Kellner Memo Dominion ICE
Kellner Memo Dominion ICE
Kellner Memo Dominion ICE
MEMORANDUM
To: Peter S. Kosinski
Andrew J. Spano
Gregory P. Peterson
Two respected professors of computer science have provided reports that the
Dominion ImageCast Evolution voting machine has a “design flaw.” Andrew W.
Appel, the Eugene Higgins Professor of Computer Science in the Department of
Computer Science at Princeton University,1 has written, “after you mark your ballot,
after you review your ballot, the voting machine can print more votes on it!”2
(emphasis in original). Richard A. DeMillo, Charlotte B. and Roger C. Warren
Distinguished Professor of Computing in the Department of Computer Science at
the Georgia Institute of Technology,3 has opined that Professor Appel has identified
“a vulnerability in Dominion’s ICE and that--absent a thorough and convincing
design and code review--there is no way to be confident that the system is immune
from the ballot stuffing attack he describes.”
Election Law § 7-201 requires that the State Board of Elections examine and
approve each type of voting machine or voting system before it can be used in New
York State. The examination criteria for certification of voting equipment are set
forth in Regulation 6209.6.4 The regulation requires that the vendor include detailed
documentation regarding software security:
1
https://www.cs.princeton.edu/~appel/
2
https://freedom-to-tinker.com/2018/10/16/design-flaw-in-dominion-imagecast-
evolution-voting-machine/
3
https://www.cc.gatech.edu/people/richard-demillo
4
9 NYCRR § 6209.6
page 2
In particular, “the vendor shall identify each potential point of attack,” and “for each
potential point of attack, the vendor shall identify the technical safeguards
embodied in the voting system to defend against attack.”
5
9 NYCRR § 6209.6(f)(3)(xiv)
page 3
If there is a serious possibility that an insider could install malware that could
program the printer to add marks to a ballot without the possibility of verification
by the voter, then the entire audit process is compromised and circumvented. If it
was possible for the machine to add a voting mark to the ballot without verification
by the voter, the audit is not meaningful because it cannot confirm that the ballot
was counted in the manner intended by the voter.
6
“NYSBOE Dominion Source Code Review Findings ImageCast Evolution Only” and
“NYSBOE Dominion Security, Accessibility and TDP Review ImageCast Evolution
Only”
7
“NYSTEC Review of the Dominion ImageCast Evolution 4.14.25 SBOE Upgrade
Testing”
8
State Board Resolution 18-13, adopted October 25, 2018
9
L. 2005, c. 181
10
Minute 42 of the video posted at:
http://westchestercountyny.iqm2.com/Citizens/SplitView.aspx?Mode=Video&MeetingID
=5245
page 4
In view of the omission of the security threats identified by Professors Appel and
DeMillo in the submission by Dominion in support of its application for certification
of the ImageCast Evolution, and in view of the absence of any analysis of this issue
in the SLI and NYSTEC reports, I request that the Election Operations Unit of the
State Board examine again the ImageCast Evolution to consider the vulnerability of
the voting system because the printer could be programmed to add marks to ballots
without verification by the voter, and that SLI and NYSTEC supplement their
reports with respect to these issues.