April 4, 2008

Ed Felten has another post up about the discrepancies in the Sequoia machines used in the New Jersey primary. At the moment, I don't have much to add to Ed's analysis of the situation (except to say that this sure looks like some corner case where some counter is being incremented where it shouldn't or not incremented where it should), but check out the image of the summary tape he posts:

Note the empty space where the number of the seal is supposed to be written down but isn't. That's not really good.

The background here is that there are lots of parts of the voting machine (e.g., the ability to open the case or swap memory cards) which, if accessed by the wrong people, could lead to various forms of attacks. It's hard to build the system to guarantee that nobody could obtain access, and what's really needed is to limit access to authorized personnel, which is even harder. Instead, the systems are generally designed so that a tamper-evident seal can be placed in such a way that you need to breach the seal in an obvious way in order to obtain access. In practice it turns out that this isn't always true, both because the seal points aren't always placed correctly and because it's actually known to be possible to open a lot of seals without creating evidence (see the California TTBR reports for more on this). But that's the theory.

However, there are a lot of seals and they need to be broken and replaced pretty frequently (e.g., to insert and remove the memory cards before and after the election), and seals are available on the open market. So, it's not enough just to have a seal; you need to be able to detect when the seal has been replaced with another, similar seal. Unsurprisingly, this is done by having each seal carry its own serial number. Every time a seal is breached or placed you're supposed to record the seal number (that's what that space on the summary tape is for), and part of the job of verifying a seal is checking that the number is what it's supposed to be. If you don't record the seal numbers, then the system falls apart, since anyone who has access to any tamper seals at all can just break the seals, do whatever they want, and replace them with their own seals. And since a lot of the security of the current systems depends on the seals working (for instance, in many of the systems the seals cover access points which would allow complete subversion of the device; see the TTBR reports again), this is fairly serious.

Now, I don't know that much about the ES&S machines or the chain of custody procedures in NJ. It could easily be that NJ has some procedural control that renders this particular seal unimportant. But absent any further information, this seems like it might not be a particularly great practice.