Andrew W. Appel's

Studies of Voting Technology

 Andrew Appel

Recent articles on voting:

24 for '24: Urgent Recommendations in Law, Media, Politics, and Tech for Fair and Legitimate 2024 U.S. Elections, by the Ad Hoc Committee for 2024 Election Fairness and Legitimacy (Appel, Azari, Cain, et al.), edited by Richard L. Hasen, UCLA Law School, September 2023.

Is Internet Voting Trustworthy? The Science and the Policy Battles, by Andrew W. Appel, University of New Hampshire Law Review, 21 U.N.H. L. Rev. 523 (2023).

Evidence-Based Elections: Create a Meaningful Paper Trail, then Audit, by Andrew W. Appel and Philip B. Stark, Georgetown Law Technology Review, volume 4, pages 523-541, 2020.

Ballot-Marking Devices Cannot Assure the Will of the Voters, by Andrew W. Appel, Richard A. DeMillo, and Philip B. Stark. Election Law Journal, 2020. (Non-paywall version, differs in formatting and pagination; earlier versions appeared on SSRN.)

Fair Elections During a Crisis: Urgent Recommendations in Law, Media, Politics, and Tech to Advance the Legitimacy of, and the Public Confidence in, the November 2020 U.S. Elections,by the Ad Hoc Committee for 2020 Election Fairness and Legitimacy (Appel, Azari, Cain, et al.), edited by Richard L. Hasen, UCI Law School, April 2020.

Securing the Vote: Protecting American Democracy, by National Academies of Science, Engineering, and Medicine: Lee C. Bollinger, Michael A. McRobbie, Andrew W. Appel, Josh Benaloh, Karen Cook, Dana DeBeauvoir, Moon Duchin, Juan E. Gilbert, Susan L. Graham, Neal Kelley, Kevin J. Kennedy, Nathaniel Persily, Ronald L. Rivest, Charles Stewart III. September 2018.

Articles on Freedom-to-Tinker, 2024

Suggested Principles for State Statutes Regarding Ballot Marking and Vote Tabulation
Barcodes on paper ballots: the good, the bad, and the stealth
Rows and Columns, the County Line, and the ExpressVote XL

Articles on Freedom-to-Tinker, 2023

Unrecoverable Election Screwup in Williamson County TX
Sort the mail-in ballot envelopes, or don't?
Best practices for sorting mail-in ballots
Expensive and ineffective recounts in Los Angeles County
Willful disregard of voter intent in Los Angeles
Unsealing the Halderman report would be Responsible Vulnerability Disclosure
ExpressVote XL “fix” doesn’t fix anything
Searcy County Arkansas switches to hand-marked paper ballots
A reasonably priced Ballot On Demand system from Hart Intercivic
Switzerland’s e-voting system has predictable implementation blunder

Articles on Freedom-to-Tinker, 2022

ES&S Uses Undergraduate Project to Lobby New York Legislature on Risky Voting Machines
A PDF File Is Not Paper, So PDF Ballots Cannot Be Verified

Five-part series on the Swiss e-voting system:

  1. How to Assess an E-voting System
  2. How NOT to Assess an E-voting System, by Vanessa Teague
  3. How the Swiss Post E-voting system addresses client-side vulnerabilities
  4. What the Assessments Say About the Swiss E-voting System
  5. Switzerland’s E-voting: The Threat Model
Magical thinking about Ballot-Marking-Device contingency plans
The anomaly of cheap complexity
Is Internet Voting Secure? The Science and the Policy Battles
Why the voting machines failed in Mercer County
Next Steps for Mercer County Following Voting-Machine Failure

Articles on Freedom-to-Tinker, 2021

ESS voting machine company sends threats
Georgia’s election certification avoided an even worse nightmare that’s just waiting to happen next time
Expert analysis of Antrim County, Michigan
Juan Gilbert’s Transparent BMD
Internet Voting is Still Inherently Insecure
Voting Machine Hashcode Testing: Unsurprisingly insecure, and surprisingly insecure
Accommodating voters with disabilities
New Hampshire Election Audit, part 1
New Hampshire Election Audit, part 2
It’s still practically impossible to secure your computer (or voting machine) against attackers with physical access
Four 2020 lawsuits over internet voting
Another 2020 lawsuit over internet voting
“Signal Loss” and advertising privacy on Facebook

Articles on Freedom-to-Tinker, 2020

Five-part series on ballot-level comparison audits:

  1. Ballot-level comparison audits: central-count
  2. Ballot-level comparison audits: precinct-count
  3. Why we can’t do random selection the other way round in PCOS RLAs
  4. Finding a randomly numbered ballot
  5. Ballot-level comparison audits: BMD
Can Legislatures Safely Vote by Internet?
Fair Elections During a Crisis
Emergency Motion to Stop Internet Voting in NJ
Democracy Live internet voting: unsurprisingly insecure, and surprisingly insecure
NJ agrees No Internet voting in July, vague about November
Safely opening PDFs received by e-mail (or fax?!)
Voting by mail in NJ 2020
Election Audits in NJ 2020
Vote-by-mail meltdowns in 2020?
Election Security and Transparency in 2020
Federal judge denies injunction, so 7 states won’t be forced to accept internet ballot return
New Jersey gets ballot-tracking only half right
Did Sean Hannity misquote me?

