May 29, 2017

My testimony before the House Subcommittee on IT

I was invited to testify yesterday before the U.S. House of Representatives Subcommittee on Information Technology, at a hearing entitled “Cybersecurity: Ensuring the Integrity of the Ballot Box.”  My written testimony is available here.  My 5-minute opening statement went as follows:

My name is Andrew Appel.  I am Professor of Computer Science at Princeton University.   In this testimony I do not represent my employer. I’m here to give my own professional opinions as a scientist, but also as an American citizen who cares deeply about protecting our democracy.

My research is in software verification, computer security, technology policy, and election machinery.  As I will explain, I strongly recommend that, at a minimum, the Congress seek to ensure the elimination of Direct-Recording Electronic voting machines (sometimes called “touchscreen” machines), immediately after this November’s election; and that it require that all elections be subject to sensible auditing after every election to ensure that systems are functioning properly and to prove to the American people that their votes are counted as cast.

There are cybersecurity issues in all parts of our election system:  before the election, voter-registration databases; during the election, voting machines; after the election, vote-tabulation / canvassing / precinct-aggregation computers.  In my opening statement I’ll focus on voting machines.  The other topics are addressed in a recent report I have co-authored entitled “Ten Things Election Officials Can Do to Help Secure and Inspire Confidence in This Fall’s Elections.”

In the U.S. we use two kinds of voting machines: optical scanners that count paper ballots, and “touchscreen” voting machines, also called “Direct-Recording Electronic.”  Each voting machine is a computer, running a computer program.  Whether that computer counts the votes accurately, or makes mistakes, or cheats by shifting votes from one candidate to another, depends on what software is installed in the computer.  We all use computers, and we’ve all had occasion to install new software.  Sometimes it’s an app we purchase and install on purpose, sometimes it’s a software upgrade sent by the company that made our operating system.  Installing new software in a voting machine is not really much different from installing new software in any other kind of computer.

Installing new software is how you hack a voting machine to cheat. In 2009, in the courtroom of the Superior Court of New Jersey,  I demonstrated how to hack a voting machine.  I wrote a vote-stealing computer program that shifts votes from one candidate to another.   Installing that vote-stealing program in a voting machine takes 7 minutes, per machine, with a screwdriver.  I did this in a secure facility and I’m confident my program has not leaked out to affect real elections, but really the software I built was not rocket science — any computer programmer could write the same code.  Once it’s installed, it could steal elections without detection for years to come.

Voting machines are often delivered to polling places several days before the election—to elementary schools, churches, firehouses.  In these locations anyone could gain access to a voting machine for 10 minutes.  Between elections the machines are routinely opened up for maintenance by county employees or private contractors.  Let’s assume they have the utmost integrity, but still, in the U.S. we try to run our elections so that we can trust the election results without relying on any one individual.

Other computer scientists have demonstrated similar hacks on many models of machine. This is not just one glitch in one manufacturer’s machine, it’s the very nature of computers.

So how can we trust our elections when it’s so easy to make the computers cheat?  Forty states already know the answer:  vote on optical-scan paper ballots.  (My written testimony clarifies this statement.)  The voter fills in the bubble next to the name of their preferred candidate, then takes this paper ballot to the scanner—right there in the precinct—and feeds it in.  That opscan voting machine has a computer in it, and we can’t 100% prevent the computer from being hacked, but that very paper ballot marked by the voter drops into a sealed ballot box under the opscan machine.  Those ballots can be recounted by hand, in a way we can trust.

Unfortunately, there are still about 10 states that primarily use paperless touchscreen voting computers.  There’s no paper ballot to recount.  After the voter touches the screen, we have to rely on the computer—that is, we have to rely on whatever program is installed in the computer that day—to print out the true totals when the polls close.

So what must we do?  In the near term, we must not connect the voting machines to the Internet.  The same goes for those computers used to prepare the electronic ballot definition files before each election, that are used to program the voting machines—that is, we must not connect the voting machines even indirectly to the Internet.  Many able and competent election administrators already follow this “best practice.”  I hope that all 9000 counties and states that run elections follow this practice, and other security best practices, but it’s hard to tell whether they all do.

These and other best practices can help protect against hacking of voting machines by people in other countries through the Internet.  But they can’t protect us from mistakes, software bugs, miscalibration, insider hacking, or against local criminals with access to the machines before or after elections.  So what we must do as soon as possible after November is to adopt nationwide what 40 states have already done: paper ballots, marked by the voter, countable by computer but recountable by hand.

In 2000 we all saw what a disastrously unreliable technology those punch-card ballots were.  So in 2002 the Congress outlawed punch-card ballots, and that was very appropriate.  I strongly recommend that the Congress seek to ensure the elimination of paperless “touchscreen” voting machines, immediately after this November’s election.


  1. Luther Weeks says:

    ” we must not connect the voting machines even indirectly to the Internet. Many able and competent election administrators already follow this “best practice.””
    Hopefully those officials realize that this means that machines have never been connected to the Internet, that the Internet includes any internal connection that might connect to the outside world or includes connectivity to any computer that has ever connected to the outside world. And that in the long run even that is far from sufficient, since, as Mr. Appel has demonstrated, connectivity is not required to hack a computer/voting machine.