Determining the Causes of AccuVote Optical Scan Voting ... · PDF fileAccuVote Optical Scan Voting Terminal Memory Card Failures ... tems normally use removable memory cards to ...

Determining the Causes ofAccuVote Optical Scan Voting Terminal Memory Card Failureslowast

Tigran Antonyan Nicolas Nicolaou Alexander A Shvartsman Therese SmithComputer Science amp Engineering University of Connecticut Storrs CT 06269 USA

tigrannicolasaastms08012engruconnedu

AbstractOptical scan (OS) voting systems play an increasing rolein the United States elections with over 40 states deploy-ing such systems The AccuVote optical scanners (AV-OS) manufactured by ESampS account for over 20 of allOS systems OS systems typically use removable media(cards) to provide election-specific programming to thescanners and to convey precinct election results for cen-tral tabulation Several reports document occurrences ofAV-OS memory card failures with up to 15 of all cardsfailing in some cases

This paper reports on determining the causes of mem-ory card failures that lead to complete loss of data fromthe card An initial experimental analysis identified thebattery discharge as a significant part of the problemThis finding led to the question of the dependability ofthe built-in function of the AccuVote OS system that is-sues a warning when the memory card contains a low-voltage battery We identified the components used toimplement this function in one type of AccuVote mem-ory card Using the specifications of the commodity bat-teries that are used in these cards we determined the timeinterval from the instant when a battery warning is issuedby the AccuVote to the point when the battery does nothave enough voltage to retain data on the memory cardWe show that such interval is about 2 weeks Thus timelywarnings cannot be provided to protect against batterydischarge and loss of data during the election processThe factors contributing to the short warning interval arelikely to apply to other battery-backed RAM cards suchas those used in the ESampS Model 100 Recommenda-tions for mitigating the problem are made in light of theexpected behavior of the warning system

lowastResearch funded by the Secretary of the State of Connecticut andperformed at the Center for Voting Technology Research at the Univer-sity of Connecticut

1 Introduction

A number of reports in recent years documented securityand integrity vulnerabilities associated with electronicelection systems (eg [24 3 19 32 34 13 14 33 1016 17 7 8]) While it is extremely important to un-derstand and mitigate the risks of misuse and tamperingwith electronic voting systems it is also important to en-sure that the systems are reliable and when this is notthe case to analyze the problems and develop solutionsleading to more dependable election systems

Over 55 of the counties nationwide across morethan 40 states incorporated OS election systems forthe November 2008 Presidential Elections with over20 of those counties deploying the AccuVote OpticalScan (AV-OS) tabulators from ESampS (formerly PremierElection Systems formerly Diebold) [30] These sys-tems normally use removable memory cards to provideelection-specific programming to the tabulators and toconvey election results to the election management sys-tems (EMS) for aggregation It has been widely reportedthat the AV-OS memory cards have been malfunctioningat an unacceptably high rate

Background and motivation This work is motivatedby the experience of using AV-OS systems in the Stateof Connecticut and our own work on audits in the stateWe study AV-OS memory card malfunctions that causethe cards to lose their data (eg see the informal com-pendium at VotersUniteorg) This is typically detectedwhen a programmed card is inserted into the OS tabu-lator prior to an election In other cases this is detectedwhen attempting to load election results from a mem-ory card to EMS for aggregation for example one re-port from Washtenaw County Michigan describes somecards that ldquowere wiped clean of their data following anelection [23] There were also reports of memory card

failures during the elections Such failures may be catas-trophic for DRE systems however they are more benignfor OS systems (possibly constituting denial-of-service)due to the ease of detection and the existence of voter-verifiable paper ballots In any case the magnitude ofreported failures is a serious concern Eg 44 of cardsin Volusia County Florida November 2006 over 9card failures in two other (unnamed) counties in the sameelection in Florida Other reports claim even higher fail-ure rates Unfortunately while identifying a perceivedproblem with memory cards these reports do not con-tain any technical data that can shed light on the causesof the problem and do not provide direct evidence thatdata is indeed lost in malfunctioning cards

The first specific data on the AV-OS memory card fail-ures appears in recent reports on technical audits in theState of Connecticut [29 28] The reports indicate thatanywhere from 35 to 15 of the memory cards exam-ined in audits are found to be faulty The tabulators arenot able to read such cards but using special instrumen-tation it is possible to extract the contents of such cardsWhen any such card is read it is revealed that it containsa sequence of arbitrary byte values without any apparentstructure or format In particular these cards are distinctfrom properly formatted but not programmed cards

Frequent occurrence of such card failures for OS maylead to the following denial of service situations1) Loss of card data before or during an election makes itimpossible to conduct the election unless a replacementis secured or is available in a timely manner This in-curs substantial overheads associated with preparing re-dundant cards before elections and card failures result indelays and interruptions on the election day2) Loss of card data after an election results in the com-plete loss of the electronic election results for the corre-sponding precincts This makes it impossible to performcentral aggregation of election results using an EMS (inthe jurisdictions where such aggregation is used eg inConnecticut this is not done)3) Loss of card data after an election makes it impossibleto audit the (lost) data on such cards In particular auditlogs stored on the cards are also lost

This report documents the results of the technical in-vestigation whose goal is to identify the main causesleading to the loss of data on AV-OS memory cards Weare able to present strong evidence that the major causeof this loss of data is the depletion of the battery con-tained in the memory card We also provide an expla-nation for why the function implemented in the AV-OSsystem to warn of the depleted battery condition is inef-fective and cannot be relied on to assess predictably thecondition of the on-board battery

Summary of the results For the purpose of this study105 memory cards for the AccuVote Optical Scan (AV-OS) system were retained from the November 2008 elec-tions in Connecticut 55 of these cards were identified asthe cards that lost their data The remaining 50 cardsformed the control group consisting of cards that did notfail during the same election

The AV-OS memory cards marketed by ESampS arethe 40-pin 128 KB cards that essentially comply withthe Seiko Epson specification [27] The cards employRAM that is volatile Each card contains a coin-sized 3Vbattery (2016 type) required by the card to maintain itsmemory The AV-OS system incorporates a function thatissues a ldquolow battery warning When so indicated it isprudent to replace the battery before using the card Ide-ally when no such indication is issued by the system thebattery has sufficient charge to enable the card to main-tain its memory (for a certain period of time)

The goal of this work is to explore the conjecture thatthe depletion of the on-board battery on these cards is amajor factor causing the loss of data If weak batteriesare indeed the cause of the memory loss and given thatthe good use procedures demand that the battery is re-placed upon the low battery warning before the card isprogrammed we also consider the adequacy of the im-plementation of the AV-OS low battery warning system

To this end we conduct a case study of the most com-mon memory cards used with the AV-OS terminals (thereare two known types of cards in use in Connecticut) Thecontributions of this work are as follows1 We conducted tests on 55 memory cards that lost theirdata in the November 2008 elections We programmedthese cards with valid data and we observed the state ofthese cards over time (at least four weeks) For thosecards that failed to retain data we replaced their batter-ies and we repeated the test We contrasted the results forthese cards with the results obtained from a test on a con-trol set of 50 cards Our findings present strong evidencethat battery depletion was the cause of the data loss2 The memory card provides two quantities relevantto the conversion of the battery behavior to the lifetimeof the memory card data (i) the amount of energy dis-charged from the battery as a function of time and (ii) thevoltage level that triggers the AV-OS low battery warn-ing Given these parameters we computed the time fromthe appearance of the low-battery indicator until the dataare lost due to battery discharge We call this time periodthe warning time and we estimate this time to be about2 weeks for these memory cards In light of this timebeing so short the frequency with which memory cardslose their data is explicable and a change is warranted

