By Jennifer Cohn
May 24, 2019
Note: This piece was updated on August 2, 2019 to indicate that the PAVE Act is now called the SAFE Act and that the SAFE Act has passed the House.
According to experts, the only way to know if an electronic vote total has been hacked is for voters to have separately recorded their intended selections on paper and for jurisdictions to then use the paper in a manual audit or recount, the results of which can be compared to the electronic total.
But even manual audits or recounts can be “hacked” if the selections on the paper have been marked by a machine, rather than the voter’s own hand. And no matter how that paper is marked, manual audits and recounts can be gamed if the chain of custody between election night and the audit or recount has been compromised.
With these basic principles in mind, here are ten realistic election security goals for 2020.
1. Hand marked paper ballots as a primary voting system.
- Experts recommend that most voters use hand marked paper ballots (counted on scanners or by hand), as opposed to machine-marked printouts from hackable ballot marking devices (BMDs). BMDs are, in effect, $3,000-$5,000 electronic pencils that look like traditional voting machines. The only purpose of a BMD is to mark the paper for the voter; the counting is conducted by a separate or integrated scanner.
- BMDs were initially designed for voters with disabilities, such as visual impairments, that prevent them from using hand marked paper ballots. But in the past few years, profit-motivated vendors have marketed BMDs for use by all voters. And because there is no universal definition of “paper ballot,” they have misleadingly characterized the machine-marked printouts generated by BMDs as “paper ballots,” thus implying that they can reliably detect and defend against hacking. Jurisdictions throughout the U.S. are flocking to these universal-use BMDs.
- But this recent academic report by three esteemed cybersecurity election experts explains the myriad reasons why machine-marked paper ballots from BMDs cannot reliably detect and defend against hacking: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3375755
- In addition to the problems discussed in the above report, relying on universal use BMDs will render elections vulnerable to denial-of-service attacks and power outages. By contrast, with hand marked paper ballots, a DoS attack or power outage would delay only the counting; it would not prevent people from voting.
- Moreover, similar to touchscreen voting machines, BMDs are particularly likely to create long lines because they limit the number of people who can vote at once to the number of working machines at the polling place. By contrast, with hand marked paper ballots, many people can concurrently mark their ballots using pens and privacy dividers. The scanning part of the process takes less than a minute. And if scanners break, the ballots can be deposited in sealed bins to be counted later.
- On a related point, as with touchscreen voting machines, universal use of BMDs will enable corrupt election officials to manufacture long lines that can swing elections by distributing too few working machines to jurisdictions whose votes they want to suppress.
- In short, we must strive to ensure that all jurisdictions use hand marked paper ballots (counted on scanners or by hand) as a primary voting system, with BMDs available only to voters with disabilities who wish to use them.
- No barcode BMDs for anyone. Unlike the paper printouts generated by traditional BMDs, the paper printouts generated by most of the new universal use BMDs include both a summary of the voters’ intended selections and a barcode. The barcode, which humans can’t read, is the only part of the printout counted by the scanner. Vendors have been unable to explain why they added the barcodes. But experts say that the barcodes constitute a new and dangerous attack vector, further undermining the integrity of our elections. Counties in the following states (and perhaps others) have recently bought or are planning to buy new barcode BMDs for universal use: GA, FL, PA, WI, OH, TX, KS, AR, DE, NJ, IN, NY, WV, KY, CA, CO (early voting only), and TN. We must stop this dangerous new trend.
- No hybrid BMDs for anyone. “Hybrid” BMDs are a unique and especially dangerous type of BMD that combines a BMD and scanner into a single unit. Experts say that at least three popular new hybrids on the market — the ES&S ExpressVote XL, the ES&S ExpressVote (which comes in both a hybrid and non-hybrid version), and the Dominion ImageCast Evolution (ICE) — can add fake votes to paper ballots after they are cast. Counties in the following states (and perhaps others) have recently bought or are planning to buy such BMDs for universal use: PA, OH, KS, DE, NJ, and NY. We must stop this dangerous new trend.
- No direct record electronic voting machines for anyone. The Help America Vote Act of 2002 allocated billions of dollars for new voting equipment, and many jurisdictions used the money to buy direct record electronic (DRE) voting machines. DREs, which typically have a touchscreen interface (though some have a dial), both record and count votes inside the machine. Cybersecurity experts have shown time and again that DREs are unreasonably vulnerable to hacking and malfunction.
- Some DREs are paperless, making manual audits or recounts impossible.
- Some DREs include so-called “Voter Verifiable Paper Audit Trails” (VVPATs), which are almost as bad as paperless machines. Studies show that most voters don’t review VVPATs, are unlikely to notice fraud or error on the face of VVPATs even if they undertake such review, and are unlikely to take action even if they detect a problem. VVPATs are also fragile and difficult to use in an audit. Here’s a link to a video by Emmy Award-winning journalist and documentary filmmaker Lulu Friesdat exposing the many deficiencies of VVPATs: https://nowthisnews.com/videos/politics/how-secure-is-your-vote
- DREs have generally fallen out of favor, but many jurisdictions are still using the DREs they bought years ago, and a few (like Texas) have even bought new DREs. We must strive to ensure that no jurisdictions use DREs in 2020.
2. Well maintained non-hybrid BMDs (without barcodes) for voters with disabilities that produce full-face paper ballots (not summaries).
Jurisdictions must give voters with disabilities the option to vote with non-hybrid BMDs that do not count votes with barcodes and that produce a full-face paper ballot, not a summary. Jurisdictions must ensure that these BMDs are well maintained and that poll workers have been trained to use them, requirements that some jurisdictions have thus far failed to meet.
3. Transparent and secure chain of custody.
- Regardless of what type of “paper” is used to detect and defend against hacking, jurisdictions must maintain a transparent and secure chain of custody from the moment votes are received — whether by mail or at the polling place — through the conclusion of all manual audits and recounts and beyond. Each step of the process must be carefully scrutinized to ensure that the chain-of-custody can be accounted for at all times. Any break in the chain will invite fraud.
- Hand counting must be conducted publicly. If jurisdictions count paper ballots by hand, they must do so in public. Even hand marked paper ballots cannot prevent fraud if they are counted behind closed doors.
- If jurisdictions count paper ballots with scanners, they must preserve and publish the digital ballot images from the scanners. All or most scanners on the market today automatically generate digital ballot images when they scan the paper ballots. Ballot images are an important part of both transparency and security because they allow citizens to conduct election audits at little expense and without a court order.
- The images can also be used to confirm that the paper ballots used in an audit or recount have not been altered between the time they were scanned and the subsequent manual audit or recount. The images can thus help ensure that the chain of custody has not been compromised.
- Although ballot images constitute public records under federal law, some election officials — such as former Ohio Secretary of State John Husted and Alabama Secretary of State John Merrill — choose to delete them. This must not happen in 2020.
- Maintenance of chain of custody records: Jurisdictions must maintain chain-of-custody records for all election equipment and paper ballots from the polling place or mail room through the resolution of any and all potential election challenges and thereafter. These records must be available to campaigns on request and to the public via public records requests. Again, nothing can prevent fraud if the chain of custody is broken.
- The perils of a non-transparent and insecure chain of custody are discussed here: https://medium.com/@jennycohn1/the-disturbing-connection-between-the-butterfly-ballots-of-2000-and-the-corrupted-ohio-2004-48b1e07434ba
4. Public hand audits (Risk Limiting Audits) or full public hand counts must be conducted for every race.
If our plan is to secure electronic equipment with manual audits and recounts, we are in serious trouble. More than half of U.S. states do not require manual audits. And according to experts, only a few conduct manual audits sufficiently robust to detect hacking. Manual recount laws generally apply only if the margin of victory is less than 1%, and bad actors can avoid them by flipping enough votes to exceed the specified margin.
It is thus imperative that all jurisdictions conduct robust manual audits or full public manual recounts for all races in 2020. Thus far, the only type of manual audit recommended by most experts is called a Risk Limiting Audit (RLA). RLAs were invented by UC Berkeley Professor Philip B. Stark and have been endorsed by the League of Women Voters, Verified Voting, and Common Cause (among others).
5. No wireless or internet connections or remote access.
Despite initial denials, America’s largest voting machine vendor, ES&S, which accounts for 44% of US election equipment, admitted last year that it has installed remote access software in election management systems in 300 jurisdictions that it refuses to identify. Election management systems are centralized county or state computers that are used to program all precinct-based voting equipment and to aggregate all precinct tallies.
Diebold Election Systems, which ES&S acquired in 2009, reportedly installed remote access software in election management systems as well. America’s second largest vendor, Dominion Voting (37% of US election equipment), won’t say whether it also has installed remote access software in election management systems.
This is unacceptable. By enabling remote access to these election management systems, vendors like ES&S have made it easy for a corrupt insider or hacker to launch a coordinated attack across multiple counties and states, potentially changing even national election outcomes. Jurisdictions must disclose and remove any and all remote access software before 2020.
Jurisdictions must also disclose and remove any and all wireless modems from election equipment before 2020. ES&S installed wireless modems in precinct-based scanners throughout Florida, Wisconsin, and Illinois starting in 2015. The modems are used to send precinct-based tallies to the county-based central tabulators. According to experts, bad actors could use small cell-tower simulators, such as Stingrays, to intercept and alter vote tallies during wireless transmission. Similar to remote access, these wireless modems would make it easy for a corrupt insider or hacker to launch a coordinated attack on central tabulators in multiple counties and states, potentially swinging even national election outcomes.
6. Poll tapes posted outside the precincts; reported totals published with a breakdown of early voting versus election-day voting versus vote by mail.
Online reporting systems and election websites are, by definition, online and thus vulnerable to internet hacking. Russia was reported to have hacked Ukraine’s election reporting system in 2014. And in the US, Russia reportedly breached VR Systems, which provides not only voter registration software, but also reporting system software and management for its customers. VR Systems’ reporting systems in Florida experienced trouble in 2016.
One way to know if reported totals have been attacked is to compare the results shown on the “poll tapes” at each polling place to the polling-place totals later reported by the county or state. (Poll tapes look like cash register reels and show the totals generated by each machine at the polling place.) But not all jurisdictions attempt to reconcile the poll-tape totals with reported polling-place totals.
Moreover, not all jurisdictions post the poll tapes outside the precincts on election day. Some jurisdictions charge thousands of dollars to provide copies in response to public records requests.
And some jurisdictions don’t distinguish early voting versus election-day voting versus vote by mail on those reported totals, making it impossible to compare the poll tapes to the reported totals.
Based on my own inquiries, no one routinely sends runners to the polling places to gather the poll-tape totals so that they can be compared to the reported totals.
All of this must change in 2020. Specifically, we must ensure that:
A. All jurisdictions post the poll tapes outside the corresponding precincts and election centers on election night and for at least two days thereafter.
B. All jurisdictions scan the poll tapes and make them available to the public via public records requests.
C. All jurisdictions publish reported totals (distinguishing early voting vs. election day vs. vote by mail).
D. Campaigns, political parties, voting rights groups and voters send runners to the polling places on election night to photograph the poll tapes so that the totals can quickly be compared to the reported totals.
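The poll-tape comparison described in this section, as an added example that is not part of the original article: it reconciles tape totals gathered by runners against reported totals per precinct and voting mode, and marks a precinct as not comparable when the reported figure lumps all modes together. The precinct IDs, candidate names, vote counts and the `reconcile` function are constructed for illustration.

```python
"""Reconcile poll-tape totals against officially reported totals."""

# Constructed sample data (not real results). Keys: (precinct, voting mode).
# Tape totals as transcribed from photographed poll tapes, summed per machine.
TAPES = {
    ("P-001", "election_day"): {"Candidate A": 412, "Candidate B": 388},
    ("P-002", "election_day"): {"Candidate A": 150, "Candidate B": 301},
    ("P-003", "election_day"): {"Candidate A": 220, "Candidate B": 95},
}
# Reported totals as published by the county; "combined" means the county did
# not separate early, election-day and mail votes.
REPORTED = {
    ("P-001", "election_day"): {"Candidate A": 412, "Candidate B": 388},
    ("P-002", "election_day"): {"Candidate A": 190, "Candidate B": 261},
    ("P-003", "combined"): {"Candidate A": 540, "Candidate B": 310},
}


def reconcile(tapes, reported):
    """Return a sorted list of (precinct, mode, status, detail) findings."""
    findings = []
    reported_modes = {}
    for precinct, mode in reported:
        reported_modes.setdefault(precinct, set()).add(mode)
    for (precinct, mode), tape in tapes.items():
        official = reported.get((precinct, mode))
        if official is None:
            # A combined figure mixes in votes that never appear on this tape.
            modes = reported_modes.get(precinct, set())
            status = "NOT_COMPARABLE" if "combined" in modes else "NOT_REPORTED"
            findings.append((precinct, mode, status, {}))
            continue
        # Compare per candidate: a vote flip leaves the precinct total intact.
        diffs = {}
        for cand in sorted(set(tape) | set(official)):
            delta = official.get(cand, 0) - tape.get(cand, 0)
            if delta:
                diffs[cand] = delta  # reported minus tape
        findings.append((precinct, mode, "MISMATCH" if diffs else "MATCH", diffs))
    # Reported precinct/mode pairs for which no runner collected a tape.
    for precinct, mode in reported:
        if (precinct, mode) not in tapes and mode != "combined":
            findings.append((precinct, mode, "NO_TAPE", {}))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for precinct, mode, status, detail in reconcile(TAPES, REPORTED):
        print(f"{precinct} {mode:13} {status:15} {detail}")
```

In the constructed data, P-002 has the same overall vote count on the tape and in the report, so only the per-candidate comparison exposes the 40-vote shift.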
7. Paper voter registration rolls as backup.
Russian hackers reportedly targeted voter registration systems throughout the United States and had the ability to alter data. To defend against the likelihood of a repeat in 2020, jurisdictions must have paper voter registration lists as backup at all precincts and polling centers.
8. Move away from proprietary software in election equipment.
Just two vendors — ES&S and Dominion Voting — account for more than 80% of US election equipment. These vendors claim that their software is proprietary and routinely block forensic analysis of their equipment on this basis, further undermining the integrity of our elections and ability to determine if systems have been hacked.
As a long term goal, jurisdictions should move away from proprietary software and toward open source software in any and all election equipment.
9. Background checks for voting machine vendors.
Voting machine vendor Global Election Systems, which later changed its name to Diebold Election Systems, included up to five convicted felons in management positions. One of those individuals, the company’s largest shareholder and senior programmer, was convicted of embezzlement involving sophisticated computer tampering. The central tabulators used to count one-third of the votes in 2004 were reportedly programmed by this convicted embezzler. When the media started asking questions, Diebold stated that the embezzler had left the company. But court records obtained by election integrity advocate and writer Beverly Harris showed that he maintained an under-the-radar relationship as a “consultant.”
The president of Diebold’s election division at that time was Bob Urosevich, who had previously founded ES&S with his brother Todd (who remained at ES&S). ES&S acquired Diebold in 2009, and the combined company accounted for 70% of US election equipment at that time. Although the Department of Justice forced ES&S to sell some of Diebold’s assets in 2010 (warehoused equipment and intellectual property), it appears that ES&S maintained most or all of Diebold’s contracts. The contracts are critical because they are what give a vendor the ability to control an election.
Voting machine vendors and election-service providers must conduct background checks and certify that no one who has been convicted of a felony is performing services on behalf of the company or as a contractor or consultant.
10. Persuade Congress to pass the PAVE Act (which is now called the SAFE Act)
Senator Ron Wyden’s PAVE Act would implement goals 1, 4, and 5 for federal elections. It has been endorsed by the League of Women Voters, Common Cause, the National Election Defense Coalition, the Brennan Center, OSET, Elizabeth Warren, Kamala Harris, Cory Booker, Bernie Sanders, Stacey Abrams, and independent cybersecurity and election experts such as Profs. Andrew Appel, Richard DeMillo, Matt Blaze, and Philip B. Stark.
The PAVE Act is now called the SAFE Act and has passed the House.
Please tell your members of Congress to pass the SAFE Act, while concurrently amplifying and supporting the additional goals set forth on this list. Thank you.
Synopsis of Goals
- Hand marked paper ballots as a primary voting system: no touchscreen voting machines, no barcodes on ballots, no “hybrids,” no machine-marked paper ballots from ballot marking devices (except for voters with disabilities)
- Well-maintained non-hybrid BMDs without barcodes that produce full-face paper ballots (not summaries) for voters with disabilities.
- Transparent and secure chain of custody: digital ballot images preserved and published, published chain of custody records
- Public hand audits (or full public hand counts) for all races
- No wireless modems or remote access
- Posted poll tapes and reported results (distinguishing early voting vs. election day vs. absentee)
- Paper voter rolls as backup at the polling places
- Begin moving away from proprietary equipment
- Vendor background checks
- Persuade Congress to pass the PAVE Act (now called the SAFE Act), which is endorsed by LWV, Common Cause, the Brennan Center, the National Election Defense Coalition, OSET, and others.
Update: August 2, 2019
11. Require public disclosure of any and all attempted and successful breaches of election systems.
12. Require that voter registration systems include intrusion detection software. See: https://cdn.americanprogress.org/content/uploads/2018/02/21105338/020118_ElectionSecurity-report11.pdf#page=62
13. Require that voter registration systems include logging capabilities to track modifications to the database. See: https://cdn.americanprogress.org/content/uploads/2018/02/21105338/020118_ElectionSecurity-report11.pdf#page=62