Please read the cover story of Politico Magazine today headlined “How to Hack an Election in 7 Minutes”. Ben Wofford’s excellent, comprehensive feature summarizes a great deal of almost 15 years of our work here at The BRAD BLOG. He focuses his piece on the core of computer science and cybersecurity experts initially working out of Princeton University back in 2005 or so, who have, since that time, gone on to publicly hack virtually every electronic voting system and tabulator still in use around the country (and even, looking forward, hacking at least one planned Internet Voting scheme.)
We’ve covered and/or broke the news about many of those landmark exploits, both here and on the radio, going back through 2005 or so. I don’t have time to collect all the links here at the moment, but it’s very nice to see so many of them rounded up so thoroughly in Wofford’s piece.
The 8,500+ word article is far too detailed to adequately summarize, or even quote from in detail here. So please go pour a tall drink or cup of coffee (you may need several, there’s a lot there) and go read about the “parabola of havoc and mismanagement that has been the fifteen-year nightmare of state and local officials”, as he accurately describes it, following the horrifically misguided and ill-advised move to computerized voting and tabulation systems following the 2000 election. I suspect we’ve filed almost as many articles on this topic as Wofford has words in today’s piece!
But there’s one element of his piece I want to ring in on specifically, as I think it represents something a bit more encouraging from the computer scientists who are discussed in the report than I have seen over the years…
Other than pulling together so many of their landmark e-voting exploits into one lengthy and harrowing article, what I think I may appreciate most here is that Wofford eventually gets to, in the final sections of the piece, the observation that many of the computer science and security experts themselves are finally beginning to take notice of. Specifically, that even many of their proposed solutions to this long American nightmare (such as newer computers to replace old ones, encrypted voting technology, post-election “spot checks” known as audits) will be no “silver bullet” to the existing problems. Many of their suggested solutions, as Wofford describes, are likely to result in some of the very same concerns that have caused worry among the electorate about security and a lack of confidence in reported results as with the previous “solutions” implemented as an answer to the 2000 Presidential Election nightmare, when the nation moved to the often-unverifiable and non-transparent, easily-manipulated and simply error-prone computer voting and counting systems funded by the federal Help America Vote Act to the tune of $4 billion.
For example, rather than directly just calling for, as I have, pilot programs for publicly hand-counted, hand-marked paper ballots, with results posted at the precincts on Election Night before ballots are moved anywhere (what I have long described as “Democracy’s Gold Standard”), Wofford cites Rice University computer scientist (and longtime critic of our existing e-voting systems) Dan Wallach’s explanation for a suggested cryptographic “solution”…
Well, that’s close to “Democracy’s Gold Standard”. But Wallach’s solution is then a system that would encrypt electronic ballots. It would, in theory, be far more secure than what we have now, but such a system still make it impossible for the public to oversee all of those ballots and, therefore, unable to know that they were accurately tabulated. As Wofford reports, he was left “dumbfounded” by four different explanations of Wallach’s confusing crypto solution that, he accurately observes, would likely repeat problems with public oversight of our current, horrible computer systems and “would abolish the concept of a countable ‘ballot’ [by] forcing us to trust that incomprehensible code is the equivalent of a ballot”…
“Crypto,†as it’s known in the field, would secure our elections something close to permanently. But it would change fundamentally the way we vote. It would make the act of gawking at random source code a civic requirement. And it would abolish the concept of a countable “ballot,†forcing us to trust that incomprehensible code is the equivalent of a ballot. Cryptographic voting is still years away from ready. But it also begs the question, of whether the concept has simply transferred a technocratic leap of faith from one part of the electronic system to another one. It seemed difficult to believe, after a bruising decade of invisible votes and disappearing ballots, that voters would put their faith in something so abstract. After four explanations from Wallach, I was still dumbfounded.
And that is at the core of the problem with electronically tabulated ballots. If the public — not just computer scientists — can’t oversee it and understand it, we will never have confidence in the reported results. And that, as I have long argued, represents as grave a threat to democracy as elections that are actually stolen.
(The need for Wofford’s article itself, coming on the heels of the DNC Email hack, charges by many Sanders supporter that the primary election was stolen, claims by Trump and friends that the November election will be “rigged”, etc. continue to support my argument that merely the threat or fear of a stolen election is as damaging to confidence in America’s system of democracy as anything else. I discussed this on air in great detail in a recent BradCast.)
In other words, even if a voting and counting solution is judged to be “secure” by experts, that’s not good enough for American democracy. Every citizen needs to be able to know and understand — without having to merely “trust” in anyone — that the reported election results accurately reflect voter intent.
It makes no more sense to simply trust in computer scientists than it does to simply trust in corporate entities like Diebold or ES&S or Sequoia or Hart InterCivic or Dominion when they tell us, as they have sworn over the years (and still do, as Wofford reports) that their systems are really, seriously, totally secure. Nothing to worry about!
