The New York State Legislature is considering a bill that would ban all-in-one voting machines–that is, voting machines that can both print votes on the ballot, and scan and count votes from the ballot, all in the same paper path. This is an important safeguard, because such machines, if they are hacked by the installation of fraudulent software, can change or add votes that the voter did not intend and never got a chance to see on paper.
One voting-machine company, Elections Systems and Software (ES&S), that makes an all-in-one voting machine (the ExpressVote XL), is lobbying hard against this bill. As part of their lobbying package, they are claiming, “Rochester Institute of Technology researchers found zero attacks*” on the ExpressVote XL, based on an article (included in ES&S’s lobbying package) from Rochester Institute of Technology entitled “RIT cybersecurity student researchers put voting machine security to the test.”
If this were actually a scientific article, one could critique it as actual science. But it’s not a scientific paper: the article is written by the RIT public relations department (Scott Bureau, Senior Communications Specialist, RIT Marketing and Communications). The article describes an undergraduate student “capstone project:” The students were interviewed by ES&S, allowed ES&S to inspect their testing site, then signed a nondisclosure agreement with ES&S. The students made up two “Attack Scenarios”, then spent 10 days trying to find attacks. They found some vulnerabilities, but not one that could change votes.
The students made public a one-page poster