The Iconoclast Subscribe to The Iconoclast
March 18, 2008 4:40 PM PDT

Sequoia warns Princeton professors over e-voting analysis

Posted by Declan McCullagh

Ed Felten is a Princeton University computer scientist who became well-known in technology circles for a paper he co-authored that showed flaws in digital audio watermarks. More precisely, Felten became well-known for the legal threats he received at the time from the Recording Industry Association of America.

Now Sequoia Voting Systems, which is one of the largest e-voting machine manufacturers in the United States, is threatening Felten too.

On Tuesday, Felten posted e-mail he and fellow Princeton professor Andrew Appel received from Sequoia saying:

As you have likely read in the news media, certain New Jersey election officials have stated that they plan to send to you one or more Sequoia Advantage voting machines for analysis. I want to make you aware that if the County does so, it violates their established Sequoia licensing Agreement for use of the voting system. Sequoia has also retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property.

Sequoia also has threatened to sue New Jersey's Union County. County officials backed away from the idea after Sequoia sent them a stiff letter calling the software a "trade secret," according to The Star-Ledger.

The reason the county became concerned in the first place is that mysterious errors showed up in the February presidential primary election. In at least five counties, the paper-tape totals showing how many Democrats and Republicans voted didn't match Sequoia machine's cartridge printouts. Here's more, and here's Sequoia's explanation.

Sequoia may have something to worry about. Felten and his graduate students were able to hack into a Diebold machine, and Appel bought some 1997-vintage Sequoia machines online and concluded they "can be easily manipulated to throw an election."

Is Sequoia on solid ground, legally speaking? Until the details of the licensing agreements become public, it's impossible to know for sure. But it may have a better legal argument than the RIAA and SDMI folks did back in 2001; any lawsuit they brought would likely have been thrown out of court.

But just because Sequoia may have grounds to threaten a suit (and, remember, we don't know) doesn't mean it should. Felten and Appel are careful and diligent researchers. Instead of threatening them, it would make far more sense to hire them to conduct a security evaluation--one presumes that Sequoia would actually want to know if serious vulnerabilities exist. Legal bluster signals that Sequoia has something to hide.

For its part, Sequoia responded on Tuesday with a statement that says in part:

Sequoia's products - and those of all election equipment manufacturers - go through a complete and independent review as part of the Election Assistance Commission's (EAC's) federal voting system certification process including rigorous testing and a line-by-line review of the voting system's source code by EAC accredited Voting System Test Labs (VSTLs)...

In addition to the federal certification program, individual states have their own state certification programs which vary state-by-state but most often entail additional testing and review by qualified third party experts. Many states also require voting system manufacturers to submit their source code to be kept in escrow, should there be a need to access this code by the state in the case of some type of unanticipated situation or problem...

Additional independent reviews of Sequoia products have most recently taken place in the State of California (Secretary Bowen's Top to Bottom Review of Voting Systems), the State of Colorado and The City of Chicago/ Cook County, Illinois. In addition, the New Jersey Institute of Technology is also completing a review of the Voter Verified Paper Audit Trail (VVPAT) adaptation for Sequoia's AVC Advantage at the request of the state of New Jersey.

Sequoia does not support any and all unauthorized activities that violate or circumvent our product licensing agreements. Licensing agreements are standard practice in the technology industry, including the elections industry and have been for decades. Sequoia will vigorously protect and defend its intellectual property and enforcement of established licensing agreements...

Again, Sequoia may have the legal ability to shut down any Princeton research. But the better question is: why would it want to?

