New Jersey has attempted six “Seal regimes” to protect their voting machines. Two new reports demonstrate the inadequacies of the seals and associated procedures. The reports document court testimony and contain sometimes graphic demonstrations of how easily various “tamper evident” seals can be compromised. [May not be deemed appropriate reading for officials and voters in some Connecticut towns]
Nothing like this could happen in Connecticut! Unlike New Jersey, we have no enforceable standards. See our editorial below.
The Reports
Security seals on voting machines: a case study, by Andrew W. Appel”Security seals on voting machines: a case study”, by Andrew W. Appel, Princeton University
Insecurity of New Jersey’s seal protocols for voting machines, by Roger G. Johnston
From Johnston:
In 2008 and 2009 the plaintiffs in the New Jersey voting-machine lawsuit, Gusciora v. Corzine, asked me to study the use of tamper-indicating security seals proposed by the New Jersey Division of Elections to secure their voting machines. In this paper I am making some of my assessments available to the public.
I found that the proposed seals and security measures are insufficient to guarantee election integrity. The skills, time, and resources to spoof these seals and security measures are not a major barrier to an adversary, and are, in fact, widely available. The design of the AVC Advantage voting machines themselves is not conducive to good security, especially the lack of security on the voter’s end of the machine. There are vulnerability and other problems with the seals chosen by New Jersey. Another serious problem is New Jersey’s failure to have well-designed seal use protocols in place. The lack of internal inspections of the voting machines is unfortunate, as is the State’s lack of concern about possible attacks on small numbers of voting machines (not just statewide attacks). I found that New Jersey does not exhibit a healthy security culture for elections, has no independent physical security experts and vulnerability assessors to advise the state, and misunderstands key security concepts. The poor security practices involved in storage, transport, and chain-of-custody for the voting machines are troubling as well…
154. In summary, I can state to a reasonable degree of certainty that the seals and security measures proposed by New Jersey to provide security for the AVC Advantage voting machines are insufficient to guarantee election integrity. The skills, time, and resources to spoof these seals and security measures are not a major barrier to an adversary, and are, in fact, widely available.
155. Various factors contribute to New Jersey’s ineffective security. The design of the AVC Advantage voting machines themselves is not conducive to good security, especially the lack of security on the voter’s end of the machine. There are vulnerability and other problems with the seals chosen by New Jersey. Another serious problem is New Jersey’s failure to have well-designed seal use protocols in place. The lack of internal inspections of the voting machines is unfortunate, as is the lack of concern about attacks on small numbers of voting machines given the number of close elections in the past.
156. Other negative factors include New Jersey’s failure to exhibit a healthy security culture for elections, the absence of independent physical security experts and vulnerability assessors to advise the state, and the state’s misunderstandings about key security concepts. The poor security practices involved in storage, transport, and chain-of-custody for the voting machines are troubling as well.
From Appel:
Tamper-evident seals are used by many states’ election officials on voting machines and ballot boxes, either to protect the computer and software from fraudulent modification or to protect paper ballots from fraudulent substitution or stuffing. Physical seals in general can be easily defeated, and the effectiveness of seals depends on the protocol for their application and inspection. The legitimacy of our elections may therefore depend on whether a particular state’s use of seals is effective to prevent, deter, or detect election fraud. This paper is a case study of the use of seals on voting machines by the State of New Jersey. I conclude that New Jersey’s protocols for the use of tamper-evident seals have been not at all effective. I conclude with a discussion of the more general problem of seals in democratic elections…
Simply slapping seals on a device does not magically protect it. Physical seals in general are can be defeated with simple techniques and at low cost [Johnston 1997a]. In addition the effectiveness of seals depends on having a protocol for their application and inspection [Johnston 1997b], otherwise one will notice if a seal has been replaced with a different one…
Appel demonstrates how, he as an amateur easily defeated several seals, one like many used in Connecticut to seal ballots:
The seals used by Union County are very easy to defeat in a few seconds, by poking a jeweler’s screwdriver into the opening and thereby disengaging the teeth. Strap seals in general are easy to defeat with simple tools [Johnston 1997a]. The jeweler’s screwdriver is not necessarily even the best or fastest way to defeat this seal; it is the one that occurred to the author, who was (at that time) entirely an amateur at defeating seals.
Like Connecticut there is no specific training on seal inspection for pollworkers or Moderators. Such training would likely be more challenging to implement in Connecticut, since we do not have specified standard seals or containers. In New Jersey:
Pollworkers are hired from among the general public to work 15 hours on election day for $200, with two hours of training before election day. This training covers how to run a polling place and conduct elections; it is not specific to seals. I have inspected the pollworker instruction manuals from three different counties; these manuals give no instruction in the purpose of the seals or in inspecting them for tampering.
