Sequoia warns Princeton professors over e-voting analysis

Ed Felten is a Princeton University computer scientist who became well-known in technology circles for a paper he co-authored that showed flaws in digital audio watermarks. More precisely, Felten became well-known for the legal threats he received at the time from the Recording Industry Association of America.

Now Sequoia Voting Systems, which is one of the largest e-voting machine manufacturers in the United States, is threatening Felten too.

On Tuesday, Felten posted e-mail he and fellow Princeton professor Andrew Appel received from Sequoia saying:

As you have likely read in the news media, certain New Jersey election officials have stated that they plan to send to you one or more Sequoia Advantage voting machines for analysis. I want to make you aware that if the County does so, it violates their established Sequoia licensing Agreement for use of the voting system. Sequoia has also retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property.

Sequoia also has threatened to sue New Jersey's Union County. County officials backed away from the idea after Sequoia sent them a stiff letter calling the software a "trade secret," according to The Star-Ledger.

The reason the county became concerned in the first place is that mysterious errors showed up in the February presidential primary election. In at least five counties, the paper-tape totals showing how many Democrats and Republicans voted didn't match Sequoia machine's cartridge printouts. Here's more, and here's Sequoia's explanation.

Sequoia may have something to worry about. Felten and his graduate students were able to hack into a Diebold machine, and Appel bought some 1997-vintage Sequoia machines online and concluded they "can be easily manipulated to throw an election."

Is Sequoia on solid ground, legally speaking? Until the details of the licensing agreements become public, it's impossible to know for sure. But it may have a better legal argument than the RIAA and SDMI folks did back in 2001; any lawsuit they brought would likely have been thrown out of court.

But just because Sequoia may have grounds to threaten a suit (and, remember, we don't know) doesn't mean it should. Felten and Appel are careful and diligent researchers. Instead of threatening them, it would make far more sense to hire them to conduct a security evaluation--one presumes that Sequoia would actually want to know if serious vulnerabilities exist. Legal bluster signals that Sequoia has something to hide.

For its part, Sequoia responded on Tuesday with a statement that says in part:

Sequoia's products - and those of all election equipment manufacturers - go through a complete and independent review as part of the Election Assistance Commission's (EAC's) federal voting system certification process including rigorous testing and a line-by-line review of the voting system's source code by EAC accredited Voting System Test Labs (VSTLs)...

In addition to the federal certification program, individual states have their own state certification programs which vary state-by-state but most often entail additional testing and review by qualified third party experts. Many states also require voting system manufacturers to submit their source code to be kept in escrow, should there be a need to access this code by the state in the case of some type of unanticipated situation or problem...

Additional independent reviews of Sequoia products have most recently taken place in the State of California (Secretary Bowen's Top to Bottom Review of Voting Systems), the State of Colorado and The City of Chicago/ Cook County, Illinois. In addition, the New Jersey Institute of Technology is also completing a review of the Voter Verified Paper Audit Trail (VVPAT) adaptation for Sequoia's AVC Advantage at the request of the state of New Jersey.

Sequoia does not support any and all unauthorized activities that violate or circumvent our product licensing agreements. Licensing agreements are standard practice in the technology industry, including the elections industry and have been for decades. Sequoia will vigorously protect and defend its intellectual property and enforcement of established licensing agreements...

Again, Sequoia may have the legal ability to shut down any Princeton research. But the better question is: why would it want to?

[Remo_Williams]

Well, there's another way.

Sequoia just doesn't get the work. In fact, publicize the the fact that the licensing agreement doesn't allow for independent inspection, and make that a condition for all e-vote machines.

Because y'know what? The paper machines were just fine. Keep your e-vote machines, and keep your payroll, your unsold inventory, and your rising debt.

Let the market forces collude to make the changes happen.

-R

[ckought]

According to their own statement

Appearently, they do allow independent inspection . . . they say so in their own statement to the press.

"In addition to the federal certification program, individual states have their own state certification programs which vary state-by-state but most often entail additional testing and review by qualified third party experts."

