December 25, 2024

Why seals can't secure elections

Over the last few weeks, I’ve described the chaotic attempts of the State of New Jersey to come up with tamper-indicating seals and a seal use protocol to secure its voting machines.

A seal use protocol can allow the seal user to gain some assurance that the sealed material has not been tampered with. But here is the critical problem with using seals in elections: Who is the seal user that needs this assurance? It is not just election officials: it is the citizenry.

Democratic elections present a uniquely difficult set of problems to be solved by a security protocol. In particular, the ballot box or voting machine contains votes that may throw the government out of office. Therefore, it’s not just the government—that is, election officials—that need evidence that no tampering has occurred, it’s the public and the candidates. The election officials (representing the government) have a conflict of interest; corrupt election officials may hire corrupt seal inspectors, or deliberately hire incompetent inspectors, or deliberately fail to train them. Even if the public officials who run the elections are not at all corrupt, the democratic process requires sufficient transparency that the public (and the losing candidates) can be convinced that the process was fair.

In the late 19th century, after widespread, pervasive, and long-lasting fraud by election officials, democracies such as Australia and the United States implemented election protocols in an attempt to solve this problem. The struggle to achieve fair elections lasted for decades and was hard-fought.

A typical 1890s solution works as follows: At the beginning of election day, in the polling place, the ballot box is opened so that representatives of all political parties can see for themselves that it is empty (and does not contain hidden compartments). Then the ballot box is closed, and voting begins. The witnesses from all parties remain near the ballot box all day, so they can see that no one opens it and no one stuffs it. The box has a mechanism that rings a bell whenever a ballot is inserted, to alert the witnesses. At the close of the polls, the ballot box is opened, and the ballots are counted in the presence of witnesses.

drawing of 1890 polling place
(From Elements of Civil Government by Alexander L. Peterman, 1891)

In principle, then, there is no single person or entity that needs to be trusted: the parties watch each other. And this protocol needs no seals at all!

Democratic elections pose difficult problems not just for security protocols in general, but for seal use protocols in particular. Consider the use of tamper-evident security seals in an election where a ballot box is to be protected by seals while it is transported and stored by election officials out of the sight of witnesses. A good protocol for the use of seals requires that seals be chosen with care and deliberation, and that inspectors have substantial and lengthy training on each kind of seal they are supposed to inspect. Without trained inspectors, it is all too easy for an attacker to remove and replace the seal without likelihood of detection.

Consider an audit or recount of a ballot box, days or weeks after an election. It reappears to the presence of witnesses from the political parties from its custody in the hands of election officials. The tamper evident seals are inspected and removed—but by whom?

If elections are to be conducted by the same principles of transparency established over a century ago, the rationale for the selection of particular security seals must be made transparent to the public, to the candidates, and to the political parties. Witnesses from the parties and from the public must be able to receive training on detection of tampering of those particular seals. There must be (the possibility of) public debate and discussion over the effectiveness of these physical security protocols.

It is not clear that this is practical. To my knowledge, such transparency in seal use protocols has never been attempted.


Bibliographic citation for the research paper behind this whole series of posts:
Security Seals On Voting Machines: A Case Study, by Andrew W. Appel. Accepted for publication, ACM Transactions on Information and System Security (TISSEC), 2011.

Do photo IDs help prevent vote fraud?

In many states, an ID is required to vote. The ostensible purpose is to prevent people from casting a ballot for someone else – dead or alive. Historically, it was also used to prevent poor and minority voters, who are less likely to have government IDs, from voting.

No one would (publicly) admit to the second goal today, so the first is always the declared purpose. But does it work?

In my experience as a pollworker in Virginia, the answer is clearly “no”. There are two basic problems – the rules for acceptable IDs are so broad (so as to avoid disenfranchisement) as to be useless, and pollworkers are given no training as to how to verify an ID.

Let’s start with what Virginia law says. The Code of Virginia 24.2-643 reads in part:

An officer of election shall ask the voter for his full name and current residence address and repeat, in a voice audible to party and candidate representatives present, the full name and address stated by the voter. The officer shall ask the voter to present any one of the following forms of identification: his Commonwealth of Virginia voter registration card, his social security card, his valid Virginia driver’s license, or any other identification card issued by a government agency of the Commonwealth, one of its political subdivisions, or the United States; or any valid employee identification card containing a photograph of the voter and issued by an employer of the voter in the ordinary course of the employer’s business. If the voter’s name is found on the pollbook, if he presents one of the forms of identification listed above, if he is qualified to vote in the election, and if no objection is made, […]

Let’s go through these one at a time.