2

3 For the typical election process in Connecticut weidentify the time when fresh batteries can be installedand the intervals during which the memory card dependsupon battery power We claim that for memory cardswhose components behave within their respective speci-fications the warning time provided by AV-OS is inade-quate to guarantee the retention of data for the durationof the electoral process As a corollary data retentioncannot be guaranteed for any duration beyond the elec-tions as may be required by some jurisdictions4 Where battery-backed memory cards are employedwe recommend supplementing the vendor instructionsfor battery handling In particular we recommend thatfor each election consideration be given to the age of thebatteries used with the cards If the time of the most re-cent battery replacement is more than a threshold amountof time for the specific battery (discussed later in this pa-per) in the past such batteries should be replaced beforethe election to mitigate the frequent occurrences of dataloss Given that not all batteries are created equal somelasting substantially longer than others it is prudent toobtain and examine battery datasheets from the respec-tive manufacturers to obtain the best value Lastly in thelonger term we recommend designing and using cardswith intrinsically non-volatile memory

Broader considerations Our study focuses on oneparticular optical scan system that employs battery pow-ered memory cards the ESampS AccuVote Optical Scan(AV-OS) as used in Connecticut and several other statesWe believe our results are applicable to other electionsystems that use battery powered removable media Thismerits future study however as of this writing we haveonly access to the election systems in Connecticut Otherelectronic voting systems with battery-backed memorycards (cartridges) include the ESampS Model 100 [26] cor-responding to 36 of all counties using OS systems andthe Optech III P Eagle [18] corresponding to 11 ofall counties The Sequoia AVC Advantage DRE (Di-rect Recording Electronic) is another example of an elec-tronic voting system using battery backed RAM [31]While there are no formal reports of memory card mal-functions in these machines it is prudent to conduct in-vestigation of memory card dependability in these andsimilar systems

Our recommended solution to replacing the batteriesbefore every election is simple but it comes at a costA state using AV-OS (or another similar system) willhave many thousands of cards and while batteries canbe bought in bulk at less than $1 per battery there arelikely to be substantial labor costs and costs associatedwith disposing a large number of batteries It will be im-

portant to assess these costs and to examine alternativessuch as keeping track of the age of each battery and re-placing only those that are at a higher risk of failing Apilot test should also be conducted to to assess these costsand the effectiveness of the proposed solution Anotheralternative is to develop plug-compatible memory cardsthat use non-volatile memory This may be particularlyimportant for those jurisdictions that require that all elec-tion data including electronic must be retained for atleast 22 months

Related work A similarly critical problem of detect-ing when a battery needs to be replaced or rechargedhas been faced in the setting of pacemaker batteries[6 25 22 20 11 12] In the time before the availabilityof transcutaneous recharging of pacemaker batteries asurgical procedure was scheduled to replace the batteryAs not all patientsrsquo batteries discharged within the sametime interval some method of assessing when to replacethe battery was desired Some pacemakers paced at areduced rate when the battery life remaining was shortWhatever the observable signal is the amount (in time)of warning given by the signal corresponds to the timeinterval from when the warning signal is detectable tothe time the performance of the battery-supplied systembecomes unacceptable

Paper outline In Section 2 we present historical ob-servations about the loss of data in cards that were exam-ined during the technical audits In Section 3 we presentthe details of our experiments In Section 4 we presentour analysis leading to the determination of the causes ofmemory loss and we provide an estimation on the warn-ing time for battery-backed cards In Section 5 we giverecommendations for mitigating the short warning timeproblem Section 6 contains conclusions from our in-vestigation and general recommendations on how to de-crease the occurrence of card failures

2 The Setting

The State of Connecticut introduced the AccuVote Opti-cal Scan (AV-OS) election systems in 2006 together withimplementing audits to mitigate the risks associated withsecurity and integrity issues in using electronic electionsystems The audits include post-election hand countedballot audits covering 10 of the voting districts andtechnical audits of the AV-OS memory cards performedbefore and after each state-wide election

The AV-OS tabulators use removable battery poweredmemory cards that are programmed prior to an electionwith the information pertaining to the specific contest

3

configuration in each voting district The memory cardused in Connecticut is a 40-pin 128KB card in many re-spects compatible with the Seiko-Epson datasheet [27]In additional to the contest configuration each memorycard also stores the counters representing the number ofvotes cast for the candidates and propositions and the au-dit log (as well as additional data) [1]

There were over 1000 polling places (inclusive ofabsentee) in the November 2008 elections in the Stateof Connecticut Each polling location has four mem-ory cards One of the four cards is randomly selectedfor the pre-election audit One of the remaining is nor-mally used in the election while the balance of two cardsserve as backups In total there are about 4000 mem-ory cards in Connecticut Note that for physical securityidentification and sealing purposes the memory cardsin Connecticut have tamper-evident self-adhesive labelthat also covers the battery compartment

The technical audits determined that a non-trivial per-centage of the memory cards lost their data at some pointafter being programmed for election The examination ofthe cards that lost data revealed that the contents of suchcards appeared as an arbitrary near random sequence ofbytes (characters) The AV-OS systems cannot use suchcards recognizing them as invalid (and offering to formatthese cards) Thus this does not present an immediate se-curity issue however the substantial percentage of suchcards observed in each election raises the concern of anon-malicious denial-of-service problem

Table 1 presents the percentage of cards that lost theirdata as discovered during the audits of five differentelections The pre-election audits are generally per-formed by randomly drawing one of four cards from eachdistrict before the election and the post-election auditexamines cards used in the elections for the voting dis-tricts subject to the 10 hand-counted ballot audit Theactual number of cards that lose their data could even behigher given that in some cases cards are reprogrammedbefore the election when cards with lost data are encoun-tered during the logic and accuracy tests

Several hypotheses explaining the causes of data losson memory cards were tested but did not yield evena remotely significant statistical difference with respectto control group For example it was hypothesizedthat memory cards might be damaged in some electro-magnetic way during transport however no differencesin the occurrence of data loss were observed for the cardsthat were transported using a common carrier vs thecards that were transported using a dedicated courierAnother test revealed no differences in the occurrenceof lost data for the cards that were ldquocold bootedrdquo where

the cards are inserted prior to starting the tabulator andfor the cards that were ldquohot booted where the cards areinserted after starting the tabulator

However and not surprisingly it was determined thatthe removal of the battery from the memory card re-sults in loss of data Replacing the battery reinitializesthe memory to some apparently random arbitrary dataGiven that the state of the card after the replacement ofthe battery (eg random looking data) was essentiallythe same as the state of the card that lost its data withbattery in place the conjecture was made that depletedbatteries caused loss of data What was somewhat sur-prising is that the AV-OS function designed to alert theuser that the battery is low did not do so consistently forthe cards that lost their data This led to the investiga-tion that encompassed both the experimentation with thecards that lost their data and the assessment of the lowbattery function of the AV-OS itself

