by Shank 3519 days ago
I worked as an election judge in the 2012 general election in Arapahoe County, Colorado. We had these exact machines. What isn't pictured is the physical security performed with them.

Typically, tamper seals that are identifiable as broken are placed on all access doors (including the power switch, data load slots, etc.), access panels, and openings on the device. All seals were verified intact before and after the election, and no voter was ever permitted in the back of the access panel where the firmware update would take place.

Before the machine starts, it gives a "zero" report which is verified independently by poll watchers, and confirms candidate choices are in place as needed. When the polls are closed, we seal everything again before the machines are sent back for reporting (at which point the seals are checked and verified prior to dumping results).

If this was really a damaging hack, the protective counter & live counters would show different numbers than what the machine read, but that didn't happen. It very clearly was tampered with, which means these physical measures would counteract any unwanted firmware updates during an election. It's preposterous to think that election judges aren't actively verifying seals during election day and making sure nobody is tampering with them.

8 comments

> It's preposterous to think that election judges aren't actively verifying seals during election day and making sure nobody is tampering with them.

I've been an election worker around the country and have never been in a jurisdiction that did seal checks during the election - only once at the beginning and once at the end. Granted, I've never been in a jurisdiction using DREs, but still.

I agree physical security is a defense here, but this just reiterates, to me, how dangerous DRE voting machines are.

I have been an election worker. We were asked to sign the attestation envelopes in advance.

I trust further checks were conducted higher up. But at our level, protocol was ignored.

I hope to God you refused and reported this. That's completely illegal and could get you in a lot of hot water - not to mention the potential for enabling vote fraud.
I refused. Everyone else complied. I wrote a letter to the Board of Elections and our state's Attorney General but never heard back.
Next time, call the news media. Be sure to pick places biased each direction. If time runs out, I suppose 9-1-1 is an option.
You've got to be kidding? Why would you comply with that? Sounds completely illegal?
And you reported this right?
I have no experience with non-DRE seal checking. Our seals had the machine serial numbers on them, with watermarks, etc. If a seal was mysteriously broken, it was in our best interest to take it out of service anyway, because suddenly the legitimate votes on that machine come into question.
In Alameda County, CA we use what look superficially to be the same machines, and have similar physical security measures - there are seals on all access points (e.g. on the cover protecting the power switch), and whenever we access one of them we save the seal's tag, log its ID, and log the ID of the replacement. At the end of the day you end up with basically a series of tags on a form that show chain of custody (the two people - always more than one - that handle the machine with a seal removed have to sign off on each change of tag).

EDIT: Note that we use these machines with an optional paper-printout add-on, and they're a non-default option mostly used to increase ballot accessibility - most people vote on paper ballots that are fed into a scanner on-site, so the scanner results can be cross-checked against the physical ballots in case of a disputed result.
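The reconciliation steps the thread describes (a zero report before opening, the protective counter compared against the live counter at close, and a seal-tag chain of custody in which every change logs the removed tag, the applied tag and two signers) can be written down as a checklist a canvass board could run over each machine's paperwork. The script below is an added example, not code from the thread or from any election office's system; machine serials, seal tag IDs, signer names, parties and counts are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class SealChange:
    """One line of the seal log: which access point was opened, which tag came
    off, which tag went on, and who signed for it (constructed format)."""
    access_point: str
    removed_tag: str
    applied_tag: str
    signers: tuple          # ((name, party), (name, party))


@dataclass
class MachineRecord:
    serial: str
    zero_report: dict                   # candidate -> count printed before opening
    protective_open: int                # lifetime ballot counter at open
    protective_close: int               # lifetime ballot counter at close
    public_close: int                   # this election's ballot counter at close
    initial_seals: dict                 # access point -> tag applied at delivery
    seal_changes: list = field(default_factory=list)
    final_seals: dict = field(default_factory=dict)   # tag observed at close


def check_zero_report(zero_report):
    """Every candidate must start at zero before the first voter."""
    return [f"zero report: {cand} starts at {n}, not 0"
            for cand, n in zero_report.items() if n != 0]


def check_counters(protective_open, protective_close, public_close):
    """The lifetime counter must advance by exactly the ballots cast today."""
    findings = []
    delta = protective_close - protective_open
    if delta < 0:
        findings.append("protective counter went backwards")
    elif delta != public_close:
        findings.append(f"protective counter advanced {delta}, "
                        f"public counter reads {public_close}")
    return findings


def check_seal_chain(initial_seals, changes, final_seals):
    """Walk the log per access point: each change must remove the tag the
    chain says is applied, carry two signers from different parties, and the
    tag seen at close must be the last one applied."""
    findings = []
    current = dict(initial_seals)
    for ch in changes:
        expected = current.get(ch.access_point)
        if ch.removed_tag != expected:
            findings.append(f"{ch.access_point}: log removes {ch.removed_tag} "
                            f"but chain has {expected}")
        names = {n for n, _ in ch.signers}
        parties = {p for _, p in ch.signers}
        if len(names) < 2 or len(parties) < 2:
            findings.append(f"{ch.access_point}: tag {ch.applied_tag} applied "
                            f"without two signers from different parties")
        current[ch.access_point] = ch.applied_tag
    for ap in sorted(set(current) | set(final_seals)):
        seen, expected = final_seals.get(ap), current.get(ap)
        if seen != expected:
            findings.append(f"{ap}: seal observed at close is {seen}, "
                            f"chain expects {expected}")
    return findings


def reconcile(rec):
    """Return every discrepancy; an empty list means the paperwork is consistent."""
    return (check_zero_report(rec.zero_report)
            + check_counters(rec.protective_open, rec.protective_close, rec.public_close)
            + check_seal_chain(rec.initial_seals, rec.seal_changes, rec.final_seals))


# Constructed sample records (not real machines, tags or people).
CLEAN = MachineRecord(
    "DRE-0001", {"A": 0, "B": 0}, 4120, 4383, 263,
    {"power": "S-1001", "card": "S-1002"},
    [SealChange("card", "S-1002", "S-1050", (("Pat", "R"), ("Lee", "D")))],
    {"power": "S-1001", "card": "S-1050"})

SUSPECT = MachineRecord(
    "DRE-0002", {"A": 0, "B": 0}, 9000, 9301, 300,
    {"power": "S-2001", "card": "S-2002"},
    [SealChange("card", "S-2002", "S-2077", (("Pat", "R"), ("Sam", "R")))],
    {"power": "S-2099", "card": "S-2077"})   # power seal changed with no log entry

if __name__ == "__main__":
    for rec in (CLEAN, SUSPECT):
        print(rec.serial, reconcile(rec) or "consistent")
```

A machine with any finding goes into the "needs further investigation" pile rather than being thrown out automatically, which matches how the commenters describe the process: the chain of custody points at the last pair who signed, and the counters show whether the discrepancy changed any ballot totals.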

So someone could spoil all the votes by breaking the seals?
Sure. And they could also spoil all the votes with an armed robbery - at many polling stations, there's no actual police presence until/unless someone calls them in.

The main intent of all the security measures is that any such tampering be obvious, and that it be clear whose votes (or at least, which precincts' votes) were compromised.

Sure, but that doesn't address an attack in which certain precincts that vote a specific party line could be compromised. If 100 attackers at 100 precincts slit some seals, then that could swing a swing state.
Basically, a team of 20 voters with boxcutters could spoil the results from an entire precinct.
You would have to assume so...
Also trivial for attackers to have replacement plastic seals in their pockets.
The seals aren't signed by election officials?

I'm not familiar with seals used on voting machines but that's common in other "tamperproof container" scenarios.

But you're assuming that all the officials dealing with the machines have the same moral standards as you. It's not necessarily the voters that need to be watched...
At least in Arapahoe County, everything we did was in pairs of republicans and democrats, to ensure that it was a fair election as far as we could. This included seal checking, logging the zero counts, etc. Everything had a paper audit trail for who interacted with what, who signed off on what, and what was going on.

I don't know how it worked when the machines were picked up for counting, but I assume similar measures were in place.

Edit: Also, poll watchers from both parties could observe our methods. Everyone had a vested interest in verifying that no tampering was taking place, even if that didn't include election workers.

> everything we did was in pairs of republicans and democrats

Question: What constitutes a Democrat or a Republican? Is registering as one enough? What guarantee is there people aren't lying about the parties they identify with?

I don't know about the system in that particular county, but the system in most democracies is that any candidate has the right to appoint a representative to be present. In practice this means that the parties run down their lists of volunteers; depending on how many volunteers they have in a particular area it might be very easy for someone to get appointed as such. (In the last Canadian election, I turned up on election day to volunteer for a friend who was a candidate for a major party, and six hours later I was an Official Candidate Representative scrutinizing the vote counting.)
Good to know -- thanks for the anecdote!
> What guarantee is there people aren't lying about the parties they identify with?

You, when you volunteer to work at the polls or as a party observer, thereby increasing the redundancy of the checks.

That's a risk you have to take, at some point. You eventually have to trust that someone isn't lying, somewhere along the chain.

What else could be done to further vet volunteers? You can't interrogate people or drug them with serums for the truth, so I think it's safe to assume registering is enough.

So, to answer your question, I doubt there is any "guarantee" other than the fact that these are volunteers and you'd have to be a real idiot to falsely register to ensure you can tilt the scales...of bipartisan pairs of Arapahoe County poll volunteers.

> that's a risk you have to take

Well, obviously. But the risk can be high or low, right? You could either let any random voter you don't know walk in and become a volunteer after filling out a form, or you could let maybe ~50 people that the party's head/nominee personally trust pick a set of volunteers nationally based on e.g. personal knowledge or some concrete evidences of their past contributions and allegiance to the party. Or something else; there are lots of possibilities here. So I'm asking what the criteria are so I can understand how likely it is for something to go wrong here... I obviously understand nothing 100% bulletproof, so there's no need to point that out.

Maybe it's just me, but I think I would be more comfortable pulling 50 random people off the street to count votes than I would be with 50 volunteers appointed by the candidates, who have a much bigger incentive to violate the integrity of the vote (if needed).
Let's take this a step further: two Republicans, one falsely registered as a Democrat, have been paired off at the polling station in Arapahoe County. The lie was bought, the fraud complete. Now what?
Did third parties get representation?
Not sure about elsewhere, but in Canada, any candidate on the ballot is usually allowed to appoint up to two agents or scrutineers per ballot box, usually to spell each other off (it can be a very long day).
Officials are more likely to be skilled at hacking paper than electronic devices :)
You mean I could void all the votes simply by tampering with the seal? Seems like an easy attack.
The answer to many physical security questions is "it depends." I don't have my materials on me anymore, but in general, seal tampering means a lot of extra scrutiny on the people watching the machines and transporting them. The chain of custody will pin the blame on the last person who signed off, and things get investigated as needed.

The system doesn't have something in place typically that says "if (sealVoided) { throw out election }" it just means that additional precautions are taken to ensure everything is good. It's never a binary answer, unfortunately.

Internally applied seals would be one form of defense against this vector.

Breaking the external seals would put the device into the "needs further investigation" category. After the election the device would be inspected and the internal seals confirmed. If those were still intact, the results from the machine could be certified.

I think that is correct. If the seal is broken you can not guarantee that the votes are correct especially if there is no paper trail.

So for maximum impact make sure you go break the seal at the end of the day...

How many votes are stored on a single machine in a large district?

I'd feel a million times more confident in a simple pen and paper voting system.
Yes. With paper ballots, cheating is at least detectable because there is literally a paper trail. With touch screens, maybe the results are correct, maybe the machine miscounted. There is no way to really know.
The machine I used in early voting also had a paper trail - when you submitted the votes, it printed them as a secondary record. It was moving too fast for me to read all the votes as the paper went by, but the ones I caught were correct. So there is a literal paper trail there.
There are digital records beyond just a tally. Sure, maybe it's possible (with physical access) to destroy or alter them, but the same holds for paper.
It's much harder to undetectably destroy or alter large numbers of paper records than it is to do the same to digital records.

It's also sometimes possible to do this to digital records without ever being physically present in their vicinity. Once again, this is much harder with paper.

It's very easy to forge paper records, though. I seem to recall reading about a rigged election in a questionable democracy where the ballot counters were given several file boxes full of fake ballots in addition to their local precinct ballots, with official anti-tampering seals intact.
So now you need a distribution network for fake boxes and people in the precincts that are in on the conspiracy. Such a large org is leak-prone.

Contrast that with a group of just 1-3 techies.

If the tampering is part of the software, the digital records mean nothing. I don't get why these things get used at all.
Exactly. You could tamper with most systems if you had that much physical access, including paper counts. Which is why there are procedures in place to minimize that potential.

Plus an attack like this would be isolated to the single machine (not that it wouldn't be bad, but it wouldn't be applied in a distributed fashion).

With paper counts, it's easy to verify that the box is empty when it's initially sealed. With voting machines not so much.
What happens if they find tampering of the seals? Do all the votes of that particular machine become questionable?

If someone were to tamper with the seals on many of the machines, and they target precincts that tilt heavily in favor of one party or the other, couldn't they theoretically invalidate a lot of ballots that are likely to help their opponents?

Suppose the election ends, and it's time to verify the seals. Oops, they are broken. Now what?

All the seals can do is cast doubt on the results. You can't bring back the voters to try again. Even if you could, time has passed and they might vote differently. You could toss out the results, but that affects things too.

If you toss out the results, an example attack is: break the seals in areas with undesired voters.

Similar attacks can be done if you call voters back. Maybe this allows for more-favorable hours or different media exposure.

The machines are sent back to a central point, without getting a report at the individual polling stations?

I think I see the problem.

Results were printed out from the machines and posted outside the actual vote center after the election (Colorado law requires publishing the results of all electronic votes). If you were to visit a vote center after the polls closed, you'd see a tally report per machine on the window, visible for anyone to see.

The machines themselves were sent back and dumped. I don't actually remember if we printed 2 copies of everything (such as a copy for someone to tally up too).

In CA (Alameda County), we print out two copies - one to be posted publicly, and one to be returned to the central collection center. The collection center gets the paper printout of results, the memory card, and a printout of the system logs.