Articles on Freedom-to-Tinker, 2019

Reexamination of an all-in-one voting machine
Voting machines I recommend
BMDs are not meaningfully auditable
ImageCast Evolution voting machine: Mitigations, misleadings, and misunderstandings
How to do a Risk-Limiting Audit

Articles on Freedom-to-Tinker, 2018

Are voting-machine modems truly divorced from the Internet?
Securing the Vote — National Academies report
Serious design flaw in ESS ExpressVote touchscreen: “permission to cheat”
Design flaw in Dominion ImageCast Evolution voting machine
Continuous-roll VVPAT under glass: an idea whose time has passed
An unverifiability principle for voting machines
Ten ways to make voting machines cheat with plausible deniability
Cheating with paper ballots
End-to-End Verifiable Elections
When the optical scanners jam up, what then?
Two cheers for limited democracy in New Jersey
Florida is the Florida of ballot-design mistakes
Expert opinions on in-person voting machines and vote-by-mail
Why voters should mark ballots by hand
Pilots of risk-limiting election audits in California and Virginia

Articles on Freedom-to-Tinker, 2016

Internet Voting, Utah GOP Primary Election
Internet Voting? Really?
Security against Election Hacking – Part 1: Software Independence
Security against Election Hacking – Part 2: Cyberoffense is not the best cyberdefense!
Which voting machines can be hacked through the Internet?
My testimony before the House Subcommittee on IT

Articles on Freedom-to-Tinker, 2013

Oral arguments in NJ voting-machines lawsuit appeal

Articles on Freedom-to-Tinker, 2012

Broken Ballots
Oral Arguments 12/4 in NJ Voting-Machine Lawsuit
NJ Lt. Governor invites voters to submit invalid ballots
Voting machine lawsuit, oral arguments, venue change

Articles on Freedom-to-Tinker, 2011

Seals on NJ voting machines, 2004-2008
Seals on NJ voting machines, October-December 2008
The trick to defeating tamper-indicating seals
What an expert on seals has to say
Seals on NJ voting machines, March 2009
Seals on NJ voting machines, as of 2011
Why seals can't secure elections
NJ election cover-up
Did NJ election officials fail to respect court order to improve security of elections?
Will the NJ Attorney General investigate the NJ Attorney General?
What happens when the printed ballot face doesn't match the electronic ballot definition?
Corruption Bureau assigns fox to guard henhouse
Appeal filed in NJ voting-machines lawsuit

Articles on Freedom-to-Tinker, 2010

Court permits release of unredacted report on AVC Advantage
NJ court permits release of post-trial briefs in voting case
Unpeeling the mystique of tamper-indicating seals

Articles on Freedom-to-Tinker, 2009

Optical-scan voting extremely accurate in Minnesota
NJ Voting-machine trial update
NJ Voting-machine trial: Plaintiffs' witnesses
NJ Voting-machine Trial: Defense Witnesses

Articles on Freedom-to-Tinker, 2008

Election Machinery blog
Judge Suppresses Report on Voting Machine Security
Report on the Sequioa AVC Advantage
Independent Voters Disenfranchised in Louisiana
Louisiana Re-enfranchises Independent Voters
Voting Machines are Silent in Princeton Today
Security Seals on AVC Advantage Voting Machines are Easily Defeated

Internet Voting? Really?  TEDx talk, March 2016


Security Seals on Voting
Machines: A Case Study

      Video demonstration of how to hack a voting machine
The New Jersey Voting-machine Lawsuit
and the AVC Advantage DRE Voting Machine
Some of my work on voting is described on my blog at Freedom-to-Tinker.

Voting-machine lawsuits

Gusciora v. Corzine and Zirkle v. Henry

Teaching

Research and Public Service

New Jersey Election Cover-up: During the June 2011 New Jersey primary election, something went wrong in Cumberland County, which uses Sequoia AVC Advantage direct-recording electronic voting computers. I served as an expert witness in the resulting lawsuit. From this I learned several things; see the attached report.