We report our findings in the next two sections Wedescribe how much warning time can be provided by theAV-OS battery warning indicator the report also drawsimportant distinctions between failure modes occurringin cards used in elections Using a case study we alsoprovide the warning time for the most common type ofmemory cards used in the AV-OS Because the achiev-able warning time is short a recommendation about bat-tery replacement is provided

3 The Symptoms

As shown in Table 1 the percentage of cards that losttheir data ranged from the low 34 in the audit ofNovember 2007 elections to the high 154 in the auditof August 2008 elections The failure rates fluctuate andthere does not seem to be a recognizable pattern in theseobservations (one important variable is not captured inthese statistics and that is whether or not and when thebatteries were replaced and in what cards)

This section presents an experimental investigation todetermine whether the batteries that power the memorycards may be responsible for the loss of data In additionwe observe the physical condition of the memory cardsand the function of the AV-OS tabulator that informs theusers that the card battery is depleted

31 Experimental SetupWe conducted experimental tests on 55 memory cardsthat lost their data in the November 2008 elections Weprogrammed these cards with valid election data and weobserved the state of these cards over time For those

4

Audit Election Cards with Data LossPost-election November 2009 election 12Pre-election November 2009 election 9Post-election November 2008 election 89Pre-election November 2008 election 89Post-election August 2008 primary 154Pre-election August 2008 primary 54Post-election February 2008 primary 48Post-election November 2007 election 8Pre-election November 2007 election 34

Table 1 Historical occurrence of cards with data loss

cards that failed to retain data we replaced their batteriesand we repeated the timed test We contrasted the resultsfor these cards with the results obtained from a test on acontrol set of 50 cards from the same election

We designed the timed memory card tests to performthe following

1 For the cards that were found to have lost their datatest the possibility of the cards to lose data againafter proper initialization (reprogramming)

2 For the cards that do lose their data again in (1)establish a time frame within which such behavioris observed

3 Perform statistical analysis on data retention afterreprogramming the card with a valid election data

4 Examine the behavior of the cards that lost their dataafter the batteries are replaced with new batteries

5 Contrast the behavior of the test group of card withthe cards that have not been previously identified asthe cards that lost their data

We present the results of the series of of three depen-dent tests and contrast them with the results of a teston a control set of cards In these tests each card is go-ing through the following three stages (i) programming(ii) content extraction and (iii) content validation Con-tent extraction and content validation stages were per-formed periodically after each card was programmedThis process continued for a predefined time period (atleast 4 weeks) The performance of each card was mea-sured in terms of how many days the card retained itsdata during the interval In addition to the three stageseach test included recording of the appearance of thelow-battery indication on the AV-OS display This in-formation on low-battery indication for each card wasobtained immediately prior to extracting the card data

Our three tests plus the control test are summarizedas follows

bull Test 1 includes all cards that previously lost theirdata The main goal of this test is to measure theperformance of these cards after reprogramming byrepeatedly validating the content of the cards Thistest is designed to assess the longevity and the like-lihood of these cards to lose their data again afterreinitialization

bull Test 2 is performed on the cards that had the worstperformance during Test 1 Specifically it is per-formed on the cards that lost their data within thefirst two days of Test 1 We repeat the steps of Test1 with these cards to assess whether these cards tendto lose their data in a short period of time We com-pare the performance of the cards in Test 2 with theperformance of the same cards in Test 1

bull Test 3 is performed on the cards that performedpoorly during Test 2 We aimed to test the hy-pothesis that depleted batteries caused properly pro-grammed cards to lose their data To test this wereplaced the batteries for all of these cards with newbatteries and we measured the performance of thesecards In particular we aimed to contrast the behav-ior of the cards that previously lost their data withthe behavior of the same cards but with new bat-teries For each such card we recorded the batteryvoltage reading of the original battery

bull Control Test includes 50 cards that were randomlyselected from the available cards from the sameelection that satisfied the following two conditionsduring the post-election audit (1) the cards con-tained valid data and (2) the cards did not containduplication events in their logs as card duplicationhas been used in some cases to restore the data on

5

the cards that lost it In this timed control test we re-programmed and repeatedly validated the contentsof these cards

We now describe our testbed We first describe thesteps that comprise the initialization (programming) andthe initial testing performed prior to each test

According to the election procedures in the State ofConnecticut the programmed cards are to be sealed intheir target AV-OS machine at least two weeks prior tothe election day Allowing for the typical two weeks forthe cards to be programmed and delivered to each vot-ing district this means that most of the cards are pro-grammed approximately four weeks before the electionday Therefore we chose four weeks (approximately) asthe minimum time frame for each test

In the tests we are concerned with card performanceWe pay special attention to ldquoworst performersrdquo thatis cards that lose their data in a short period of timeThroughout this experiment we use a two day time pe-riod as the threshold A card fails a test if it loses its databy the end of the timed test A card passes a test if by theend of the timed test it still holds its data

We used the election data from the election manage-ment system (GEMS) database files for November 2008elections to program the cards After programming thecards we ran a series of ldquocoldrdquo (cards are installed in thetabulator that is turned off) and ldquohotrdquo tests (cards are in-stalled in the tabulator that is turned on) to check whethera card is capable of holding the data immediately afterprogramming

To program (initialize) a memory card we perform thefollowing steps (1) power-off the tabulator (2) insert thememory card (3) power-on the tabulator (4) program thecard and (5) power-off the tabulator

Immediately after programming we perform a coldtest by powering-on the tabulator without removing thenewly programmed card A hot test follows by remov-ing and reinserting the card in the tabulator for threetimes with the tabulator powered-on Finally we restartand then power-off the tabulator and remove the mem-ory card This completes the initial testing procedure fora card

32 Test ResultsThe high level summary of the test results is presented inTable 2 We now discuss the results of each test

Test 1 In this test we used all 55 cards previouslyidentified to have lost their data Cards were initializedon 3242009 (14 cards) and the rest on 3252009 (41

cards) The duration of the test was 38 days 34 cards(62 of 55) lost their data one month after programmingThis means that cards that lost their data previously havea high chance of losing their data again after reprogram-ming It is also worth noting that 28 cards (51 of 55)lost their data within the first week after the initialization

Test 2 This test is designed to test the conjecture that ahigh percentage of cards that fail relatively quickly willfail again in a short period of time In this test we usedthe worst performing 20 cards from Test 1 The durationof the test was 31 days Our results show that 17 out of20 cards (85) lost their data within the first 2 days and18 out of 20 cards (90) lost their data within 10 days

Test 3 This test is conducted with the 17 cards that hadthe worst performance in Test 2 The duration of the testwas 29 days We took the batteries out of the cards andrecorded the voltage reading of each battery

We then installed new batteries in each card and re-peated the timed test Here we discovered that 4 out of17 cards lost their data even after the installation of thenew batteries

The four cards (12 of the total) that failed appearedto have hardware problems or showed signs of physicaldamage Two of the cards showed abnormal behaviorin particular one card appeared to have an internal shortcircuit as it was draining the battery to 0V within a veryshort time after installation Two other cards were ina physically damaged condition Out of the four cardsthree were physically damaged (eg as in Figure 1)