Of course Connecticut uses different voting equipment and we have paper ballots to recanvass, recount, and audit. Yet, but the same seal challenges and risks apply. From Appel:
Therefore most computer scientists recommend methods of voting that allow computers to count the vote, with random audits to verify that (with high statistical probability) the computers are not cheating. For this to work, there must be a record of each ballot that is not mediated by a computer that could possibly cheat in creating this record. One method that satisfies these criteria is to let the ballots be paper optical-scan forms… Immediately at the close of the polls, the computer can report the candidate totals for that precinct, and in addition there are paper ballots that can be audited in a hand count of randomly selected precincts…
There remains a security problem to solve: how is the integrity of the ballot box to be maintained between the close of the polls and the time of the audit? One method would be to perform the audit immediately, in the presence of the same witnesses (from both political parties and from the State) that have been (presumably) watching the ballot box all day. This might be the best approach, but it has disadvantages: those witnesses may have been working for 14 hours already running the election, and it requires the random selection of precincts to audit to be made by the time the polls close.
Therefore it is usually presumed that some combination of security seals with chain-of-custody arrangements will provide for the integrity of the paper ballots. Therefore, the considerations discussed elsewhere in this paper—regarding security seals and their associated protocols—are very relevant to optical-scan balloting.
In Connecticut, we need to protect the ballots in order to trust the result of recanvasses, recounts, audits and investigations. But the results can only be no more reliable and credible than the chain-of-custody. And that chain-of-custody, is completely dependent on the seals used, seal protocols, actual practices, enforcement and enforceablity.
Nothing approaching these six regimes and court challenges could happen in Connecticut! Unlike New Jersey, we have no standard seal “regime”, no standard for seals or ballot containers and any election regulations and procedures going beyond the law are unenforceable. Similar court challenges in the “Nutmeg State” would be about as useful as carved wooden nutmeg seals.
Even if we had standards for seals and their inspection, not much would happen. Most of our statutes remain locked in the lever age, specifying that lever machines will be sealed with “a numbered metal seal” and some statutes covering earlier paper only elections where statutes require “ballot boxes” be sealed with “one adhesive ballot box sealing stamp” supplied by the Secretary of the State. We have no enforceable standards for ballot containers, ballots seals, tabulator seals, and “tamper evident” tape. Most interpret our statutes to mean that ballots do not have to be sealed beyond fourteen days after an election – with post-election audits commencing on day fifteen.
We located one section of the Connecticut statutes that was specifiably updated to address what happens if an optical scanner is found with a broken seal:
9-259 (c)…The seal on the tabulator shall remain unbroken. If the seal is broken, the registrars of voters shall be notified immediately and the tabulator tape shall be produced. If the tape does not show all zeros, the registrars of voters shall be notified immediately and the tabulator shall not be used.
So, even if a seal were broken, allowing an insider or outsider to change the memory card or “permanent” chips on the machine, as long as the the machine produced a zero tape then the election would go forward.
We have discussed seals and security before; highlighting the apparently unforeceable seals on our scanners specified by the Secretary of the State; and an earlier report on seals, also by, by Roger Johnson, and portions of the California Top-To-Bottom Review: FAQ – How can the scanner be hacked? It is kept in a canvas bag protected by a tamper-evident seal!
We also p
oint to the Coalition post-election audit reports which have documented the failure of election officials to follow chain-of-custody procedures, for example <read>
For more on Connecticut chain-of-custody, read our next post about a recent election in Colorado.
I found that the proposed seals and security measures are insufficient to guarantee election integrity. The skills, time, and resources to spoof these seals and security measures are not a major barrier to an adversary, and are, in fact, widely available. The design of the AVC Advantage voting machines themselves is not conducive to good security, especially the lack of security on the voter’s end of the machine. There are vulnerability and other problems with the seals chosen by New Jersey. Another serious problem is New Jersey’s failure to have well-designed seal use protocols in place. The lack of internal inspections of the voting machines is unfortunate, as is the State’s lack of concern about possible attacks on small numbers of voting machines (not just statewide attacks). I found that New Jersey does not exhibit a healthy security culture for elections, has no independent physical security experts and vulnerability assessors to advise the state, and misunderstands key security concepts. The poor security practices involved in storage, transport, and chain-of-custody for the voting machines are troubling as well.
