When David Dill, a computer scientist at Stanford University, got involved in the election integrity movement in 2003, he believed the answer to election security was paper trails. Dill learned that states across the country (and in his own California county) had recently purchased—or were in the process of purchasing—new paperless, fully electronic voting machines, known as direct-recording electronic (DRE) machines. He and other security experts were concerned that with digital-only ballots and votes, the machines provided no viable way to verify election results or prove that voting machine software hadn’t been altered.
The next year, Dill launched Verified Voting, now one of the leading nonprofit election integrity groups in the country, in an effort to push for the adoption of so-called voter-verifiable paper audit trails. The group wanted states to deploy voting methods that had physical paper records that could be used to confirm each individual vote, thereby protecting against electronic tampering.
They wanted states to either use optical-scan machines, which employ full-size paper ballots, or to outfit their touchscreen and other DRE machines with printers that produce a paper scroll showing the choices voters made on the digital machines. Voters would be able to verify that the DRE machines accurately registered their choices before pushing a button to cast the digital ballot and the paper record.
It was the beginning of what would be years of effort to get verifiable elections, and 16 years later the country is still not close to meeting that goal. Voting machine security hasn’t improved since Dill, now a professor emeritus at Stanford University, first grew concerned about their use in elections. And until recently, there has been little interest in conducting meaningful post-election audits of paper ballot records that could help detect election manipulation and improve the integrity of results.
A hacker who wants to throw an election would make sure the winner takes the race by a wide margin.
This has become a bigger problem as the number of actors potentially interested in hacking voting machines and manipulating elections has grown — as has the sophistication level of hacking tools and techniques. In the early days, election integrity activists were largely concerned about rogue election insiders or random hackers subverting voting machine software. Now, with well-resourced and highly skilled state-sponsored hackers in Russia, China, and other countries regularly targeting critical infrastructure in the U.S., the threat has grown much larger and the need for effective means to verify election results more critical.
Dill and colleagues had some early successes toward verified elections. In May 2003, Rep. Rush Holt (D-NJ), with advice from Dill and others, introduced a federal bill that would have forced states to outfit their machines with printers so elections could be audited. The proposed legislation failed to gain traction with lawmakers. But in 2004, after California officials discovered that one of the top voting machine makers in the country had secretly installed uncertified software on machines used in that state, and after a number of election irregularities occurred in Ohio and Florida, each of these three states passed laws mandating the use of paper ballots or machines that could produce paper trails in their jurisdictions.
Dill and many others fighting for election integrity thought they were on their way to winning the battle, if only one state at a time.
But then Dill realized they had overlooked two important things with DRE machines, which by then were used in about 60 percent of jurisdictions across the country. Even if the machine printed a copy of the voter’s selections, it wasn’t clear voters would take the time to look at the paper record or notice if it was wrong.
If hackers could alter the software on the voting machines, they could also alter the paper record produced by the machine.
“The biggest worry I had,” Dill says, “is that the software could print this one thing on the paper ballot right in front of the voter’s face, and not enough voters would notice it.”
There was another issue. If hackers could alter the software on the voting machines, they could also alter the paper record produced by the software on the machine. The paper could show the voter their correct choices, while the black box system secretly recorded something else.
So Dill and colleagues urged states to replace fully electronic voting machines with optical-scan systems instead. Optical-scan machines use full-size paper ballots filled out by voters instead of machines, and are independent of the software. The ballots are scanned into a reader that records and tallies the votes digitally, but the paper ballots serve as backup. Election officials can compare the paper record against the digital tally after an election to verify the official results and determine if the software recorded votes accurately.
Over the years, as paperless voting machines experienced problems around the country and election officials came to realize the folly of paperless elections, many counties and states switched to optical-scan machines. Today, about 80 percent of voters cast ballots either with optical-scan machines or on DRE machines outfitted with printers that produce a paper trail. Five states — Georgia, Louisiana, South Carolina, New Jersey, and Delaware — still use paperless systems exclusively, and nine states — Texas, Pennsylvania, Kansas, Tennessee, Florida, Arkansas, Indiana, Kentucky, and Mississippi — use paperless systems in some of their jurisdictions.
But even though most machines now use paper ballots or produce a voter-verifiable paper backup, the election integrity problem has not been solved. Many states never look at the paper backup to verify the digital tallies, or they check only at a small percentage.
