March 28, 2024

What happens when the printed ballot face doesn't match the electronic ballot definition?

Part 4 of 4. Complete 4-part series available here.
The Sequoia AVC Advantage is an old-technology direct-recording electronic voting machine. It doesn’t have a video display; the candidate names are printed on a large sheet of paper, and voters indicate their choices by pressing buttons that are underneath the paper. A “ballot definition” file in an electronic cartridge associates candidate names with the button positions.

Clearly, it had better be the case that the candidate names on the printed paper match the candidate names in the ballot-definition file in the cartridge! Otherwise, voters will press the button for (e.g.,) Cynthia Zirkle, but the computer will record a vote for Vivian Henry, as happened in a recent election in New Jersey.

How do we know that this is what happened? As I reported to the Court in Zirkle v. Henry, the AVC Advantage prints the names of candidates, and how many votes each received, on a Results Report printout on a roll of cash-register tape. The printout reads, in this case,

    I23   Cynthia Zirkle    10
    I24   Ernest Zirkle      9
    J23   Vivian Henry      34
    J24   Mark A. Henry     33


In this election, four candidates are running for two positions in a vote-for-any-two election. Here, J23 indicates that the button at column J, row 23 on the face of the AVC Advantage received 34 votes. The problem was that the poster-size printed paper covering the buttons had the name Cynthia Zirkle printed at position J23. Vivian Henry’s name was printed at position I23. That is, there was a mismatch between the printed paper and the electronic ballot-definition file. Similarly, the positions of Ernest Zirkle and Mark Henry were swapped.
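The cross-check described above, written out as an added example (not code from the post or from any voting-system vendor): it parses the Results Report lines, compares each button position with a transcription of the printed ballot face, and re-credits each button's count to the name voters actually saw. `PRINTED_FACE`, `parse_results_report` and `audit` are hypothetical names, and the I24/J24 face entries are inferred from the post's statement that those two names were likewise swapped.

```python
import re

# Results Report lines exactly as quoted in the post.
RESULTS_REPORT = """\
I23   Cynthia Zirkle      10
I24   Ernest Zirkle         9
J23   Vivian Henry        34
J24   Mark A. Henry      33
"""

# Printed ballot face, keyed by button position (hypothetical transcription).
# J23 and I23 are stated in the post; I24 and J24 follow from its statement
# that Ernest Zirkle and Mark Henry were likewise swapped.
PRINTED_FACE = {
    "J23": "Cynthia Zirkle",
    "J24": "Ernest Zirkle",
    "I23": "Vivian Henry",
    "I24": "Mark A. Henry",
}

LINE = re.compile(r"^\s*([A-Z]\d+)\s+(.+?)\s+(\d+)\s*$")

def parse_results_report(text):
    """Return {position: (name, votes)} from Results Report lines."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        pos, name, votes = m.group(1), m.group(2), int(m.group(3))
        if pos in report:
            raise ValueError(f"position {pos} appears twice")
        report[pos] = (name, votes)
    return report

def audit(report, face):
    """Return (mismatches, votes_by_printed_name).

    mismatches holds (position, printed name, electronic name) wherever the
    paper and the ballot definition disagree, including one-sided positions.
    """
    mismatches, by_printed = [], {}
    for pos in sorted(set(report) | set(face)):
        electronic, votes = report.get(pos, (None, 0))
        printed = face.get(pos)
        if electronic != printed:
            mismatches.append((pos, printed, electronic))
        if printed is not None:
            # Credit the button's count to the name printed over it.
            by_printed[printed] = by_printed.get(printed, 0) + votes
    return mismatches, by_printed
```

On the post's data every one of the four positions is flagged, and the per-name totals come out as 34 and 33 for the Zirkles, the figures both sides stated to the court.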

Rebecca Mercuri told me that until the mid 1990s, the AVC Advantage firmware did not print the row/column numbers at all, so that mismatches like this were harder to detect.

One might think that all is well–there’s a fail-safe mechanism that can catch mistakes (or deliberate fraud) where the paper doesn’t match the electronic file. But in this election, the fail-safe mechanism did not work well at all.

First, there are almost no candidates or pollwatchers out there who know enough to look out for this kind of mismatch. In the Zirkle v. Henry election, Cynthia and Ernest Zirkle couldn’t tell from the documents available to them that the positions were switched. They and their lawyer got 28 (or more) sworn affidavits from citizens who said they voted for the Zirkles, and on that basis they got a court to permit an investigation. In any election that involved significantly more than 43 voters, it’s impractical to get sworn affidavits from everyone who voted for you. This election took place all on one voting machine; in big-time elections one would need to double-check the face of the ballot against the Results Report printout in every single precinct. This is physically possible, but it isn’t easy and independent pollwatchers are not trained to do it. In Zirkle v. Henry this came to light because certain experts got involved, but one can’t count on that in general.

Second, even in this case, the Court was uncomfortable just swapping the votes and declaring the Zirkles to be the winners of the election. That is, both the Plaintiffs (lawyers and expert witness for the Zirkles) and the Defendants (lawyers for the State of New Jersey and the County of Cumberland) stated to the court that they believed that Cynthia and Ernest Zirkle got 34 and 33 votes, respectively. Defendants Vivian and Mark Henry, representing themselves, took the position that a new election should be held.

In his ruling, the Court (Judge David Krell) said,

Based on all of the above, it is clear that the election at issue was defective and must be voided by the Court. While I do believe I have the authority to certify the Plaintiffs as the winners, I do not feel that this is the ideal result in this matter. … Accordingly, I am ordering a new election to be conducted.

If there was ever a case in which these row-and-column numbers could clearly indicate who won an election, this was it. And yet a very reasonable judge is uncomfortable using this information to declare a winner, and instead orders a new election.

Ordering a new election is not at all unreasonable, but it is important to remember that a new election can have its own problems. Citizens who came out to vote the first time may not have the time or inclination to vote again, and if so their (previous) legitimate exercise of the franchise is being devalued. Or, some who did not bother to vote the first time may take advantage of the “do-over.”

It is instructive to consider what would have happened if a similar kind of error had happened with optical-scan voting. It’s certainly possible that the position of names on the op-scan paper ballot might not match the programming of the optical-scan ballot-counter. In this case, the results would come out reversed just as they did in Zirkle v. Henry. But the Court would have simply ordered a recount, by hand, of the original paper ballots. Those ballots would have clearly shown the true result. No experts, and no do-over election, would have been necessary at all.

Will the NJ Attorney General investigate the NJ Attorney General?

Part 3 of 4
In my recent posts I wrote about my discovery that (apparently) a County employee tampered with evidence in a computer that the NJ Superior Court had Ordered the County to present for examination. I described this discovery to the Court (Judge David E. Krell); and then a County employee did admit deleting files. Judge Krell was very concerned about this possible spoliation of evidence. In his Order signed September 9, 2011, he wrote,

“AND IT IS FURTHER ORDERED that the court recommends that the New Jersey Attorney General (New Jersey Department of Law and Public Safety), Division of Criminal Justice, undertake an investigation of … the deletion of files on August 16, 2011, from the Board’s laptop computer … by the County’s computer technician who is responsible for servicing the Board’s computers.”

During the hearing on September 1, Plaintiffs’ attorneys pointed out that the New Jersey Attorney General’s office had been co-counsel for the Defendants in Zirkle v. Henry. This means that lawyers from the AG’s office had very possibly advised the County employees before and after the evidence was erased. Plaintiffs’ attorneys pointed out that this would mean that Judge Krell was asking the Attorney General’s office to investigate itself. Plaintiffs asked the Court to appoint a Special Master.

Judge Krell explained why he was not inclined to do that. He said, “My understanding is Criminal Justice is totally separate from the Civil part of [the Attorney General’s] office.” That is, during the hearing the Judge stated his belief that the Division of Criminal Justice in the NJ Department of Law and Public Safety is sufficiently independent from the Division of Law in the Department of Law and Public Safety, such that it can properly investigate the possibility of criminal tampering of evidence in which attorneys from the Division of Law might have had a role.

I hope Judge Krell is right about that.

Did NJ election officials fail to respect court order to improve security of elections?

Part 2 of 4
The Gusciora case was filed in 2004 by the Rutgers Constitutional Litigation Clinic on behalf of Reed Gusciora and other public-interest plaintiffs. The Plaintiffs sought to end the use of paperless direct-recording electronic voting machines, which are very vulnerable to fraud and manipulation via replacement of their software. The defendant was the Governor of New Jersey, and as governors came and went it was variously titled Gusciora v. McGreevey, Gusciora v. Corzine, and Gusciora v. Christie.

In 2010 Judge Linda Feinberg issued an Opinion. She did not ban the machines, but ordered the State to implement several kinds of security measures: some to improve the security of the computers on which ballots are programmed (and results are tabulated), and some to improve the security of the computers inside the voting machines themselves.

The Plaintiffs had shown evidence that ballot-programming computers (the so-called “WinEDS laptops”) in Union County had been used to surf the Internet even on election day in 2008. This, combined with many other security vulnerabilities in the configuration of Microsoft Windows, left the computers open to intrusion by outsiders, who could then interfere with and manipulate the programming of ballots before their installation on the voting machines, or manipulate the aggregation of results after the elections. Judge Feinberg also heard testimony that so-called “Hardening Guidelines”, which had previously been prepared by Sequoia Voting Systems at the request of the State of California, would help close some of these vulnerabilities. Basically, one wipes the hard drive clean on the “WinEDS laptop”, installs a fresh copy of Microsoft Windows, runs a script to shut down Internet access and generally tighten the Windows security configuration, and finally installs a fresh copy of the WinEDS ballot software. The Court also heard testimony (from me) that installing these Guidelines requires experience in Windows system administration, and would likely be beyond the capability of some election administrators.

Among the several steps the Court ordered in 2010 was the installation of these Hardening Guidelines on every WinEDS ballot-programming computer used in public elections, within 120 days.

Two years after I testified in the Gusciora case, I served as an expert witness in a different case, Zirkle v. Henry, in a different Court, before Judge David Krell. I wanted to determine whether an anomaly in the June 2011 Cumberland County primary election could have been caused by an intruder from the Internet, or whether such intrusion could reasonably be ruled out. Thus, the question of whether Cumberland County’s WinEDS laptop was in compliance with Judge Feinberg’s Order became relevant. That is, had the Hardening Guidelines been installed before the ballot programming was done for the election in question? If so, what would the event logs say about the use of that machine as the ballot cartridges were programmed?

One of the components of the Hardening Guidelines is to turn on certain Event Logs in the Windows operating system. So, during my examination of the WinEDS laptop on August 17, I opened the Windows Event Viewer and photographed screen-shots of the logs. To my surprise, the logs commenced on the afternoon of August 16, 2011, the day before my examination. Someone had wiped the logs clean, at the very least, or possibly on August 16 someone had wiped the entire hard drive clean in installing the Hardening Guidelines. In either case, evidence in a pending court case–files on a computer that the State of New Jersey and County of Cumberland had been ordered to produce for examination–was erased. I’m told that evidence-tampering is a crime. In an affidavit dated August 24, Jason Cossaboon, a Computer Systems Analyst employed by Cumberland County, stated that he erased the event logs on August 16.
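The observation above, that the logs begin only the day before the examination, can be made as a repeatable check over exported event-log records. The following is an added example, not part of the original post or the examination it describes: the records are constructed, `log_coverage` and `uncovered_logs` are hypothetical names, and the required start date is an assumption because the post gives only the election month.

```python
from datetime import datetime

# Constructed sample of exported records: (log name, event ID, timestamp).
# Times are invented; only the dates 16 and 17 August 2011 come from the post.
RECORDS = [
    ("Security", 517, "2011-08-16 14:05:11"),
    ("Security", 528, "2011-08-16 14:07:40"),
    ("System", 6005, "2011-08-16 14:06:02"),
    ("System", 7036, "2011-08-17 09:12:30"),
    ("Application", 1000, "2011-08-16 15:20:00"),
]

# Assumption: the logs should reach back at least to the election month.
# The post gives only "June 2011", so the first of the month stands in.
MUST_COVER_FROM = datetime(2011, 6, 1)

# IDs Windows records when a log is cleared: 517 (Security, XP/2003),
# 1102 (Security, Vista and later), 104 (System, Vista and later).
# The post does not say which Windows version the laptop ran.
CLEAR_EVENTS = {("Security", 517), ("Security", 1102), ("System", 104)}

def log_coverage(records, must_cover_from):
    """Per log: earliest record, whether it covers the period, clear events."""
    summary = {}
    for log, event_id, stamp in records:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        entry = summary.setdefault(log, {"first": when, "cleared_at": []})
        entry["first"] = min(entry["first"], when)
        if (log, event_id) in CLEAR_EVENTS:
            entry["cleared_at"].append(when)
    for entry in summary.values():
        entry["covers_period"] = entry["first"] <= must_cover_from
        entry["cleared_at"].sort()
    return summary

def uncovered_logs(summary):
    """Names of logs whose earliest record postdates the required period."""
    return sorted(log for log, e in summary.items() if not e["covers_period"])
```

A late first record alone does not say whether the logs were cleared or the whole disk was reinstalled, the two possibilities the post raises.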

Robert Giles, Director of the New Jersey Division of Elections, was present during my examination on August 17. Mr. Giles submitted to Judge David Krell an affidavit dated August 25 describing the steps he had taken to achieve compliance with Judge Feinberg’s Order. He writes, “The Sequoia hardening manual was sent, by email, to the various county election offices on March 29, 2010. To my knowledge, the hardening process was completed by the affected counties by the required deadline of June 1, 2010.” Mr. Giles does not say anything about how he acquired the “knowledge” that the process was completed.

Mr. Giles was present in Judge Feinberg’s courtroom in 2009 when I testified that the Hardening Guidelines are not simple to install and would typically require someone with technical training or experience. And yet he then pretended to discharge the State’s duty of compliance with Judge Feinberg’s Order by simply sending a mass e-mail to county election officials. Judge Feinberg herself said that sending an e-mail was not enough; a year later, Mr. Giles has done nothing more. In my opinion, this is disrespectful to the Court, and to the voters of New Jersey.

NJ election cover-up

Part 1 of 4
During the June 2011 New Jersey primary election, something went wrong in Cumberland County, which uses Sequoia AVC Advantage direct-recording electronic voting computers. From this we learned several things:

  1. New Jersey court-ordered election-security measures have not been effectively implemented.
  2. There is a reason to believe that New Jersey election officials have destroyed evidence in a pending court case, perhaps to cover up the noncompliance with these measures or to cover up irregularities in this election. There is enough evidence of a cover-up that a Superior Court judge has referred the matter to the State prosecutor’s office.
  3. Like any DRE voting machine, the AVC Advantage is vulnerable to software-based vote stealing by replacing the internal vote-counting firmware. That kind of fraud probably did not occur in this case. But even without replacing the internal firmware, the AVC Advantage voting machine is vulnerable to the accidental or deliberate swapping of vote-totals between candidates. It is clear that the machine misreported votes in this election, and both technical and procedural safeguards proved ineffective to fully correct the error.

Cumberland County is in the extreme southern part of New Jersey, a three-hour drive south of New York. In follow-up posts I’ll explain my 3 conclusions. In the remainder of this post, I’ll quote verbatim from the Honorable David E. Krell, the Superior Court judge in Cumberland County. This is his summary of the case, taken from the trial transcript of September 1, 2011, in the matter of Zirkle v. Henry.


Why seals can't secure elections

Over the last few weeks, I’ve described the chaotic attempts of the State of New Jersey to come up with tamper-indicating seals and a seal use protocol to secure its voting machines.

A seal use protocol can allow the seal user to gain some assurance that the sealed material has not been tampered with. But here is the critical problem with using seals in elections: Who is the seal user that needs this assurance? It is not just election officials: it is the citizenry.

Democratic elections present a uniquely difficult set of problems to be solved by a security protocol. In particular, the ballot box or voting machine contains votes that may throw the government out of office. Therefore, it’s not just the government—that is, election officials—that needs evidence that no tampering has occurred, it’s the public and the candidates. The election officials (representing the government) have a conflict of interest; corrupt election officials may hire corrupt seal inspectors, or deliberately hire incompetent inspectors, or deliberately fail to train them. Even if the public officials who run the elections are not at all corrupt, the democratic process requires sufficient transparency that the public (and the losing candidates) can be convinced that the process was fair.

In the late 19th century, after widespread, pervasive, and long-lasting fraud by election officials, democracies such as Australia and the United States implemented election protocols in an attempt to solve this problem. The struggle to achieve fair elections lasted for decades and was hard-fought.

A typical 1890s solution works as follows: At the beginning of election day, in the polling place, the ballot box is opened so that representatives of all political parties can see for themselves that it is empty (and does not contain hidden compartments). Then the ballot box is closed, and voting begins. The witnesses from all parties remain near the ballot box all day, so they can see that no one opens it and no one stuffs it. The box has a mechanism that rings a bell whenever a ballot is inserted, to alert the witnesses. At the close of the polls, the ballot box is opened, and the ballots are counted in the presence of witnesses.

[Figure: drawing of 1890 polling place. From Elements of Civil Government by Alexander L. Peterman, 1891.]

In principle, then, there is no single person or entity that needs to be trusted: the parties watch each other. And this protocol needs no seals at all!

Democratic elections pose difficult problems not just for security protocols in general, but for seal use protocols in particular. Consider the use of tamper-evident security seals in an election where a ballot box is to be protected by seals while it is transported and stored by election officials out of the sight of witnesses. A good protocol for the use of seals requires that seals be chosen with care and deliberation, and that inspectors have substantial and lengthy training on each kind of seal they are supposed to inspect. Without trained inspectors, it is all too easy for an attacker to remove and replace the seal without likelihood of detection.

Consider an audit or recount of a ballot box, days or weeks after an election. The box returns to the presence of witnesses from the political parties after being in the custody of election officials. The tamper-evident seals are inspected and removed—but by whom?

If elections are to be conducted by the same principles of transparency established over a century ago, the rationale for the selection of particular security seals must be made transparent to the public, to the candidates, and to the political parties. Witnesses from the parties and from the public must be able to receive training on detection of tampering of those particular seals. There must be (the possibility of) public debate and discussion over the effectiveness of these physical security protocols.

It is not clear that this is practical. To my knowledge, such transparency in seal use protocols has never been attempted.


Bibliographic citation for the research paper behind this whole series of posts:
Security Seals On Voting Machines: A Case Study, by Andrew W. Appel. Accepted for publication, ACM Transactions on Information and System Security (TISSEC), 2011.