April 18, 2014

avatar

Joisy on my mind

Like everyone interested in the mechanics of elections, I’ve been fascinated by the New Jersey efforts to allow voters to request and submit ballots via email. In this posting, I’d like to address four brief points that I don’t think have received much attention – the first two policy, and the last two technical.

First, the New Jersey directives have been inconsistent in how they’ve treated the requirement for returning paper copies of ballots submitted by email. For good reasons, New Jersey law requires that hardcopies be submitted to the local elections office, to be postmarked not later than election day. But some of the releases from the Lieutenant Governor’s office have mentioned this requirement, and others have been silent. In particular, the final release, put out mid-afternoon on Election Day, says nothing about the topic, when it extended the deadline for returning the email copy to the end of Friday. I expect that the majority of email ballots will not have corresponding hardcopies returned, which should (if the law is followed) result in the email copies being discarded.
[Read more...]

avatar

Tim Lee Reporting on NJ Email-Assisted Voting

Earlier this week, Professor Andrew Appel posted that “NJ Lt. Governor invites voters to submit invalid ballots“. Andrew has been offering updates at the bottom of his post since then. Professor Ed Felten also summarized the state of “New Jersey Voting in the Aftermath of Hurricane Sandy,” concluding that, “I would strongly oppose any long-term move toward online voting, but I can see the point of allowing limited email+hardcopy voting for displaced voters under these very unusual circumstances.”

This morning, Tim Lee (an alumnus of of CITP) wrote on Ars Technica that:

…anecdotal evidence is starting to trickle in that the system isn’t working as well as organizers had hoped. One address used to request ballots was not even accepting e-mail late Tuesday morning. And in another county, an election official responded to problems with the county e-mail system by inviting voters to send ballot requests to his personal Hotmail address.

[Read more...]

avatar

New Jersey Voting in the Aftermath of Hurricane Sandy

Hurricane Sandy has disrupted many aspects of life here in New Jersey. Even beyond the physical destruction, the state’s infrastructure is still coming back on line. Many homes are still without power and heat, and some roads are closed. Schools were closed all of last week, and some will be closed for longer.

Sandy has also disrupted plans for Tuesday’s election. The election cannot be rescheduled, so we have to find a way to let people vote. Here in Princeton, 63% of the voting districts will vote in temporary, relocated polling places.

In response to the electoral challenges, New Jersey Lieutenant Governor Kim Guadagno has issued three orders (1, 2, 3), decreeing changes in voting procedures:
[Read more...]

avatar

NJ Lt. Governor invites voters to submit invalid ballots

On November 3rd, the Lieutenant Governor of New Jersey issued a directive, well covered in the media, permitting storm-displaced New Jersey voters to vote by e-mail.  The voter is to call or e-mail the county clerk to request an absentee ballot by e-mail or fax, then the voter returns the ballot by e-mail or fax:

“The voter must transmit the signed waiver of secrecy along with the voted ballot by fax or e-mail for receipt by the applicable county board of election no later than November 6, 2012 at 8 p.m.”

We see already one problem:  The loss of the secret ballot.  At many times in the 20th century, NJ political machines put such intense pressure on voters that the secret ballot was an important protection.  In 2012 it’s in the news that some corporations are pressuring their employees to vote in certain ways.  The secret ballot is still critical to the functioning of democracy.

But there’s a much bigger problem with the Lt. Gov. Kim Guadagno’s directive:  If voters and county clerks follow her instructions, their votes will be invalid.
[Read more...]

avatar

Report on the Sequioa AVC Advantage

Today I am releasing an in-depth study of the Sequoia AVC Advantage direct-recording electronic (DRE) voting machine, available at citp.princeton.edu/voting/advantage. I led a team of six computer scientists in a monthlong examination of the source code and hardware of these voting computers, which are used in New Jersey, Pennsylvania, and other states.

The Rutgers Law School Constitutional Litigation Clinic filed a lawsuit seeking to decommission of all of New Jersey’s voting computers, and asked me to serve as an expert witness. This year the Court ordered the State of New Jersey and Sequoia Voting Systems to provide voting machines and their source code for me to examine. By Court Order, I can release the report no sooner than October 17th, 2008.

Accompanying the report is a video and a FAQ.

Executive Summary

I. The AVC Advantage 9.00 is easily “hacked” by the installation of fraudulent firmware. This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this “hack” takes just 7 minutes to perform.

The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do. The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously.

II. Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges. The virus can steal the votes of blind voters, can cause AVC Advantages in targeted precincts to fail to operate; or can cause WinEDS software to tally votes inaccurately. (WinEDS is the program, sold by Sequoia, that each County’s Board of Elections uses to add up votes from all the different precincts.)

III. Design flaws in the user interface of the AVC Advantage disenfranchise voters, or violate voter privacy, by causing votes not to be counted, and by allowing pollworkers to commit fraud.

IV. AVC Advantage Results Cartridges can be easily manipulated to change votes, after the polls are closed but before results from different precincts are cumulated together.

V. Sequoia’s sloppy software practices can lead to error and insecurity. Wyle’s Independent Testing Authority (ITA) reports are not rigorous, and are inadequate to detect security vulnerabilities. Programming errors that slip through these processes can miscount votes and permit fraud.

VI. Anomalies noticed by County Clerks in the New Jersey 2008 Presidential Primary were caused by two different programming errors on the part of Sequoia, and had the effect of disenfranchising voters.

VII. The AVC Advantage has been produced in many versions. The fact that one version may have been examined for certification does not give grounds for confidence in the security and accuracy of a different version. New Jersey should not use any version of the AVC Advantage that it has not actually examined with the assistance of skilled computer-security experts.

VIII. The AVC Advantage is too insecure to use in New Jersey. New Jersey should immediately implement the 2005 law passed by the Legislature, requiring an individual voter-verified record of each vote cast, by adopting precinct-count optical-scan voting equipment.