“ES&S uses undergraduate project to lobby New York legislature”

This is insane, via Andrew Appel:

The New York State Legislature is considering a bill that would ban all-in-one voting machines–that is, voting machines that can both print votes on the ballot, and scan and count votes from the ballot, all in the same paper path. This is an important safeguard, because such machines, if they are hacked by the installation of fraudulent software, can change or add votes that the voter did not intend and never got a chance to see on paper.

One voting-machine company, Elections Systems and Software (ES&S), that makes an all-in-one voting machine (the ExpressVote XL), is lobbying hard against this bill. As part of their lobbying package, they are claiming, “Rochester Institute of Technology researchers found zero attacks*” on the ExpressVote XL, based on an article (included in ES&S’s lobbying package) from Rochester Institute of Technology entitled “RIT cybersecurity student researchers put voting machine security to the test.”

If this were actually a scientific article, one could critique it as actual science. But it’s not a scientific paper: the article is written by the RIT public relations department (Scott Bureau, Senior Communications Specialist, RIT Marketing and Communications). The article describes an undergraduate student “capstone project:” The students were interviewed by ES&S, allowed ES&S to inspect their testing site, then signed a nondisclosure agreement with ES&S. The students made up two “Attack Scenarios”, then spent 10 days trying to find attacks. They found some vulnerabilities, but not one that could change votes.

The students made public a one-page poster describing their project. It’s fine for undergraduate student work–capstone projects are a really useful part of engineering education. But it’s not a scientific paper that describes their methods, the limitations placed upon them by needing permission from ES&S, nor (in any detail) their results.

Even so, the students describe enough for me to notice that they missed three of the most important attack scenarios
