Paperless voting machines are just waiting to be hacked in 2020. We are a POLITICO cybersecurity reporter and a voting security expert – ask us anything.

What do you find are the most convincing arguments against Internet voting, for a non-technical audience?

One of the things that experts tell me all the time is that we don't know how to do anything over the internet with the level of security that we expect from our elections.

Supporters of internet voting often point out that we trust the internet for other sensitive applications, like banking. But you can dispute a transaction and get your money back. There's really nothing happening online that's comparable to elections, in terms of the stakes. So the inherent vulnerabilities in the internet raise more serious questions for voting than for any other application.

—Eric

Internet voting systems tend to be fragile. A few years ago, Washington, D.C. built an online voting system and invited anyone to try to hack in during a mock election. It took me and my students only about 48 hours to gain full control and change all the votes, and the election officials didn't notice anything was wrong until somebody noticed a musical "calling card" we left for them to find. More here:

https://freedom-to-tinker.com/2010/10/05/hacking-dc-internet-voting-pilot/

More recently, a colleague and I found exploitable vulnerabilities in an Australian online voting pilot during a live election:

https://freedom-to-tinker.com/2015/03/22/ivote-vulnerability/

—Alex

Can you show me proof that the current way of voting is not hacked

Here in the UK, we have a paper ballot and we mark our preferred candidate with a pen.

The ballot paper is then posted into a ballot box, which you can see and follow; all the way up until your vote is counted.

Not only does this ensure that you are able to audit exactly where your vote went and make sure it is counted correctly; but also that even if someone where to gain access to these ballots. They would be unable to make sweeping changes or even know the ballots that they are changing the votes of.

Essentially, paper ballots are almost impossible to compromise in any meaningful way.

Electronic voting is almost the complete opposite.

Colorado probably has the best voting system in the US. Mail in paper ballots where you tear off a tab with a unique number on it. You can check of your vote was counted via the ID number on a website, the same website you self register to get the mail ballot. Polling locations also have drop off spots two weeks before election day and the day of election if you vote in person they literally just print you out a paper ballot with that same tear off tab. They have a digital way to fill out the ballots if you prefer but the counting is not done by those machines it's simply for printing a filled out ballot. It's so much easier than New York where I used to live and voting participation in Colorado is some of the highest in the country.

Colorado deserves huge credit for being the first state to implement risk limiting audits (RLAs) state-wide.

https://en.wikipedia.org/wiki/Risk-limiting_audit

These audits are the gold-standard for checking that the paper and electronic records agree about the election winner. Basically, you have people inspect a random sample of the paper ballots, and you use math to make sure the sample is large enough so that the chance that the audit would miss outcome-changing fraud is less than a pre-specified probability (the "risk limit").

How big a sample you need to audit depends on how close the election result appears to be. Intuitively, if the computers say the race was a landslide, you only need to inspect a very small number of paper ballots to confirm it really was a landslide (maybe just a few hundred across the whole state), but if the outcome was a tie, you need to inspect every ballot to make sure. An RLA adapts the sample size to ensure that you already get to a high level of confidence, regardless of how close the outcome was.

Other states have recently passed RLA legislation, including Rhode Island and Virginia, and many counties across the country are piloting RLAs, but it's going to take a lot of work to get every state to run them.

—Alex

No. That's part of the problem with relying on paperless technology. You can't audit it, so you can't prove that negative.

This is not the same as saying that these machines have been hacked. But "I can't prove that there was a problem" is not the level of confidence you want in elections.

—Eric

No, and that is the fundamental problem with our current election system: it's based on faith, rather than evidence.

Our election system should be designed to produce evidence sufficient to convince a rational skeptic that the outcome is correct. One way to do that is to have transparent, observable processes, including statistically rigorous risk-limiting audits.

Instead, all too often, voters simply have to take election officials' word that everything is fine. Most election officials are great people and diligent public servants, but it seems fundamentally wrong that voters should be forced to trust them.

—Alex

What do you think about the brazilian voting machines and what happened when the Superior Electoral Court of Brazil denied your participation on an election auditing process?