Andrew Appel, another seminal player in the past decade of ingeniously disturbing voting systems hacks emanating out of the Princeton group, offers a solution that is, a bit closer to “Democracy’s Gold Standard”, even if it’s not yet all the way there…
“There’s a very simple and old-fashioned recipe that we use in our American democracy,†Appel says. “The vote totals in each polling place are announced at the time the polls closed, in the polling place, to all observers—the poll workers, the party challengers, any citizen that’s observing the closing of the polls.†He goes on to describe how the totals in that precinct would be written on a piece of paper—pencils do just fine—then signed by the poll workers who have been operating that polling site.
“Any citizen can independently add up the precinct by precinct totals,†he continues. “And that’s a very important check. It’s way that with our precinct-based polling systems, we can have some assurance that hacked computers could not undetectably change the results of our election.â€
If I understand what Appel seems to be calling for there, it is almost like the system of precinct-based, publicly hand-counted, hand-marked paper ballots I am suggesting (see how some 40% of New Hampshire towns do it on election night, to fully appreciate “Democracy’s Gold Standard”). But his system of publicly announcing precinct results still seems to be based on an initial computer-tally of results in the first place.
The good news here is that even the scientists — who I have long worked with, interviewed, and hugely respect for their work in identifying problems and vulnerabilities in our e-voting systems — finally seem to be getting closer and closer to realizing that the solution to the problem of computer voting and tabulation is not necessarily using different or better or newer computer voting and tabulation systems.
They are computer scientists, after all. So, it is not a surprise that many of them seek computer science based solutions here. In this case, however, with the unique issue of counting votes cast on secret ballots, and the need for the public to be able to oversee and have confidence in the tally, I suspect more and more each year that the solution must ultimately have nothing to do with computers at all.
Now go pour that tall drink or brew that pitcher of coffee and read Wofford’s piece at Politico.
Please support The BRAD BLOG’s fiercely independent, award-winning coverage of your electoral system, as available from no other media outlet in the nation with a donation to help us keep going (Snail mail, more options here).
I think cybersecurity experts are an ideal source for identifying the problems precisely because the problems arise from 21st century computer technology, which is the world they occupy.
Cybersecurity experts are the worst source to consult with concerning the solution precisely because the solution is to be found in 19th century technology — hand-marked paper ballots that can be publicly hand-tallied at each precinct on election night (aka “Democracy’s Gold Standard.”).
(First of all I’m with Ernie in comment #1. Second of all, here are my eight cents.)
I love that this article was written and published. Here’s my unsolicited evermore-election-integrity-please proofreading/edit—
1. In the chapter that begins in big bold letters–In American politics–5th sentence in–“But even an unrigged election can go haywire, as the nation learned in horror during the Florida recount in 2000…”–
I think it’s problematic describing the 2000 presidential election as “unrigged”. There is quite a bit of evidence of mischief quite possibly intending to effect the vote. I realize nothing has been proven in court(then again, no one ever tried) but between voters been purged from rolls, funny business with the paper chosen for certain ballots, the design of certain ballots, the republican brown shirts storming the recount, etc. the argument that it WAS rigged is not without merit.
2. In the same section, the 4th paragraph down begins–“Almost from the day they were taken out of the box, the touch-screen machines demonstrated problems (the same companies had a much better track record with Optical Scan machines).”
“the same companies had a much better track record with the Optical Scan machines.”–While the author does eventually describe some of the problems of opscan machines, I’m uncomfortable with this assertion written in this way at this point of the article. This whole business of how our election system is so banana republic is an awareness issue. The nation, by and large, seems oblivious to the problem and its implications. Anything that may provide the continuing false impression that there’s not a completely vulnerable, unreliable, non-transparent system being used is not helpful.
3. 3rd paragraph down from the break that says–“No county clerk anywhere in the United States has the ability to defend themselves against distant threats.”–next to last sentence–“For hacking purposes, there’s little difference: In a close election, only a few precincts with paperless touch screens would be required to deflate vote totals, says Appel, even if the majority of counties are still in the Stone Age.”
I’m not sure what he means here by “counties..still in the Stone Age.” So maybe I’m misreading it. But my fear is that he’s referring to counties that are hand-counting the old-fashioned way. If I’m wrong, fine. If he does mean that, he’s denigrating what we know to be our Gold Standard.
4. Next paragraph down, 1st sentence–“The move away from electronic voting is a positive one, the professors say; the best option for election security are the optical scans.”
No. The best option is hand-counted paper ballots in full public view. Stephen Spoonamore knows this. Aren’t there professors studying the problem who also acknowledge this?
