The Curious Case of Coos County - Log Off

The Curious Case of Coos County - Log Off
Photo by Joe Green / Unsplash

In previous posts about the Curious Case of Coos County I outlined the various methods the County Clerk used to deny access to basic election information. This post continues that assertion with how they redacted election logs so that they were completely useless in determining if a clean election was run.  

Coos County uses Clear Ballot systems to count ballots returned to the Elections Office. Those systems use two scanners attached to two laptops (Scan Stations) which read the ballots and turn them into ballot images which are then stored on a third computer called a Scan Server. The Scan Server is used to look at those images and determine the voters intent. The election workers use a web interface on an internal network to control the Scan Server functions. Every action the election worker does, and the system does, is logged in two log files; the web activity log (WAL) and the election activity log (EAL). This is an overly simplified explanation but will suffice for the topic of this post.

In May of 2021 a public records request (PRR) was made to get the WAL and EAL files for the November 2020 General Election. In June of that year they responded but instead of providing the log files in the normal CSV (comma separated values) format they provided PDF (portable document format) files which makes extracting the data in usable manner next to impossible.  

The delay in responding to the request was attributted to them having the Legal Office Manager cull through all the log records and redacted them for security reasons. The exact wording of the response was...

Please note that the IP addresses were redacted persuant to ORS 192.345(23) as having the potential to compromise security.

No slight to the Legal Office Manager but how would that person know what a security concern for an election system log might be? How far up the food chain did this command come from and what were the instructions?

Removing, or redacting, IP addresses implies that addresses from outside the internal network had been accessing the computers inside the supposedly secure and inaccessible network. They repeatedly state that their election computers are secure and not connected to any other network and certainly not the internet. There is no way to prove this claim unless someone can review the logs to see for themselves.

If it were just the IP addresses that had been redacted then the logs still would have been usable to determine if the proper steps had been executed during the election run. The logs would normally show when ballots were designed, when systems were setup, when counters were zeroed, when the scans started, etc. That was not the case with these logs. So much data was removed as to make them unusable for any analysis whatsoever.

In the process of working on this problem I asked other election integrity people if they had received WAL and EAL files for Clear Ballot systems from other counties. They had and were willing to give me copies so that I could compare the differences.  

Election Activity Logs

Let us begin with the Election Activity Log, or EAL, file I was given by Coos County. It starts off normally with all the ID sequence numbers going in an expected numerical order.

Coos EAL page 1

Then 132 pages later we get this...

Coos EAL page 133

The date jumps from ID 380553 with time stamp 2020-09-10 11:26:11 to ID 380554 with a time stamp of 2020-11-20 06:51:29. The ID number designates the sequence number of the log entry. That means there were no log entries removed due to redaction because the numbers are in sequence.

Does this mean the system was not running from weeks before the election until well after the election?  


If that were the case then the election was not run at all on this system. What this implies that logging was turned off on September 10th and then turned back on on November 20th.

The final curious thing about this report is that the request for the log files was filed in May of 2021 but the header in this report file says it was generated on December 3rd, 2020.  It might be they just handed over a previously run request, but it is a bit odd.

Web Activity Logs

So lets move on to the Web Activity Log, or WAL, file. This is what a normal WAL file looks like...

Image of partial normal WAL file

Notice that it has columns for Time, Source, Election, User, Machine, Severity, Message and URL. This is just the first dozen, or so, lines from a log file that has tens of thousands of entries.  

Now lets look at the WAL from Coos County...

Coos WAL page 1

That's it.  That's all of it.  

Notice it only has columns for Time, Election, User, Machine and Message.  There are supposed to be 22,221 entries but there are only twenty shown.  

Check out how the time stamp jumps from 2020-09-09 14:13:08 to 2020-11-20 11:33:23 then back to 2020-11-03 22:54 then forward again to 2020-11-20 11:07.  Correct log entries would be in time sequential order.  There are no log entries from September 9th until the two, only two, entries for November 3rd then nothing until November 20th.  This is not a true log file but a not-so-clever ruse to make it look like they are complying with the PRR.

Things that make us curious...

  • The log files were redacted for security reasons.  It is only a security issue if you have your systems open to the outside World.
  • The redaction demand order was probably from higher up the command chain than the Elections Office, County Clerk or County Counsel.
  • The election activity log files had a time stamp jump that implied logging was turned off.
  • The web activity logs had columns removed.
  • The web activity log had time stamps that jumped forward and backwards when normal log files go in time sequential order.

The sheer number of odd instances has us scratching our heads once again in the Curious Case of Coos County.