  • A voter registration card has no photo or signature, and little other identifying information, there’s no way to validate it. Since voters don’t sign the pollbook in Virginia (as they do in some other states), there’s no signature to compare to even if it did have a signature. And since the voter card is just a piece of paper with no watermark, it’s easy to fabricate on a laser printer.
  • A Social Security Card (aside from the privacy issues of sharing the voter’s SSN with the pollworker) is usually marked “not for identification”. And it has no photo or address.
  • A Virginia driver’s license has enough information for identification (i.e., a photo and signature, as well as the voter’s address).
  • Other Virginia, locality, or Federal ID. Sounds good, but I have no clue what all the different possible IDs that fall into this category look like, so I have no idea as a pollworker how to tell whether they’re legitimate or not. (On the positive side, a passport is allowed by this clause – but it doesn’t have an address.)
  • Employee ID card. This is the real kicker. There are probably ten thousand employers in my county. Many of them don’t even follow a single standard for employee IDs (my own employer had several versions until earlier this year, when anyone with an old ID was “upgraded”). I don’t know the name of every employer, much less how to distinguish a valid ID from an invalid one. If the voter’s name and photo are on the card, along with some company name or logo, that’s probably good enough. Any address on the card is going to be of the employer, not the voter.

So if I want to commit fraud (a felony) and vote for someone else (living or dead), how hard is it? Simple: create a laminated ID with company name “Bob’s Plumbing Supply” and the name of the voter to be impersonated, memorize the victim’s address, and that’s all it takes.

Virginia law also allows the voter who doesn’t have an ID with him/her to sign an affidavit that they are who they say they are. Falsifying the affidavit is a felony, but it really doesn’t matter if you’re already committing a felony by voting for someone else.

Now let’s say the laws were tightened to require a driver’s license, military ID, or a passport, and no others (and eliminate the affidavit option). Then at least it would be possible to train pollworkers what an ID looks like. But there are still two problems. First, the law says the voter must present the ID, but it never says what the pollworker must do with it. And second, the pollworkers never receive any training in how to verify an ID – a bouncer at a bar gets more training in IDs than a pollworker safeguarding democracy. In Virginia, when renewing a driver’s license the person has the choice to continue to use the previous picture, or to wait in line a couple hours at a DMV site to get a new picture. Not surprisingly, most voters have old pictures. Mine is ten years old, and dates from when I had a full head of hair and a beard, both of which have long since disappeared. Will a pollworker be able to match the IDs? Probably not – but since no one ever tries, that doesn’t matter. And passports are good for 10 years, so the odds are that picture will be quite old too. I’m really bad at matching faces, so when I’m working as a pollworker I don’t even try.

There are some positive things about requiring an ID. Most voters present their drivers license, frequently without even being asked. If the name is complex or the voter has a heavy accent or the room is particularly noisy, or the pollworker is hard of hearing (or not paying close attention), having the written name is a help. But that’s about it.

So what can we learn from this? Photo ID laws for voting, especially those that allow for company ID cards, are almost useless for preventing voting fraud. It’s the threat of felony prosecution, combined with the fact that the vast majority of voters are honest, that prevents vote fraud… not the requirement for a photo ID.

Internet Voting in Union Elections?

The U.S. Department of Labor (DOL) recently asked for public comment on a fascinating issue: what kind of guidelines should they give unions that want to use “electronic voting” to elect their officers? (Curiously, they defined electronic voting broadly to include computerized (DRE) voting systems, vote-by-phone systems and internet voting systems.)

As a technology policy researcher with the NSF ACCURATE e-voting center, I figured we should have good advice for DOL.

(If you need a quick primer on security issues in e-voting, GMU’s Jerry Brito has just posted an episode of his Surprisingly Free podcast where he and I work through a number of basic issues in e-voting and security. I’d suggest you check out Jerry’s podcast regularly as he gets great guests (like a podcast with CITP’s own Tim Lee) and really digs deep into the issues while keeping it at an understandable level.)