Brazil's paperless electronic voting machines have major security problems. I haven't had an opportunity to examine them myself, but fortunately Professor Diego Aranha (formerly of the University of Campinas) has. His research details many flaws, including ways that an attacker could potentially figure out how everyone voted! See: https://sites.google.com/site/dfaranha/projects

—Alex

What is the reason for the push for these machines when pen and paper seem so much more obviously secure and transparent...is it just that tallying votes is faster? Or is there something I'm missing?

It's important to note that there are two separate elements of voting where we can choose manual or electronic methods.

The first is the voting machine. You can use your hands as that "machine" and mark a paper ballot by hand, or you can have an electronic device where you make your choices and it spits out a paper record (or only records your vote digitally, which is the big problem in many counties right now).

The second is the tabulation machine. You can have poll workers manually counting votes based on the paper ballots, or you can have an optical scanner that digitally tallies votes based on those same ballots.

Tallying votes isn't as much of an issue — because optical scanners are pretty fast — as managing the devices that are used to actually record the votes. And many election officials find it more of a hassle to manage stacks of paper ballots than a handful of electronic machines. (Of course, electronic machines break down, so there are management problems there, too.)

—Eric

What’s the best way to overcome the “hanging chad” issue with paper ballots that we saw during the presidential election in 2000?

Manufacturers of paper ballots have significantly improved the design of these ballots since 2000. No voting method is perfect, but research from 2012 suggests that the error rate is between 1% and 2%. The vast majority of the voting problems I heard about on Election Day 2018 related to electronic voting machines, rather than paper ballots or their scanners. We've come a long way since 2000.

—Eric

Are you saying that foreign government agencies can and have tampered with actual voting machines and alter votes? From what iv'e read from the Mueller Report was that most efforts were focused on online social media, not actual government infrastructure.

If a voting district has been tampered with, what are the steps for a backup with paper ballots and whats the likelihood of people changing their votes/becoming uninterested in redoing the process?

What is the power of blockchain in voting and can it be effective? I only recall one presidential candidate(Andrew Yang) weighing pros and cons of it, but im largely unfamiliar with this method

This is no evidence that foreign governments have tampered with voting machines to alter votes. The problem is, there's a real threat that such an attack could happen in the future. Across much of the U.S., we vote on computer voting machines that have known vulnerabilities. And even in states that have a paper trail that can't be changed in a cyberattack, the paper usually isn't checked unless there's a recount.

Take a look at this federal court ruling about Georgia's voting system (released just this morning!). It shows in detail just how open to attack some of the electronic voting systems used today are.

https://pacer-documents.s3.amazonaws.com/47/240678/055111879247.pdf

—Alex

While I understand it can be hacked Is there any evidence that any of the previous machines used in previous elections (at any level) have been hacked?

While Russia is often cited as wanting to mess with western elections is that any evidence out there of a credible threat/intent to commit wild scale voter hacking at any election? beyond the teenager in his parents basement

​

kind regards, look forward to hearing from you

There is no evidence that a voting machine has been hacked while it was used in an election. And Russia has found it much easier to mess with our minds (through disinformation campaigns) than with our voting machines, so this is not likely to ever be their top attack vector.

The concern we see about voting security is about closing as many gaps as possible. There are certainly other gaps that are more likely to be exploited. But maintaining confidence is an important part of conducting elections, and people lose confidence when they know that they're voting on machines with vulnerabilities.

—Eric

What is the safest voting machine out there right now?

From a security perspective, the safest technology right now is hand-marked paper ballots (HMPB) coupled with precinct-count optical scanners (PCOS) and risk-limiting audits (RLAs).

In this kind of system, voters mark ballots manually and put them into a scanner right in the polling place. The scanner creates an electronic record of the marks, and the physical ballots are stored in a ballot box. This means there are redundant records—physical ballots and electronic records.

Officials can use an RLA to efficiently check that both sets of records agree about the winner. Tampering with both kinds of records (in a way that agreed) would require both a high-tech attack and a large conspiracy of people on the ground changing the paper.