5. The end of same paragraph into the 1st sentence of the next–“With the right auditing policies you can recount or do a statistical sample of the ballot boxes to make sure there aren’t cheating computers out there.â€
State policymakers listened.”–
I think this is misleading. It makes it sound as if maybe the auditing is happening. It’s not, as far as I know.
6. In the paragraph below the picture of the “WV vote flipping being caught on tape”, the 3rd sentence begins–“You would be hard pressed to find an example of our voting systems ever being hacked in a real election environment…”.–
The speaker is Kathy Rogers a spokesperson for ES&S. Her assertion here goes unchallenged. It is much more accurate to say that we’re hard pressed to find any examples of hacking when we never bother to look. It’s not as if there aren’t many, many, many questionable outcomes. Alvin Greene, to name a famous one. Election hacked or computer malfunction? Who knows? We never bother to check.
7. Below the paragraph starting–What would be the political motivation–“The good news is that Wallach thinks we’d smell something fishy, and fairly fast: “If tampering happens, we will find it.”
I hope this is true. I have no idea. At the very least this assertion needs to be reconciled with assertions by other computer experts saying that there are ways to hack that are undetectable.
8. The next to the last paragraph, third sentence begins–“Even if the vote were never hacked—and it is an exceedingly implausible event…”
The phase”…it is an exceedingly implausible event…” is a most confounding one. We’ve just been reading throughout the article how numerous and easy are the ways to mess with our elections. Where in the world does this assertion come from? There would certainly seem to be foreign states that might have an interest in influencing our election outcomes. And does anyone in the world think there are not any number of Americans in politics and business who for the sake of power and money would hesitate for a second to rig the game if they had the chance? I repeat–how in the world after all the great work he does in this article does he come up with the notion that hacking an election here would be an “exceedingly implausible event?”
I do not understand the insistence on ballots filled out by hand. Those have two separate problems: 1) it makes it extremely hard for disabled people, and 2) it requires us to *interpret* things.
Computers should not be keeping tracks of votes, period. They should not be tallying votes, period, at least not by themselves.
But computers can, very easily, with no problems, allow us to *print* ballots. The voter slides the ballot in a computer, make the voting selection there, it prints on the ballot (In *text*, not in any sort of code), the voter looks at it, and either takes it to the ballot box to cast it, or takes it back to table to shred (In front of everyone) and get another one.
This removes all ambiguity from what circles are filled in, or that voter intent is. The ballot will have, clearly printed on it in a machine-readable font, HILLARY CLINTON or whatever.
I, personally, would like to see this system then both machine counted immediately *and* hand counted over the next day.
David Cheathem said @3:
For disabled voters, I have no problem with allowing optional assistive voting devices as needed, as required by HAVA and in place in all 50 states already.
As to the need to “interpret things”…that is not actually a problem, as seen in the public hand-count of the hand-marked paper ballots in Minnesota’s Franken/Coleman race back in 2008 where out of millions of ballots cast, there were no more than about one dozen upon which both parties could not agree on voter intent. Determining voter intent is not difficult. Those who suggest otherwise are trying to pull one over on you.
Determining voter intent with any certainty on computer-printed ballots, however, is virtually impossible…
We agree on that!
Here’s the problem(s):
1) There is no way to know after an election that the ballot we are looking at is actually the one approved by the voter. Hand-marked ballots have evidence, intrinsically, of voter intent. Computer-printed ballots could have been printed by ANY computer at any time. No way to know that with any certainty.
2) Presuming we can somehow know that the computer-printed ballot was the one actually cast by the voter, we can’t know if the voter actually verified that it was correctly printed by the computer, as studies show the vast majority of voters don’t check the computer-printed paper.
3) While most don’t check that paper, of those who do bother to review the computer’s summary of votes, as Rice University found, some two-thirds don’t notice when the computer has flipped one or more of their votes!
4) Even if the computer-printed ballot cast is the one actually cast by the voter, and even if the voter checks their computer-printed ballot, and even if they notice any and all computer vote flips, there is no way for the public to know after an election if any of that is true! In the bargain, we are back to the same 100% unverifiable, faith-based elections we have on DRE (touch-screen) systems.
And, one last point on this. The systems that print ballots, like the one being foolishly designed for L.A. County, use bar codes, not text, for tabulating results. The voter may (or may not) approve the text print out, but that’s not even what is tabulated by the computer tabulators in tallying and reporting the results! Adding yet another unnecessary hole via which the results can be gamed.
And for what reason? None that I have been able to tell, while covering this beat for quite some time.
Doing both, btw, is still another way to game the system. All you’d have to do is somehow jam one of those two different counts to introduce doubt into the entire matter, and give reason to nullify results. Again, needlessly, and unnecessarily.
Hope that response is helpful!