September 24, 2018

Serious design flaw in ESS ExpressVote touchscreen: “permission to cheat”

Kansas, Delaware, and New Jersey are in the process of purchasing voting machines with a serious design flaw, and they should reconsider while there is still time!

Over the past 15 years, almost all the states have moved away from paperless touchscreen voting systems (DREs) to optical-scan paper ballots.  They’ve done so because if a paperless touchscreen is hacked to give fraudulent results, there’s no way to know and no way to correct; but if an optical scanner were hacked to give fraudulent results, the fraud could be detected by a random audit of the paper ballots that the voters actually marked, and corrected by a recount of those paper ballots.

Optical-scan ballots marked by the voters are the most straightforward way to make sure that the computers are not manipulating the vote.  Second-best, in my opinion, is the use of a ballot-marking device (BMD), where the voter uses a touchscreen to choose candidates, then the touchscreen prints out an optical-scan ballot that the voter can then deposit in a ballot box or into an optical scanner.  Why is this second-best?  Because (1) most voters are not very good at inspecting their computer-marked ballot carefully, so hacked BMDs could change some choices and the voter might not notice, or might notice and think it’s the voter’s own error; and (2) the dispute-resolution mechanism is unclear; pollworkers can’t tell if it’s the machine’s fault or your fault; at best you raise your hand and get a new ballot, try again, and this time the machine “knows” not to cheat.

Third best is “DRE with paper trail”, where the paper ballot prints out behind glass; the voter can inspect it, but it can be difficult and discouraging to read a long ballot behind glass, and there’s pressure just to press the “accept” button and get on with it.  With hand-marked optical-scan ballots there’s much less pressure to hurry:  you’re not holding up the line at the voting machine, you’re sitting at one of the many cheap cardboard privacy screens with a pen and a piece of paper, and you don’t approach the optical scanner until you’re satisfied with your ballot.  That’s why states (such as North Carolina) that had previously permitted  “DRE with paper trail” moved last year to all optical-scan.

Now there’s an even worse option than “DRE with paper trail”; I call it the “press this button if it’s OK for the machine to cheat” option.  The country’s biggest vendor of voting machines, ES&S, has a line of voting machines called ExpressVote.  Some of these are optical scanners (which are fine), and others are “combination” machines, basically a ballot-marking device and an optical scanner all rolled into one.

This video shows a demonstration of ExpressVote all-in-one touchscreens purchased by Johnson County, Kansas.  The voter brings a blank ballot to the machine, inserts it into a slot, chooses candidates.  Then the machine prints those choices onto the blank ballot and spits it out for the voter to inspect.  If the voter is satisfied, she inserts it back into the slot, where it is counted (and dropped into a sealed ballot box for possible recount or audit).

So far this seems OK, except that the process is a bit cumbersome and not completely intuitive (watch the video for yourself).  It still suffers from the problems I describe above: the voter may not carefully review all the choices, especially in down-ballot races; and counties need to buy a lot more voting machines, because voters occupy the machine for a long time (in contrast to op-scan ballots, where they occupy a cheap cardboard privacy screen).

But here’s the amazingly bad feature:  “The version that we have has an option for both ways,” [Johnson County Election Commissioner Ronnie] Metsker said. “We instruct the voters to print their ballots so that they can review their paper ballots, but they’re not required to do so. If they want to press the button ‘cast ballot,’ it will cast the ballot, but if they do so they are doing so with full knowledge that they will not see their ballot card, it will instead be cast, scanned, tabulated and dropped in the secure ballot container at the backside of the machine.”  [TYT Investigates, article by Jennifer Cohn, September 6, 2018]

Now it’s easy for a hacked machine to cheat undetectably!  All the fraudulent vote-counting program has to do is wait until the voter chooses between “cast ballot without inspecting” and “inspect ballot before casting”.  If the latter, then don’t cheat on this ballot.  If the former, then change votes how it likes, and print those fraudulent votes on the paper ballot, knowing that the voter has already given up the right to look at it.

Johnson County should not have bought these machines; if they’re going to use them, they must insist that ES&S disable this “permission to cheat” feature.

Union County New Jersey and the entire state of Delaware are (to the best of my knowledge) in the process of purchasing ExpressVote XL machines, which are like the touchscreens shown in the video but with a much larger screen that can show the whole ballot at once.  New Jersey and Delaware should not buy these machines.  If they insist on buying them, they must disable the “permission to cheat” feature.

Of course, if the permission-to-cheat feature is disabled, that reverts to the cumbersome process shown in the video: (1) receive your bar-code card and blank ballot from the election worker; (2) insert the blank ballot card into the machine; (3) insert the bar-code card into the machine; (4) make choices on the screen; (5) press the “done” button; (6) wait for the paper ballot to be ejected; (7) compare the choices listed on the ballot with the ones you made on the screen; (8) put the ballot back into the machine.

Wouldn’t it be better to use conventional optical-scan balloting, as most states do?  (1) receive your optical-scan ballot from the election worker;  (2) fill in the ovals with a pen, behind a privacy screen; (3) bring your ballot to the optical scanner; (4) feed your ballot into the optical scanner.

I thank Professor Philip Stark (interviewed in the TYT article cited above) for bringing this to my attention.


Securing the Vote — National Academies report

In this November’s election, could a computer hacker, foreign or domestic, alter votes (in the voting machine) or prevent people from voting (by altering voter registrations)?  What should we do to protect ourselves?

The National Academies of Science, Engineering, and Medicine have released a report,  Securing the Vote: Protecting American Democracy about the cybervulnerabilities in U.S. election systems and how to defend them.  The committee was chaired by the presidents of Indiana University and Columbia University, and the members included 5 computer scientists, a mathematician, two social scientists, a law professor, and three state and local election administrators.  I served on this committee, and I am confident that the report presents the clear consensus of the scientific community, as represented not only by the members of the committee but also the 14 external reviewers—election officials, computer scientists, experts on elections—that were part of the National Academies’ process.

The 124-page report, available for free download, lays out the scientific basis for our conclusions and our 55 recommendations.  We studied primarily the voting process; we did not address voter-ID laws, gerrymandering, social-media disinformation, or campaign financing.

There is no national election system in the U.S.; each state or county runs its own elections.  But in the 21st century, state and local election administrators face new kinds of threats.  In the 19th and 20th centuries elections did not face the threat of vote manipulation (and voter-registration tampering) from highly sophisticated adversaries anywhere in the world.  Most state and local election administrators know they must improve their cybersecurity and adopt best practices, and the federal government can (and should) offer assistance.  But it’s impossible to completely prevent all attacks; we must be able to run elections even if the computers might be hacked; we must be able to detect and correct errors in the computer tabulation.

Therefore, our key recommendations are:

4.11.  Elections should be conducted with human-readable paper ballots.  These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner).  Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots.  Voting machines that do not provide the capacity for independent auditing (e.g., machines that do not produce a voter-verifiable paper audit trail) should be removed from service as soon as possible.

In our report, we explain why:  voting machines can never be completely hack-proof, but with paper ballots we can–if we have to–count the votes independent of possibly hacked computers.

4.12.  Every effort should be made to use human-readable paper ballots in the 2018 federal election.  All local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election.

5.8.  States should mandate risk-limiting audits prior to the certification of election results.  With current technology, this requires the use of paper ballots.  States and local jurisdictions should implement risk-limiting audits within a decade.  They should begin with pilot programs and work toward full implementation.  Risk-limiting audits should be conducted for all federal and state election contests, and for local contests where feasible. 

In our report, we explain why:  examining a small random sample of the paper ballots, and comparing with the results claimed by the computers, can assure with high confidence that the computers haven’t been hacked to produce an incorrect outcome–or else, can provide clear evidence that a recount is needed.
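To make the “small random sample” argument concrete, here is an added example (not code from the report or the committee) of a ballot-polling risk-limiting audit in the style of BRAVO (Lindeman, Stark, and Yates): paper ballots are drawn at random and a likelihood-ratio statistic grows when the sample agrees with the reported winner; once it exceeds 1/risk-limit the outcome is confirmed, and if it never does, the audit escalates to a full hand count of the paper. The candidate names, vote counts and ballot lists are constructed for illustration.

```python
import random
from collections import Counter

def bravo_factor(ballot, winner, loser, s_w):
    """BRAVO update for one sampled paper ballot. s_w is the reported
    winner's share of the winner+loser votes; 0.5 is the tie hypothesis."""
    if ballot == winner:
        return 2 * s_w
    if ballot == loser:
        return 2 * (1 - s_w)
    return 1.0  # undervote or third candidate: no evidence either way

def bravo_statistic(sample, winner, loser, s_w, risk_limit=0.05):
    """Run the sequential test over an ordered sample of paper ballots.
    Returns (statistic, ballots_examined, outcome_confirmed)."""
    threshold = 1 / risk_limit
    T, n = 1.0, 0
    for ballot in sample:
        n += 1
        T *= bravo_factor(ballot, winner, loser, s_w)
        if T >= threshold:          # enough evidence: stop early
            return T, n, True
    return T, n, False               # sample exhausted without confirming

def ballot_polling_audit(ballots, reported, risk_limit=0.05, seed=20180924):
    """Audit the machine-reported totals (dict name -> votes) against the
    physical ballots (list of candidate names read by humans)."""
    (winner, vw), (loser, vl) = Counter(reported).most_common(2)
    s_w = vw / (vw + vl)
    rng = random.Random(seed)
    # Draw with replacement; give up after as many draws as there are ballots.
    sample = (ballots[rng.randrange(len(ballots))] for _ in range(len(ballots)))
    T, n, confirmed = bravo_statistic(sample, winner, loser, s_w, risk_limit)
    result = {"reported_winner": winner, "ballots_sampled": n,
              "outcome_confirmed": confirmed, "full_hand_count": None}
    if not confirmed:                # escalate: count every paper ballot
        result["full_hand_count"] = dict(Counter(ballots))
    return result

if __name__ == "__main__":
    honest = ["A"] * 6000 + ["B"] * 4000           # constructed paper ballots
    print(ballot_polling_audit(honest, {"A": 6000, "B": 4000}))
    # A hacked tabulator reports A winning, but the paper says otherwise.
    hacked = ["A"] * 4000 + ["B"] * 6000
    print(ballot_polling_audit(hacked, {"A": 6000, "B": 4000}))
```

In the honest run the audit typically stops after a few hundred ballots; in the hacked run the statistic never reaches the threshold and the full hand count of the paper reveals the true winner.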

5.11.  At the present time, the Internet (or any network connected to the Internet)  should not be used for the return of marked ballots.  Further, Internet voting should not be used in the future until and unless very robust guarantees of security and verifiability are developed and in place, as no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.

4.1.  Election administrators should routinely assess the integrity of voter registration databases and the integrity of voter registration databases connected to other applications.  They should develop plans that detail security procedures for assessing voter registration database integrity and put in place systems that detect efforts to probe, tamper with, or interfere with voter registration systems.  States should require election administrators to report any detected compromises or vulnerabilities in voter registration systems to the U.S. Department of Homeland Security, the U.S. Election Assistance Commission, and state officials.

Many of these recommendations are not controversial, in most states.  Almost all the states use paper ballots, counted by machine;  the few remaining states that use paperless touchscreens are taking steps to move to paper ballots; the states have not adopted internet voting (except for scattered ill-advised experiments); and many, many election administrators nationwide are professionals who are working hard to come up to speed on cybersecurity.

But many election administrators are not sure about risk-limiting audits (RLAs).  They ask, “can’t we just audit the digital ballot images that the machines provide?”  No, that won’t work:  if the machine is hacked to lie about the vote totals, it can easily be hacked to provide fake digital pictures of the ballots themselves.  The good news is that well-designed risk-limiting audits, added to well-designed administrative processes for keeping track of batches of ballots, can be efficient and practical.  But it will take some time and effort to get things going: the design of those processes, the design of the audits themselves, training of staff, state legislation where necessary.  And it can’t be a one-size-fits-all design:  different states vote in different ways, and the risk-limiting audit must be designed to fit the state’s election systems and methods.  That’s why we recommend pilots of RLAs as soon as possible, but a 10-year period for full adoption.

Many other findings and recommendations are in the report itself.  For example, Congress should fully fund the Election Assistance Commission to perform its mission, authorize the EAC to set standards for voter-registration systems and e-pollbooks (not just voting machines); the President should nominate and Congress should confirm EAC commissioners.

But the real bottom line is:  there are specific things we can do, at the state level and at the national level; and we must do these things to secure our elections so that we are confident that they reflect the will of the voters.

Are voting-machine modems truly divorced from the Internet?

(This article is written jointly with my colleague Kyle Jamieson, who specializes in wireless networks.)

[See also: The myth of the hacker-proof voting machine]

The ES&S model DS200 optical-scan voting machine has a cell-phone modem that it uses to upload election-night results from the voting machine to the “county central” canvassing computer.  We know it’s a bad idea to connect voting machines (and canvassing computers) to the Internet, because this allows their vulnerabilities to be exploited by hackers anywhere in the world.  (In fact, a judge in New Jersey ruled in 2009 that the state must not connect its voting machines and canvassing computers to the internet, for that very reason.)  So the question is, does DS200’s cell-phone modem, in effect, connect the voting machine to the Internet?

The vendor (ES&S) and the counties that bought the machine say, “no, it’s an analog modem.”  That’s not true; it appears to be a Multitech MTSMC-C2-N3-R.1 (Verizon C2 series modem), a fairly complex digital device.  But maybe what they mean is “it’s just a phone call, not really the Internet.”  So let’s review how phone calls work:

The voting machine calls the county-central computer using its cell-phone modem to the nearest tower; this connects through Verizon’s “Autonomous System” (AS), part of the packet-switched Internet, to a cell tower (or land-line station) near the canvassing computer.

Verizon attempts to control access to the routers internal to its own AS, using firewall rules on the border routers.  Each border router runs (probably) millions of lines of software; as such it is subject to bugs and vulnerabilities.  If a hacker finds one of these vulnerabilities, he can modify messages as they transit the AS network:

Do border routers actually have vulnerabilities in practice?  Of course they do!  US-CERT has highlighted this as an issue of importance.  It would be surprising if the Russian mafia or the FBI were not equipped to exploit such vulnerabilities.

Even easier than hacking through router bugs is just setting up an imposter cell-phone “tower” near the voting machine; one commonly used brand of these, used by many police departments, is called “Stingray.”

I’ve labelled the hacker as “MitM” for “man-in-the-middle.”  He is well positioned to alter vote totals as they are uploaded.  Of course, he will do better to put his Stingray near the county-central canvassing computer, so he can hack all the voting machines in the county, not just one near his Stingray:

So, in summary: phone calls are not unconnected to the Internet; the hacking of phone calls is easy (police departments with Stingray devices do it all the time); and even between the cell-towers (or land-line stations), your calls go over parts of the Internet.  If your state laws, or a court with jurisdiction, say not to connect your voting machines to the Internet, then you probably shouldn’t use telephone modems either.