May 25, 2017

NJ Election Day: Voting Machine Status

Today is primary election day in New Jersey, for all races except U.S. President. (The presidential primary was Feb. 5.) Here’s a roundup of the voting-machine-related issues.

First, Union County found that Sequoia voting machines had difficulty reporting results for a candidate named Carlos Cedeño, reportedly because it couldn’t handle the n-with-tilde character in his last name. According to the Star-Ledger, Sequoia says that election results will be correct but there will be some kind of omission on the result tape printed by the voting machine.

Second, the voting machines in my polling place are fitted with a clear-plastic shield over the operator panel, which only allows certain buttons on the panel to be pressed. Recall that some Sequoia machines reported discrepancies in the presidential primary on Feb. 5, and Sequoia said that these happened when poll workers accidentally pressed buttons on the operator panel that were supposed to be unused. This could only have been caused by a design problem in the machines, which probably was in the software. To my knowledge, Sequoia hasn’t fixed the design problem (nor have they offered an explanation that is consistent with all of the evidence – but that’s another story), so there was likely an ongoing risk of trouble in today’s election. The plastic shield looks like a kludgy but probably workable temporary fix.

Third, voting machines were left unguarded all over Princeton, as usual. On Sunday and Monday evenings, I visited five polling places in Princeton and found unguarded voting machines in all of them – 18 machines in all. The machines were sitting in school cafeteria/gyms, entry hallways, and even in a loading dock area. In no case were there any locks or barriers stopping people from entering and walking right up to the machines. In no case did I see any other people. (This was in the evening, roughly between 8:00 and 9:00 PM). There were even handy signs posted on the street pointing the way to the polling place, showing which door to enter, and so on.

Here are some photos of unguarded voting machines, taken on Sunday and Monday:


  1. John Millington says:

    If we ass/u/me the machines are _made_ trustworthy (i.e. reflashed or otherwise forced into a known software configuration, and also inspected by experts(*) for hardware mods, etc) between the time they were unguarded, and the time they were used, does this become ok?

    (*) Heh. Yeah, I know.

  2. That business about not handling Spanish surnames properly smells like a due-process lawsuit waiting to happen, at least to this non-lawyer.

  3. @John Millington:

    It’s one of the very basic security maxims: if an attacker gains physical access to your hardware, you *ARE* screwed.

  4. Faramond says:

    Chris: The problem is not that a Spanish last name was accorded special, disadvantageous treatment to steal votes from the candidate, but that it was accorded special treatment in so far as voting machine operators entered a letter that does not exist in the English alphabet.

    We do not allow that the names of Asian American candidates to be written in their native scripts; Russian Americans’ in Cyrillic; or Scandinavian Americans’ with eths, thorns, and slashes; why should we accord persons with Spanish last names any special treatment?

  5. Michael Donnelly says:

    Peter’s right. Trust me, I know. 😉

    But, honestly, it’s a moot point. Given the shaky software, any kind of malicious attack takes a backseat (!) to general randomness caused by bugs. I can’t believe these machines are being used in a production environment.

  6. C. Hill says:

    In California we use these machines, but they are for disabled folks. We also leave them on site overnight, but employ a system seals that make any use or tampering pretty obvious,

  7. I am an election judge In NC…in our case, the ballot recptacles are left in the voting facility, and we bring in the ballot tabulators (we use an op-scan style paper ballot system) the morning of the election. Nothing may actually be at risk here. I would check with the relevant board of elections to make sure. If these machines are truly at risk, then blow the whistle…..tom

  8. I don’t know where C. Hill is but here in San Diego, California, although we don’t use the Sequoia machines, the voting machines are given to polling place volunteers to take home after their training session the week before the election so they can bring them to the polling place on election day. A friend of mine volunteered to work at a polling place in 2006 and I was shocked when I went to her house on the Saturday before the election to see five electronic voting machines on her living room floor.

  9. John Millington says:

    Peter, I get that, but realistically, they’re never going to be kept secure. Sometime after they leave Sequoia but before they are used, they’re going to sit in some storage somewhere, and it’s going to be prohibitively expensive to guarantee that no one has ever had any opportunity to permanently compromise them.

    *IF* we accept that weakness (that the machines are initially in a not-completely trustworthy state when you get them out of storage), do the operators at least _try_ to force them into a known configuration (regardless of the fact that it might not work)? That’s probably about the best one can do, unless they give up on computerized systems altogether.

  10. … do the operators at least _try_ to force them into a known configuration (regardless of the fact that it might not work)? That’s probably about the best one can do, unless they give up on computerized systems altogether.

    The way to engineer reliable systems out of unreliable components is well-known.

    You use redundancy.

    If you can’t secure a single machine, then the system has to be designed so that multiple machines —with independent custody— must be compromised in order to cause a vote failure. Obviously, it’s easier said than done. It’s rocket science.

    But, on the plus side, computers are no longer machines the size of refrigerators. These days, a person can take home a significant amount of computing power in a package the size of a paperback book. And that much computing power is cheap enough that you an afford to have three or four people take home redundant packages for a single voting station.

  11. Gary Beane says:

    In Colorado, Mike Coffman, the Secretary of State, first decertified all of the voting machines, and then a few months later, after a few changes , the details of which I am not certain, he certified them all as safe to use again. This was within a few weeks of the time when California just decertified their machines. How can these two events occur almost simultaneously? Indeed, many of the machines were Sequoia.

    What are the chances that in our democracy our vote will be inviolable?

  12. That’s funny about the tilde in the name causing problems. I’m the database administrator for the second largest city in our state. Last November I wrote a database and ASP web site for displaying election results. It consists of three parts: A Microsoft SQL Server database, the ASP pages, and an Access database for entering results.

    Note that this is just for displaying data on our web site, this does not record individual votes, we use mark sense systems where the voter fills in the little circle for their candidate. After the polls close, the process is that the city clerk receives the polling place’s results then gives the entry clerk a piece of paper, the clerk keys the results of the polling place into the database, and the web pages are automatically updated when they’re next pulled up.

    It was a lot of fun developing this system, and surprisingly simple: only three tables. But the funny part is that in our last election, one of the candidates had a tilde in their name. I pulled up Microsoft’s character program and it gave me a key code to give that candidate a tilde, all was cool.

    Election night came, no problems occurred. Granted, I’d tested extensively to minimize the risk of the system crashing on election night. But here’s the key bit: if Sequoia had a problem with a tilde in a name, it’s because they designed their system poorly. You never relate tables on something like a name, you relate on numbers whenever possible. I have three tables in my system: Candidates, PollingPlaces, and Votes. Each candidate has a number, each polling place has a number, and the vote table uses those two numbers to record results for each candidate: the only time the name appears is when the web page is loaded.

    *sigh* I hate bad design. I don’t understand how Sequoia and Diebold could muck it up so bad, unless they deliberately wanted insecure systems in order to influence results or they just didn’t care about proper development and wanted to maximize profit.

  13. Did you notice any tamper seals?

    I just worked the June 3 election in California. Scanners & voting machines were left overnight at the polling locations. That said, ALL of them had either numbered seals or numbered tied-type seals on them which had to be matched with your corresponding paperwork and then verified by two poll workers. You could tell if a seal was broken because it would show up as “VOID.”

  14. I do not think they should be left out overnight after the fixed election in 2000, hell Karl Rove is still out there

  15. Anonymous says:

    What about a program that is already in the machine that deletes votes to only
    show McCain votes? Could a machine be programmed before it was sold to
    a state? And how could you check a voting machine to see if it was already