What might go wrong in the 2016 Election

Matt Bernhard
Security at Michigan
Nov 7, 2016

Matt Bernhard and J. Alex Halderman

Election technology in the United States is less than perfect, and much has been said about the security risks. However, U.S. elections are not homogeneous: the voting machines in use vary county by county, and the potential impact of any problem depends on whether a local issue could tip a state’s electoral votes. In this post, we take a detailed look at some of the things that could go wrong and in which districts, and we map the impact they could have on the Presidential race.

The Bottom Line

Figure 1: Weighted electoral map showing at-risk states, shaded yellow. Red/blue indicate a Trump/Clinton lead in the state, respectively, and lighter colors indicate closer margins.

Unless the election is extraordinarily close, it is unlikely that an attack will result in the wrong candidate getting elected. However, there is a non-negligible risk that anomalous events could cause state-level disruptions. Figure 1 aggregates at-risk counties up to the state level, over a proportionally scaled electoral map. If a state uses insecure electronic voting machines in more than half its districts, sees greater than 80% of its votes cast via mail-in ballots, or sees a majority of precincts that indicate extreme difficulty finding poll workers, we consider it at-risk.

Notably, several at-risk states have narrow margins in current polls. As jurisdictions with close races are most vulnerable to having their results perturbed or cast into doubt, these are the ones to be concerned about. Nevada, Pennsylvania, Ohio, and Colorado top the list of states to watch out for tomorrow. Together, they account for just under 10% of electoral votes.

Read on for an explanation of how we came up with this model, as well as details on the specific threats facing the election.

The Data

Our analysis combines data from FiveThirtyEight, Verified Voting, and the Federal Election Assistance Commission (EAC). Collecting data about election mechanics in the U.S. is difficult, and in fact the only time we get relatively good data about elections is during and immediately after elections. The EAC only collects data each election cycle, and it can be difficult to pin down what kind of methods and voting technology will be used in the next election until it is held. Even then, U.S. elections are administered at the state and local levels, so data from individual precincts can be messy, uneven, or sometimes completely unavailable. We have tried to compensate for this by taking a conservative approach to conclusions of vulnerability, erring on the side of assessing less vulnerability when we have insufficient data to draw stronger conclusions.

Much of the data presented here was collected in EAC surveys shortly after the 2014 election, while the Verified Voting data dates to 2014 or later; in each case we use the most recent information available. Predicted election margins come from FiveThirtyEight and are current as of 2:45 AM EST on Monday, November 7th.

Electronic Voting Equipment

We begin by looking at direct-recording electronic voting machines (DREs). These computer voting machines store the primary (or only) record of each vote in electronic memory. Vulnerabilities in DREs have been thoroughly documented over the past decade (for instance, see California TTBR and Ohio’s Project EVEREST), and it is well established that they carry an elevated risk of hacking. Most DREs do not produce a physical record of each vote, so they provide little opportunity to detect or correct computer-based fraud.

According to Verified Voting’s data, roughly 30% of Americans live in precincts that use DREs as their standard polling place equipment. This is probably a slight overestimate, as many precincts have been switching from DREs to precinct-count optical scan paper ballots. (Paper ballots do provide a physical record of each vote, and most election security experts consider precinct-count optical scan to be the best available voting method.) Figure 2 is based on Verified Voting’s data and highlights counties that use DREs as their primary means of voting.

Figure 2: Counties that rely on DRE voting machines are shaded yellow. Thinner hatches indicate DREs with VVPATs. Lighter colors indicate closer Presidential races.

Jurisdictions with thinner hatches in Figure 2 use DREs with voter-verified paper audit trails (VVPATs). This means they print a record of every ballot as it is cast. Only about 4% of voters live in precincts that use DREs with VVPATs as the primary mode of voting, and again this number is likely an overestimate. Ideally, voters can check the paper record before it is stored in a ballot box, but voters often fail to spot discrepancies on the printed record. If malicious software changes someone’s vote, they may not notice it. Even worse, the VVPAT records are almost never checked to see if they agree with the computer count.

Not only are DREs prone to hacking, but in the event of a close, disputed race, they produce little evidence to rule out computer-based fraud. DRE-dependent states with close margins will be important to watch tomorrow, particularly Nevada, North Carolina, Florida, Ohio, and Pennsylvania.

Understaffed Precincts

Poll workers are the first line of defense against election malfunction. They are responsible for carrying out important security procedures and for looking out for problems or attempted fraud. Unfortunately, nearly 20% of precincts reported difficulty finding poll workers in 2014, and those willing to volunteer were from populations which are less than representative of society at large. The vast majority of poll workers in 2014 were over age 41, and 26% were over 71.

Fewer poll workers means a much heavier burden on those who do show up, and in total it means fewer eyes watching the critical processes that make up electoral procedure. Moreover, being stretched too thin can result in procedural mistakes. If an anomaly occurs, understaffed precincts will be less able to respond quickly and effectively, placing them at greater risk of disruption. Figure 3 shows the U.S. counties that reported difficulty finding poll workers in 2014, shaded in orange.

Figure 3: Precincts reporting difficulty finding poll workers, shaded orange

Not all precincts reported this statistic, so we’ve conservatively coded no-responses as “no trouble finding poll workers.” Again, watch for states with close margins (North Carolina, Ohio, Arizona, Nevada, and Colorado), as eyewitness accounts of anomalies are often pivotal in post-election court cases.

Voting through the mail

Five U.S. states allow voters to cast votes through the mail as a primary means of conducting the election, and in Washington, Oregon, and Colorado elections are exclusively held this way. Most states also allow absentee ballots to be sent through the mail. This method of voting does have some advantages: it’s convenient for voters and it produces a physical record of the votes. However, vote-by-mail is not ideal.

In most absentee voting procedures, voters have no way of knowing their ballot was received and counted. As mail-in ballots are filled out without the privacy of a voting booth, voters can be more easily threatened or bribed into giving their support to a particular candidate.

Figure 4 highlights vote-by-mail localities, including precincts that receive a high proportion of mail-in absentee ballots. As midterms often see lower turnout and other confounding effects, Figure 4 includes data from both the 2014 midterms and the 2012 presidential election. Interestingly, lower turnout in 2014 did not seem to significantly impact the proportion of absentee votes cast, so almost all of the districts overlap.

Figure 4: Precincts where over half of ballots were voted by mail in 2012 or 2014, shaded

Compared to DREs, vote-by-mail ballots are more robust to influence from computer hackers or foreign governments, and they do provide a physical record of each vote that can be audited in the case of a dispute. However, they are at somewhat greater risk of coercion or procedural error than traditional paper ballots.

Putting it all together

Each of the dimensions of election vulnerability above presents real risks, and localities that are subject to several of these risk factors would be especially attractive targets for malicious attempts to disrupt the election. Figure 5 shows all at-risk precincts: those using DREs, those reporting severe difficulty finding poll workers, and those which see a very high proportion of mail-in ballots (>80%).

Figure 5: At-risk localities in the 2016 election. Localities with multiple risk factors filled in yellow, those with single risk factors are shaded yellow.

Election vulnerabilities are especially potent in races with close margins, as we have already discussed. Fortunately, only a few states have both our risk factors and close margins (less than 3%). Figure 6 inverts the margin colors to make at-risk, close-margin jurisdictions stand out. Key places to watch are Nevada and Colorado and certain counties in Ohio, North Carolina, and Pennsylvania.

Figure 6: Inverted electoral map showing at-risk localities with close margins. Localities with multiple risk factors filled in.
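The at-risk rules described above (the three state-level tests from "The Bottom Line" and the close-margin filter used for Figure 6), as an added example that is not the authors' own code. The rows and margins are constructed sample data, each row stands in for one district or precinct, and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample rows, not real election data:
# (state, locality, uses_dre, poll_worker_difficulty, mail_ballots, total_ballots)
LOCALITIES = [
    ("State A", "a1", True,  True,  500,   10_000),
    ("State A", "a2", True,  False, 800,   20_000),
    ("State A", "a3", False, False, 300,   5_000),
    ("State B", "b1", False, False, 9_000, 10_000),
    ("State B", "b2", False, True,  8_500, 10_000),
    ("State C", "c1", False, False, 1_000, 10_000),
    ("State C", "c2", True,  False, 2_000, 30_000),
    ("State C", "c3", False, False, 500,   10_000),
]
# Constructed predicted margins, in percentage points.
MARGINS = {"State A": 1.2, "State B": 7.5, "State C": 0.8}
MAIL_SHARE = 0.80    # "greater than 80% of its votes cast via mail-in ballots"
CLOSE_MARGIN = 3.0   # "close margins (less than 3%)"

def locality_factors(row):
    """Return the set of risk factors present in one locality."""
    _, _, dre, short_staffed, mail, total = row
    flags = {"dre": dre, "poll_workers": short_staffed,
             "mail": total > 0 and mail / total > MAIL_SHARE}
    return {name for name, hit in flags.items() if hit}

def state_at_risk(rows):
    """Apply the three state-level tests from the post to one state's rows."""
    n = len(rows)
    dre = sum(r[2] for r in rows) > n / 2      # DREs in more than half
    staff = sum(r[3] for r in rows) > n / 2    # majority short of poll workers
    total = sum(r[5] for r in rows)
    mail = total > 0 and sum(r[4] for r in rows) / total > MAIL_SHARE
    return dre or staff or mail

def states_to_watch(localities, margins):
    """At-risk states whose predicted margin is under CLOSE_MARGIN."""
    by_state = defaultdict(list)
    for row in localities:
        by_state[row[0]].append(row)
    return sorted(s for s, rows in by_state.items()
                  if state_at_risk(rows) and margins[s] < CLOSE_MARGIN)

def multi_factor_localities(localities):
    """Localities with more than one risk factor (filled in on Figures 5 and 6)."""
    return [r[1] for r in localities if len(locality_factors(r)) > 1]
```

In the sample, State B is at-risk on mail share but its margin is wide, and State C is close but not at-risk, so only State A lands on the watch list.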

Our risk analysis is not exhaustive. A well-resourced adversary, for instance a foreign government, could do plenty of other things to disrupt the election. Cutting the power to a few key precincts could throw the entire election into chaos. Or an attacker could try to manipulate voter registration databases, so that large swaths of the population were reported to be ineligible to vote on election day. Attacks on major Internet sites, like the recent DDoS attacks by the Mirai botnet, could hinder voters from learning when and where they can vote. Fortunately, most precincts have fallback plans for a complete failure of infrastructure (plans that have already been used in some places), and in all likelihood an election result would still be generated in the case of a large-scale cyberattack.

In conclusion, the 2016 election is less secure than it should be. While we think it’s unlikely that hackers will be able to silently change who wins, attacks that attempt to disrupt or discredit the electoral process in critical states are a distinct possibility.
