September 24, 2018

Serious design flaw in ESS ExpressVote touchscreen: “permission to cheat”

Kansas, Delaware, and New Jersey are in the process of purchasing voting machines with a serious design flaw, and they should reconsider while there is still time!

Over the past 15 years, almost all the states have moved away from paperless touchscreen voting systems (DREs) to optical-scan paper ballots.  They’ve done so because if a paperless touchscreen is hacked to give fraudulent results, there’s no way to know and no way to correct; but if an optical scanner were hacked to give fraudulent results, the fraud could be detected by a random audit of the paper ballots that the voters actually marked, and corrected by a recount of those paper ballots.

Optical-scan ballots marked by the voters are the most straightforward way to make sure that the computers are not manipulating the vote.  Second-best, in my opinion, is the use of a ballot-marking device (BMD), where the voter uses a touchscreen to choose candidates, then the touchscreen prints out an optical-scan ballot that the voter can then deposit in a ballot box or into an optical scanner.  Why is this second-best?  Because (1) most voters are not very good at inspecting their computer-marked ballot carefully, so hacked BMDs could change some choices and the voter might not notice, or might notice and think it’s the voter’s own error; and (2) the dispute-resolution mechanism is unclear; pollworkers can’t tell if it’s the machine’s fault or your fault; at best you raise your hand and get a new ballot, try again, and this time the machine “knows” not to cheat.

Third best is “DRE with paper trail”, where the paper ballot prints out behind glass; the voter can inspect it, but it can be difficult and discouraging to read a long ballot behind glass, and there’s pressure just to press the “accept” button and get on with it.  With hand-marked optical-scan ballots there’s much less pressure to hurry:  you’re not holding up the line at the voting machine, you’re sitting at one of the many cheap cardboard privacy screens with a pen and a piece of paper, and you don’t approach the optical scanner until you’re satisfied with your ballot.  That’s why states (such as North Carolina) that had previously permitted  “DRE with paper trail” moved last year to all optical-scan.

Now there’s an even worse option than “DRE with paper trail”; I call it the “press this button if it’s OK for the machine to cheat” option.  The country’s biggest vendor of voting machines, ES&S, has a line of voting machines called ExpressVote.  Some of these are optical scanners (which are fine), and others are “combination” machines, basically a ballot-marking device and an optical scanner all rolled into one.

This video shows a demonstration of ExpressVote all-in-one touchscreens purchased by Johnson County, Kansas.  The voter brings a blank ballot to the machine, inserts it into a slot, chooses candidates.  Then the machine prints those choices onto the blank ballot and spits it out for the voter to inspect.  If the voter is satisfied, she inserts it back into the slot, where it is counted (and dropped into a sealed ballot box for possible recount or audit).

So far this seems OK, except that the process is a bit cumbersome and not completely intuitive (watch the video for yourself).  It still suffers from the problems I describe above: the voter may not carefully review all the choices, especially in down-ballot races; and counties need to buy a lot more voting machines, because voters occupy the machine for a long time (in contrast to op-scan ballots, where they occupy a cheap cardboard privacy screen).

But here’s the amazingly bad feature:  “The version that we have has an option for both ways,” [Johnson County Election Commissioner Ronnie] Metsker said. “We instruct the voters to print their ballots so that they can review their paper ballots, but they’re not required to do so. If they want to press the button ‘cast ballot,’ it will cast the ballot, but if they do so they are doing so with full knowledge that they will not see their ballot card, it will instead be cast, scanned, tabulated and dropped in the secure ballot container at the backside of the machine.”  [TYT Investigates, article by Jennifer Cohn, September 6, 2018]

Now it’s easy for a hacked machine to cheat undetectably!  All the fraudulent vote-counting program has to do is wait until the voter chooses between “cast ballot without inspecting” and “inspect ballot before casting”.  If the latter, then don’t cheat on this ballot.  If the former, then change votes however it likes, and print those fraudulent votes on the paper ballot, knowing that the voter has already given up the right to look at it.
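
To make the consequence for auditing concrete, here is a small simulation I have added to this post (it is not ES&S code and models no real device; the contest, the voter population, the 30% “skip inspection” rate and the 200-ballot audit sample are all constructed assumptions).  It compares three hypothetical machine behaviours: an honest one, a classic scanner fraud that miscounts truthfully printed ballots, and the selective cheat described above that alters a ballot only when the voter has chosen not to inspect it.  A ballot-level comparison audit, which checks paper cards against the machine’s record of those same cards, catches the second behaviour but sees nothing wrong with the third, even though votes were changed: the paper and the tally agree with each other and disagree only with the voter.

```python
"""Toy model of why the 'cast without inspecting' option makes the paper
record useless as evidence (constructed example, not real machine code)."""
import random
from dataclasses import dataclass

CANDIDATES = ("Alice", "Bob")  # constructed two-candidate contest


@dataclass
class Ballot:
    intent: str      # what the voter selected on the touchscreen
    printed: str     # what the machine printed on the paper card
    tallied: str     # what the machine counted
    inspected: bool  # did the voter ask to see the printed card?


def flip(choice: str) -> str:
    """Return the other candidate (the altered choice)."""
    return CANDIDATES[1] if choice == CANDIDATES[0] else CANDIDATES[0]


# Each behaviour maps (intent, inspected) -> (printed, tallied).
def honest(intent: str, inspected: bool):
    return intent, intent


def cheat_in_tally_only(intent: str, inspected: bool):
    # Prints the voter's choice but counts something else: the paper
    # record disagrees with the tally, so a paper audit can detect it.
    return intent, flip(intent)


def cheat_when_uninspected(intent: str, inspected: bool):
    # The flaw described in the post: alter only ballots the voter has
    # already agreed not to look at, and print the altered choice too,
    # so paper and tally agree and only the voter's intent is lost.
    if inspected:
        return intent, intent
    return flip(intent), flip(intent)


def run_election(behaviour, n_voters=1000, skip_rate=0.3, seed=1):
    """Simulate n_voters ballots; skip_rate is the (assumed) share of
    voters who press 'cast ballot' without inspecting the printout."""
    rng = random.Random(seed)
    ballots = []
    for _ in range(n_voters):
        intent = rng.choice(CANDIDATES)
        inspected = rng.random() >= skip_rate
        printed, tallied = behaviour(intent, inspected)
        ballots.append(Ballot(intent, printed, tallied, inspected))
    return ballots


def audit_discrepancies(ballots, sample_size=200, seed=2):
    """Ballot-level comparison audit: compare a random sample of paper
    cards with the machine's record for those same cards."""
    rng = random.Random(seed)
    sample = rng.sample(ballots, min(sample_size, len(ballots)))
    return sum(1 for b in sample if b.printed != b.tallied)


def votes_changed(ballots):
    """Ground truth the auditor never sees: tally versus voter intent."""
    return sum(1 for b in ballots if b.tallied != b.intent)


def summarize(behaviour):
    ballots = run_election(behaviour)
    return {
        "audit_discrepancies": audit_discrepancies(ballots),
        "votes_changed": votes_changed(ballots),
    }


if __name__ == "__main__":
    for name, fn in [("honest", honest),
                     ("cheat in tally only", cheat_in_tally_only),
                     ("cheat when uninspected", cheat_when_uninspected)]:
        print(f"{name:24s} {summarize(fn)}")
```

Raising the audit sample to every ballot does not change the result for the selective cheat: there is no discrepancy on the paper to find, which is exactly why the option has to be disabled rather than audited around.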

Johnson County should not have bought these machines; if they’re going to use them, they must insist that ES&S disable this “permission to cheat” feature.

Union County New Jersey and the entire state of Delaware are (to the best of my knowledge) in the process of purchasing ExpressVote XL machines, which are like the touchscreens shown in the video but with a much larger screen that can show the whole ballot at once.  New Jersey and Delaware should not buy these machines.  If they insist on buying them, they must disable the “permission to cheat” feature.

Of course, if the permission-to-cheat feature is disabled, that reverts to the cumbersome process shown in the video: (1) receive your bar-code card and blank ballot from the election worker; (2) insert the blank ballot card into the machine; (3) insert the bar-code card into the machine; (4) make choices on the screen; (5) press the “done” button; (6) wait for the paper ballot to be ejected; (7) compare the choices listed on the ballot with the ones you made on the screen; (8) put the ballot back into the machine.

Wouldn’t it be better to use conventional optical-scan balloting, as most states do?  (1) receive your optical-scan ballot from the election worker;  (2) fill in the ovals with a pen, behind a privacy screen; (3) bring your ballot to the optical scanner; (4) feed your ballot into the optical scanner.

I thank Professor Philip Stark (interviewed in the TYT article cited above) for bringing this to my attention.


Comments

  1. This author’s basic lack of research and understanding about how these machines work, combined with a serious absence of facts, will undoubtedly sway all 10 of his readers to think there’s something wrong with these devices when in fact there’s not. Election officials using these machines and others conduct significant testing before and after elections to make sure the results are accurate, an essential fact that this type of fake news false narrative brand of journalism always fails to mention. Next time do your homework.

    • Who are you? And why should we believe you? This article is articulate and persuasive. Hand-marked paper ballots (which are then scanned and saved) are the easiest and most secure method of voting.

    • Oh, pleeease Jill.. Get a clue. Or get another job and stop working for ES&S. This author is an esteemed computer scientist and he knows a hell of a lot more than you. What “election officials” do this so-called significant testing you allege is being done? Some little lady in a courthouse in Topeka? I’m sure she will have a prayer of a chance to find and defeat malware or other attacks from Russia’s top cyber spies or for that matter a good domestic hacker. Cybersecurity is real and the best way to protect our elections is with paper ballots hand-marked by the voter, and risk-limiting audits of our elections.

    • Dr Appel clearly needs to do more homework on how these machines work. I’m only seeing 114 peer reviewed publications on various areas of Computer Science, including voting machine security.

      https://dblp.uni-trier.de/pers/hd/a/Appel:Andrew_W=

  2. Oh, and Jill…. learn to spell.

  3. Harvie Branscomb says:

    The article is being generous to the Express Vote design. In reality, both options leave the software with a way to cheat. When the voter prints the bar coded selections-only card, the machine knows when this took place, and the machine also knows when the card is reinserted back into the machine. So it can know how long the voter spent reading the card – if any time at all. So it still can know when to cheat. To solve this, a separate scanner such as a DS-200 must be used. That’s the scanner that can read a hand marked ballot – the best solution.

    Notice that unlike a full-face ballot, the Express Vote card doesn’t have room for ballot issue text. Instead it will indicate only “Initiative 23A yes” or similar. Most voters will not be familiar with these short titles and will not be able to verify them. And it is the unintelligible barcodes that actually contain the votes. If the voter had a guide to the ballot questions at the time and actually verified the printed text, it would still require a post-election ballot-level risk-limiting comparison audit to be sure the machine did not misprint the bar codes.

    And there is another problem. Because the ExpressVote card doesn’t resemble an absentee ballot, whichever format is rare will become a risk for ballot identification and loss of voter privacy.

    Yes I agree with the author, voter hand marked ballots are far more desirable for an evidence based election. They reveal when the voter failed to understand, made a mistake or had a minor physical disability and always offer an alternative means of expression and human interpretation. Hand marked ballots are naturally verified. Machine marked ballots are unlikely to be verified when onscreen verification had already been completed.

    • Harvie Branscomb says:

      I didn’t explain in my above comment that the two cheats aren’t the same. If the voter never touches the paper, the machine can vote on paper as it likes if this isn’t somehow prevented by excellent testing. Of course excellent and extensive testing in election conditions would be a remedy.

      In case the voter touches paper but doesn’t take time to verify, the voter intent is committed to in printing, but the machine can learn to anticipate which vote patterns (including gestures while onscreen marking) are not likely to be verified and then cheat in the future by choosing carefully which ballot card to interfere with. Tabulation RLA would discover most instances of regular cheats that would change an outcome, but only if the RLA is well executed. Cheats executed only in cases where the voter likely will not verify are more sophisticated and can escape the audit net.

      Also it should be clarified whether the ExpressVote can modify or update the voter intent representation on the card, in which case the guided cheating on an already printed card is easier.

      When BMDs like Express Vote are prevalent, remediation of such potential cheats may require deliberate in-election testing or rewards given to voters for discovery, and also of course serious follow-up when discrepancies are encountered. A voter mark to indicate completion of verification on paper would be a very good initial step leading to closing of this risk.

    • Harvie Branscomb says:

      Thanks to everyone who is helping to address the thorny issue of ballot images on Ballot Marking Device (BMD) screens that deserve verification not just before – but after – they are printed on paper and are expected to be treated by a tabulation RLA as paper ballots representing verified intent. I think things need to be done to motivate that verification, and to inform the audit when we know something about how much verification was done.

      • The scanner could in principle record the number of seconds between printing of the ballot and scanning of the ballot along with each ballot image. Of course, this also requires trusting the software and hardware, which is the problem we’re trying to solve…