  1. New Jersey court-ordered election-security measures have not been effectively implemented.
  2. There is a reason to believe that New Jersey election officials have destroyed evidence in a pending court case, perhaps to cover up the noncompliance with these measures or to cover up irregularities in this election. There is enough evidence of a cover-up that a Superior Court judge has referred the matter to the State prosecutor's office.
  3. Like any DRE voting machine, the AVC Advantage is vulnerable to software-based vote stealing by replacing the internal vote-counting firmware. That kind of fraud probably did not occur in this case. But even without replacing the internal firmware, the AVC Advantage voting machine is vulnerable to the accidental or deliberate swapping of vote-totals between candidates. It is clear that the machine misreported votes in this election, and both technical and procedural safeguards proved ineffective to fully correct the error.

Security Seals On Voting Machines: A Case Study, by Andrew W. Appel. Accepted for publication, ACM Transactions on Information and System Security (TISSEC), 2011.

Abstract: Tamper-evident seals are used by many states' election officials on voting machines and ballot boxes, either to protect the computer and software from fraudulent modification or to protect paper ballots from fraudulent substitution or stuffing. Physical tamper-indicating seals can usually be easily defeated, given they way they are typically made and used; and the effectiveness of seals depends on the protocol for their application and inspection. The legitimacy of our elections may therefore depend on whether a particular state's use of seals is effective to prevent, deter, or detect election fraud. This paper is a case study of the use of seals on voting machines by the State of New Jersey. I conclude that New Jersey's protocols for the use of tamper-evident seals have been not at all effective. I conclude with a discussion of the more general problem of seals in democratic elections.

Analysis of the AVC Advantage DRE voting machine: In July 2008 I led a team of computer scientists in a study of the software and hardware of the Sequoia AVC Advantage. This is in connection with the NJ voting-machines lawsuit.

Summary article:
The New Jersey Voting-machine Lawsuit and the AVC Advantage DRE Voting Machine, by Andrew W. Appel, Maia Ginsburg, Harri Hursti, Brian W. Kernighan, Christopher D. Richards, Gang Tan, and Penny Venetis.
Published in EVT/WOTE'09, Electronic Voting Technology Workshop / Workshop on Trustworthy Elections, August 2009.

Technical reports:

Down for the count, our voting machines remain vulnerable to tampering, op-ed article in the Bergen Record, June 22, 2008. [local copy] Note correction: in the next-to-last paragraph, change "a month later" to "at that time."
Letter to the New Jersey Voting Machine Examining Committee, May 2008.
Effective Audit Policy for Voter-Verified Paper Ballots, by Andrew W. Appel. Presented at 2007 Annual Meeting of the American Political Science Association, Chicago, September 1, 2007.
Earlier version, February 2007.
6300 beads representing the precincts in a New Jersey Governor election; 10% of the beads are blue, representing fraudulent voting machines. A 1% sample (63 beads) is shown; it is extremely likely to include at least one blue bead (in this case the sample has 7 blue beads), and thus the audit will catch some of the fraudulent machines (triggering, in principle, a wider recount and a forensic investigation). 100 marbles representing the precincts of a city mayoral election; 10% of the marbles are blue representing fraudulent voting machines. A 1% sample is shown (one marble); it's unlikely that a 1% sample will include any blue marbles. While a 1% audit works well for statewide races, it does not suffice for local or legislative-district elections. (Photos: Alex Halderman)
Andrew Appel with an AVC Advantage voting machine. Photo credit: Alex Halderman
How I bought some used voting machines on the Internet
(voting machines as Halloween costumes...)
How to Defeat Rivest's ThreeBallot Voting System, by Andrew W. Appel. October 2006.

Related papers:
The Trouble With Triples: A Critical Review of the Triple Ballot (3ballot) scheme, Part 1 by Charlie Strauss, October 5, 2006.
A Critical Review of the Triple Ballot Voting System. Part 2: Cracking the Triple Ballot Encryption by Charlie Strauss, October 8, 2006.

Ceci n'est pas une urne:
On the Internet vote for the
Assemblée des Français de l'Etranger (click here for the report)

(ici la version française)
I testified as an expert witness for the plaintiffs in Gusciora v. McGreevey, a lawsuit in New Jersey state court filed in October 2004. The plaintiffs argued that the use of Direct Recording Electronic (DRE) voting machines without a voter-verified paper ballot is both unconstitutional and illegal in New Jersey.
My testimony before the State Government Committee of the New Jersey State Senate, on the topic of voting machines, May 26, 2005.
I taught a Freshman Seminar on Election Machinery in the Fall semester 2004.