—Alex

India uses EVMs that haven't had any problems. They arent connected to any systems whatsoever so can't be hacked unless you hit each individual machine. Why can't the US?

It's true that India has the largest deployment of electronic voting machines in the world, based on a home-grown machine that is dramatically simpler than the touch screen computers common in the US, but they still have lots of problems.

I worked with researchers in India several years ago to do a detailed security analysis of the Indian machines. You can read our research paper and see a video of our findings here: https://indiaevm.org

With just a few minutes of physical access, an attacker can tamper with the machines to change the votes stored in them, or to make the machines count future elections dishonestly. We built low-cost hardware devices to carry out both attacks.

As a result of our research, India has recently rolled out a voter-verifiable paper audit trail (VVPAT), which could help detect such attackers. Unfortunately, I understand that there are some major unresolved problems with the implementation. First among them, the audits aren't risk-limiting, so in a close election, they might not be thorough enough to detect outcome-changing fraud.

—Alex

Why bother with voting machines at all?

There is no way to verify the integrity of the electronic count, neither for an individual voter nor at the national level. Hence, you'll need a manual count to be able to trust the result, which reduces the machine to an incredibly expensive pen.

Even after hacking many different voting machines myself, I don't agree that we should get rid of computer counting technology completely. There is a long, rich history of fraud in paper voting (see https://en.wikipedia.org/wiki/Electoral_fraud#Tampering_with_electronic_voting_machines) that we'd be foolish to ignore.

We can do a lot better by using computer systems that are "software independent". That means that any error or hack affecting the outcome can be detected. One way to do this is to use paper ballots with optical scanners and manual risk-limiting audits, so you get two independent records of every vote that would need to be separately hacked to change the results without detection.

That's way stronger than either hand-counted voting or unaudited computer voting alone.

—Alex

If our local voting area has refused to get paper backups what can we do to pressure them?

Point them to the bi-partisan Senate Intelligence Committee's recommendations:

https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf

Given Russian interventions to undermine the credibility of the election process, states should take urgent steps to replace outdated and vulnerable voting systems... at a minimum, any machine purchased going forward should have a voter-verifiable paper trail.

Or the findings of the National Academies of Science, Engineering, and Medicine:

http://sites.nationalacademies.org/pga/stl/voting/index.htm

[a]ll local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election.

Or if they really want to get down into the details, to my Coursera course, Securing Digital Democracy:

https://www.coursera.org/learn/digital-democracy

Edit to add: Groups like Verified Voting have great resources about election security that could be a big help for your local efforts.

— Alex

If it were tied into DMV systems and everyone gets a 'one use' RSA token to get you into the ballot, which then uploads and encrypts to a cloud repository with DoD protections wouldn't that work?

At least two potential problems there:

1. Voters (many of whom only go to the polls every two or four years) will lose their RSA tokens.
2. With elections, we're worried about very powerful adversaries, and RSA's SecurID tokens have been hacked before, apparently by China. https://www.theregister.co.uk/2012/03/29/nsa_blames_china_rsa_hack/

—Alex

Why can't voting machines give you a receipt of your votes? If each receipt had a unique code, you could go to a website later and see whether your vote was counted. Maybe even see all the votes cast (anonymously of course). If your vote(s) don't show-up you would have a reasonable right to complain. As it is, the whole thing is a black box where no one has any idea of what happens after you leave the machine.

There's an active research area about this, called end-to-end verifiable voting system.

https://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems

The challenge is, can we make a kind of cryptographic receipt that proves to you, the voter, that your vote has been correctly included in the count, but that doesn't let you prove to anyone else how you voted. (Because if you could, you could use the receipt to sell your vote, or you could be coerced into voting a certain way...)

Hopefully some day soon we'll have paper-based voting systems that also gives you this kind of proof.

—Alex

Technically inclined people were warning about this way back in the early 2000s. Do you have any insight on why those warnings went unheeded for so long and people are just now starting to catch on to these problems?

For virtually any big but hard-to-visualize problem, it often takes a galvanizing event to grab people's attention.