Now they should have to live up to that statement and allow NJ to hire third party experts (in this case the Princeton people) to independently certify that the systems work properly.

[Phil-IT]

Movie: "Hacking Democracy"

Awesome yet scary documentary about e-voting machines...

[wpg88]

Hacking Democracy

so scary...so far from the truth...You have heard how when making movies they take artistic liberties...well they went all out on this one!!!There was way more conjecture in this one than most movies. unbelievable that people believe this crap. the only thing more laughable than this movie is Al Gore's joke of a movie. wake up people. for all the things to happen that they claim there would have to be such comspiracy that it would never be kept secret, wake up and smell the truth.

[wiseleo]

Eliminate Sequoia, Diebold, ES&S

These systems must be removed from our election system.

Until we can independently verify the code and that the code we verified is what is running on the machine, the system cannot be trusted.

Our elections process should not be subject to trade secret protection.

[Leria]

Exactly right

The people who are running the elections should have CARTE BLANCHE to send the machines to ANYONE, as long as they are an organization that can be trusted, in order to investigate whether the machines are secure or not.

If I was New Jersey, I would send the machine to Princeton anyway and just DARE Sequoia to take the state to court, asking them, as you did, "What do you have to hide?"

[wxwizard1]

Absolutely!

Listen to this person. They know what they're talking about!

[LinuxRules]

Open Source It

The fools in Congress and and election officials are to blame,
forcing us to spend millions on inadequate machines that are not
reliable and not giving us time to review and improve the faulty
manchines, and they call this a democracy, dumnmockracy is more
like it.

[wxwizard1]

Pure electronic voting is unsafe and will be exploited

As a program of nearly 20 years experience, I can confidently state that no computer based device connected to a network is safe from being hacked. For evidence, simply consider the seemingly endless news reports of security breaches. And for everyone you here about in the news, there are many many more hacks that go undetected or unreported.

Since perfect security is impossible, electronic voting machines need to have "hardcopy" redundancy in order verify the electronic vote counts. The solution is to provide two paper reports to the voter after they have voted. One is left with the voting center and processed independently to confirm the electronic vote. The other is for the voter to keep as a record of their vote. Also, if the one they keep has a common format, such a record could be scanned by news organizations as a kind of exit poll. This would serve to keep the powers in charge of voting honest.

One thing is very clear to me. Electronic voting, if done without proper safe guards like I have outlined above, has an extreme risk of being exploited and manipulated. And if it 'can' be done, it 'will' be done.

People need to take this very seriously!!

Mark

[My-Self]

It's not a bug, it's a feature !

Guess why politicians pay big bucks for those machines ?

Being able to use e-voting to fix election results is their 'best' feature. having paper trail or any form of verification / security defeats the purpose of those machines. The only way to defeat those machines is to expose what and why. That's exactly what researchers are trying to prove, and why they,re threatened with lawsuits.

BTW, I still have no answer to a question I've had for years about Diebold e-voting machines. Why the hell do they need an infrared IRDA port ?
http://www.votetrustusa.org/index.php?option=com_content&task=view&id=960&Itemid=51

[gerrrg]

forget e-voting, period.

Use Oregon's vote-by-mail system instead.

Everyone should have their vote counted, and that vote should be verifiable and trackable.

E-voting is obsolete as a service. Once you've voted with Oregon's vote-by-mail, you'll ask yourself, "Why do I have to stand in a line for hours to vote?"

[cmwendy]

IPR no small matter

IPR is no small matter, even where the public weal is at stake. Companies like Sequoia bend over backwards to ensure/show that their stuff can't be tampered with. Their trade secrets and other IP deserve protecting: who's going to want to come to the table and develop the next solution - voting machine or other public- interest driven IT - if this can be poached? The answer is - no one.

[ckought]

IPR doesn't preclude public knowledge

They could print their code on the front page of every newspaper in the country . . . they would still be able to sue anyone who copied it and used it for financial gain. Unless they offered it as "open source", then they still hold all the rights to the code and its function. The only times companies don't want their code know is because they fear hackers with find vulnerabilities within it that can be exploited.