Recall that for physical security identification andsealing purposes the memory cards have tamper-evidentself-adhesive label that also covers the battery compart-ment The card is built in layers with the card circuitpositioned within a frame that is in turn sandwiched be-tween two covers We noticed that if the paper label isdamaged absent or does not wrap around the card thensuch cards may start coming apart in particular expos-ing the battery compartment (one can see the battery inthe lower right corner of the card see Figure 1) Pollworkers may not necessarily be aware of this damageCards in this condition can lose their data in the event ofthe battery disconnection during normal handling It islikely that such cards may lose their data during normalhandling and shipping

Control Test In this test we used 50 randomly selectedcards satisfying the following conditions as determinedin the post-election audit (a) they contained valid dataand (b) their logs did not contain duplication events

6

Total Cards Failed Passed Start End Duration(days)

Test 1 55 (100) 34 (62) 21 (38) 03242009 05012009 38Test 2 20 (100) 18 (90) 2 (10) 04072009 05082009 31Test 3 17 (100) 4 (24) 13 (76) 04092009 05082009 29Control 50 (100) 0 (0) 50 (100) 05122009 06122009 31

Table 2 Results of the timed memory card test

Figure 1 Memory Card ndash enclosure is apart from frame

Cards were initialized on 5122009 (20 cards) and therest on 5132009 (30 cards) As expected not a singlecard lost its data in this test

However we note that 8 cards (16 of 50) had showna low battery indicator symbol at least once during thetest This is another cause for concern having to do withestablishing the expected longevity of batteries

33 Summary of the ExperimentalObservations

Although the tested sample of 55 cards is modest in sizethe timed tests provide very strong evidence that the mainfactors that cause data loss in memory cards are (a) de-pleted or improperly seated batteries and (b) physicaldamage and wear of the cards that might permit loss ofelectrical contact with the batteries

The results of Test 1 establish that the majority ofcards that experience this data loss do so within the firstweek after initialization (programming) The results ofTest 3 suggest that changing the battery will make thecard more reliable with a success rate of over 75

These results are contrasted with a timed test of thecontrol group of 50 memory cards from the November

2008 elections that were properly programmed and thatdid not experience any problems There were not in-stances of data loss in such cards

Additionally there is good evidence that the AV-OSfunction designed to warn of a low voltage battery is nota reliable predictor of the card data longevity In the ab-sence of warning the cards may still lose data in a shortperiod of time We have observed in Tests 1 and 2 thatthe low battery indicator symbol in the majority of caseswas displayed only intermittently

It remains to be determined why renewing the batteryin the undamaged cards in Test 3 did not prevent loss ofdata Given that we identified one card as having a hard-ware problem (internal short circuit) it is plausible thatsome other cards may also have internal damage or arein the process of degrading (eg as the result of electri-cal overstress from electrostatic discharge) While wecannot rule out secondary failure factors based on the ex-perimental data we do observe strong evidence that de-pleted batteries account for a large majority of failuresOur analysis of the memory card design (presented in thenext section) provides further evidence

7

4 The Causes

Section 3 presented experimental evidence that a de-pleted battery prevents a card from holding its pro-grammed data It might be helpful at this point to drawa distinction between battery service lifetime and end-of-service warning time and also a distinction betweenaverage value and a value that corresponds to an accept-ably low failure rate

One could easily imagine that a batteryrsquos service life-time could be weeks or months but its suddenness offailure being quite swift One could easily imagine bycontrast that a battery enters a slow decline from the on-set of its use and that slow decline remains slow yield-ing a long end-of-service warning interval

Both the service lifetime and the end-of-service warn-ing interval are quantities characterized by probabilitydistributions often the average and the standard devia-tion are a sufficient characterization of such a quantityAn average over many samples (typical or expected) ser-vice lifetime can be estimated using extensive samplingA histogram of these samples can be used to estimatethe probability density function To keep a failure ratebelow an acceptably small amount (presumed to be sig-nificantly less than 50expected value is neededltnewgt

Consistent with the presence of the battery warningsubsystem one of the vendorrsquos manuals [31] says to re-place or recharge the battery when the warning systemindicates that voltage is low While the datasheet for asimilar memory card [28] states that 57 years is the ex-pected (typical) lifetime for Seiko batteries when used inthis card our analysis making use of appropriate designvalues indicates it is prudent to plan for a much shorterlifetime

From the perspective of the battery designer it is de-sirable to minimize the waste of energy stored in the bat-tery the voltage should remain in the adequately highregion until as much as possible of the energy stored isdelivered The design goal to avoid waste of energy andtherefore maintain an adequate voltage when there is en-ergy still in the battery results in a battery end-of-life be-havior that has a ldquosuddenrdquo loss of voltage in turn imply-ing a short warning interval Some of this voltage changebehavior is represented in what is called the depletioncurve This curve shows how the voltage provided by thebattery behaves as the stored energy within the batteryis being consumed The battery depletion curve is pro-vided on the battery specification sheet for some brandsof batteries Laboratory measurements confirm the datasupplied on the manufacturersrsquo datasheets manufactur-ersrsquo data are used explain the loss of data in memorycards The battery depletion curve can be combined with

the battery monitoring technique to calculate the warn-ing time provided by the battery warning indicator

Certainly it is the case that batteries run out in manykinds of devices it is also the case that the AV-OS tabu-lator includes a function for providing a warning Whatis significant for reducing the occurrence of data loss isthe recognition that there is limited information availableto provide a warning and what information there is doesnot give enough advance warning for the current combi-nation of electoral process and battery replacement pol-icy This section explains how much advance warningcan be achieved given the nature of the battery by de-scribing certain technical details of battery behavior thatpertain to detection of end-of-service-life of a batteryThen we show with a case study of one of the cards usedin the AV-OS the amount of warning time to be expected

We define ldquowarning timerdquo to mean the amount of timestarting when a warning is issued and ending with theloss of card memory contents The warning time dependsupon battery design features and the load on the batterywhich is characterized by the manufacturers (as well asherein) by the current drawn from the battery and alsoby the impedance inducing that current Experimentscan establish this current load by attaching a resistor In-formed by the battery datasheets that the battery voltagefalls off quite steeply when it declines we began by in-vestigating the battery depletion curve (Section 41) Wedescribe how we then examined the end-of-service-lifedetection strategy employed in the design of the particu-lar memory card in the case study and also in the AV-OSmachine software (Section 42) We combine the batterydepletion behavior and the detection strategy to developour estimate of warning time We compare the warningtime with the time interval for a typical electoral processcontrasting the warning time with an election time frame

41 Battery Depletion

We consider the battery voltage as it can be expectedto behave over time As current is drawn from the bat-tery by any circuit the energy stored within the bat-tery is depleted The behavior of the voltage suppliedby the battery as current is drawn is expressed in adepletion curve The significance of depletion curveshad long been recognized [4 6] Datasheets (eg En-ergizer [9] and Maxell [21]) document the specificationsaccording to which the products can be predicted to per-form and publish the dependence of voltage output uponstored energy remaining for their batteries We usedmanufacturer specified data for our calculations of warn-ing times We measured several batteries from each

8

of several manufacturers to observe how our measure-ments corresponded to manufacturersrsquo data when thatwas available and to assess with what confidence wemight regard our measurements when manufacturerrsquosdata was not available Maxell is one manufacturer spec-ifying temperature dependence [21] for this battery It re-ports that a reduction of battery service lifetime of about20 can be obtained by operating the battery at minus20CThis is significant for shipment by air or transportationin winter weather in some regions of the United States

