I’ve gotten a bunch of emails about an alleged vulnerability with the Sequoia touchscreen system, widely used in California (where much of the uproar seems to be centered). Ian Hoffman has a story out on this alleged vulnerability, where he says that “a button in back … can allow someone to vote multiple times.” Later, he writes:
Sequoia’s yellow button isn’t a hack or flaw. The button has been a feature on Sequoia’s mainline AVC Edge touch screens for years, designed as a backup for the typical method of voting on the machines.
In most counties, poll workers use a separate machine to activate a card that a voter inserts into the touch screen in order to retrieve the proper ballot. The yellow button is for counties that can’t afford the separate machine or for cases when the card activator becomes inoperable, as happened to Diebold systems in March 2004 in Alameda and San Diego counties and last primary in Kern County.
Pressing, then holding the button for several seconds twice and answering a screen prompt sends the machine into a “manual activation” or “poll worker activation” mode. In that mode, someone can call up one ballot after another and vote them.
No doubt, this feature may be a potential vulnerability. But, as David Wagner from UC Berkeley (and other researchers whom Hoffman consulted) points out:
Several computer scientists said Wednesday that the vulnerability found in all touch-screen machines sold by Oakland-based Sequoia Voting Systems was not especially great because using the yellow button for vote fraud would require reaching far behind the voting machine twice and triggering two beeps.
“If the machine beeps loudly and someone has their arms wrapped around the machine, the poll workers are going to become suspicious,” said David Wagner, a computer security and voting system expert at the University of California, Berkeley.
“It’s kind of hard for me to see how this could be used very widely,” he said. “It’s retail fraud, so it’s onesies and twosies and can only affect very close races.”
From what I’ve seen of this device and read so far about this vulnerability, I’d have to agree with David’s assessment. I’d also point out that this is a potential vulnerability that election officials can minimize by a variety of procedural and training steps (which should be used where possible in the current and future election cycles):
- Train pollworkers, election judges and other election officials about this vulnerability and alert them to closely monitor the machines during the course of voting to ensure that they are not being tampered with.
- In the short term, seal the button to minimize access.
- In the long term, the button should be dealt with via a physical hardware or firmware change that will effectively “lock” the button (physically or via a password).
I received an email from Michelle Shafer of Sequoia Voting Systems, pointing out that this “function is configurable at the jurisdictional level when the customers set up their database.” She also passed along a reference to the following from their formal statement:
Election jurisdictions have three choices regarding Pollworker Activation when setting up their election databases. Jurisdictions can choose: 1) to allow ONLY Pollworker Activation of the Edge voting unit (in the case where jurisdictions have decided not to use card activators at all), 2) to NEVER allow Pollworker Activation, which would disable this back-up feature in all Edge voting units in the jurisdiction for that election and 3) to allow PollWorker Activation as a back-up procedure only as determined is needed by an individual polling location because of a card activator issue. This flexibility has always been present in Sequoia’s election management system and gives our customers options to activate or not activate per their determination and election procedures.
So jurisdictions do not have to use this function. But if they do, they need to ensure that they have procedural safeguards in place (again including seals where possible, and education for the pollworkers), as I discussed earlier.