That's what Russia's 2016 interference did. It brought these issues from academic conferences to cable news. Even though there were no confirmed cases of hacked voting machines, the issue of voting machine security became (reasonably) wrapped up in broader discussions about ways to improve the system.

—Eric

Hi Alex - I work on election security in my state, assessing different county setups. Every county votes on paper, but you showed me last year that even the tabulators are susceptible. I was lucky enough to be in the audience during your talk at DEF CON.

ES&S seems to have at least a decent system in place for delivering and handling election definition USB sticks. What's the real risk of tabulators being hacked? Is there an easy way to check what vulnerabilities exist by firmware version? Do you have any recommendations on securing paper ballot states?

Thanks!

Yes, even tabulators (optical scanners) are susceptible to hacking, because under the hood, they're pretty powerful computers, with complex, reprogrammable software and sometimes even wireless Internet access (for transmitting results on election night).

In past studies, we've found that election definition files (which officials copy to ever machines before the election to program in the ballot design and the counting rules, etc.) can carry malware or exploit things like buffer overflows to infect the machines. ES&S is a good illustration of the risk: they create the ballot programming for 2000 jurisdictions across 34 states from their corporate headquarters, which is a much more centralized point of attack that most people are aware exists.

One important defense is to make sure you have the latest firmware. But voting machine firmware tends to be years out of date, because there's a lengthy certification process. For instance, the latest certified ES&S software still relies on Windows 7, which will soon be unsupported by Microsoft.

Incredibly, most states do not even require that jurisdictions use the newest available firmware. For example, Georgia currently uses paperless DREs across the state with firmware that hasn't been updated since 2005.

The strongest and most important defense is to rigorously audit the paper trail, through manual risk-limiting audits. Even if the machines are somehow hacked, such audits ensure that there's only a small statistical chance that any outcome-altering fraud will go undetected. That creates a powerful deterrent, and if an attack happens anyway, you can correct it by recounting the paper.

—Alex

What steps can state and local government take (or have they taken already) to secure voter roll information and keep those interested in foul play from disrupting the voting rights of citizens?

The federal government, through the Department of Homeland Security, has been offering free cybersecurity services to state governments for things like these databases. They'll come in, scan and probe these systems, and produce a report with recommended fixes. So that's one good option.

DHS's services are in high demand, though, so there have historically been long wait times for them. But many companies offer similar services where they'll audit the databases for vulnerabilities.

From a technical perspective, these databases are nothing special. They run on the same technology that powers databases in many other industries. As a result, many of the best practices for protecting them — like reducing unnecessary user privileges and regularly applying software updates — are common knowledge in the IT world.

When the Obama administration saw Russia interfering in the 2016 election, voter registration databases represented their biggest concern. Because they're connected to the internet, it's much easier for a hacker to remotely mess with them than with actual voting machines. So even though our tracker page doesn't evaluate these databases, they're definitely one of the most tempting targets and highest-priority systems for defending.

—Eric

My ideal system would be:

Vote at some machine of some sort. Get shown your vote, then press a button to input it. You then get a printout of the votes you made (and can dispute any error immediately on-site if there's a discrepancy).

You can then take that printout home, and the day after the election, look up on the county registrar website that your vote was counted, and counted correctly. Single errors could be fixed, massive discrepancies could be investigated by the media.

Administrators should also be able to verify that all the votes that were counted were legitimate votes, and not input later to tip the scales.

But, it would still remain anonymous. No one would be able to trace back that vote to your identity, or, pull up a list of who voted for who.

Is this just impossible?

You can then take that printout home

This would violate the fundamental principle of ballot secrecy. If you could prove how you voted (with this printout), it would be possible to bribe, blackmail, or threaten you into voting a certain way.

This is one of the biggest challenges to designing a trustworthy voting system — the fact that election officials can't let you take home any proof of how you voted. This is one of the biggest differences between designing voting machines and designing every other form of technology: it needs to be auditable without providing any links between users and inputs.

—Eric

Wouldn't blockchain technology completely eradicate the ability for elections to be tampered with?