We conducted laboratory measurements and obtainedthe depletion curves on several batteries that were bothelectrically and mechanically compatible with the mem-ory card Our laboratory measurements on batteriesfrom three different manufacturers are shown in Figure 2Each depletion curve is expressed as voltage vs timewhile measurements were collected at several values ofload between 671 kOhms and 33 kOhms on the plots theloads have been normalized to allow comparison amongManufacturers A B and C In particular the load wasnormalized to 10 microA and 25 weeks was chosen for thetime (horizontal) axis Explanation of why this value ofthe load and this value of the time were chosen are foundin Sections 42 and 43 respectively Table 3 presents thecomparison between the depletion time of the batteriesnormalizing the load to 300 kOhms

The measurements range from 06 to 15 of the pre-dicted lifetime of this type battery given by one batterymanufacturer [21] (Also the predicted lifetime differsby about a week from the shelf life of a line of memorycards manufactured by the same memory card manufac-turer Smart Modular Technologies) We are also pur-suing the measurements of the battery depletion curveusing memory cards to be reported in the future

As seen in the plots of Figure 2 the watch battery de-pletion curve has a flat region followed by a steeply drop-ping region As the reserve of stored energy in the batteryis reduced the voltage also tends to decline We reiter-ate that there are good reasons (eg avoiding waste ofenergy) for designing batteries to maintain output volt-age within a narrow region while the energy is being de-pleted In particular batteries have a design feature thatholds the remaining voltage above a designed level untilmost of the stored energy has been used This design fea-ture has the purpose of delivering the energy stored in thebattery in a manner efficient for its intended applicationIn other words electronic circuits waste less energy if noexcess voltage is delivered and they can be expected tofail to function if insufficient voltage is applied Thusthe minimum waste of energy is obtained when batteriesdeliver a constant voltage over their service life

Figure 3 Significance of load upon battery for servicelifetime

Using the Maxell datasheet [21] that provides infor-mation (shown in Figure 3) about depletion time as afunction of load to support our extrapolation we com-pute the anticipated depletion curve for the battery whenthe memory card is the electrical load It can be seen onthis plot that a current demand of 10 microA obtained from amemory chip datasheet corresponds to a service lifetimeof approximately 90 days (129 weeks)

42 Detecting End-of-Service Life ofthe Battery

To warn of depletion of the battery and subsequent lossof data the AV-OS provides a functionality that notifiesthe terminal operator that the voltage of the battery hasdropped to a ldquolowrdquo value On the memory card typewe examined a hardware chip the Dallas Semiconduc-tor DS1312 is used to compare the battery voltage underload with a voltage level set at the factory when the chipwas manufactured This chip produces a signal basedupon its examination of the battery voltage and that sig-nal nominally at 5V for no battery warning and below2V when a battery warning is being issued is routedfrom the memory card to the AV-OS processor The soft-ware in the AV-OS compares this battery warning signalwith 5V The software uses the result of this comparisonto inform the operator

Figure 4 illustrates the finite state machine (FSM) ofthe operation of the DS1312 chip using information ob-tained from the DS1312 datasheet [5] It also presents alegend of the possible values as a result of the variabilityin the manufacturing process that the various thresholdsmay take The chip has three responsibilities of whichwe describe two (the third function is write protection ofthe memory) The two relevant responsibilities are (as

9

Manufacturer A Manufacturer B Manufacturer C

Figure 2 Depletion curve measurements upon batteries from three different manufacturers (scaled to 10 microA)

Battery Load Time Interval above 2VManufacturer A adjusted to 300 kOhms 86 weeksManufacturer B adjusted to 300 kOhms 78 weeksManufacturer C 300 kOhms 189 weeks

Table 3 Comparison of the depletion interval with the load adjusted to 300 kOhms

used by the memory card) (i) keep continuous powersupply to the memory chip and (ii) send a signal whenlow-voltage is detected in the battery The chip has twovoltage inputs an input connected to the main power ofthe AV-OS (VCCI) and an input connected to the batteryof the memory card (VBAT)

The FSM starts from the ldquoNo Powerrdquo state Once weadd a new battery in the card we move to a freshness sealmode where it does not supply the memory with poweruntil the VCCI exceeds the predefined threshold (VCCTP)This threshold is the least amount of voltage that the chipexpects from the main power input When the AV-OS isturned on this threshold is reached and we move to theldquoOperating on Main Powerrdquo state Here the chip sup-plies the RAM chip with the power received from VCCIAlso as soon as we get to this state we test the batteryvoltage (ldquoTest VBATrdquo state) A second threshold is usedhere (denoted by VBTP) which defines the acceptablevoltage we should receive from the battery If VBAT isless than VBTP the battery warning (BW-) signal changesfrom nominally 5V (floated) to 0V (pulled low) If VBATis greater than VBTP then the BW- signal remains highIn this case the chip resets an internal clock and rechecksthe battery voltage every 24 hours The FSM moves tothe ldquoOperating in Batteryrdquo state if the VCCI drops belowthe supply switch threshold (VSW) and VBAT (and thusAV-OS is turned off) In this state the DS1312 suppliesthe RAM chip using the VBAT voltage If the VCCI be-

comes greater than VSW then from this state we moveback to the ldquoOperating the Main Powerrdquo state Noticethat the battery voltage is checked in this case as well

We can conclude that the battery is checked in twocases (i) startup (when the machine is turned on withthe memory card already in it or when the memory cardis inserted while the machine is already on) or (ii) peri-odically while the machine is left on and 24 hours havepassed from the last check The threshold VBTP cannotbe set higher than the voltage of a new battery otherwisenew batteries will immediately be declared to be at end oflife Therefore the highest meaningful value of VBTP isthe nominal voltage of the fresh battery 3 volts The low-est possible value of that threshold is the value neededby the memory circuits to retain data Between thesemaximum (fresh battery voltage) and minimum (small-est according to RAM specification) voltages is the re-gion within which a voltage threshold has a chance ofbeing useful In this region higher values of thresholdcorrespond to earlier warnings

We traced the BW- signal on the memory card by ex-amining the printed circuit board We found that on thiscircuit card the battery warning output signal from theDS1312 is routed to pin 2 on the card This pinrsquos signalis then provided to the comparator input port of the pro-cessor The software of the AV-OS in turn monitors thesignal on the port Because this signal is nominally a dig-ital signal raised to approximately 5V when the DS1312

10

Figure 4 Operation of DS1312

has not detected a battery warning condition the proces-sor software uses a threshold to evaluate the BW- signalThis threshold is set at 5V which is consistent with thedesire to provide a warning as soon as possible after theDS1312 has detected a warning condition

Thus we conjecture that the detection strategy whenthis version of memory card is used is a combinationof a hardware detection by the DS1312 circuit followedby a software detection of the ldquoBatteryWarningrdquo activelow signal output from the DS1312 on the comparatorinput port Though we have an idea of the method usedin AV-OS it is perhaps more useful to consider the lim-its for any implementation rather than specifically ad-dressing one instance of implementation For examplewere a gate array to be used for the battery warning func-tion as mentioned in [27] the limitations on detectionapproaches are still completely relevant

Choice for Load Current To estimate the service life-time of the battery of the memory card we need an esti-mate of the load that the card places upon the battery

