On October 3, Ohio Secretary of State Jon Husted issued a directive that no longer requires county boards of elections to send precinct-by-precinct level data to his office in time-based increments on Election Day. The new requirement is to provide their county’s “summary results” only, instead of individual precinct-by-precinct data.

On October 2, the Columbus Free Press published an article entitled “What’s up with Ohio’s election night reporting system? Nobody really knows what happens on Election Day” by Bob Fitrakis and Gerry Bello. The article pointed out that an existing Ohio Secretary of State directive had very specific requirements for county boards of elections to send precinct-by-precinct data starting once their first precinct reported, and continuing on a time schedule of every 15 minutes, 30 minutes or by the hour.

During the 2012 election, Husted’s office claimed 20 Ohio county boards of elections would to provide precinct-by-precinct vote totals to election officials and the press. Husted promised them fast and accurate data. However, when asked for that data after the 2012 election, Jon Husted’s office told requestors they did not have the data. Finally, a year later on Election Day 2013, the Secretary of State posted the precinct-by-precinct election results website.

Election integrity activists were concerned that the county precinct-by-precinct level data was not being shared with anyone, including the media, and was for the Ohio Secretary of State only. This data could be used throughout Election Day to learn what direction the vote totals were going, giving Husted and his allies an opportunity to get out the vote for Republican candidates in key areas of the state.  

The new October 3 Directive 2014-31 also contains the following: “Prior to Election Day, you will receive a shipment of USB thumb drives for use on election night to ensure the security of your central tabulating system. As in the past, unofficial election results provided to the Secretary of State’s Office will be summary only, rather than precinct-level. Precinct-level results will be uploaded by boards of elections for the official canvass.”

But, how secure are USB thumb drives?

“Security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work,” announced security researchers Karsten Nohl and Jakob Lell in a Wired magazine article. The article states that the team was “…demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.”

Here is the scary conclusion: “Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code.”

“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’” says Nohl, according to the article.