April 27, 2024

Security Seals on AVC Advantage Voting Machines are Easily Defeated

On September 2, 2008, I submitted a report to the New Jersey Superior Court, demonstrating that the DRE voting machines used in New Jersey are insecure: it is easy to replace the vote-counting program with one that fraudulently shifts votes from one candidate to another.

In Section 10 of my report, I explained that

  1. There are no security seals on New Jersey’s AVC Advantages that prevent removal of the circuit-board cover;

  2. Even if there were security seals, physical security seals are easily defeated and would not significantly increase the security of elections in New Jersey.

  3. And in conclusion, one cannot achieve trustworthy elections solely by trying to ensure that a particular computer program is installed in the voting machine.

In October 2008, the State of New Jersey (and Sequoia Voting Systems) reacted by installing new security seals on the circuit board cover of voting machines in New Jersey. That is, they reacted to point 1 and ignored points 2 and 3.

In December 2008 I submitted to the Court a new report, and a new video, demonstrating how New Jersey’s new security seals can be removed and replaced without leaving evidence of tampering. It took me about 7 minutes the first time I tried it; I estimate it would take less than half that time with practice.

The video available here is now available in a compressed mp4 format, though it still takes a while to load.

Voting Machines are Silent in Princeton Today

In my recent report on the Sequoia AVC Advantage DRE voting machine, I explained (in Section 32) that the AVC Advantage makes a chirping sound when the pollworker activates the machine to accept a vote, and makes the sound again when the voter presses the CAST VOTE button. An important purpose of this sound is to alert all witnesses in the room that a vote is being cast. This makes it harder for people to cast extra votes on the machine. This idea goes back a hundred years: equip the voting machine (or even a simple ballot box) with a bell that rings every time a ballot is cast. In my report I wrote that the AVC Advantage’s chirping sound is not as loud as it should be.

This morning when I voted in Princeton, New Jersey, the chirping sound was not heard at all. When the AVC Advantage machines were activated to vote, and when the voters pressed the CAST VOTE button, there was no sound at all. Configuring the machines in this way is not a good idea. It makes the voters more uncertain about whether their vote was cast, and it makes it easier to inadvertently or deliberately cast extra votes.

UPDATE: Other machines in Princeton are making sounds. Also, some voters who used these very same machines report hearing sounds. So at this point I don’t believe that it’s a county-wide configuration issue. It may be a local, temporary malfunction of the little speaker in the operator panel, or it may be something else.

Repeated voting, though made easier by the absence of a sound, would still require collusion with the pollworker standing outside the voting machine. Such collusion does not require criminal intent. It may take the form,

  Voter: I’m not sure my vote registered.
  Pollworker: OK, I’ll activate the machine again just to make sure.

This scenario is not as far-fetched as you might think.

UPDATE 2: Another voter reports that when she voted later in the day at a different location in Princeton, she listened carefully (when pressing the CAST VOTE button) for the sound, but did not hear it. In both my case and hers, the CAST VOTE button was lit before we pressed it, so presumably our votes did count, if the manufacturer’s standard firmware was installed in the AVC Advantage.

Louisiana Re-enfranchises Independent Voters

Two weeks ago I wrote that independent voters were disenfranchised in the Louisiana Congressional primaries: unclear or incorrect instructions by the Secretary of State to the pollworkers caused thousands of independent voters to be incorrectly precluded from voting in the open Democratic primary on October 4th.

Today I am told that Secretary of State Jay Dardenne has corrected the problem. Earl Schmitt, a “Commissioner in Charge” (head precinct pollworker) in the 15th ward of New Orleans, reports that all pollworkers were recently brought in for a two-hour training meeting. They were given clear instructions that independent voters are to be given a ticket marked “Democrat” that permits them to vote in today’s Democratic runoff primary election. (Because of a hurricane, the original September 6th primary was postponed to October 4th, and both parties’ runoff primaries are being held today, along with the Obama vs. McCain presidential election. The Democratic Party is permitting independents to vote in their primary; the Republican Party is not. The general election for congressional seats in Louisiana will be December 6th.)

I am happy that the Secretary of State moved quickly to retrain pollworkers. It’s not that no harm was done–after all, those independent voters might have made a difference in which candidates advanced to the runoff–but better late than never, in improving the administration of our elections.

Clarification: Only 2 of Louisiana’s 7 congressional districts required a runoff primary; the other 5 held their congressional general election on Nov. 4th.

Independent Voters Disenfranchised in Louisiana

Louisiana held a Congressional primary election on October 4th, 2008. In the 4th-Congressional-district Democratic Primary, there were four candidates; the two candidates with the most votes advanced to the runoff. The margin between the second (advancing) candidate and the third (nonadvancing) candidate was 1,484 votes. But, as I will explain, at least 2,167 voters, and probably more than 5,000 voters, were wrongly prevented from voting in the Democratic primary. This disenfranchisement appears to result from incorrect or unclear instructions given by the Secretary of State to the pollworkers at all the individual precincts.

In Louisiana the Republican Party held a closed primary; that is, only those voters registered as Republicans could vote. The Democratic Party held an open primary; that is, the party allowed Democratic and Independent voters to vote in the Democratic congressional primary. Members of the Green Party, Reform Party, and Libertarian Party were not permitted to vote in the Democratic Primary. However, there were some races on the ballot other than the Congressional Primary election: for example, any voter in Shreveport could vote in the election for City Marshal.

On election day there were reports that when Independent voters pressed the button on the voting machine for a candidate in the Democratic congressional primary, nothing happened. In effect, these voters said that they were prevented from voting in the Democratic Congressional primary. This did not conform to the election law, because it did not respect the Democratic Party’s choice to hold an open primary.

Caddo Parish, in the 4th Congressional district, uses Sequoia AVC Advantage version 9.00H direct-recording electronic voting machines. I am very familiar with this model of voting computer, since I performed an in-depth study of these machines in New Jersey. The way these AVC Advantage voting computers work in a Louisiana primary election is this: Each voter, when he or she signs in to vote, is handed a ticket. The ticket indicates which primary election the voter is entitled to participate in. When the voter hands this ticket to the Commissioner (pollworker) who stands by the voting machine, the Commissioner presses an “option switch” button that selects which contests on the ballot that voter is permitted to vote in. The “option switch” button is sometimes called a “lockout” button, because it “locks out” some contests from the voter. For example, if the voter hands in a ticket marked REPUBLICAN, the Commissioner presses a REPUB lockout button. Then the Democratic primary ballot is “locked out” (so those buttons have no effect), and the Republican primary ballot is active. Or, if a registered Democrat approaches the polls, he or she gets a ticket marked DEMOCRAT: the operator pushes the DEM lockout button. This locks out the Republican primary ballot, and activates the Democratic primary ballot. Finally, a registered voter in the Green Party, Reform Party, or Libertarian party gets a ticket marked “No Party.” The Commissioner then presses the option switch marked “Others.” This locks out both primary ballots, so this voter can vote only in contests such as City Marshal.

With this combination of technological setup plus election law, it is clear that the pollworkers at the sign-in desk should hand Independent voters a ticket marked “DEMOCRAT.” Only this way can they vote in the Democratic primary. It won’t do to hand them a ticket marked “No Party” and then have the Commissioner press the “DEMOCRAT” button, because this solution won’t properly handle the Green, Reform, and Libertarian voters. So the question is, “Did the Secretary of State effectively instruct and train the Commissioners so that Independent voters were permitted to vote in the Democratic Primary?” He did not, as I will show.

When the polls are closed, the AVC Advantage prints out a paper tape (like a cash register tape) listing how many votes each candidate got. But in addition the computer prints out a list of “Option Switch Totals”, indicating how many voters were permitted to vote in each of the primary elections on the ballot. That is, the “Option Switch Totals” show how many times the Commissioner pressed each one of the “DEM”, “REPUB”, and “Others” buttons.

On October 15th, 2008 I visited Caddo Parish’s voting-machine warehouse in Shreveport. I examined all the paper-tape “results report” printouts from the approximately 400 voting machines used in the entire Parish (a parish in Louisiana corresponds to a county in other states). I added up how many voters voted with the “Other” option-switch setting. All of these voters were “locked out” of both the Democratic and Republican Congressional primaries.

In all, 2,167 voters in Caddo Parish voted with the Other option switch. These voters were not able to record a vote in either the Democratic or Republican party primary, that is, they were “locked out” of voting in the Democratic Congressional Primary. The vast majority of these 2,167 locked-out voters are Independents, because Party registration for the Green Party, the Libertarian Party, and Reform Party is negligible. For example, the Green Party has only 1,064 registered voters in the entire State of Louisiana (7 Congressional districts). In contrast, there are about 80,000 Independent voters in the 4th Congressional district alone. Thus, almost all of the 2,167 voters in Caddo Parish who were locked out were almost certainly Independents.

Some independent voters approached the polls and were told that independent voters were not permitted to vote in the Democratic Congressional Primary. Some of these voters left the polling place without signing in to vote. These voters were disenfranchised as well, in addition to the 2,167 that we can count in the option-switch numbers.

Caddo Parish contains about 40% of the voters of the entire 4th Congressional district. If the same proportion of Independent voters were locked out of the Democratic primary in the other parts of the district, that means that more than 5,000 Independent voters were illegally disenfranchised from voting in the Democratic primary. Since the margin between winning and losing candidates was 1,484, that means the number of disenfranchised voters was larger than the margin of victory. Those voters could have changed the outcome of the election, if they had been lawfully permitted to vote.

Louisiana holds its runoff primary election (for both parties) on November 4th. Once again, the Democratic Party is holding an open primary, and the Republican Party is holding a closed primary. I urge the Secretary of State of Louisiana to give clear instructions to Commissioners of precincts, as follows:

“Independent voters are to be given a ticket marked DEMOCRAT. Democratic voters are to be given a ticket marked DEMOCRAT. Republican voters are to be given a ticket marked REPUBLICAN. Green Party, Reform Party, and Libertarian Party voters are to be given a ticket marked NO PARTY.”
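The lockout logic and the option-switch audit described in this post, modelled as an added Python example (not code from the report or from the voting machine). The function names, the precinct roll, and the assumption that every setting leaves the City Marshal contest active are constructed for illustration; `ticket_as_practiced` models the sign-in behaviour that the “Others” totals imply.

```python
from collections import Counter

# Ticket -> option switch the Commissioner presses -> contests left active.
SWITCH_FOR_TICKET = {"DEMOCRAT": "DEM", "REPUBLICAN": "REPUB", "NO PARTY": "Others"}
ACTIVE_CONTESTS = {
    "DEM": {"Democratic primary", "City Marshal"},
    "REPUB": {"Republican primary", "City Marshal"},
    "Others": {"City Marshal"},  # both primary ballots locked out
}
MINOR_PARTIES = {"Green", "Reform", "Libertarian"}

def ticket_as_practiced(registration):
    """Assumed sign-in behaviour implied by the totals: Independents get NO PARTY."""
    if registration == "Democrat":
        return "DEMOCRAT"
    if registration == "Republican":
        return "REPUBLICAN"
    return "NO PARTY"

def ticket_as_urged(registration):
    """The instruction urged in the post: Independents get a DEMOCRAT ticket."""
    if registration == "Independent":
        return "DEMOCRAT"
    return ticket_as_practiced(registration)

def option_switch_totals(voters, ticket_policy):
    """Counts of each option-switch press, as listed on the results tape."""
    return Counter(SWITCH_FOR_TICKET[ticket_policy(r)] for r in voters)

def locked_out_independents(voters, ticket_policy):
    """Independents whose switch setting leaves the Democratic primary inactive."""
    return sum(
        1 for r in voters
        if r == "Independent"
        and "Democratic primary"
        not in ACTIVE_CONTESTS[SWITCH_FOR_TICKET[ticket_policy(r)]]
    )

def others_exceeds_minor_party_roll(totals, voters):
    """Audit check: 'Others' presses should not exceed minor-party sign-ins."""
    minor = sum(1 for r in voters if r in MINOR_PARTIES)
    return totals["Others"] > minor

# Constructed precinct sign-in roll (not data from the Caddo Parish tapes).
PRECINCT = (["Democrat"] * 120 + ["Republican"] * 90 + ["Independent"] * 25
            + ["Green"] * 1 + ["Libertarian"] * 2)
```

Run against real tapes, the same check compares each machine's “Others” total with the number of minor-party voters in the precinct's sign-in book.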

Report on the Sequoia AVC Advantage

Today I am releasing an in-depth study of the Sequoia AVC Advantage direct-recording electronic (DRE) voting machine, available at citp.princeton.edu/voting/advantage. I led a team of six computer scientists in a monthlong examination of the source code and hardware of these voting computers, which are used in New Jersey, Pennsylvania, and other states.

The Rutgers Law School Constitutional Litigation Clinic filed a lawsuit seeking to decommission all of New Jersey’s voting computers, and asked me to serve as an expert witness. This year the Court ordered the State of New Jersey and Sequoia Voting Systems to provide voting machines and their source code for me to examine. By Court Order, I can release the report no sooner than October 17th, 2008.

Accompanying the report is a video and a FAQ.

Executive Summary

I. The AVC Advantage 9.00 is easily “hacked” by the installation of fraudulent firmware. This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this “hack” takes just 7 minutes to perform.

The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do. The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously.

II. Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges. The virus can steal the votes of blind voters, can cause AVC Advantages in targeted precincts to fail to operate, or can cause WinEDS software to tally votes inaccurately. (WinEDS is the program, sold by Sequoia, that each County’s Board of Elections uses to add up votes from all the different precincts.)

III. Design flaws in the user interface of the AVC Advantage disenfranchise voters, or violate voter privacy, by causing votes not to be counted, and by allowing pollworkers to commit fraud.

IV. AVC Advantage Results Cartridges can be easily manipulated to change votes, after the polls are closed but before results from different precincts are cumulated together.

V. Sequoia’s sloppy software practices can lead to error and insecurity. Wyle’s Independent Testing Authority (ITA) reports are not rigorous, and are inadequate to detect security vulnerabilities. Programming errors that slip through these processes can miscount votes and permit fraud.

VI. Anomalies noticed by County Clerks in the New Jersey 2008 Presidential Primary were caused by two different programming errors on the part of Sequoia, and had the effect of disenfranchising voters.

VII. The AVC Advantage has been produced in many versions. The fact that one version may have been examined for certification does not give grounds for confidence in the security and accuracy of a different version. New Jersey should not use any version of the AVC Advantage that it has not actually examined with the assistance of skilled computer-security experts.

VIII. The AVC Advantage is too insecure to use in New Jersey. New Jersey should immediately implement the 2005 law passed by the Legislature, requiring an individual voter-verified record of each vote cast, by adopting precinct-count optical-scan voting equipment.