By examination of the memory card we identified thatthe card is equipped with a Hynix HY628100B RAM

chip From the RAMrsquos datasheet [15] we obtained thestandby current level at which the RAM is guaranteedto retain data According to the datasheet the particularRAM chip requires no more than 10 microA of standby cur-rent load This is the value of current we use as the loadupon the battery

Battery Lifetime The voltage of the battery is usedto detect the beginning of its end-of-life The voltagethreshold (VBTP) should be lower than the nominal oper-ating voltage or the false alarm rate (the frequency withwhich good batteries are declared to be at end-of-life)will be unreasonably high Let us postulate then that thethreshold level is 28V We know from above that the theHY628100B series RAM requires no more than 10 microAof standby current load Given this information we ob-serve from the Energizer datasheet [9] that for a thresh-old voltage of 28V and a minimum acceptable voltageof 20V we expect to obtain 2000 hours of warning (12weeks) If the threshold voltage were 25V and the min-imum acceptable voltage were 20V we expect to obtaina warning time of 800 hours (48 weeks) From the Max-ell datasheet we find that for a threshold of 28V and a

11

minimum acceptable voltage of 20V we expect to ob-tain a warning time of 2600 hours (155 weeks) and fora threshold voltage of 25V with a minimum acceptablevoltage of 20V we expect to obtain a warning time of800 hours (48 weeks)

In the case of the Dallas Semiconductor DS1312 [5]the VBTP threshold was 25V (the minimum possiblethreshold) In this case the warning time would be con-sidering the above batteries less than five weeks If thebattery voltage were supplied to the RAM through theDS1312 battery monitor circuit it would experience avoltage drop between its measurement point and its pointof application to the RAM This drop is specified to beno worse than 02V In this case 22V is the least volt-age necessary for the DS1312 to deliver 2V to the RAMHence in this case the warning time equals to the amountof time to move from 25V to 22V and that is 900 and600 hours respectively or less than 53 or 36 weeksOther battery brands may differ

The steepness of the battery depletion curve whichis an intended design feature of the battery (see Sec-tion 41) causes the strong influence of these factors(current drawn voltage threshold) upon the warningtime Figure 5 depicts the depletion curve of the batteryand shows the warning time in weeks from 25V (pointA) and 24V (point B) to 22V (point C) and 2V The plotis scaled to correspond to 10 microA of load The shape ofthe curve differs between manufacturers so the warningtime depends upon the brand of the battery neverthe-less the warning time is too short for all of the batterieswe have investigated

43 Battery Lifecycle in an Election

So as to suggest the least possible criticism of the de-sign while addressing the cause of the memory carddata loss we chose to assume the following (a) No cur-rent is drawn from the battery during the presence of avoltage supply from the AV-OS (b) No transient spikeof drawn current occurs at any point in the lifecycle(c) The memory is in a standby lower current consump-tion mode of operation when the battery backup is beingused (c) Because battery lifetime is specified at roomtemperature the effect of cooling as would expected ifair shipment were used has not been taken into accountIn effect we have assumed that the battery is maintainedwithin the range for which it is specified to operate eventhough that is unlikely to be the case because the inter-nal temperature inside the equipment while operating isvery likely to be higher than room temperature and thetemperatures experienced during shipping during winter

The lifecycle of a memory card used in an elec-tion includes preparation delivery use in the tab-ulation of cast ballots use in aggregation Even-tually the interest in the data as represented inthe card memory is over If the lifecycle lasts sixweeks the warning time ought to be at least sixweeks

Figure 6 The lifecycle of a memory card in an election

might be colder than room temperatureThe recommended lifecycle begins with a fresh bat-

tery being installed in the memory card As shown inFigure 6 the battery experiences a sequence of eventsrelated to an election After a fresh battery is installedin a memory card using the DS1312 (Figure 4) the bat-tery is protected from its load until after the first time themain power from the tabulator is applied Whenever thememory card is inserted into the tabulator there are twopossibilities either the tabulator is already on or the tab-ulator is turned on We start our estimate of lifetime withthe later of these two events because that is the eventwhen the electrical power of the tabulator is applied tothe memory card

Adequate Warning Estimation Now let us considerwhether an adequate amount of warning can be obtainedAs described earlier the battery voltage is used to in-dicate the remaining service life of the battery Usingthe battery voltage as the signal of remaining service lifesuggests measuring the prevailing battery voltage andalso establishing a voltage level against which the pre-vailing battery voltage is compared When the resultof this comparison is that the prevailing voltage has de-clined below the threshold voltage then an action suchas the issuance of a message to an operator can be initi-ated Higher threshold values have the potential to warnearlier possibly wasting more stored energy Lowerthreshold values have the potential that the battery energyruns out before the battery is replaced Thus the thresh-old value is set in an attempt to give adequate warningIt is worth considering whether it is possible to obtainadequate warning One part of this consideration is howmuch warning is adequate

12

(A) Depending upon the brand of the battery the output voltageof the battery can cross below 28V almost immediately in the lifeof the battery [21] or not until 12 days prior to end of life [9](B) With a threshold setting of 25V a warning time of 7 weekwith one brand of battery is obtained and with another brand5 weeks(C) 2V is the voltage specification for a possible SRAM chip22V specified so that a DS1312 chip would (by specificationsheet) deliver 2V to the RAM Using 22V shortens the warningtime for a threshold of 25V from 7 weeks to 5 weeks and from5 weeks to less than 4 weeks

Figure 5 Estimating warning time

The lifecycle of an election is part of the considerationof what an adequate warning time would be A typicalelectoral process follows the stages presented in [2] Inbrief the electoral process consists of five main stagesprogramming testing election tabulation and auditingShipment occurs several times this should not be ne-glected because it offers opportunities for weather andadversaries to interfere with the mission of the memorycard

A memory card is first prepared to support the elec-tion Once the card is programmed it remains idle until itis tested in the precincts The programming of the card isexpected to be performed at least three weeks before theelection Subsequently testing and election stages areassumed to be performed at almost the same time Afterthe election is completed the card remains idle until thecentral tabulation of the results is completed (where thisis the normmdashcentral tabulation is not performed in Con-necticut) tabulation is usually completed the same dayas the election (but in Connecticut the cards reside at theprecincts for at least two weeks after that) Then the cardis used for auditing and the data should be retained for atleast one more week see Figure 6 This stage completesthe cycle of the election process and determines the ex-pected timemdashsix weeksmdashduring which the card is goingto be idle and the battery energy is subject to depletionas illustrated in Figure 5

Let us now assume that when the card is programmedfor election the status of battery warning is checked andis seen to pass inspection Recall that the battery voltagedeclines at end-of-service life but the decline is quitesteep As shown in Figure 5 at 2 weeks prior to theend-of-service life the estimate of the measured volt-age is 26V Thus a warning threshold would have to behigher than 26V Examining the graph the warning volt-

age threshold of 28V or higher appears for this brand ofbattery to provide as much as four weeks of warningThis threshold level is close to the normal voltage rangeof the battery suggesting that the rate of false alarmsie warnings issued when not warranted might be high

