The Sequoia AVC Advantage is a poll worker-activated full-face direct recording electronic voting system with a touch-sensitive matrix of switches that voters push to indicate their choices. The Advantage was introduced in 1990. James Bleck led the design team that led design patents on the machine in 1988. Sequoia had purchased the voting machine division of AVM Corporation in 1984 and acquired not only a portfolio of patents for electronic voting machines, but also the AVM Automatic Voting Computer, a machine that had been certified for use in New Jersey and Pennsylvania in 1982. The machine appears to have been based on AVM’s final patent for an electronic voting machine, granted to Thomas De Phillipo in 1977, and is an obvious predecessor of the Sequoia AVC Advantage. None of the AVM patents demonstrates the sophistication in physical design of the AVC Advantage.

Voting records are recorded internally to battery-powered RAM. Poll workers activate the machine using an operator panel on the side of the machine to choose the ballot style and voters make choices by touching a black arrow next to their choice. A record of the vote is then recorded internally to three sets of battery-powered RAM memory. The primary input device used by the voter is a large panel, containing a two-dimensional array of buttons and lights. This panel is covered by a sheet of paper on which contests and candidate names are printed. Markings on the paper are placed over the buttons that are to be pressed for the corresponding candidates; the lights on the panel, when lit, are visible shining through the paper. On the side of the machine, an “operator panel” contains additional buttons and an LCD alphanumeric display with two rows of 24 characters each. During an election, before each voter can vote, a poll worker must press a button on the operator panel to “activate” the machine to accept votes.

The DRE ballot is laid out so that there is an intuitive connection between the candidate’s name (shown on a printed ballot sheet) and the input device (a button behind a sheet of plastic). In the hardware of the voting machine, however, there is no direct connection between the button and the vote counter. Observing the click of a button and accumulating a corresponding candidate total is totally under software control. Since there is no inherent internal connection between the buttons and the totals kept in memory and reported at the end of the election, erroneous or malfeasant software can readily add to the wrong total or make some other error at any time during an election, thereby misrecording votes. Even though the software produces a so-called “audit trail” of the results, it can always display an “audit trial” consistent with its fraudulent results, and report that it has performed correctly.

At the close of the polls, the AVC Advantage communicates vote totals to election officials and to the public: it prints a paper printout of candidate totals, it writes these totals (along with a record of the votes cast on each ballot—the “ballot image”) to a Results Cartridge, about the size of a VCR tape, which is then removed from the voting machine. Finally, it keeps these totals (with the ballot images) in its internal memory. Election workers can extract this information from the AVC Advantage by using the menu buttons on the Operator Panel: the machine can be instructed to print the internally stored data onto its printer, or copy it to a fresh cartridge.

The voter enters the polling place and is given a voting ticket after confirming that the voter is registered. The voting ticket is a colored piece of paper with two identical and unique numbers. The voter hands their ticket to a poll worker operating an Advantage voting machine and then tears the voting ticket in half and hands one half back to the voter. The poll worker uses an operator’s panel on the side of the machine to choose the ballot style appropriate for that voter depending on the color of their voting ticket. The voter enters the curtains and verifies that their ballot is the right one by comparing the color of their ticket to an LCD screen in the lower-right corner of the front of the voting machine. The voter then votes by pressing a black arrow next to each choice in each contest on the ballot. Blinking lights above each contest indicate that no choice has yet been made. If the voter tries to choose more than one choice in a given contest (over-voting), the machine will ignore the second choice. To change a selection, the voter can press the black arrow by the incorrect choice to deselect it, then select the correct choice.

When done voting, the voter presses a “Cast Vote” button in the lower-right corner of the voting machine. It is very important that the voter does not push the vote-casting button until they are done voting; a vote inadvertently cast can likely not be redone. The vote is recorded internally to three sets of battery-powered RAM, one of which is on a removable cartridge. The vote records are stored in a manner similar to a ballot image.

