August 19, 2017

Security against Election Hacking – Part 1: Software Independence

There’s been a lot of discussion of whether the November 2016 U.S. election can be hacked.  Should the U.S. Government designate all the states’ and counties’ election computers as “critical cyber infrastructure” and prioritize the “cyberdefense” of these systems?  Will it make any difference to activate those buzzwords with less than 3 months until the election?

First, let me explain what can and can’t be hacked.  Election administrators use computers in (at least) three ways:

  1. To maintain voter registration databases and to prepare the “pollbooks” used at every polling place to list who’s a registered voter (for that precinct); to prepare the “ballot definitions” telling the voting machines who are the candidates in each race.
  2. Inside the voting machines themselves, the optical-scan counters or touch-screen machines that the voter interacts with directly.
  3. When the polls close, the vote totals from all the different precincts are gathered (this is called “canvassing”) and aggregated together to make statewide totals for each candidate (or district-wide totals for congressional candidates).

Any of these computers could be hacked.  What defenses do we have?  Could we seal off the internet so the Russians can’t hack us?  Clearly not; and anyway, maybe the hacker isn’t the Russians—what if it’s someone in your opponent’s political party?  What if it’s a rogue election administrator?

The best defenses are ways to audit the election and count the votes outside of, independent of the hackable computers.  For example,

  1. Once the pollbooks are printed (a few days before the election), they can be inspected or audited (by election administrators, or by credentialed designates representing the candidates and political parties) to make sure that no names have been left off (or no illegitimate names have been added). A “spot-check” (a randomized partial audit) may do as well.  The list of registered voters is a public record, so all the information is available to do this spot-check.Even if no one spot-checks in advance:  If a legitimate voter shows up at the polling place and their name has been left off the pollbook (via computer hacking?), this is a real problem—but at least it’s a detected problem.  It would be hard to get away with large-scale election-theft this way without a big story in the newspapers.  (See: voter-registration purge in Florida 2000.)

    Problem:  What if the pollbooks are not printed in advance, but they are “live” in laptop or tablet computers at the polling places?  Then it’s harder to audit in advance: if the pollbook computers are hacked, we won’t know until election day.  But at least we’ll know.  And the use of provisional ballots can ameliorate this kind of disaster.Recommendation:  paper voter-lists in the precincts, as backup to the electronic pollbook system; credentialed party representatives and citizens permitted to inspect/audit these in advance.  When provisional ballots are used, officials must systematically check the provisional ballot envelopes and tally the field that tells the reason why the voter was not issued a regular ballot.

  2. What if the voting machines in the precinct are hacked? With optical-scan voting, the voter fills in the bubbles next to the names of her selected candidates on paper ballot; then she feeds the op-scan ballot into the optical-scan computer.  The computer counts the vote, and the paper ballot is kept in a sealed ballot box.   The computer could be hacked, in which case (when the polls close) the voting-machine lies about how many votes were cast for each candidate.  But we can recount the physical pieces of paper marked by the voter’s own hands; that recount doesn’t rely on any computer.  Instead of doing a full recount of every precinct in the state, we can spot-check just a few ballot boxes to make sure they 100% agree with the op-scan computers’ totals.

    Problem:  What if it’s not an optical-scan computer, what if it’s a paperless touchscreen (“DRE, Direct-Recording Electronic) voting computer?   Then whatever numbers the voting computer says, at the close of the polls, are completely under the control of the computer program in there.  If the computer is hacked, then the hacker gets to decide what numbers are reported.   There are no paper ballots to audit or recount.   All DRE (paperless touchscreen) voting computers are susceptible to this kind of hacking.   This is our biggest problem. Fortunately, only about 6 states (and several counties in another few states) use paperless touchscreen voting machines (“DRE without VVPAT”).  Almost all the states in the U.S. have moved to optical-scan voting (“Paper ballots”), which is much more defensible against hacking.

    Voters in states with paperless touch-screen voting machines should write to their state legislators and to their governor, to ask that their state switch over to optical-scan voting machines.  (It’s too late to switch before the 2016 election.)  Some of the states with heaviest use of touch-screen voting machines are:   Louisiana, New Jersey, Pennsylvania, Georgia, South Carolina, Tennessee, Texas, Delaware, Kentucky.

    On-line (internet) voting is another kind of paperless computer voting, and it’s very easy to hack.  On-line voting should never be used for elections that really matter.

  3. Aggregating the precinct totals together: Those computers can be hacked too.  Fortunately, we can independently audit this addition.   In most states, in every precinct at the close of the polls the vote totals for that precinct are announced in public, right there in the precinct.  Typically, the voting machine prints out the totals on a cash-register tape, and that printout is signed by the pollworkers and the designated party challengers, and any citizen can observe this process and copy down the numbers from the printout.   Well organized political parties collect this information from every precinct, at the close of the polls, and add it up themselves, just in case the County Clerk’s software has been hacked.  In fact, a good County Clerk will add it up herself or himself independently of the election-equipment vendor’s highly automated (but hackable) software, just to be sure.

