answers through each successive election cycle until the process must begin again, ensuring a lack of results. And in this instance, like in the many other areas yet to be addressed, the election workers, and even the election staff responsible for the machines, could perform all their tasks perfectly and the machines could still easily, without their knowledge, influence the election results.
The court dismissed Mancini’s injunction for lack of “solid evidence” of corruption, but without full testing, we lack evidence of integrity either. Given the excessive cost of funding the machines, it is baffling why complete, effective Hash Testing has not yet been advocated and is universally neglected.
What is the answer? Hash Test every machine during L&A Testing. Boot each machine with its precinct drive, hash the full software—system plus drive—and match it to the EAC-certified version before test decks are processed. Failing machines could be suspended. The drives would be sealed and further sample-hash testing could be performed prior to certification.
This would at least represent an improvement, but Delco ignores suggested upgrades to the Hash Testing procedures. The county has the burden of proof to show that their election machines are secure; the public does not have a burden to prove that they are not. Moreover, our observations of Logic and Accuracy Testing reveal other flaws, indicating improvements in Hash Testing alone are not a solution to verifying election machine security.
Respectfully,
L. Lewis
Delco Election Deep Divers
