In 2004, Hopewell resident Stephanie Harris went to her polling place for the presidential primary, never expecting what was about to happen would alter her life and the public discourse around voter security for the next decade and a half.
When Harris entered the privacy booth that day, she saw one of Mercer County’s then-new touchscreen voting machines facing her, a model called the Sequoia AVC Advantage. She found her candidate of choice on the large paper ballot overlay, pressed the box next to the candidate’s name and then hit a large button at the bottom right of the machine to cast her vote.
Typically, at this point, the AVC Advantage will make a noise to indicate a vote has been counted. For Harris, nothing happened.
Harris exited the privacy booth slightly confused. A poll worker stopped her and said her vote didn’t register and that she should try again. Harris did, four times, with the same results.
After the fifth time, the poll worker shrugged, and said, “Well, I think it worked.” Harris never received definitive confirmation her vote had been cast. To this day, she doesn’t know whether the machine recorded her vote.
Harris couldn’t shake the feeling that her vote had been taken away. She asked the county for confirmation or at least an explanation. She didn’t get answers, but she did earn a new nickname, courtesy of a county freeholder—“the Incident in Hopewell.”
So she sued.
Filed in October 2004 in Mercer County Superior Court against the State of New Jersey, the case alleged that direct-recording electronic (DRE) voting machines like the Sequoia AVC Advantage are insecure, unreliable and impossible to audit or otherwise double-check. The legal process lasted 14 years and spanned the administrations of three governors.
“It just dragged on and on,” Harris said.
Eventually, a team of experts convinced the court that New Jersey’s DRE voting machines were in fact vulnerable and insecure. They showed the machines could be hacked, often in less than 10 minutes and at little expense. They demonstrated the logistics counties use for storing and transporting voting machines provided ample time and opportunity for hacking. And, since DREs do not produce a paper trail or any kind of auditable material, the experts proved this hacking could be done without evidence anything criminal ever had occurred.
Many states arrived at the conclusion that using DREs was just too risky, and moved away from them. New Jersey, however, remains one of a small minority of states still using DREs. Just 11 states use paperless machines as their primary voting equipment in at least some counties, and three of those states—Georgia, South Carolina and Pennsylvania—have committed to replacing the equipment by 2020.
When New Jersey voters go to the polls Nov. 5, however, most of them will be using the same type of machine Harris did 15 years ago.
On Election Day 2019, the 2020 presidential primaries in New Jersey will be just seven months away. Some counties will be introducing new machines this November. Others, such as Middlesex County, will have them for 2020. But not everyone is on the same page.
In Mercer County, officials said it is unlikely they will purchase new machines before the presidential primaries and 2020 general election. Instead, they aim to have new voting machines before 2023, when Mercer’s current fleet will be 19 years old.
Security experts agree this is a problem, since systems older than a decade are more likely to have security and reliability issues. It also puts Mercer County in the minority nationally, according to a report published in August by the Brennan Center for Justice at New York University School of Law. The report figures that only one-third of local election jurisdictions are using voting machines at least 10 years old.
This past summer, the U.S. Senate Select Committee on Intelligence released a report on the Russian government’s attacks on America’s election infrastructure. The report said there was an urgent need to secure America’s voting machines. It recommended that states replace outdated and vulnerable machines with ones that have, at least, a voter-verified paper trail, and that they begin conducting statistically sound audits.
But in many New Jersey counties, that won’t happen.
“It’s our feeling that the 2020 election will be one of the most important of our lifetimes, and New Jersey will be voting on a very, very vulnerable system,” said Harris, who now serves as chair of the Coalition for Peace Action’s voting integrity taskforce. “The whole thing is extremely frustrating.”
* * *
For the opponents of DREs, the lack of progress is especially frustrating because the machines’ security issues have been well known for more than a decade.
Harris’s case—filed under then-Assemblyman Reed Gusciora’s name in 2004 by the Rutgers Constitutional Litigation Clinic—was instrumental in rooting out those issues. (Gusciora, now the mayor of Trenton, represented Harris’s district in the state Assembly, and put his name on the case on behalf of all his constituents.)
The Rutgers team employed a number of expert witnesses who devised simple ways to hack the voting machines used in New Jersey. One expert, Dr. Roger Johnston, discovered a hack of the Sequoia AVC Advantage through its front panel. Johnston at the time worked for Argonne National Laboratory, assessing threats to the United States’ national security. He concluded that New Jersey elections could be manipulated without accessing any computer chip or processor, and that any voter could execute the hack.
Another expert, Dr. Andrew Appel of Princeton University, didn’t even need time with the machine or experience in voting security to know the AVC Advantage presented issues. He wrote his 2004 testimony simply using basic computer science principles, information anyone who had taken even one computer science class would know.
He later devised a hack of the AVC Advantage that took just seven minutes to complete. It gained him national notice.
The only tools Appel needed for his hack were a screwdriver and a $4 chip with a cheating program installed. Once installed, the new chip will cause the machine to switch votes from one candidate to another until either the machine or the chip is replaced.
“You have to pick the lock,” Appel said. “You can pick that lock in 15 seconds, even if you have no skill in lock picking at all. Then you have to unscrew 10 screws. You have to pry out the chip, put in a new chip. Most of the seven minutes is unscrewing screws and putting them back in.”
In other words, could anyone alone with a DRE voting machine for a short amount of time influence elections for at least a decade?
“Yeah, they’re the worst,” Appel said.
Appel first became interested in election security in the early 2000s. States had begun switching to DREs in the aftermath of the 2000 presidential election, which thanks to “hanging chads” had shattered faith in the punchcard ballots then-popular across the country.
Appel knew that DREs weren’t much better.
“As a computer scientist, I understand that whoever gets to install the program in the voting machine gets to decide how it’s going to add up its results,” Appel said. “If the legitimate program installed by the manufacturer is in there, it’s usually pretty accurate in interpreting the buttons people pressed on the touchscreen. But if a hacker gets to install the program, it’s very easy to write a program that just shifts 20 percent of the votes from one candidate to another. It’s very easy to make that program do that only on Election Day so it can’t be tested before Election Day. And it’s possible to do it only when 100 voters have voted so any test you do, even with 10 or 20 votes, won’t detect it.”
Appel further proved just how insecure the entire system is in 2007, when he managed to buy five AVC Advantage machines on the internet from Buncombe County, North Carolina. It cost him $82.
The government in Buncombe sold a total of 136 machines on the auction site govdeals.com in January 2007. Any person could bid on and purchase the equipment through this site, as long as the bidder provided a name, address, email and telephone number. Appel paid for the machines by cashier’s check. No one asked him who he was or why he wanted five used voting machines.
He called the entire process “easy.”
There were some external differences in the appearance of the Buncombe machines compared to the ones used in Mercer County. But the internal software was identical, meaning the voting machines could be used for practice and parts for hacking real elections.
It’s human nature, he said, to trust the machines we use on appearance alone. But Appel stressed that just because something looks like it is legitimate doesn’t automatically make it so.
“The layperson walks up to an ATM and thinks it’s a bank machine, walks up to a phone and thinks it’s a phone and walks up to a car, it’s a car,” Appel said. “But really the ATM is a computer that’s programmed to deal with money. The car, there’s actually 30 computers in a car. And the phone is a computer. Every one of those computers has software. If you replace the software in the ATM, it will hand out bills to someone who knows the right cheat code. If you replace the software in a car, it won’t listen to you when you put the brake pedal on. And if you replace the software in a voting machine? Right? But it looks like a physical thing. So, if it looks like a voting machine, it must count the votes. That’s why there’s a natural tendency to discount the threat.”
* * *
Mercer County has 600 Sequoia AVC Advantage voting machines, each nearly 16 years old.
Like other counties, Mercer stores the machines in a warehouse when not in use. County officials wouldn’t say where the warehouse is, for security reasons. But a quick web search turns up a county document that includes the warehouse’s exact street address in Hamilton.
At the warehouse, there is a security gate along the road intended to keep unauthorized people out. On either side of the gate are bold green signs with bright yellow arrows pointing to the “Voting Machine Division.”
On a day in mid-October, the security gate had been opened, allowing access from the street. The warehouse’s large loading bay door had been left open, too, allowing anyone who drove by the ability to see straight into the warehouse.
The warehouse contains nearly all of the equipment needed to hold an election in Mercer County. Voting machines only leave the warehouse whenever there is an election. The county inspects each machine the Tuesday before the election. The county’s contracted movers, Broadway Movers, begin transferring machines from the warehouse to polling places immediately after inspection has concluded. The same movers pick up the machines a day or two after the election.
Mercer County has a contract with Broadway Movers, just renewed in February until July 2020. In it, there are stipulations on the kinds of trucks to be used, the number of machines on each truck, the procedure for picking up and dropping off machines at polling places.
The county even required Broadway Movers to provide its employee disciplinary policy and violation forms. But the county did not require background checks or other verifications of the people moving the machines, even though the movers would be left alone with the machines for long periods. Mercer County only requires background checks when working on county property, such as a construction contract, county spokesman Michael Boonin said.
Mercer County superintendent of elections Cathy DiCostanzo said her office keeps tabs on all its voting machines once they leave the warehouse, using a state tracking system. Each crew moving machines must log its progress in this system and sign off once the machines have been delivered to the polling place.
Once in the polling places, the machines are left alone. There’s no special security beyond whatever staff the polling place normally has, DiCostanzo said.
“But the machines are locked,” she said.
Middlesex County uses the same machines as Mercer County, the Sequoia AVC Advantage. Middlesex has more than 700 of the machines—purchased 21 years ago—at its warehouse in Edison. The county contracts with a private company to bring the machines to 254 polling places across Middlesex about one week before an election. The company then returns all the machines by the Monday following an election. (This will be the final general election in Middlesex County with the AVC Advantage. The county has purchased new machines for 2020.)
This procedure bothered Princeton University computer science professor Edward Felten, so between 2004 and 2008, he visited polling places across Mercer County and photographed himself in front of unattended voting machines. He testified there were no guards in any of the buildings, at least ones visibly patrolling the area near the machines. All the hallways were unlocked and accessible to the public. No key, badge or alarm code was needed to access them. Felten said in court documents that no one bothered him as he looked at and photographed the voting machines. No one talked to him. No one asked him what he was doing.
Felten also pointed out that several polling locations had prominent signs outside the buildings directing the public to the exact location of the voting machines, days before Election Day.
Counties across New Jersey still use the same procedure.
* * *
Much of Mercer County’s efforts have focused on preventing a cyberattack from afar.
Mercer County has developed an elaborate system for ensuring results are not affected by outside influences. It does not count votes on the internet, clerk Paula Sollami-Covello said, thanks to a 2010 ruling that made it illegal in New Jersey.
The AVC Advantage records votes onto a plastic cartridge that looks something like a larger version of an early video game cartridge. The technology actually dates from the same era, approximately the early 1980s.
When the polls close, a poll worker from each district removes the cartridges from each machine and brings them to the office of the clerk in their municipality. The municipal clerk inserts each cartridge into a reader and reads the results there. Then, the clerk sends the results via a secure line to Sollami-Covello’s office. A staff member from the county clerk’s office is on hand at each municipality to observe the proceedings, and to bring the results cartridges back to the county office.
The results sent by VPN come in to a single computer that is not connected to the internet or other computers or servers. The results are recorded to a flash drive, and then brought to another computer to check the count. Every time the results are reloaded or refreshed, Sollami-Covello uses a brand new flash drive.
Sollami-Covello also has strict rules for internet usage in her office. She belongs to two election security panels—one at the federal level and another at the state level—and said she has attempted to put security best practices into place.
She acknowledges there is better technology for elections available now, but said her office has no role in purchasing voting machines. She can only give feedback, and work with the equipment she has now.
“I’m in my 14th year, and the [voting machines] were here before I got here,” Sollami-Covello said. “They’re old computers. You know how a 15-year-old computer would be today. They’re ancient because of the new systems and the new operating systems that have been developed. That being said, they’ve been pretty reliable. They work.”
* * *
Stephanie Harris isn’t the only one to have an issue with the AVC Advantage. She isn’t even the only person in Mercer County.
In February 2008, at least 37 AVC Advantage machines malfunctioned in eight New Jersey counties during the presidential primary, according to court documents. The malfunction allowed voters to cast votes in the primary for a party other than their own, namely Democrats attempting to write-in “Hillary Clinton” in the Republican primary.
Sollami-Covello inspected reports of results from voting machines, and noticed erroneous results that disagreed with the results recorded on the machines’ cartridges. On 30 machines in Mercer County, there were more votes than voters.
Sollami-Covello testified that she attempted to contact state officials about the error, and never received a response. She also said she contacted the manufacturer, whose only response was a press release trying to explain what caused the error.
Another election using the Sequoia AVC Advantage, in June 2011, wound up in court when the race for two open seats on the Democratic Executive Committee in Fairfield Township, Cumberland County, turned up suspicious results.
Ernest and Cynthia Zirkle had expected to win that race, a small contest that had fewer than 50 people voting and required just one voting machine. Instead, the final results appeared to be swapped, with the Zirkles only receiving nine and 10 votes, respectively, to their opponents’ 34 and 33.
They filed a petition to declare the election void, and requested a recount or a new election. They also took the extraordinary step of tracking down 30 voters who agreed to sign affidavits under oath saying they had intended to vote for the Zirkles.
The Cumberland County Board of Elections administrator claimed the result was due to a programming error, and admitted she had been programming voting machines personally before elections in order to avoid the cost of hiring a programmer.
In a memo to the court dated June 24, 2011, the administrator wrote, “I am deeply saddened that due to my mistake, I put doubt in the voters’ mind about our election process and the integrity of our voting machines. I can assure you that this was human error and not a voting machine problem.”
The judge, in response, put aside the result of the election, and allowed the Zirkles to collect further evidence to support their case.
The Zirkles tapped Appel, the Princeton University professor, as an expert. The court gave Appel permission to inspect the DRE used in the election as well as the election board computer used to prepare the PDF file of the paper ballot overlay. The same computer was used to make the ballot definition file, which is loaded into the voting machine via a cartridge and tells the machine which candidates are in the race and where they appear on the paper ballot.
When Appel showed up at the Cumberland County voting machine warehouse at the appointed time, he found the election administration computer had been wiped clean the previous day.
“Whether that was to cover up fraud or to cover up a blunder or for some other reason, we don’t know,” Appel said.
Cumberland County’s computer systems analyst later admitted to erasing the files, but never said why the computer had been wiped.
Appel said it was clear the names on the paper ballot overlay were opposite the names of the ballot definition file. In other words, people voting for Column A actually voted for Column B, and vice versa. But no one could suss out whether the swap happened on purpose or by mistake.
The judge ordered a new election in September 2011, which the Zirkles won. This only happened because few enough people voted in the initial election that the Zirkles could track down a majority to sign affidavits claiming the result was wrong, Appel said. In a larger election, there would have been no way to tell the names had been swapped, no paper trail available to audit the suspicious result.
Eight years after the Zirkle case, it’s a message computer scientists have had some success relaying nationwide. Nearly everywhere, that is, aside from the state where the case took place.
“Election officials across the country have been pretty good in understanding the science and moving towards better technology,” Appel said. “Just in a few backwards states—South Carolina, Louisiana, New Jersey—they’re falling behind.”
* * *
If the state and county governments in New Jersey have known for years that DREs have issues, then why do we still have the same machines?
It’s not for lack of trying, as both levels of government have taken measures to improve or move beyond DREs. But, ultimately, each winds up looking to the other to take the final action.
“It’s back and forth,” Harris said. “It’s a Buck Doesn’t Stop Here mentality.”
The state’s efforts started just months after Harris’ case was filed. In March 2005, four assemblymen—including Gusciora and fellow Democrat Herb Conaway, who represents portions of Burlington and Camden counties—introduced Assembly Bill 33. The bill would require that all voting machines in New Jersey produce a voter-verified paper record by January 2008. It passed in both houses and became law just months later.
But the law ran into problems soon thereafter. Nearly all the compliance efforts were focused on retrofitting the existing DREs with a printer of some sort, not forcing counties to replace their fleets of mostly new machines. In 2006, the appellate division of New Jersey Superior Court ordered an emergency trial, which found that although technology existed that could retrofit a voting machine to produce a paper trail, it was not compatible with the kind of machine used in New Jersey. This meant the state could not meet the 2008 deadline set by the legislature.
The legislature extended the paper trail deadline three times, until it finally removed the deadline component of the legislation in 2009, saying the technology would be mandatory as soon as funds became available.
In a statement dated Jan. 26, 2009, the Assembly’s state government committee wrote that the suspension had to be done due to the state’s precarious finances. The state anticipated a $2.1-billion budget gap in 2009, with an even larger one in 2010.
“Although $19 million in state funds had been set aside to help pay the costs of retrofitting the direct recording electronic voting machines used in 18 of the state’s 21 counties, this money is no longer available for that purpose,” the statement said. “The funds have been placed in reserve to help the state meet its urgent fiscal obligations and balance its budgets.”
The legislature approved the removal of the deadline by wide margins. Mercer County representatives in the Senate and Assembly were among the few to oppose the measure: Republican Bill Baroni and Democrat Shirley Turner in the Senate and Gusciora in the Assembly.
For Gusciora, it was another roadblock for his efforts to improve New Jersey’s election security. But he doesn’t regret the time he spent on it, saying the 2016 presidential election proved his measures are more important than ever.
“My own computer at home is subject to interference with cookies and viruses,” Gusciora said. “I don’t think electronic voting is any different.”
At the same time, the legislature seemed to acknowledge it had the right idea in 2005. It never removed the paper ballot requirement, and in 2008, it strengthened the state’s stance further by passing a new law requiring a recount by hand of a statistically valid sample of paper ballots after every election.
The only problem is, without enforcing the 2005 law, there never has been anything to audit.
“We have two good laws on the books,” Harris said. “Neither of them work because they’re still waiting for funding. You have this terrible situation, and no one’s doing anything about it.”
In 2010, the trial court in the Gusciora/Harris case issued an opinion where it admitted New Jersey’s voting machines were not secure. But it did not order counties to buy new equipment, instead opting to secure the existing DRE machines in a number of ways, including placing tamper-evident seals on all machines and revoking internet access for any computer used for election-related activities.
Within a year, Appel had figured out ways to break the seals without evidence, and published a paper about it.
Opponents of DREs say the only way to truly secure New Jersey’s elections is with new technology.
“With the state budget, what we’re talking about is such a small percentage, like one percent,” Harris said. “Is it worth it to protect our democracy?”
* * *
A bill that could take care of the problem has been idle in the New Jersey state legislature for more than a year. A group of four sponsors introduced the “New Jersey Elections Security Act” in May 2018. (Democrat Andrew Zwicker, who represents portions of Hunterdon, Mercer and Middlesex counties, was one of them.) A few weeks later, in June 2018, the Senate received a companion bill, with two primary sponsors and Linda Greenstein (D-Mercer/Middlesex) co-sponsoring.
The Senate bill has sat in the State Government, Wagering, Tourism and Historic Preservation Committee ever since. The Assembly bill moved out of committee in October 2018 by unanimous vote, but has yet to be heard on the Assembly floor.
The bill would establish a demonstration program in New Jersey that would eventually transition the state to a paper ballot voting system using optical scanners in each election. The program would start by providing new optical scan machines to three counties for the first general election following the bill’s approval. The secretary of state would select one county each in the Northern, Central and Southern parts of the state.
The program would then add six counties every year over the next three years, until all of the state’s 21 counties are using paper ballots with optical scanners. It would require every county to conduct a risk-limiting audit, recounting a statistically significant number of paper ballots to ensure the results match the tally returned by the optical scan machines.
Many experts, including Appel, prefer this optical scan technology because it creates an auditable paper trail, with a clear record of which candidates each voter intended to select. Voters indicate on paper their candidates of choice and then feed the paper ballot through a scanner, which keeps a running tally. The paper ballots collect in a large ballot box beneath the scanner.
“There’s no computer interpreting to you what that ballot says,” Appel said. “You can read it with your own eyes. And then when it’s recounted, the people recounting it—with people from both parties witnessing it—can see it with their own eyes. That means if there is computer hacking, that can’t interfere with being able to get the right answer.”
As a bonus, every county clerk in New Jersey already uses similar technology with vote-by-mail ballots.
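An added example (not from the article or any election office) of the risk-limiting audit the bill calls for, here the BRAVO ballot-polling method for a two-candidate contest: it confirms a correct scanner tally after a small random sample of hand-read paper ballots, and forces a full hand count when the tally has the columns swapped, as in the Fairfield Township case. The ballots, tallies, 5 percent risk limit and seed are constructed for illustration.

```python
import random
from collections import Counter

# Constructed data: what 10,000 voters marked on paper in a two-way contest.
PAPER = ["Column A"] * 3000 + ["Column B"] * 7000
HONEST_TALLY = {"Column A": 3000, "Column B": 7000}   # scanner agrees with the paper
SWAPPED_TALLY = {"Column A": 7000, "Column B": 3000}  # tally has the columns swapped


def bravo(marks, reported, risk_limit=0.05, max_draws=1000):
    """BRAVO sequential test for a two-candidate contest.

    marks: candidate names read by eye from randomly drawn paper ballots.
    reported: the machine tally being checked.
    Returns (outcome, ballots_examined); outcome is "confirmed" or "escalate".
    """
    winner = max(reported, key=reported.get)
    share = reported[winner] / sum(reported.values())
    if share <= 0.5:
        raise ValueError("no reported majority winner; count every ballot by hand")
    ratio, examined = 1.0, 0
    for mark in marks:
        examined += 1
        if mark == winner:
            ratio *= 2 * share          # evidence for the reported outcome
        elif mark in reported:
            ratio *= 2 * (1 - share)    # evidence against it
        # blank or unreadable ballots leave the ratio unchanged
        if ratio >= 1 / risk_limit:
            return "confirmed", examined
        if examined >= max_draws:
            break
    return "escalate", examined


def random_draws(paper, seed):
    """Draw ballots uniformly with replacement. The seed here is constructed;
    a real audit would generate it in public so nobody can pick the sample."""
    rng = random.Random(seed)
    while True:
        yield paper[rng.randrange(len(paper))]


def audit(paper, reported, seed, risk_limit=0.05, max_draws=1000):
    """Run the sample; if it cannot confirm the tally, hand count everything."""
    outcome, examined = bravo(random_draws(paper, seed), reported,
                              risk_limit, max_draws)
    if outcome == "confirmed":
        return {"outcome": "confirmed", "examined": examined,
                "winner": max(reported, key=reported.get)}
    hand = Counter(paper)  # the paper, not the machine, decides the result
    return {"outcome": "full hand count", "examined": len(paper),
            "winner": max(hand, key=hand.get), "hand_count": dict(hand)}


if __name__ == "__main__":
    for label, tally in (("honest", HONEST_TALLY), ("swapped", SWAPPED_TALLY)):
        result = audit(PAPER, tally, seed=2019)
        print(label, result["outcome"], result["examined"], result["winner"])
```
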
Some New Jersey counties have already tried out the optical scan technology for in-person voting, thanks to $380 million in funding Congress provided to states in 2018 to help upgrade voting infrastructure. New Jersey took its portion of the funding, chipped in a bit extra and, in August 2018, launched a $10.2-million election security program.
New Jersey Division of Elections director Bob Giles has developed a wide range of initiatives that include cybersecurity, physical security, training, updated voting equipment and auditing.
The state offers free security assessments for counties, with the state working with the U.S. Department of Homeland Security to inspect voting machine warehouses and clerk’s offices. The state team checks lights, doors, cameras and other security measures to ensure they are working and up to standard.
The state will then issue a report, and counties can apply for grants to remedy any issues. So far, 13 counties have taken advantage.
Giles also ran an event Sept. 10 at the Hyatt Regency in West Windsor, where 420 officials from counties across the state participated in tabletop exercises. The scenarios were meant to prepare counties for physical and cyberattacks occurring pre-election, during the election and post-election, Giles said.
The state also used the election security funding to start a grant program, with counties receiving up to $130,000 to trial new machines. As part of the trial, the counties accepting grant money agree to participate in a risk-limiting audit with their new machines.
Seven counties joined: Bergen, Essex, Gloucester, Hunterdon, Mercer, Union and Warren. Of the seven, Union and Warren have replaced their entire inventory with machines with a paper trail.
Union County has received criticism because it tested and later purchased machines called the ExpressVote that Appel says raise similar security issues to DREs because voters indicate their choices on a touchscreen. Appel also said the decision cost Union County taxpayers two to four times more than if the county had gone with optical scan. Each ExpressVote machine is more expensive than its optical scan counterpart, and counties need more ExpressVote machines to conduct an election.
Mercer County received a $100,000 grant from New Jersey to use to purchase new machines, deciding to test the Dominion optical scan machine in a school referendum election in Princeton in December 2018. The county placed one optical scan machine in one voting district.
Everything went so smoothly, Sollami-Covello said, that she and other election officials in Mercer recommended the optical scan machines to the people with purchasing power—the county freeholder board and the county executive. Sollami-Covello said she’s convinced the county should go with optical scan machines because they’re “the safest way.”
“I have some confidence in the current system because we are not on the internet,” Sollami-Covello said. “But, ultimately, I would like to see a paper trail.”
The Mercer County Board of Chosen Freeholders has begun the process of replacing the county’s AVC Advantage machines. In the spring, the board heard presentations from vendors. But freeholder board chairman John Cimino said no definitive decisions have been made, and doubts Mercer County would make a purchase before the 2020 elections. The next county budget would not be in place in time to buy new machines before the presidential primary in June, and Cimino worried about voter and poll worker confusion should different machines be used in the primary and general elections.
However, the county knows it will cost $3 million to $5 million to purchase new machines, and Cimino said the county government knows it needs to act fairly soon.
“Our machines are getting to the end of life,” Cimino said. “Because of that, you’re going to see some level of movement in the 12 to 36 month timeframe.”
But three years is a long time, particularly to people like Stephanie Harris who have warned about Mercer County’s current machines since George W. Bush’s first term as president.
Harris said all DRE machines should be changed out before the 2020 primary, if possible, and counties still have plenty of time to act.
Most clerks want six months to switch a voting system, but the state of Virginia—wary of its touchscreen machines—swapped technologies in just three months.
With seven months until the June 2 primary, the clock continues to tick for New Jersey.
“It can be done, but there has to be the political will to do it,” Harris said.