The DOL issued a Request for Information (PDF) that asked a series of questions, beginning with the very basic, “Should we issue e-voting guidelines at all?” The questions go on to ask about the necessity of voter-verified paper audit trails (VVPATs), observability, meaningful recounts, ballot secrecy, preventing flawed and/or malicious software, logging, insider threats, voter intimidation, phishing, spoofing, denial-of-service and recovering from malfunctions.

Whew. The DOL clearly wanted a “brain dump” from computer security and the voting technology communities!

It turns out that labor elections and government elections aren’t as different as I originally thought. The controlling statute for union elections (the LMRDA) and caselaw* that has developed over the years require strict ballot secrecy–such that any technology that could link a voter and their ballot is not allowed–both during voting and in any post-election process. The one major difference is that there isn’t a body of election law and regulation on top of which unions and the DOL can run their elections; for example, election laws frequently disallow campaigning or photography within a certain distance of an official polling place while that would be hard to prohibit in union elections.

After a considerable amount of wrangling and writing, ACCURATE submitted a comment, find it here in PDF. The essential points we make are pretty straightforward: 1) don’t allow internet voting from unsupervised, uncontrolled computing devices for any election that requires high integrity; and, 2) only elections that use voter-verified paper records (VVPRs) subject to an audit process that uses those records to audit the reported election outcome can avoid the various types of threats that DOL is concerned with. The idea is simple: VVPRs are independent of the software and hardware of the voting system, so it doesn’t matter how bad those aspects are as long as there is a robust parallel process that can check the result. Of course, VVPRs are no panacea: they must be carefully stored, secured and transported and ACCURATE’s HCI researchers have shown that it’s very hard to get voters to consistently check them for accuracy. However, those problems are much more tractable than, say, removing all the malware and spyware from hundreds of thousands of voter PCs and mobile devices.

I must say I was a bit surprised to see the other sets of comments submitted, mostly by voting system vendors and union organizations, but also the Electronic Privacy Information Center (EPIC). ACCURATE and EPIC seem to be lone voices in this process “porting” what we’ve learned about the difficulties of running secure civic elections to the labor sphere. Many of the unions talked about how they must have forms of electronic, phone and internet voting as their constituencies are spread far and wide, can’t make it to polling places and are concerned with environmental impacts of paper and more traditional voting methods. Of course, we would counter that accommodations can be made for most of these concerns and still not fundamentally undermine the integrity of union elections.

Both unions and vendors used an unfortunate rhetorical tactic when talking about security properties of these systems: “We’ve run x hundreds of elections using this kind of technology and have never had a problem/no one has ever complained about fraud.” Unfortunately, that’s not how security works. Akin to adversarial processes like financial audits, security isn’t something that you can base predictions of future performance on past results. That is, the SEC doesn’t say to companies that their past 10 years of financials have been in order, so take a few years off. No, security requires careful design, affirmative effort and active auditing to assure that a system doe not violate the properties it claims.

There’s a lot more in our comment, and I’d be more than happy to respond to comments if you have questions.

* Check out the “Court Cases” section of the Federal Register notice linked to above.

Seals on NJ voting machines, March 2009

During the NJ voting-machines trial, both Roger Johnston and I showed different ways of removing all the seals from voting machines and putting them back without evidence of tampering. The significance of this is that one can then install fraudulent vote-stealing software in the computer.

The State responded by switching seals yet again, right in the middle of the trial! They replaced the white vinyl adhesive-tape seal with a red tape seal that has an extremely soft and sticky adhesive. In addition, they proposed something really wacky: they would squirt superglue into the blue padlock seal and into the security screw cap.

Nothing better illustrates the State’s “band-aid approach, where serious security vulnerabilities can be covered over with ad hoc fixes” (as Roger characterizes it) than this. The superglue will interfere with the ability for election workers to (legitimately) remove the seal to maintain the machine. The superglue will make it more difficult to detect tampering, because it goes on in such a variable way that the inspector doesn’t know what’s supposed to be “normal.” And the extremely soft adhesive on the tape seal is extremely difficult to clean up, when the election worker (legitimately) removes it to maintain the machine. Of course, one must clean up all the old adhesive before resealing the voting machine.

