I am Dan S. Wallach, a professor in the Departments of Computer Science and Electrical and Computer Engineering and a Rice Scholar at the Baker Institute for Public Policy at Rice University in Houston, Texas. I am a co-author of the ACM TechBrief on Election Security and Risk-limiting Audits. I'm also a member of the Election Assistance Commission's Technical Guidelines Development Committee, so I help write the standards that voting machines in the U.S. will follow. I've done research on finding security flaws in existing voting systems and in designing better ones with sophisticated cryptography and other security features.

The mechanics of how elections work have evolved significantly over time. The U.S. has been transitioning away from insecure, paperless electronic voting systems, which became popular two decades ago, to newer systems involving paper ballots (either hand-marked or machine-marked), which are then tabulated electronically. What happens if the electronic tabulator has been hacked to produce fraudulent results? That's where Risk Limiting Audits (RLAs) can save the day, with an efficient random sampling process to compare the paper ballots to their electronic equivalents. Five U.S. states are requiring RLAs in this election and many more are piloting them. During this AMA, I'll be answering questions about RLAs, and more broadly, about security in our elections. Ask me anything!

More Info:

Read the TechBrief on Election Security: Risk-limiting Audits

https://dl.acm.org/doi/pdf/10.1145/3568005

ACM TechBriefs is a series of technical bulletins by ACM’s Technology Policy Council that present scientifically-grounded perspectives on the impact of specific developments or applications of technology. Read the issue to come prepared with questions!

Proof: https://imgur.com/a/oMvzaab.

EDIT: My allotted time is up. It was great talking to you all and answering these great questions. Before you go, grab an e-copy of the ACM TechBrief on Election Security (link above) and follow u/TheOfficialACM for more AMAs!

Comments: 148 • Responses: 20

PaulSnow (43 karma)

Why don't we require all electronic voting to be done with open source hardware and software for true end to end auditability and transparency?

TheOfficialACM (33 karma)

The current business model of elections is that the vendors have no requirements for open source, but they do have the requirement that their systems are subject to certification and testing. The certification process requires the vendors to share their source code with the testing labs.

For what it's worth, there have been a number of attempts at doing an open source voting system that could be commercially viable in the U.S. market, but none of them have achieved significant market share to date, except perhaps the Los Angeles VSAP system, but the source code isn't actually open yet (article from 2018, but I don't think anything has changed since then).

(I do consulting with another open source vendor, VotingWorks.)

PaulSnow (8 karma)

Hence require open source. It isn't about being commercially viable, if not providing an open source product means it isn't commercially viable.

TheOfficialACM (15 karma)

Here's a more concise way to put it: I would prefer if we did not have trade secrets in elections. Let the vendors copyright and/or patent their stuff, but the source code should be open to public inspection. This isn't about security, per se, as much as it's about transparency. If you want to get nerdier about it, it's also about publicly verifiable reproducible builds, which has ramifications for security and transparency.

dr_noiiz (12 karma)

How do you feel about the overall election security of the 2020 presidential race? Do you think there were any significant security gaps that heavily impacted the result?

TheOfficialACM (38 karma)

To be absolutely clear, there is no evidence of any tampering with the 2020 presidential election. We have high confidence that the election outcome was correct.

Here's the crazy part: there's nothing inconsistent with the above statement and saying that there are a number of security weaknesses in our election systems that we need to improve. We'd love to see more states adopt risk-limiting audits (the topic of this post!), which would improve our confidence in their elections. Similarly, it's great that the older generation of paperless electronic voting systems is being replaced with newer machines that use paper ballots. This helps mitigate against the worst risks of malware or tampering with voting systems' software.

LostMyKarmaElSegundo (1 karma)

What about the races that were so far off from the pre-election polling?

No one even thought to audit the Senate race in Maine, because it was a huge margin, but the polls had it much closer.

Wouldn't it make sense to do some sort of audit in those situations?

TheOfficialACM (10 karma)

I'm not an expert in polling, but polls have margins of error, and pollsters often make corrections to their raw polling to compensate for demographic differences between their sampled population and what they anticipate the actual electorate might look like. So, for any given poll, there are a bunch of assumptions baked into the numbers, any of which might turn out to be false. In other words, when an election disagrees with a poll, that can be a surprise, but it's not an immediate red flag.

That said, many states have laws that allow for automatic recounts when the margin of victory is small enough (typically under 1%). And we recommend that every state adopt risk-limiting audits (the topic of this post!) for all their elections, as a required procedure.

In a high-margin race, a risk limiting audit requires a very small number of samples in order to provide convincing evidence of the correctness of the outcome, so RLAs would be a great thing to adopt.

TransposingJons (12 karma)

Several years ago, when Dominion voting machines were first introduced into Georgia, NPR ran an article that associated them with large donations to the Republican party.

Why should we trust/not trust Dominion to deliver unadulterated voting results?

Am I crazy to think the Q-Anon morons might be right, but not for the correct reasons?

TheOfficialACM (21 karma)

For starters, the modern Dominion equipment uses a printed paper ballot. This means that every voter can (and should!) take the time to read the paper ballot that the machine produces and, if something is wrong, they can "spoil" their ballot and do it again. This is an important defense against any hypothetical tampering or malware with the software inside the machines.

After that, you're not being asked to trust machines. You're being asked to trust process. Those paper ballots travel in ballot boxes that are suitably sealed. Election officials tabulate the paper ballots with election observers and the press watching what they do. Georgia also did a risk-limiting audit (the topic of this Reddit post!) during the 2020 election which confirmed the result in the presidential race. (More details: Carter Center report, Georgia SoS's page)

As you might imagine, there's a lot more to it than I can summarize in a few paragraphs, but you should have some comfort that the combination of certification & testing, plus the use of the right kinds of policies & procedures, are where we gain confidence in our election systems.

Weak_Bus8157 (7 karma)

Is there any national election system besides the U.S. that might be worth your special consideration?

TheOfficialACM (17 karma)

U.S. elections are quite unusual relative to most other countries. Of particular note, we're often asked to vote on a huge number of contests. My ballot in Houston, Texas has I think 93 contests or propositions on it. This means that we require automation in order to get timely and accurate results. And therefore we must have computers around, but we need processes like risk limiting audits (the topic of this post!) to mitigate against the risks of malware or tampering with the computers.

Several countries are currently experimenting with Internet voting (Estonia, Switzerland, Canada, and more). This creates a variety of new risks that are harder to mitigate. What do you do to prevent malware on a voter's computer from tampering with their vote? What do you do to protect the servers against denial of service attacks? For contrast, consider that a paper ballot, whether marked by hand or by machine, once it gets into a ballot box, is beyond the reach of even the most sophisticated Internet attacker. There's nothing a foreign nation-state adversary can do over the Internet to modify ink on paper!

Of course, the real world is never quite so simple. I had the chance once to speak with Swiss officials about this, and they pointed out how 40% of Swiss nationals are physically outside the borders of Switzerland at any given time. And they might vote five times per year. Perhaps unsurprisingly, there's a strong demand for Internet voting, and an ongoing challenge to see if they can mitigate against those risks.

aleph32 (6 karma)

Assuming the basic voting equipment is secure, how secure are the systems for agglomerating all those individual counts against, say, hacking or social engineering?

TheOfficialACM (10 karma)

The purpose of a risk limiting audit (the topic of this thread!) is to efficiently determine if the tallying process gets the correct outcome. That's an important defense against hacking.

Social engineering / misinformation / disinformation is an important topic as well, but that's outside of the election system, in the sense that we can't fight misinformation by improving how our voting machines work. That said, fighting misinformation is a huge challenge that election officials now face. (Summary of the issues from the Brennan Center.)

NoIHaveNotRedditYet (5 karma)

Given the perceived vulnerabilities of electronic voting machines to remote bad actors, as well as the scalability for one bad actor to affect a large swath of machines, what are your thoughts on just reverting back to an entirely paper system? Is there a reason this would not be more secure?

TheOfficialACM (13 karma)

The earlier generation of paperless electronic voting systems, adopted in the early 2000s, have been widely studied and have been found to have significant security flaws (examples: California "top to bottom" review in 2007, Ohio EVEREST 2007). (I was one of the co-authors on the California review.)

As a consequence, all the new voting machines involve paper in one form or another. The two most popular forms are ballot marking devices, which have some sort of computer interface and produce a printed ballot, and hand-marked paper ballots, which are typically scanned by a computer, often bolted to the top of the ballot box ("precinct count optical scanner").

The magic of a risk limiting audit (the topic of this thread!) is that it provides an efficient process where a post-election audit can prove, to a desired level of statistical confidence, that any errors in the electronic tabulation are small enough that they don't change the announced winner of a contest.

So, RLAs let us have the efficiency benefits of computers, while still having the security properties that we want from hand tallies, without requiring the slow (and error-prone) process of hand counting.
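The sequential test that makes the "very small number of samples" claim in the high-margin answer above concrete, and that implements the "errors small enough that they don't change the announced winner" property from this answer, as an added worked example (not code from the AMA, the TechBrief, or any audit tool it mentions). It implements the BRAVO ballot-polling rule: each paper ballot drawn at random either strengthens or weakens the evidence for the reported outcome in proportion to the reported margin, and the audit stops once the evidence reaches 1/risk_limit. The election counts, the seed and the 5% risk limit are constructed for the example; a real audit takes its seed from a public dice-rolling ceremony and its reported tallies from the official canvass.

```python
import random


def bravo_pairwise(reported, winner, loser, sample, risk_limit=0.05):
    """BRAVO ballot-polling test for one (winner, loser) pair.

    `reported` maps candidate -> reported vote count; `sample` is the sequence of
    paper-ballot interpretations in the order the auditors drew them.
    Returns (confirmed, ballots_examined)."""
    v_w, v_l = reported[winner], reported[loser]
    if v_w <= v_l:
        raise ValueError("reported winner must lead the reported loser")
    s_w = v_w / (v_w + v_l)            # reported share of the winner within the pair
    t, threshold = 1.0, 1.0 / risk_limit
    for examined, ballot in enumerate(sample, start=1):
        if ballot == winner:
            t *= s_w / 0.5             # evidence for the reported outcome
        elif ballot == loser:
            t *= (1.0 - s_w) / 0.5     # evidence against it
        # ballots for other candidates, blanks and overvotes leave t unchanged
        if t >= threshold:
            return True, examined      # risk limit met: the audit can stop
    return False, len(sample)          # never met: escalate to a full hand count


def audit_contest(reported, sample, risk_limit=0.05):
    """Plurality contest with any number of candidates: every (winner, loser)
    pair must pass. Returns (confirmed, ballots_examined), where the count is
    the largest sample any pair needed; a tie for first raises a ValueError."""
    winner = max(reported, key=reported.get)
    examined = 0
    for loser in reported:
        if loser == winner:
            continue
        ok, n = bravo_pairwise(reported, winner, loser, sample, risk_limit)
        examined = max(examined, n)
        if not ok:
            return False, len(sample)
    return True, examined


def draw_sample(paper_ballots, seed):
    """Random order in which auditors pull ballots (without replacement).
    Real audits derive the seed from public dice rolls; here it is a constant."""
    order = list(paper_ballots)
    random.Random(seed).shuffle(order)
    return order


# Constructed election: 10,000 ballots, tabulator reports A 6,000 / B 4,000.
REPORTED = {"A": 6000, "B": 4000}
PAPER_HONEST = ["A"] * 6000 + ["B"] * 4000      # the paper agrees with the tabulator
PAPER_TAMPERED = ["A"] * 3000 + ["B"] * 7000    # the tabulator lied: B really won

if __name__ == "__main__":
    # Honest case stops after a few hundred ballots; tampered case never
    # reaches the threshold and falls through to a full hand count.
    print(audit_contest(REPORTED, draw_sample(PAPER_HONEST, seed=20221108)))
    print(audit_contest(REPORTED, draw_sample(PAPER_TAMPERED, seed=20221108)))
```

With a 60/40 reported split every ballot for A multiplies the evidence by 1.2 and every ballot for B by 0.8, so a clean 10,000-ballot contest confirms after a few hundred draws, while the same number of draws from a 1% contest would not get close; that is the efficiency the RLA answers above describe, and the escalation to a full hand count is what bounds the risk when the tabulator is wrong.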

PaulSnow (4 karma)

What do you think of requiring blockchain based audit trails of all processes around elections, voting, tallies, challenges, and recounts?

TheOfficialACM (18 karma)

There's an entire academic discipline dedicated to the world of election integrity, and an important technique that's crossing the divide from academia to practice is called "end-to-end verifiable elections". Without getting lost in the technical details of how and why different encryption techniques are used, all of these voting systems generally include a concept called a "public bulletin board". If you squint at it, there isn't all that much difference between a public bulletin board and a blockchain. Both use cryptographic hash functions to build linear chains or tree-like structures.

The essential difference is that blockchains are "decentralized", which means that nobody is in charge. Instead, a series of unrelated parties reach a consensus as to what the blockchain means. In an election, however, all the parties are known in advance, and disputes are generally resolved through administrative processes or lawsuits. This means that public bulletin boards don't need consensus mechanisms. Instead, they're generally about publishing encrypted votes in such a way that a voter can verify that their vote was "counted as cast" (i.e., you get a strong proof that your vote was tabulated exactly as you cast it) as well as "cast as intended" (i.e., the machine didn't misinterpret your vote as you cast it). The exciting part of the cryptography is that we can achieve both of these properties without allowing you, the voter, to have enough evidence to be able to prove to anybody else how you voted (so, we don't enable bribery or coercion).

Bullboah (2 karma)

That’s interesting. How is verification that your vote correctly tabulated your choice achieved without giving you proof another person would recognize?

TheOfficialACM (14 karma)

There are a lot of variations on this, so I'm going to assume we're talking about how Microsoft's ElectionGuard project would work in the context of a ballot marking device. (I've written some of the code being used in ElectionGuard.)

Once the voter finishes specifying their vote, the machine computes an encrypted version of their vote. It's public key encryption, where the voting machine only knows the public key, so only the election official (or a group of election trustees working together, using a technique called threshold cryptography) can do the decryption.

The voting machine can also compute the hash of that encrypted ballot, and then hand it back to the voter, perhaps on a small receipt printer. Now here's the fun part: all the encrypted ballots for the entire election will be posted on some public web server somewhere. And you'll be able to use your receipt and figure out that a ballot matching your hash is right there where it's supposed to be. And now here's the crazy fun part: you can add all the encrypted ballots without first decrypting them. This is called an additive homomorphism. Every election observer can compute this same value, and compare it to the value that's ultimately decrypted by the election official, who provides a cryptographic proof that they did the decryption correctly. So, anybody can validate that their encrypted ballot is part of the big total and that the big total was decrypted correctly. But your receipt doesn't let you sell your vote, since it's the hash of an encrypted ballot, and that ballot is never individually decrypted. (This paragraph summarizes the "counted as cast" property.)

But wait, you ask, why should I believe that my ballot was correctly encrypted in the first place? Turns out, there are a number of independent ways to prove this.

  1. Your paper ballot, which is human readable, includes the hash of your ciphertext below it. A risk-limiting audit would, for each ballot being audited, recompute the encryption of the ballot, based on the human-readable text, and make sure that the hash matches.
  2. Ballots that are spoiled aren't tabulated. That means it's safe for the election official to decrypt those spoiled ballots. So we could create a process where regular voters and/or trained auditors are allowed to keep copies of spoiled ballots, and we'll check later on whether the human-readable text matches up with the ciphertext.

The cool trick here is that the machine doesn't know which ballots will be cast and which will be audited, so if it's going to cheat, it needs to cheat before it knows whether it might be caught. This is called a Benaloh challenge. Josh Benaloh is also, not coincidentally, one of the designers behind Microsoft's ElectionGuard.
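The "counted as cast" mechanics and the Benaloh challenge from the answer above, as an added toy example that is not ElectionGuard's code: exponential ElGamal so that encrypted 0/1 votes add when the ciphertexts are multiplied, a SHA-256 receipt over the ciphertext, a Chaum-Pedersen proof that the posted total was decrypted with the election key, and a spoil check that recomputes a revealed ciphertext from the human-readable vote. The 10-bit prime, the single-trustee key and the seeds are constructed for the example; a real deployment uses a multi-thousand-bit prime, a threshold-shared key, and a disjunctive proof per selection that each ciphertext encrypts 0 or 1, which is omitted here.

```python
import hashlib
import random

# Toy group, constructed for this example: p = 2q + 1 is a safe prime and g = 4
# generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4


def keygen(rng):
    """Election key pair. ElectionGuard shares the secret among trustees instead."""
    k = rng.randrange(1, Q)
    return k, pow(G, k, P)


def encrypt(vote, public_key, nonce):
    """Exponential ElGamal: the 0/1 vote sits in the exponent so ciphertexts add."""
    assert vote in (0, 1)
    alpha = pow(G, nonce, P)
    beta = (pow(G, vote, P) * pow(public_key, nonce, P)) % P
    return alpha, beta


def receipt_hash(ciphertext):
    """Voter receipt: a hash of the encrypted ballot, which reveals nothing about the vote."""
    return hashlib.sha256(f"{ciphertext[0]}:{ciphertext[1]}".encode()).hexdigest()


def homomorphic_sum(ciphertexts):
    """Multiplying ciphertexts adds the votes inside them; any observer can do this."""
    a_total, b_total = 1, 1
    for alpha, beta in ciphertexts:
        a_total, b_total = (a_total * alpha) % P, (b_total * beta) % P
    return a_total, b_total


def challenge(*values):
    """Fiat-Shamir challenge derived from the public transcript."""
    digest = hashlib.sha256(":".join(map(str, values)).encode()).digest()
    return int.from_bytes(digest, "big") % Q


def decrypt_with_proof(ciphertext, private_key, public_key, rng, max_tally):
    """Decrypt a summed ciphertext and emit a Chaum-Pedersen proof that the
    decryption share alpha^k used the same k as the public key g^k."""
    alpha, beta = ciphertext
    share = pow(alpha, private_key, P)
    w = rng.randrange(1, Q)
    a, b = pow(G, w, P), pow(alpha, w, P)                  # commitments
    c = challenge(public_key, alpha, share, a, b)
    z = (w + c * private_key) % Q
    m = (beta * pow(share, -1, P)) % P                     # equals g^tally
    tally = next(t for t in range(max_tally + 1) if pow(G, t, P) == m)
    return tally, {"share": share, "a": a, "b": b, "z": z}


def verify_decryption(ciphertext, tally, proof, public_key):
    """What an observer runs: check the proof and that beta / share = g^tally."""
    alpha, beta = ciphertext
    share, a, b, z = proof["share"], proof["a"], proof["b"], proof["z"]
    c = challenge(public_key, alpha, share, a, b)
    key_ok = pow(G, z, P) == (a * pow(public_key, c, P)) % P
    share_ok = pow(alpha, z, P) == (b * pow(share, c, P)) % P
    tally_ok = (beta * pow(share, -1, P)) % P == pow(G, tally, P)
    return key_ok and share_ok and tally_ok


def verify_spoiled(vote, nonce, ciphertext, public_key):
    """Benaloh challenge: a spoiled ballot is never counted, so the machine reveals
    its nonce and anyone recomputes the encryption from the human-readable vote."""
    return encrypt(vote, public_key, nonce) == ciphertext


def run_election(votes, seed=7):
    """Constructed end-to-end run for one yes/no selection: encrypt each vote, post
    the ciphertexts on a bulletin board, add them, decrypt the total with a proof."""
    rng = random.Random(seed)
    private_key, public_key = keygen(rng)
    board = [encrypt(v, public_key, rng.randrange(1, Q)) for v in votes]
    receipts = [receipt_hash(ct) for ct in board]          # one per voter
    total = homomorphic_sum(board)                         # observers recompute this
    tally, proof = decrypt_with_proof(total, private_key, public_key, rng, len(votes))
    posted = {receipt_hash(ct) for ct in board}
    return {
        "tally": tally,
        "proof_ok": verify_decryption(total, tally, proof, public_key),
        "wrong_tally_rejected": not verify_decryption(total, tally + 1, proof, public_key),
        "receipts_on_board": all(r in posted for r in receipts),
    }
```

A machine that encrypts a 0 when the voter chose 1 produces a ciphertext that `verify_spoiled` rejects as soon as that ballot is challenged, and since the machine cannot tell at encryption time whether the ballot will be cast or spoiled, it has to gamble on every ballot; the decryption proof, meanwhile, is what stops the official from announcing a total other than the one the posted ciphertexts actually sum to.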

PaulSnow (0 karma)

If the hash doesn't give feedback to the voter that the ballot is counted correctly, I think you need open source to ensure that is actually done correctly.

TheOfficialACM (8 karma)

The trick with these fancy e2e-verifiable schemes is that they're very good at providing the voter with evidence that everything worked perfectly, but if something goes wrong, and there are a lot of ways for things to go wrong, it's not necessarily easy to pinpoint the problem.

ElectionGuard happens to be open source, but that's not a requirement for security. In fact, the magic of e2e-verifiable schemes is that they create a much more interesting property called software independence, which means that we can verify a correct election outcome without being required to trust any of the software used by the election officials.

Risk limiting audits, by the way, are also a method of achieving software independence, without any cryptography at all.

PaulSnow (2 karma)

My point really isn't about counting or verifying votes, but the monitoring of processes. Of course, being in the blockchain myself, I've focused on creating cryptographic proofs of sequences of events, and gathering all those proofs into summaries (block hashes if you will).

Allowing the logging of all the processes behind voting (the set up, poll, venue, setup, voting machine configurations, observers, workers, video, etc.) all to the blockchain, you end up with time sequences and actions that create responsibilities. Failures in process can't be hidden.

I feel actual voting and ballots don't gain much from the blockchain, though there are ways to use the blockchain for voting. The real gain is to audit the execution of the election.

Public blockchains are much more complex than your description, and do allow for selecting authorities in distributed locations that all contribute to a unified (cryptographically speaking) log of events.

TheOfficialACM (3 karma)

A Reddit AMA is the wrong place to get into the finer points of blockchains, cryptocurrency, and/or public bulletin boards.

Suffice to say that one of the core features of most blockchains is consensus, while one of the core features of a public bulletin board is maintaining evidence. Those are emphatically not the same thing, even though many of the same cryptographic techniques (zero knowledge proofs, hash data structures, etc.) are used in both settings.

psibomber (3 karma)

What is being done to secure elections against vote trafficking/muling?

TheOfficialACM (4 karma)

It's difficult to find evidence of this sort of thing. The most persistent rumors generally involve some form of bundling of vote-by-mail ballots. In the Rio Grande Valley of Texas, for example, they're called "politiqueros" or "politiqueras". It's unclear whether the impact of these sorts of activities is sufficient to change election outcomes, but Texas and other states have chosen to make it harder to vote by mail, claiming it would reduce fraud. Of course, whenever you change a policy like this, you'll have unintended effects, like making it harder for legitimate voters who might prefer to vote without needlessly exposing themselves to the risks of COVID.

redditorx13579 (3 karma)

How important is physical security? Do you assume there is none for this situation?

TheOfficialACM (11 karma)

Physical security (or, if you prefer, "chain of custody") is essential to all elections. Even if we're talking about hand-marked and hand-counted paper ballots, we still need to ensure that ballot boxes were sealed properly, transported properly, and guarded properly. Of course, when you add computers to the mix, physical security is even more important. This is an important reason for having post-election audits, like the RLAs we talk about in the linked article at the top of this post. An efficient post-election audit allows for discrepancies to be discovered before an election result is certified.

jilldoesthings (3 karma)

Are these RLAs new? Have we used them before?

TheOfficialACM (8 karma)

We summarize the adoption of RLAs in the article linked at the top. The idea is about a decade old and is growing in popularity among election officials.

rodeler (3 karma)

Is there an inadvertent strength against systemic hacking since the US has so many different types of voting machines and laws?

TheOfficialACM (6 karma)

Each of our states has its own rules and procedures, but there are only a small number of equipment vendors for the vast majority of votes cast. This means, in practice, that we can't depend on diversity as much of a security mechanism. Instead, we need better process and procedures (like risk limiting audits!) to help mitigate against some of the threats we face.

MarleyandtheWhalers (3 karma)

Two questions: first, what reasonable questions about election security can or should be raised for elections with fully paper ballots? What about those without?

Second, are there any major real-world known cases of voting machine interference that have affected a democratic outcome, in the US or elsewhere?

Thank you for offering to answer our questions.

TheOfficialACM (5 karma)

Risk-limiting audits (the topic of this thread) are all about how to improve security with paper ballots. So a reasonable question for someplace that has paper ballots is "when are you going to do RLAs?"

Without paper ballots, we're back in the world of paperless electronic voting systems, which have been shown to have a variety of security vulnerabilities (discussed elsewhere in this Reddit). So a reasonable question for someplace that has paperless electronic voting systems is "when are you going to retire these machines and what's the plan to replace them?"

I'm not aware of any systematic voting machine election interference, at least in any U.S. election in anything resembling the modern era. If you go back far enough in time, you get plenty of well-documented messy elections. The story of "Landslide" Lyndon Johnson's victory in the 1948 Texas Senate Race is pretty amazing.

CorrectPeanut5 (1 karma)

What states do voting the best? And what are the things they are doing to make it that way?

TheOfficialACM (7 karma)

It's not really that simple. I could tell you that Rhode Island is amazing (try the grilled pizza!), but they face very different needs, never mind operating at a very different scale, from California or Texas. Small town elections are often done with hand-counted ballots, which is fantastic, but that would never work in huge cities, where it's just too slow and too error-prone.

indygoth (1 karma)

Not technology-related, why do you think armed militia types are guarding ballot boxes?

TheOfficialACM (18 karma)

This sounds like an attempt at voter intimidation, which can be a violation of federal and/or state laws. Here's the ACLU explainer.

RexButz (1 karma)

Are the machines ever randomly subjected to a forensic level audit to ensure the machine operated as it should? Ultimately who is accountable for ensuring the machine operated as it should? Are there any consequences of a machine that didn’t operate as it should for the person or entity responsible for its operation? Are the machines connected to some kind of live operations center for real-time monitoring?

TheOfficialACM (8 karma)

It's exceptionally difficult (read: expensive, time consuming) to do a forensic audit of the sort you're describing, and the adversary has an advantage in this game, because they could potentially engineer their malware to erase itself after the election is over.

The goal of RLAs and other kinds of election auditing procedures is to achieve a property called software independence, such that we can gain confidence in the correct outcomes of an election without requiring any confidence that the software is correct.