Several computer scientists said Wednesday that the vulnerability found in all touch-screen machines sold by Oakland-based Sequoia Voting Systems was not especially great because using the yellow button for vote fraud would require reaching far behind the voting machine twice and triggering two beeps.
"If the machine beeps loudly and someone has their arms wrapped around the machine, the poll workers are going to become suspicious," said David Wagner, a computer security and voting system expert at the University of California, Berkeley.
"It's kind of hard for me to see how this could be used very widely," he said. "It's retail fraud, so it's onesies and twosies and can only affect very close races."
A former poll worker in Tehama County tried alerting state elections officials to the vulnerability about a month ago and said he was told the problem did not seem significant. Ron Watt then obtained poll worker-training documents through a public records request and brought them to the attention last Friday of the state's chief voting systems tester.
On Monday, state elections officials issued a caution to the more than one-third of California counties that use Sequoia equipment, including Santa Clara County, where the touch screens are the primary voting system, and Alameda County, which relies on almost 1,000 machines as a secondary voting system intended for disabled voters. State elections officials reminded the counties to keep a close eye on the machines and post warnings that tampering with election equipment is a crime.
"All counties confirmed that they had implemented security measures, and they were aware of it," said Susan Lapsley, assistant secretary of state for elections.
Some counties were backing the machines up against walls; others were roping off the rear of the machines, state officials said.
"You can't do it surreptitiously," said Guy Ashley, spokesman for the Alameda County Registrar of Voters. "You have to know what you're doing.
"We train our poll workers to keep their eyes peeled, stay on the lookout for stuff like this. We think that will suffice."
Recognition of a potential new security problem that requires no knowledge of special passwords or access to the inner workings of a voting machine revives questions about the effectiveness of state and national evaluations of voting systems.
Twice earlier this year, computer experts and critics of electronic voting have discovered profound vulnerabilities in Diebold touch screens that allow someone with a few minutes of access to a machine to alter or replace its core software and load votes into it undetected.
Debate about the security and reliability of electronic voting has been central to the race for secretary of state, and Sequoia's yellow button became instant fodder Tuesday night in back-to-back radio interviews with Republican appointee Bruce McPherson and his Democratic challenger, state Sen. Debra Bowen, now neck-and-neck in the polls.
McPherson has said California's certification of voting systems is the nation's toughest and most stringent and he has certified several electronic voting systems for the November elections, including the Diebold and Sequoia touch screens.
Bowen has pointed to numerous findings of security problems by computer scientists and argued that electronic voting systems are not mature enough to be trusted in elections.
"And just this morning we learned that the Sequoia machine will allow a voter to vote multiple times if they do something very simple, which is to hold a button in the back down for three seconds," she said on a Los Angeles radio show Tuesday night, adding that McPherson's office "must have known" about the vulnerability for some time.
"No, that is not true," McPherson replied later in the same show. "That is not true. I think she is throwing a lot of fear and doubt out there, and it's unwarranted."
Sequoia's yellow button isn't a hack or flaw. The button has been a feature on Sequoia's mainline AVC Edge touch screens for years, designed as a backup for the typical method of voting on the machines.
In most counties, poll workers use a separate machine to activate a card that a voter inserts into the touch screen in order to retrieve the proper ballot. The yellow button is for counties that can't afford the separate machine or for cases when the card activator becomes inoperable, as happened to Diebold systems in March 2004 in Alameda and San Diego counties and last primary in Kern County.
Pressing, then holding the button for several seconds twice and answering a screen prompt sends the machine into a "manual activation" or "poll worker activation" mode. In that mode, someone can call up one ballot after another and vote them.
"You can literally vote continuously until you are physically restrained," said Watt, the former Tehama County poll worker who reported the problem to state elections officials.
Unlike the Diebold vulnerability, he said, using Sequoia's yellow button "takes no tools."
"In 18 seconds I can switch that to manual and start voting. In 30 seconds I can train you to do it," he said.
Watt and Bowen, the Democrat running for secretary of state, say the vulnerability should have been caught earlier, before the state approved the machine for use in elections.
"You shouldn't have a reset button on the outside of the machine," Bowen said. "Certainly when I'm secretary of state I'm going to want to know if there's a button that only requires physical access to the machine to vote multiple times. And unfortunately if someone does that, you're in a position where you don't know what votes to throw out."
Computer scientists say the manual mode can be rendered inoperable in the touch-screen software, but elections officials worry that it is too close to the election to attempt and may not be useful.
"It's a feature of the machine, it's one that's necessary from a couple of different perspectives but as long as people employ security measures that are already in place then it's mitigated," said Lapsley.
Contact Ian Hoffman at firstname.lastname@example.org or at (510) 208-6458.