Recent posts from The Iconoclast
FBI's Net surveillance proposal raises privacy, legal concerns
Transcript: FBI director on surveillance of 'illegal' Internet activity
FBI, politicos renew push for ISP data retention laws
Shamos: Why e-voting paper trails are a bad idea
FBI nudges state 'fusion centers' into the shadows
Add a Comment (Log in or register) 21 comments (Page 1 of 1)
Well, there's another way.
by Remo_Williams March 18, 2008 5:37 PM PDT
Sequoia just doesn't get the work. In fact, publicize the the fact that the licensing agreement doesn't allow for independent inspection, and make that a condition for all e-vote machines. Because y'know what? The paper machines were just fine. Keep your e-vote machines, and keep your payroll, your unsold inventory, and your rising debt. Let the market forces collude to make the changes happen. -R
Reply to this comment View reply
Movie: "Hacking Democracy"
by Phil-IT March 18, 2008 5:59 PM PDT
Awesome yet scary documentary about e-voting machines...
Reply to this comment View reply
Eliminate Sequoia, Diebold, ES&S
by wiseleo March 18, 2008 6:17 PM PDT
These systems must be removed from our election system. Until we can independently verify the code and that the code we verified is what is running on the machine, the system cannot be trusted. Our elections process should not be subject to trade secret protection.
Reply to this comment View all 2 replies
Open Source It
by LinuxRules March 18, 2008 6:50 PM PDT
The fools in Congress and and election officials are to blame, forcing us to spend millions on inadequate machines that are not reliable and not giving us time to review and improve the faulty manchines, and they call this a democracy, dumnmockracy is more like it.
Reply to this comment
Pure electronic voting is unsafe and will be exploited
by wxwizard1 March 18, 2008 7:08 PM PDT
As a program of nearly 20 years experience, I can confidently state that no computer based device connected to a network is safe from being hacked. For evidence, simply consider the seemingly endless news reports of security breaches. And for everyone you here about in the news, there are many many more hacks that go undetected or unreported. Since perfect security is impossible, electronic voting machines need to have "hardcopy" redundancy in order verify the electronic vote counts. The solution is to provide two paper reports to the voter after they have voted. One is left with the voting center and processed independently to confirm the electronic vote. The other is for the voter to keep as a record of their vote. Also, if the one they keep has a common format, such a record could be scanned by news organizations as a kind of exit poll. This would serve to keep the powers in charge of voting honest. One thing is very clear to me. Electronic voting, if done without proper safe guards like I have outlined above, has an extreme risk of being exploited and manipulated. And if it 'can' be done, it 'will' be done. People need to take this very seriously!! Mark
Reply to this comment View reply
forget e-voting, period.
by gerrrg March 19, 2008 12:34 AM PDT
Use Oregon's vote-by-mail system instead. Everyone should have their vote counted, and that vote should be verifiable and trackable. E-voting is obsolete as a service. Once you've voted with Oregon's vote-by-mail, you'll ask yourself, "Why do I have to stand in a line for hours to vote?"
Reply to this comment
IPR no small matter
by cmwendy March 19, 2008 6:28 AM PDT
IPR is no small matter, even where the public weal is at stake. Companies like Sequoia bend over backwards to ensure/show that their stuff can't be tampered with. Their trade secrets and other IP deserve protecting: who's going to want to come to the table and develop the next solution - voting machine or other public- interest driven IT - if this can be poached? The answer is - no one.
Reply to this comment View all 3 replies
States should jettison these systems
by michael_o March 19, 2008 11:20 AM PDT
Congress should pass a law voiding any agreement that may lead to voting fraud, including one like that described in this article. This seems like an easy public policy debate. Until they agree to an entirely independent security audit, New Jersey -- and all other state's -- should not use these systems. The founders of the country probably would have prohibited Congress from passing a law allowing any state from entering into a contract reasonably calculated to increase the risk of voting fraud. But they probably thought nobody would be insane enough to actually ink an agreement like that, leading to another entirely different tirade questioning why any state agreed to this. There will still be plenty of money to be made selling and servicing the integrated system, even if the source-code is entirely open source. In fact, the software probably should be open-source: let's allow the hackers to do their magic in public before some sleazy politician does it in private. The fees these companies could charge to patch their open-source systems would probably more than outweigh any lost revenue of what's really just a basic counting program.
Reply to this comment
esmith@sequoiavote.com
by jonau March 19, 2008 12:53 PM PDT
rumor has it that's Ed's email. I plan to send him an email telling him to get a clue. I suggest you do too.
Reply to this comment
Sequoia Test statement is untrue
by johnwwashburn March 20, 2008 7:48 AM PDT
the statement: Sequoia's products - and those of all election equipment manufacturers - go through a complete and independent review as part of the Election Assistance Commission's (EAC's) federal voting system certification process including rigorous testing and a line-by-line review of the voting system's source code by EAC accredited Voting System Test Labs (VSTLs)... There is NO system on the market which has gone through the EAC testing and certification process. ALL systems currently on the market were qualified using the flawed vendor-funded, ITA system sponsored by the National Associatiation of State Election Directors (NASED). In fact for Sequoia to claim their systems have passed the EAC certification procedure is a violation of the manufacture's registration agreement Sequoia signed with the EAC. Read section 2.3.2 of the EAC Testing and Certification program manual found at: http://www.eac.gov/voting%20systems/docs/testingandcertmanual.pdf/attachment_download/file
Reply to this comment
Powered by Jive Software
advertisement

  • About The Iconoclast

  • Declan McCullagh has covered politics, technology, and Washington, D.C. for over a decade, which has turned him into an iconoclast and a skeptic of anyone who says: "We oughta have a new federal law against this."

Add this feed to your online news reader
Google
Yahoo
MSN

The Iconoclast topics

Latest blog posts from News.com

Featured blogs

Beyond Binary by Ina Fried A look at how technology is changing our lives and at the people behind all that life-changing stuff.

Coop's Corner by Charles Cooper Charles Cooper weighs in on Silicon Valley hijinks, and he doesn't suffer fools gladly.

Defense in Depth by Robert Vamosi Covering the latest in computer viruses and computer crime.

Geek Gestalt by Daniel Terdiman At the tech culture nexus of video games, fire art, and virtual worlds.

Green Tech Fresh green tech news and commentary.

One More Thing by Tom Krazit Tom Krazit takes on the tech phenomenon that is Apple, and keeps a close watch on the chip industry.

Outside the Lines by Dan Farber When business and technology meet, that's when things get interesting.

The Social by Caroline McCarthy Exploring all facets of social media and tech culture.

Underexposed by Stephen Shankland Coverage of digital photography, science, and open-source software.

advertisement
Welcome (log out) |View profile
Log in | Sign up Why join?
On TechRepublic: 10 ways users mess up their computers
Advanced
search
advertisementStart Doing More with Windows Mobile
Advanced
search
Visit other CNET Networks sites: