eVoting systems come under fire
As reported by Robert McMillan and Elizabeth Montalbano at IDG News Service, the Sequoia Voting Systems web site has been hacked and subsequently taken down.
Sequoia and its voting system are not new to the news, as the company was recently investigated by the Attorney General of New Jersey for "voting discrepancies" in last month's primaries. As stated in a separate story by McMillan, the state of New Jersey was going to conduct a third-party assessment:
"Clerks from a half-dozen New Jersey counties reported discrepancies in the voting tallies generated by approximately 60 of the state's Sequoia Voting Systems AVC Advantage e-voting machines during last month's election. In most cases the discrepancy involved a one- or two-vote difference between the paper tape logged by the machine and the number of votes stored in the computer's memory cartridges.
Sequoia blamed the discrepancy on poll worker error and said the problem could be fixed with a software update, but state clerks wanted a third-party investigation."
The hack was originally discovered and reported to IDG News by Ed Felten of the University of Princeton. Felten had recently been asked by the state of New Jersey to review the Sequoia systems; however, Sequoia threatened legal action against Felten. The following e-mail, threatening legal action if he reviewed the system, was sent to Felten and subsequently posted to his "Freedom to Tinker Blog":
"A copy of an email I received has been passed around on various mailing lists. Several people, including reporters, have asked me to confirm its authenticity. Since everyone seems to have read it already, I might as well publish it here. Yes, it is genuine.
====
Sender: Smith, Ed [address redacted]@sequoiavote.com
To: felten@cs.princeton.edu, appel@princeton.edu
Subject: Sequoia Advantage voting machines from New Jersey
Date: Fri, Mar 14, 2008 at 6:16 PM
Dear Professors Felten and Appel:
As you have likely read in the news media, certain New Jersey election officials have stated that they plan to send to you one or more Sequoia Advantage voting machines for analysis. I want to make you aware that if the County does so, it violates their established Sequoia licensing Agreement for use of the voting system. Sequoia has also retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property.
Very truly yours,
Edwin Smith
VP, Compliance/Quality/Certification
Sequoia Voting Systems
[contact information and boilerplate redacted]"
Due to this, Felten did not perform the assessment. However, Sequoia appears to be feeling the pressure to perform an outside assessment, as Robert Vamosi reports on News.com:
"On the resurrected Ballot Blog site on Thursday, Sequoia Voting Systems announced that it had initiated its own external review of the New Jersey voting systems. The external review, the company said, would be conducted by independent parties including Kwaidan Consulting of Houston, Texas; an Election Assistance Commission (EAC)-accredited Voting System Test Lab (VSTL)--Wyle Laboratories of Huntsville, Ala., and possibly another VSTL; and an academic institution."
I think at this point Sequoia owes an explanation to the American people. What sort of testing will they have these outside firms conduct? I don't mean to imply that these companies aren't great at what they do; I would just think that a bit of transparency from Sequoia as to what they are trying to accomplish is important. One would think that an attack and penetration assessment would be of key concern for these types of systems.
This all comes in a week that has been extremely bad for eVoting, as one can clearly see from our previous blog posting about the hack that occurred on the State of Pennsylvania eVoting site. It appears clear that if American voters ever had much in the way of confidence in these systems, it must be dwindling at this point. I firmly believe that it is time the government (the federal government that is) take a stand on this, regulate voting across states (both paper and the online version), and get some testing done on these online voting systems. I know we are big on keeping a good chunk of power and freedom in the state governments, and that's fine, but how about a federal mandate to at least have your systems undergo rigorous testing by multiple vendors?
-Nate
Talkback
Not truly independent review...
RE: Not truly independent review
-Nate
State vs Fed
All of that being said, I do think we need to hold our elected officials accountable. We work every year until late May to "pay off" the various levels of government. We need to either demand better ROI, or demand lower spending and taxes so we can purchase quality replacements for their woefully inadequate services ourselves.
RE: State vs. Fed
I understand and agree with this, but this has become a bigger issue than the states can/will handle on their own. I don't want to take away the power for the state to handle their voting systems, but what I do want is for a federal mandate to say that voting systems must meet certain security requirements.
-Nate
Why?
I agree, but...
To me...
I simply don't trust em...
paranoid. Nor do I think the government has planted a chip in me...... at least not yet. However to simply trust that these machines work as they should or to not realize what you and I might think they should work and the people behind them are thinking the same is well just plain STUPID!!!!
There should be multiple independent sources and test at random and unannounced times during a year to verify that these systems are always working as they should.
Pagan jim
I don't either!
I like the idea of independent oversight, but how do you make any entity truly independent? Even if they started off that way, they would hold so much power that the temptation to corrupt them would be nearly impossible to resist.
Why can't we make secure voting systems?
- John Musbach
But we can't make secure ATMs or internet kiosks...
We can't even make secure ATMs or internet kiosks. Go check out Billy Rios and Nitesh Dhanjani's presentation on Phishing, specifically where it relates to ATM skimming... it will be enlightening.
On top of that... I've not seen an internet kiosk that I wasn't able to pop a command prompt on to run arbitrary commands.
Nate
Because the commercial software developers...