Let us call detection of end-of-service life ldquodetectionrdquoLet us call declaration of end of service life when thatdeclaration is premature ldquofalse alarmrdquo By setting thevoltage threshold higher we increase both the probabil-ity of detection and the probability of false alarm If weset the threshold value to reduce false alarms we alsoreduce the probability of detection This sort of systembehavior is often shown in receiver operating characteris-tic (ROC) curves Some choice informed by the relativevalues of a missed detection and a false alarm is madeabout what point on the ROC will be chosen We ascribea significant value to a missed detection especially for aDRE but we need to avoid constant false alarms Usingthe threshold implemented in the memory card we ana-lyzed and good quality batteries we determined that thatthreshold provides twelve days of warning

Estimating service life We close this section with abrief description of how to estimate the service life of abattery that could be used to guide the decision of whenbatteries need to be replaced A procedure for estimatingthe service life of a battery is as follows

1 Estimate how much current load one should plan onbeing presented to the battery For example if thebattery supplies a single RAM and that RAM instandby mode is specified to require no more than10 microA then one would use 10 microA

2 Choose a battery whose datasheet supplies a deple-tion curve

13

3 Estimate the values of some relevant parameterseg if the datasheet gives various depletion curvesdepending upon operating temperature and thetemperature makes a significant difference to the de-pletion curve then it is advisable to estimate the op-erating temperature and select the depletion curvefor that temperature or perhaps interpolate betweencurves for higher and lower temperatures to esti-mate the corresponding depletion curve

4 Obtain the value of voltage needed from the bat-tery so that the circuit supplied by the battery canfunction For example if the RAM requires at least20V and an intervening circuit produces worstcase a voltage drop of 02V add these to obtain the22V required of the battery

5 Using the current load from item 1 and the curve ob-tained in item 3 read the amount of time it takes forthe batteryrsquos output voltage to decline to the voltagevalue obtained in item 4

5 Recommendations

Our main conclusion for the AV-OS system is that it isnot advisable to rely on the (absence of) low-voltagewarning as an indication that the memory card will retainits data for the entire duration of the electoral process Ifthe state of the battery is unknown the absence of low-voltage warning at best means that the battery will lastfor for at least two weeks which may be sufficient

In general when using battery-backed RAM ensuringfresh batteries in the process of preparing for the elec-tion is recommended The batteries can be purchasedin quantity for about $050 so the cost of replacementcan be expected to be dominated by labor costs thoseare unknown to us If labor costs were low enoughand memory cards and batteries uniquely identified bat-teries could be removed in between elections Recordscould be kept of time-in-use of individual batteries Inthe more likely event that labor costs dominate and with-out a means to assign a cost to environmental impact forthe case where battery-backed RAM cards continue tobe used the recommendation is to provide fresh batter-ies Given the technology used to implement the cardsand the characteristics of the batteries setting the warn-ing threshold at a higher voltage (even if this were prac-tically implementable) would result in frequent prema-ture warnings of battery depletion necessitating batteryreplacements even if the batteries have adequate energyleft This will not avoid replacing most (or all) batteriesat the point where the preparation for election is started

The memory card can be expected to draw battery cur-rent from the first time the card is powered by other thanthe battery ie by the tabulator Subsequently the cardis going to draw current for any interval when the card isnot supplied power from another source Therefore it isimportant to choose batteries whose depletion curve re-mains above 25V for the required interval of time Forexample if a card is to retain its data for up to 12 yearthen a battery needs to be chosen so that it maintains25V or more for at least 26 weeks when a load of 10microA (corresponding to the datasheet specification of cur-rent load for a low power CMOS RAM) is applied

If we assume standby mode for the memory and usememory that requires no more than 10 microA of standbycurrent load (with no other components drawing current)and use the Energizer CR2016 battery (a better battery)we estimate that the life of the battery should be approx-imately one year This number is obtained as followsThe battery voltage is nominally 3V and we assume theHynix RAM whose datasheet [15] specifies 10 microA cur-rent drawn in standby mode The lifetime of the En-ergizer battery when its voltage remains above the 2Vneeded for data retention in standby mode at that cur-rent load according to its datasheet [9] is 9000 hours orapproximately one year

Given that it is possible that a memory card is used forelections once a year it leads us to the same conclusionFor each election a decision would be made whether ornot to replace the batteries for this election The decisionwould be based on the amount of time since the batterieswere last replaced and on the estimate of the service lifeof the battery (eg using the procedure at the end of theprevious section)

6 Conclusions

This paper presents experimental and analytical evidencethat the primary cause of the loss of data frequently ob-served with the AccuVote Optical Scan (AV-OS) mem-ory cards is due to battery depletion Memory cardsare prone to losing their data even if the AccuVote low-battery warning is absent at the time the cards are pro-grammed

Supplementing the experimental data our analysis ex-plains why memory cards lose data and why they do sounexpectedly In our assessment a memory card can berelied upon to hold its data for no more than 2 weeks af-ter programming when the AV-OS does not issue a low-battery warning

Because the warning time is short we suggest thatelection officials and memory card programmers do not

14

rely on these warnings Instead they should take mitigat-ing measures for example consider replacing batteriesbefore cards are prepared for elections Concurrently thefeasibility of using non-volatile removable media oughtto be explored

The factors contributing to the short warning time arethe steepness of the battery depletion curve (a function ofhow fast energy is drawn from the battery) and the par-ticular rate with which energy is drawn from the batteryBecause these two factors can be expected to be similarin other electronic voting systems using battery backedRAMs it appears likely that other such electronic votingwould experience failures of the kind seen in the AV-OSIt appears likely that in all such battery-backed RAMsystems it is not practical to provide earlier warningsbecause there are bound to be many false warnings withperfectly healthy batteries

It would be extremely important to obtain experimen-tal support for our conjecture by analyzing other elec-tronic voting systems that use battery backed RAMshowever this would require the level of access to suchsystems that as of this writing and upon our beliefis only available in Connecticut (where only AV-OS isused) Our study should motivate further research forother election systems that rely on battery powered cardsfor data retention eg OS ESampS Model 100 and DREAVC Advantage

We also recommend that audit proceduresmdashhand-counted audits in randomly selected precincts and pre-and post-election audits of memory cardsmdashbe put inplace in any jurisdictions that encounter memory cardfailures If a memory card fails prior to a technical au-dit it is also recommended that the precinct where thecard was used is automatically selected for hand-countedballot audit (for systems that have voter-verified ballots)

In addition to renewing batteries based on our ob-servations election officials should inspect the cards forphysical wear and damage The visual inspection needsto focus on loose or damaged enclosures and such cardsmust be replaced or repaired

Lastly while recommending proactive battery replace-ment programs additional work is necessary to developfeasible logistics and estimate the costs of such pro-grams

Because the warning time is short we suggest thatelection officials and memory card programmers do notrely on these warnings Instead they should take mitigat-ing measures for example consider replacing batteriesbefore cards are prepared for elections Concurrently thefeasibility of using non-volatile removable media oughtto be explored

Addressing the broader landscape it is extremely im-portant to assess both the security and reliability aspectsof electronic voting systems Beyond the obvious needfor these systems to be reliable and dependable defectsand benign failures in such systems and their componentscould be used by nefarious actors to mask tampering Forexample attackers can hope to cover their tracks by us-ing the knowledge that volatile memory cards with weakbatteries are likely to lose their data within days thuspotentially thwarting subsequent forensic investigationUnderstanding the reliability limitations of existing vot-ing systems further motivates the development of betternew systems and helps improve safe use procedures forexisting systems