Although many states have audit laws that require them to review digital tallies, audits often don’t kick in unless the margin of victory is one percent or less. A hacker who wants to throw an election would make sure the winner takes the race by a wide margin. Even when an audit does occur, there are often issues with how they’re conducted. In many states, audit laws allow officials to simply run paper optical-scan ballots through the scanner a second time, without ever visually examining the paper. If the software on the machine has bugs or has been subverted, it will produce the same faulty tally in the audit that it did during the first scan.
Even states that run manual audits — physically examining the paper ballots to compare them against the digital tally — look only at a selection of ballots from a small number of randomly selected precincts, instead of taking a sampling of ballots from every precinct. Counties not covered in the audit could be left with undiscovered problems that impact the outcome.
Hackers could conceivably intercept the transmission of unofficial tallies on election night to alter them.
This is why election integrity activists are now fighting for states to switch to risk-limiting audits, which examine a statistically significant sample of ballots from every precinct in a county. So far, Colorado is the only state that does mandatory audits that has conducted one using the risk-limiting method. The state conducted its first trial audit of a race last year. Rhode Island and Virginia have also passed laws requiring risk-limiting audits. A handful of cities in Michigan and other states plan to conduct pilot risk-limiting audits to see if the method is viable for them.
Why are audits so essential? Voting machines can be subverted in a number of ways. Although election officials insist the machines aren’t connected to the internet, this isn’t entirely true. Many voting machines have embedded cellular modems that are used to transmit vote tallies to central election offices at the end of an election. Hackers could conceivably intercept the transmission of unofficial tallies on election night to alter them. Any discrepancy between the unofficial tally on election night and the official tally calculated later would create distrust in an election outcome.
Hackers positioned near polling places and election offices could also potentially hack back into the machines by causing the voting machine modems to connect to malicious devices they control, instead of to legitimate cellular towers. These devices, known as stingrays, emulate a legitimate cell tower to force devices in the area to connect to them. Once connected to a voting machine that transmits results or to the tabulation machine that receives them, a skilled hacker could potentially alter voting machine and tabulation software or alter official vote totals, while erasing evidence of this activity.
Even if voting machines don’t have modems, hackers — rogue insiders or malicious outsiders — could still find ways to hack voting machines by targeting the voting machine manufacturers or other third-party vendors that help election offices program the voting machines before each election.
But hacking fears aren’t the only reason to audit elections. Software glitches can just as easily cause problems that could alter an election outcome but go unnoticed without a post-election audit of ballots.
In 2008, for example, optical-scan machines used in Humboldt County, California, randomly dropped 197 ballots because of a software bug. Although election officials printed a receipt from the machine on election day showing the ballots were scanned, the ballots and their votes inexplicably disappeared from the system days later. What’s worse, the log file in the machine showed no sign the ballots had ever been recorded in the system, even though the machine had printed a receipt at the time they were scanned.
County officials discovered the problem only by chance. That year, officials had implemented a special transparency project whereby paper ballots got scanned twice — once through the county’s official optical-scan voting machine and a second time, days after the election, through an off-the-shelf Fujitsu scanner bought for this purpose. When the two machines showed different vote totals as well as a discrepancy in the number of ballots scanned, they knew they had a problem. It turned out that a software flaw in the voting machine software caused that scanner to randomly drop batches of ballots from its database under certain conditions. Luckily, officials were able to recover the missing votes from the paper ballots.
This kind of recovery wouldn’t be possible in Georgia or any of the other states and counties that still use paperless voting machines that can’t be audited. Although officials might discover that a machine failed to record ballots or dropped ballots if the number of voters who signed in at the polls doesn’t match the number of ballots recorded on the machine, they would never be able to recover those lost ballots and votes because the ballots existed only in digital form.
There are efforts today to fix some of the security problems that exist in voting machines. But it will take a long time to do this, and even then these machines will never be completely hack-proof or glitch-free. The best option we have for detecting when something goes wrong in an election, and recovering from it, is using optical-scan ballots and conducting meaningful audits, Dill notes.
“The one place where I think voting technology has really advanced since I started this is the development of risk-limiting audits,” Dill says. “It hasn’t been improved cryptography or advances in voting machine technology. It’s not necessarily rocket science, but it’s carefully thought out and it should actually improve the trustworthiness of elections more than anything else we’ve come up with.”