When the polls close, poll workers remove cartridges of battery-powered RAM containing the vote records from each machine. At this point, depending on local election procedure and regulations, the cartridges can either be physically transported to a tabulation facility or their data can be sent over a modem. At the tabulation facility, the votes from all cartridges and precincts are read into vote tabulation databases and combined to result in an aggregate vote tally. In order to send vote records over a modem, a cartridge reader must read out each cartridge and then a modem in the cartridge reader can be used to transmit the votes over telephone lines. The cartridge reader can also print out a results tape of all votes cast in a precinct. The total tape and cartridges can then become part of the official record of the election.

1. After registering, take your voting ticket (a colored-by-party piece of paper with two identical but unique numbers).
2. Hand your voting ticket to the poll worker at the Advantage booth. The poll worker will tear the voting ticket in half (hence the two identical numbers), hand back one half to you and use the other to determine the appropriate ballot based on party affiliation to display via a control panel on the back of the unit.
3. Verify that you’ve received the correct ballot by matching your ticket color against the one in the lower-right corner of the screen.
4. Make your selections by pressing the black arrow next to each choice, and press the arrow again to deselect. The blinking light above a contest means you still have voting to do.
5. When you’ve made your selections, press the Cast Vote button. Do not push this button early! You likely will not be able to recast your vote!

A Voting Demo from Bergen County NJ

Hack a Sequoia Advantage with Andrew Appel Part 1

Remote Vote Tampering Attack on a Sequoia AVC Voting Machine by Argonne National Lab

Hack a Sequoia Advantage with Andrew Appel Part 2

Sequoia Voting Systems AVC Advantage usage in November 2020 (click map for details)

Resources

The New Jersey Voting-machine Lawsuit and the AVC Advantage DRE Voting Machine, Andrew W. Appel et al (2008)
Insecurities and Inaccuracies of the Sequoia AVC Advantage 9.00H DRE Voting Machine (2008)
UCSD: The Case of Return-Oriented Programming and the AVC Advantage

Security Seals

Ideally, the Advantage’s exposed ports, memory card access areas, and case seams are covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to maintain chain of custody of sensitive materials.

Broken Buttons, Broken Lights

The Advantage is a “buttonmatrix” DRE on which the voter presses a button over which the machine’s paper ballot face is placed (under a plastic cover). A light illuminates next to each selection made by the voter. These buttons and lights, especially those frequently used in Federal races, can break or burn out. If you see evidence of this – e.g., a light not lighting up after multiple button presses – you should request that the machine be pulled from service or that the button in question be serviced.

Fleeing Voters/Premature Voting

Some voters can be easily confused and press the vote button too early or not at all. If a voter complains that they were only able to vote in the first few races, they probably pressed the vote button before they were finished voting their ballot. Unfortunately, there’s not much to be done here, besides emphasize that voters should make sure that they press the vote button only after they are certain they have voted as they intended in all contest on their ballot. If a voter neglects to press the vote button and leaves a valid ballot on the machine, poll workers will probably have procedures to deal with this problem. We recommend that a poll worker reach in between the curtains and simply cast this vote.

Incorrect Ballot Style

The Advantage accommodates a number of different ballot styles for different precincts by disallowing voters to vote in contests for which they are not eligible. In a primary election, if a voter complains that their party contests are not activated or that local races specific to their precinct are not activated, the poll worker probably pushed the incorrect ballot style option. The poll worker should cancel that ballot and activate the correct one.

Incorrect Totals Tapes

The Advantage has been shown to incorrectly add up the number of voters given a particular ballot style when compared to the number of votes cast.

Sensitive Disability Access Panel

The disability access panel on the Advantage is particularly sensitive. Viruses and other malicious programs, including some that could change vote data, could easily be introduced through the ADA accessibility interface. The flash memory used for audio files to accommodate voters with visual impairment should be sealed with tamper-evident seals and monitored at all times.

Misleading Activation

When the Advantage is not activated to vote a valid ballot, it will still go through the motions in a way that will confuse voters into thinking that their ballot was cast. It even goes as far as to say, “Vote recorded — thank you!”, despite the fact that it couldn’t have recorded the ballot since it was not activated to do so.