X

Sequoia warns Princeton professors over e-voting analysis

E-voting machine manufacturer threatens legal action against computer scientists, state officials over a planned security analysis.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
3 min read

Ed Felten is a Princeton University computer scientist who became well-known in technology circles for a paper he co-authored that showed flaws in digital audio watermarks. More precisely, Felten became well-known for the legal threats he received at the time from the Recording Industry Association of America.

Now Sequoia Voting Systems, which is one of the largest e-voting machine manufacturers in the United States, is threatening Felten too.

On Tuesday, Felten posted e-mail he and fellow Princeton professor Andrew Appel received from Sequoia saying:

As you have likely read in the news media, certain New Jersey election officials have stated that they plan to send to you one or more Sequoia Advantage voting machines for analysis. I want to make you aware that if the County does so, it violates their established Sequoia licensing Agreement for use of the voting system. Sequoia has also retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property.

Sequoia also has threatened to sue New Jersey's Union County. County officials backed away from the idea after Sequoia sent them a stiff letter calling the software a "trade secret," according to The Star-Ledger.

The reason the county became concerned in the first place is that mysterious errors showed up in the February presidential primary election. In at least five counties, the paper-tape totals showing how many Democrats and Republicans voted didn't match Sequoia machine's cartridge printouts. Here's more, and here's Sequoia's explanation.

Sequoia may have something to worry about. Felten and his graduate students were able to hack into a Diebold machine, and Appel bought some 1997-vintage Sequoia machines online and concluded they "can be easily manipulated to throw an election."

Is Sequoia on solid ground, legally speaking? Until the details of the licensing agreements become public, it's impossible to know for sure. But it may have a better legal argument than the RIAA and SDMI folks did back in 2001; any lawsuit they brought would likely have been thrown out of court.

But just because Sequoia may have grounds to threaten a suit (and, remember, we don't know) doesn't mean it should. Felten and Appel are careful and diligent researchers. Instead of threatening them, it would make far more sense to hire them to conduct a security evaluation--one presumes that Sequoia would actually want to know if serious vulnerabilities exist. Legal bluster signals that Sequoia has something to hide.

For its part, Sequoia responded on Tuesday with a statement that says in part:

Sequoia's products - and those of all election equipment manufacturers - go through a complete and independent review as part of the Election Assistance Commission's (EAC's) federal voting system certification process including rigorous testing and a line-by-line review of the voting system's source code by EAC accredited Voting System Test Labs (VSTLs)...

In addition to the federal certification program, individual states have their own state certification programs which vary state-by-state but most often entail additional testing and review by qualified third party experts. Many states also require voting system manufacturers to submit their source code to be kept in escrow, should there be a need to access this code by the state in the case of some type of unanticipated situation or problem...

Additional independent reviews of Sequoia products have most recently taken place in the State of California (Secretary Bowen's Top to Bottom Review of Voting Systems), the State of Colorado and The City of Chicago/ Cook County, Illinois. In addition, the New Jersey Institute of Technology is also completing a review of the Voter Verified Paper Audit Trail (VVPAT) adaptation for Sequoia's AVC Advantage at the request of the state of New Jersey.

Sequoia does not support any and all unauthorized activities that violate or circumvent our product licensing agreements. Licensing agreements are standard practice in the technology industry, including the elections industry and have been for decades. Sequoia will vigorously protect and defend its intellectual property and enforcement of established licensing agreements...

Again, Sequoia may have the legal ability to shut down any Princeton research. But the better question is: why would it want to?