Furthermore, Roger demonstrated for the Court that all these seals can still be defeated, with or without the superglue. Here’s the judge’s summary of his testimony about all these seals:


New Jersey is proposing to add six different kinds of seals in nine different locations to the voting machines. Johnston testified he has never witnessed this many seals applied to a system. At most, Johnston has seen three seals applied to high-level security applications such as nuclear safeguards. According to Johnston, there is recognition among security professionals that the effective use of a seal requires an extensive use protocol. Thus, it becomes impractical to have a large number of seals installed and inspected. He testified that the use of a large number of seals substantially decreases security, because attention cannot be focused for a very long time on any one of the seals, and it requires a great deal more complexity for these seal-use protocols and for training.

For more details and pictures of these seals, see “Seal Regime #4” in this paper.

What an expert on seals has to say

During the New Jersey voting machines lawsuit, the State defendants tried first one set of security seals and then another in their vain attempts to show that the ROM chips containing vote-counting software could be protected against fraudulent replacement. After one or two rounds of this, Plaintiffs engaged Dr. Roger Johnston, an expert on physical security and tamper-indicating seals, to testify about New Jersey’s insecure use of seals.

In his day job, Roger is a scientist at the Argonne National Laboratory, working to secure (among other things) our nation’s shipments of nuclear materials. He has many years of experience in the scientific study of security seals and their use protocols, as well as physical security in general. In this trial he testified in his private capacity, pro bono.

He wrote an expert report in which he analyzed the State’s proposed use of seals to secure voting machines (what I am calling “Seal Regime #2” and “Seal Regime #3”). For some of these seals, he and his team of technicians have much slicker techniques to defeat these seals than I was able to come up with. Roger chooses not to describe the methods in detail, but he has prepared this report for the public.

What I found most instructive about Roger’s report (including in version he has released publicly) is that he explains that you can’t get security just by looking at the individual seal. Instead, you must consider the entire seal use protocol:


Seal use protocols are the formal and informal procedures for choosing, procuring, transporting, storing, securing, assigning, installing, inspecting, removing, and destroying seals. Other components of a seal use protocol include procedures for securely keeping track of seal serial numbers, and the training provided to seal installers and inspectors. The procedures for how to inspect the object or container onto which seals are applied is another aspect of a seal use protocol. Seals and a tamper-detection program are no better than the seal use protocols that are in place.

He explains that inspecting seals for evidence of tampering is not at all straightforward. Inspection often requires removing the seal—for example, when you pull off an adhesive-tape seal that’s been tampered with, it behaves differently than one that’s undisturbed. A thorough inspection may involve comparing the seal with microphotographs of the same seal taken just after it was originally applied.

For each different seal that’s used, one can develop a training program for the seal inspectors. Because the state proposed to use four different kinds of seals, it would need four different sets training materials. Training all the workers who would inspect the State’s 10,000 voting machines would be quite expensive. With all those seals, just the seal inspections themselves would cost over $100,000 per election.

His report also discusses “security culture.”


“Security culture” is the official and unofficial, formal and informal behaviors, attitudes, perceptions, strategies, rules, policies, and practices associated with security. There is a consensus among security experts that a healthy security culture is required for effective security….

A healthy security culture is one in which security is integrated into everyday work, management, planning, thinking, rules, policies, and risk management; where security is considered as a key issue at all employee levels (and not just an afterthought); where security is a proactive, rather than reactive activity; where security measures are carefully defined, and frequently reviewed and studied; where security experts are involved in choosing and reviewing security strategies, practices, and products; where the organization constantly seeks proactively to understand vulnerabilities and provide countermeasures; where input on potential security problems are eagerly considered from any quarter; and where wishful thinking and denial is deliberately avoided in regards to threats, risks, adversaries, vulnerabilities, and the insider threat….

Throughout his deposition … Mr. Giles [Director of the NJ Division of Elections] indicates that he believes good physical security requires a kind of band-aid approach, where serious security vulnerabilities can be covered over with ad hoc fixes or the equivalent of software patches. Nothing could be further from the truth.

Roger Johnston’s testimony about the importance of seal use protocols—as considered separately from the individual seals themselves—made a strong impression on the judge: in the remedy that the Court ordered, seal use protocols as defined by Dr. Johnston played a prominent role.