Sequoia v. Appel: Appel Fires Back

Following up on this post, I received the following from Andrew Appel, with a request to post on the blog:

    Response by Appel to Sequoia’s characterization of his testimony
    by Andrew W. Appel, Professor of Computer Science, Princeton University
    Sequoia’s “ballot blog” dated 2/22/09, about my testimony in the New Jersey voting-machines lawsuit, got some things right and some things wrong. What Sequoia got right is that I demonstrated for the Court the removal of supposedly tamper-evident seals from the Sequoia AVC Advantage voting machine, the replacement of the ROM, and replacement of all the seals in a way that did not leave evidence of tampering.
    On the other hand, I did _not_ say that “The person would also have to break into the facility that stored the voting machines in-between elections,” nor is that true. Sequoia distorted some statements about “seven and 15 minutes;” it’s just not true that something took “more than three times the amount of time” that I had predicted. In addition, Sequoia confuses the one-time-only “break into a voting machine and copy the firmware” with the for-each-machine-hacked “replace the legitimate software with the fraudulent software.”
    Sequoia got right that if one wants to steal 1% of the vote in a statewide election without stealing more than 20% on any one voting machine, one would need to hack only 500 voting machines. But if one wishes to cheat in a less-than-statewide election (for mayor of a big city, or for state senator), or in a closer-than-1% statewide election, one would need to hack far fewer than 500 voting machines.
    When I examined the State’s Sequoia AVC Advantage voting machines in July 2008, they had no security seals on them to prevent the ROM-replacement hack. I demonstrated on video (which we played in Court in Jan/Feb 2009) that in 7 minutes I could pick the lock, unscrew some screws, replace the ROM with one that cheats, replace the screws, and lock the door.
    In September 2008, after the State read my expert report, they installed four kinds of physical security seals on the AVC Advantage. These seals were present during the November 2008 election. On December 1, 2008 I sent to the Court (and to the State) a supplemental expert report (with video) showing how I could defeat all of these seals.
    In November/December 2008 the State informed the Court that they were changing to four new seals. On December 30, 2008 the State Director of Elections, Mr. Robert Giles, demonstrated to me the installation of these seals onto the AVC Advantage voting machine and gave me samples. He installed quite a few seals (of these four different kinds, but some of them in multiple places) on the machine.
    On January 27, 2009 I sent to the Court (and to the State) a supplemental expert report showing how I could defeat all those new seals. On February 5th, as part of my trial testimony I demonstrated for the Court the principles and methods by which each of those seals could be defeated. I testified that I had not measured the exact time required to replace the ROMs with all these seals in place, but that my *rough estimate* was that, with sufficient practice, defeating the seals might take 7 to 15 minutes *in addition* to the 7 minutes required for picking the lock, unscrewing the screws, and replacing the ROM.
    On cross-examination, the State defendants invited me to demonstrate, on an actual Sequoia AVC Advantage voting machine in the courtroom, the removal of all the seals, replacement of the ROM, and replacement of all the seals leaving no evidence of tampering. I then did so, carefully and slowly; it took 47 minutes. As I testified, someone with more practice (and without a judge and 7 lawyers watching) would do it much faster.
    Finally, I testified about the accuracy of the Sequoia AVC Advantage. I believe that the most significant source of inaccuracy is its vulnerability to hacking. There’s no practical means of testing whether the machine has been hacked, and certainly the State of New Jersey does not even attempt to test. If we could somehow know that the machine has not been hacked, then (as I testified) I believe the most significant _other_ inaccuracy of the AVC Advantage is that it does not give adequate feedback to voters and pollworkers about whether a vote has been recorded. This can lead to a voter’s ballot not being counted at all; or a voter’s ballot counting two or three times (without fraudulent intent). I believe that this error may be on the order of 1% or more, but I was not able to measure it in my study because it involves user-interface interaction with real people.
    In the hypothetical case that the AVC Advantage has not been hacked, I believe this user-interface source of perhaps 1% inaccuracy would be very troubling, but (in my opinion) is not the main reason to disqualify it from use in elections. It should be disqualified for the simple reason that it can be easily hacked to cheat, and there’s no practical method that will be sure of catching this hack.