If I write code that makes an ATM work, nobody else can use my code without permission to make their brand of ATM work. They can, however write their own unique code that makes their ATMs work the way my ATMs work (unless I patent a particular aspect of my ATM's function that is unique to all other ATMs on the market). The same concept is true for voting boxes -- nobody "owns" the rights to make voting boxes and they all pretty much work the same way (even non-electronic ones) -- therefore, the company can't claim IPR on the concept of voting machines, only the copyright to the code that makes their particular brand work and possibly any patents that make their brand unique from other brands -- and the copyright laws and patent laws protect the company even if the code is made public.

[Lamppost0]

Small issue

They're bending over backwards not to ensure/show that their stuff can't be tampered with; they are bending over backwards to SELL THEIR PRODUCT AS SOMETHING THAT CAN'T BE TAMPERED WITH.

If it really couldn't be tampered with, they would tell the professors to do their worst.

[ka1axy]

Not much significant "IP" in a voting machine

If the electronic voting machine were some kind of innovation, I might be more inclined to agree with you.

However, any "intellectual property" here is of minimal value, except, perhaps, to the vendor. These machines are embedded systems which display a list of candidates, accept inputs from a touchscreen and write the results to a memory card. Nothing novel here. If there is, it's probably protected by patents. Any hacker worth his reputation could probably write better code than you'll find by examining what's currently in the machine.

In short, nobody's going to learn any earth-shattering coding secrets by examining the voting machine code. The vendor's most likely just afraid that an objective evaluation of the code will reveal defects, which might affect their future sales. I believe that concern, valid as it is from the vendor's point of view, is overridden by the public's right to know that their votes are being accurately tabulated.

[michael_o]

States should jettison these systems

Congress should pass a law voiding any agreement that may lead to voting fraud, including one like that described in this article. This seems like an easy public policy debate. Until they agree to an entirely independent security audit, New Jersey -- and all other state's -- should not use these systems.

The founders of the country probably would have prohibited Congress from passing a law allowing any state from entering into a contract reasonably calculated to increase the risk of voting fraud. But they probably thought nobody would be insane enough to actually ink an agreement like that, leading to another entirely different tirade questioning why any state agreed to this.

There will still be plenty of money to be made selling and servicing the integrated system, even if the source-code is entirely open source. In fact, the software probably should be open-source: let's allow the hackers to do their magic in public before some sleazy politician does it in private. The fees these companies could charge to patch their open-source systems would probably more than outweigh any lost revenue of what's really just a basic counting program.

[jonau]

esmith@sequoiavote.com

rumor has it that's Ed's email. I plan to send him an email telling him to get a clue. I suggest you do too.

[johnwwashburn]

Sequoia Test statement is untrue

the statement:
Sequoia's products - and those of all election equipment manufacturers - go through a complete and independent review as part of the Election Assistance Commission's (EAC's) federal voting system certification process including rigorous testing and a line-by-line review of the voting system's source code by EAC accredited Voting System Test Labs (VSTLs)...


There is NO system on the market which has gone through the EAC testing and certification process.

ALL systems currently on the market were qualified using the flawed vendor-funded, ITA system sponsored by the National Associatiation of State Election Directors (NASED).

In fact for Sequoia to claim their systems have passed the EAC certification procedure is a violation of the manufacture's registration agreement Sequoia signed with the EAC.

Read section 2.3.2 of the EAC Testing and Certification program manual found at:
http://www.eac.gov/voting%20systems/docs/testingandcertmanual.pdf/attachment_download/file

[jypeterson]

What disturbs me is that the NJ county was performing its due diligence to protect its citizens and yet they were not protected as a government entity for doing what they thought was right, by ensuring that the voting process could not be circumvented. I wish that they would have proceeded and Sequoia sued. Then, the courts would have heard the arguments against e-voting and a public record and case law would have been established on the subject.

Sure, hacking and changing votes could occur, but what is more frightening is that an error in the code could persist and an individual's suffrage would not be upheld.