Blockchain's great for maintaining a distributed ledger, and that might be useful for some election applications (like voter registration), but it's far from the hardest security challenge facing elections.

Say you wanted to build a blockchain-based online voting system. You'd need to be really sure that the blockchain system itself was secure (and remember, we want the majority of voters to decide who wins, not the majority of miners!), but you'd also need to figure out how to authenticate voters securely, and how to guard against attacks that compromise voters' client devices and modify votes before they're posted on the blockchain.

These are really hard problems, as evidenced by frequent attacks that steal cryptocurrency by stealing passwords, installing malware on clients, or compromising exchanges.

— Alex

PA Pollworker Here - I support HMPBs for all that are able and BMDs for disability use. The state has allowed counties to select systems that are BMD for all if they want. This seems overly expensive and less secure than voting my paper (especially with many counties selecting the ES&S ExpressVote XL - it's an election, not netflix and chill).
Aside from providing the scientific evidence, is there any way that you would suggest getting the point across to BOE officials and decision makers that HMPB systems are better? The officials make the excuse that disabled voters should not be made to vote on something different. That language seems directly ripped from ES&S promo materials and no one can tell me why we don't have ramps everywhere instead of stairs.

PA native here— I agree that using BMDs (touch screen computers that print your ballot) for all voters creates unnecessary security risks, and there's no question that the equipment is far more expensive than using hand-marked ballots and a single scanner per polling place.

What I worry about most is that BMDs could be hacked in a way that causes them to print different choices from what the voter marks on screen. In preliminary studies where we've had people vote in mock elections where we hacked the BMDs outselves, only a tiny fraction of people notice, and most of them blame themselves for making a mistake rather than suspecting the machine!

One of the most frequent problems raised by voters with disabilities is that when BMDs are only provided for voters who need them, they're often not set up properly or otherwise out of order. But those seem like much easier problems to address (say, by requiring adequate testing and auditing local municipalities' compliance) compared to somehow making BMDs unhackable.

—Alex

How is this year any different from the past 20?

There's more pressure on election officials to buy more secure voting machines. I've only been covering this topic for a few years, but experts tell me that they've never seen anything like this level of public awareness about voting security. And in many places, we're seeing election officials respond accordingly. That's the big difference.

—Eric

I know paper can't be hacked, but can you ensure that the results still aren't rigged with paper voting? Is it a matter of going back to paper voting, or is it a matter of improving the paperless voting system?

It is much harder to do mass tampering with votes recorded on paper than it is to do so with electronically recorded votes (see my answer here).

There is no way to completely rule out malicious insiders throwing away ballots or things like that, but if we stopped doing everything that was even a little bit risky, we wouldn't have a civilization anymore.

—Eric

Given our current electorate voting systems, what counties are the most primed for election hacking?

That would be the counties still using paperless voting machines, which you can find here.

—Eric

Are the computers connected to some kind of system when they’re being used? Also, if they are, could they be affected in that would make it mark a paper ballot incorrectly?

Voting machines are supposed to be disconnected from all other systems when they're being used, but some of them have wireless modems that are used for transmitting unofficial results on election night. Under the right circumstances, these modems can be vectors for remote compromise (because they transmit over, and thus connect to, the internet).

If a hacker were to plant malicious code on a voting machine (whether through modems or by compromising the software that's used to program the machines before elections), they could cause it to incorrectly mark the ballot.

This is one reason why many experts dislike ballot-marking devices, which are computers that generate paper ballots once a voter is done voting. BMDs are the hot new thing in many jurisdictions that are ditching their paperless voting machines, but with a BMD, you are still trusting a computer to accurately mark the piece of paper.

—Eric

Did any country get electronic voting right so far? India, for example, is very large country and uses it and there's been concern about it recently.

This is a hard question to answer. There is no point at which we can definitively say that something is working reliably and securely and that its operator got it "right." Someone can always find a vulnerability in a system tomorrow that changes our understanding of its security.

Estonia, for example, touts its widespread digitization and its online voting, but there have been problems there.

—Eric