    Problem:  Some states don’t have a tradition of political parties organizing volunteers to witness and collect this data; in some states, there’s not a clear statutory right for citizens to observe this process.   These problems are  fixable before this November’s election;  election officials should do everything they can to encourage citizen participation in this part of the canvassing process.

So the good news is: our election system has many checks and balances so we don’t have to trust the hackable computers to tell us who won.  The biggest weaknesses are DRE paperless touchscreen voting machines used in a few states, which are completely unacceptable; and possible problems with electronic pollbooks.

In this article I’ve discussed paper trails: pollbooks, paper ballots, and per-precinct result printouts.  Election officials must work hard to assure the security of the paper trail: chain of custody of ballot boxes once the polls close, for example.  And they must use the paper trails to audit the election, to protect against hacked computers (and other kinds of fraud, bugs, and accidental mistakes).  Many states have laws requiring (for example) random audits of paper ballots; more states need such laws, and in all states the spirit of the laws must be followed as well as the letter.

In Part 2 of this series, I’ll discuss cybersecurity policy for election infrastructure.

Comments

  1. Max Hailperin says:

    In addition to providing a record of who is pre-registered, an electronic poll book serves to record who signs in to vote, which is used as a cross-check on the physical security of the ballot box — the number signed in should match the number of ballots. In states with election-day registration (EDR), the electronic poll book is also used to process new registrations, which are also integrity-relevant. Because of these additional functions, auditing the list of pre-registrations (with paper backup) is not sufficient — the sign-in and EDR (if used) should also be audited. This is why the Minnesota electronic poll book law requires the device to print out each transaction of signing in a voter or processing an EDR application.

    • Max Hailperin says:

      Beyond the basic requirement that the electronic poll book print each transaction out, the Minnesota law also requires that those printouts be “on material that will remain legible through the period prescribed by [the election records retention section of the statutes].” The law also contains requirements that the paper record be checked when validating the number of votes cast and when entering the EDR applications into the statewide system.

  2. Paul Stokes says:

    Re: “Well organized political parties collect this information from every precinct, at the close of the polls, and add it up themselves, just in case the County Clerk’s software has been hacked.”

    I doubt that this is done in many states, at least for all the candidates and issues. And it wouldn’t be easy. A typical ballot can have several tens of contests and an additional number of issues, like constitutional amendments and bond issues. The matter is further complicated because there are votes in the precincts, absentee ballot votes, and in many states, early voting sites and vote centers where anyone from any precinct can vote on any voting machine in the county.

    • Max Hailperin says:

      Another huge (if not widely prevalent) complicating factor is that some jurisdictions use Ranked Choice Voting.

  3. You do NOT want to select ballot-boxes at random for auditing, you want a biased selection 🙂

    I know it’s a common statistical error to apply bell-curve assumptions to non-bell-curve data, but voting patterns should follow a bell curve. If one party is hacking some ballot boxes, then we will have TWO bell curves, the hacked boxes and the unhacked boxes. Combine them, and all the hacking will be skewed to one end.

    So if our “random selection algorithm” is actually biased to prefer boxes that deviate from the average, any hacking should show up quickly, and only at one end. If it shows up at *both* ends, you can decide to either junk the election as “too fraudulent”, or decide that the evidence appears to show that the hacking has canceled each other out, and the result can be trusted even if the individual counts can’t.

    • Andrew Appel says:

      You’re assuming that all precincts in the state have the same average distribution of voters. But that’s not the case; some precincts are very heavily Democratic, and other precincts are very heavily Republican. Therefore, just because a precinct reports results that are far from 50/50, does not mean it’s likely hacked.

      Google “risk-limiting election audits” and you’ll see a whole scientific literature of statistical methods for choosing what ballot boxes to audit.

  4. Julia Perry says:

    It is SO critical that you pointed out first and foremost that the ballot layouts are available for public inspection, and then the tallying systems are tested and public witnesses are allowed. But no one goes and does that. Andrew, do you know about the Florida U.S. Senate race in 1988? I was Director of Information Systems for Democrat Buddy MacKay, stayed on staff several months after the election, and have been published with some of my written analyses. We impressed upon the State convention, several years in a row, how those parts of Election Law needed to be utilized. You can tell, as now can everyone else, that it wasn’t done in those 4 key FL counties.

    I’m really close to Pamela and have attended the first VV citizen lobbying project in Apr 2004. But let me know if you haven’t read about that particular election debacle, especially things written by my friend Ronnie Dugger.

  5. Julia Perry says:

    If Russia can hack into our States’ voter tallying systems, shouldn’t we be paying attention to the fact that partisan Secretaries of State might be primed to do the exact same thing?