AcknowledgmentWe thank the anonymous reviewers for their insightfuland detailed comments that helped us to significantly im-prove the presentation

References[1] ANTONYAN T DAVTYAN S KENTROS S KIAYIAS A

MICHEL L NICOLAOU N RUSSELL A AND SHVARTS-MAN A Automating voting terminal event log analysis InElectronic Voting Technology Workshop Workshop on Trustwor-thy Elections (EVTWOTE09) (2009)

[2] ANTONYAN T DAVTYAN S KENTROS S KIAYIAS AMICHEL L NICOLAOU N RUSSELL A AND SHVARTS-MAN A A State-wide elections optical scan voting systemsand the pursuit of integrity Trans Info For Sec 4 4 (2009)597ndash610

[3] BANNET J PRICE D W RUDYS A SINGER J ANDWALLACH D S Hack-a-vote Security issues with electronicvoting systems IEEE Security amp Privacy 2 1 (2004) 32ndash37

[4] CHARDACK W M GAGE A A FEDERICO A JSCHIMERT G AND GREATBATCH W Clinical experiencewith an implantable pacemaker Ann N Y Acad Sci 111 (Jun1964) 1075ndash1092

[5] DALLASSEMICONDUCTOR Ds1312 nonvolatile controller withlithium battery monitor

[6] DAVIES G AND SIDDONS H Prediction of battery depletionin implanted pacemakers Thorax 28 2 (March 1973)

[7] DAVTYAN S KENTROS S KIAYIAS A MICHEL LNICOLAOU N C RUSSELL A SEE A SHASHIDHAR NAND SHVARTSMAN A A Pre-election testing and post-electionaudit of optical scan voting terminal memory cards In Proceed-ings of the 2008 USENIXACCURATE Electronic Voting Work-shop (EVT 08) July 28-29 2008 San Jose CA USA (2008)

[8] DAVTYAN S KENTROS S KIAYIAS A MICHEL LNICOLAOU N C RUSSELL A SEE A SHASHIDHAR NAND SHVARTSMAN A A Taking total control of voting sys-tems Firmware manipulations on an optical scan voting terminalIn Proceedings of the 24th Annual ACM Symposium on AppliedComputing (SAC 09) (2009)

15

[9] ENERGIZER HOLDINGS I Energizer cr2016 lithium coin

[10] FELDMAN A J HALDERMAN J A AND FELTENE W Security analysis of the Diebold AccuVote-TS votingmachine httpwwwusenixorgeventevt07techfull_papersfeldmanfeldmanpdf 13 September 2006

[11] HAUSER R G WIMER E A TIMMIS G C GORDON SET AL Twelve years of clinical experience with lithium pulsegenerators PACE 9 (1986)

[12] HAYES D L AND VLIETSTRA R E Pacemaker malfunctionAnn Intern Med 119 (1993)

[13] HURSTI H Critical security issues with Diebold optical scandesign httpwwwblackboxvotingorgBBVreportpdf 4 July2005

[14] HURSTI H Diebold TSx evaluation Black Box Voting ProjecthttpwwwblackboxvotingorgBBVtsxstudypdf 11 May 2006

[15] HYNIX Hy628100b series 4 2001

[16] KIAYIAS A MICHEL L RUSSELL A SHASHIDAR NSEE A AND SHVARTSMAN A An authentication and ballotlayout attack against an optical scan voting terminal In Proceed-ings of the USENIXACCURATE Electronic Voting TechnologyWorkshop (EVT 07) (August 2007)

[17] KIAYIAS A MICHEL L RUSSELL A SHASHIDHAR NSEE A SHVARTSMAN A A AND DAVTYAN S Tamperingwith special purpose trusted computing devices A case study inoptical scan e-voting In Proceedings of the 23rd Annual Com-puter Security Applications Conference (ACSAC 2007) Decem-ber 10-14 2007 Miami Beach Florida USA (2007) pp 30ndash39

[18] KLOEPPEL T Automated Election Services - Optech III Infor-mation httpwwwboisfortecomdocumentsAESINFOdoc 32010

[19] KOHNO T STUBBLEFIELD A RUBIN A D AND WAL-LACH D S Analysis of an electronic voting system In Pro-ceedings of the IEEE Symposium on Security and Privacy (2004)pp 27ndash42

[20] LEE Y S Battery depletion monitor 2009 United States Patent4313079 httpwwwfreepatentsonlinecom4313079htmlviewed 1 July 2009

[21] MAXELLHITACHI Lithium manganese dioxide rechargeablebatteries ml2016 June 2003

[22] MEDTRONIC At500 pacing system follow-up protocol2009 httpwwwmedtroniccomcrmperformancearticlesat500_batteryhtml viewed 1 July 2009

[23] MORGAN M Election night in washtenaw county November2009 The Ann Arbor Chronicle

[24] NORDEN L The machinery of democracy Protecting electionsin an electronic world 2005 Brennan Center Task Force onVoting System Security httpwwwbrennancenterorgpage-ddownload_file_36343pdf

[25] ROOS M KOBZA R AND ERNE P Early pacemaker batterydepletion caused by a current leak in the output circuitry Rec-tification not exchange Pacing and Clinical Electrophysiology30 5 (2007) ON 1540-8159 PN 0147-8389 AD Division ofCardiology Kantonsspital Luzern Luzern Switzerland

[26] SBE M100 Battery Primer Document Control VS-02-14Copyright 2006 by Election Systems amp Software 11208 JohnGalt Blvd Omaha NE 68137-2364 all rights reserved Printedin the USA 2 2010 North Carolina State Board of Elections

[27] SEIKOEPSON SRAM IE Series

[28] SHVARTSMAN A KIAYIAS A MICHEL L RUSSELL AANTONYAN T DAVTYAN S KENTROS S AND NICO-LAOU N Post-election audit of memory cards for the november2008 elections version 10 UConn VoTeR Center (May 2009)

[29] SHVARTSMAN A KIAYIAS A MICHEL L RUSSELL AANTONYAN T DAVTYAN S KENTROS S AND NICO-LAOU N Statistical analysis of the post election audit data 2008november elections VoTeR (May 2009)

[30] Verified Voting httpwwwverifiedvotingorg

[31] VERIFIEDVOTING Electronic Voting Machine Infor-mation Sheet - Sequoia Voting Systems - AVC Ad-vantage httpwwwverifiedvotingorgdownloads2008SequoiaAVCAdvantage-fullpdf 2008

[32] VORA P L ADIDA B BUCHOLZ R CHAUM D DILLD L JEFFERSON D JONES D W LATTIN W RUBINA D SHAMOS M I AND YUNG M Evaluation of votingsystems Commun ACM 47 11 (2004) 144

[33] WAGNER D JEFFERSON D AND BISHOP M Security anal-ysis of the Diebold AccuBasic interpreter Voting Systems Tech-nology Assessment Advisory Board University of CaliforniaBerkeley 14 February 2006

[34] WERTHEIMER M A Trusted agent report DieboldAccuVote-TS voting system RABA Innovative Solution Cellhttppeoplecsailmitedurivestvotingreports2004-01-2020RABA20evaluation20of20Diebold20AccuVotepdfJanuary 2004

16