Election Security

It's over. The voting went smoothly. As of the time of writing, there are no serious fraud allegations, nor credible evidence that anyone tampered with voting rolls or voting machines. And most important, the results are not in doubt.

While we may breathe a collective sigh of relief about that, we can't ignore the issue until the next election. The risks remain.

As computer security experts have been saying for years, our newly computerized voting systems are vulnerable to attack by both individual hackers and government-sponsored cyberwarriors. It is only a matter of time before such an attack happens.

Electronic voting machines can be hacked, and those machines that do not include a paper ballot that can verify each voter's choice can be hacked undetectably. Voting rolls are also vulnerable; they are all computerized databases whose entries can be deleted or changed to sow chaos on Election Day.

The largely ad hoc system in states for collecting and tabulating individual voting results is vulnerable as well. While the difference between theoretical if demonstrable vulnerabilities and an actual attack on Election Day is considerable, we got lucky this year. Not just presidential elections are at risk, but state and local elections, too.

To be very clear, this is not about voter fraud. The risks of ineligible people voting, or people voting twice, have been repeatedly shown to be virtually nonexistent, and "solutions" to this problem are largely voter-suppression measures. Election fraud, however, is both far more feasible and much more worrisome.

Here's my worry. On the day after an election, someone claims that a result was hacked. Maybe one of the candidates points to a wide discrepancy between the most recent polls and the actual results. Maybe an anonymous person announces that he hacked a particular brand of voting machine, describing in detail how. Or maybe it's a system failure during Election Day: voting machines recording significantly fewer votes than there were voters, or zero votes for one candidate or another. (These are not theoretical occurrences; they have both happened in the United States before, though because of error, not malice.)

We have no procedures for how to proceed if any of these things happen. There's no manual, no national panel of experts, no regulatory body to steer us through this crisis. How do we figure out if someone hacked the vote? Can we recover the true votes, or are they lost? What do we do then?

First, we need to do more to secure our elections system. We should declare our voting systems to be critical national infrastructure. This is largely symbolic, but it demonstrates a commitment to secure elections and makes funding and other resources available to states.

We need national security standards for voting machines, and funding for states to procure machines that comply with those standards. Voting-security experts can deal with the technical details, but such machines must include a paper ballot that provides a record verifiable by voters. The simplest and most reliable way to do that is already practiced in 37 states: optical-scan paper ballots, marked by the voters, counted by computer but recountable by hand. And we need a system of pre-election and postelection security audits to increase confidence in the system.

Second, election tampering, either by a foreign power or by a domestic actor, is inevitable, so we need detailed procedures to follow--both technical procedures to figure out what happened, and legal procedures to figure out what to do--that will efficiently get us to a fair and equitable election resolution. There should be a board of independent computer-security experts to unravel what happened, and a board of independent election officials, either at the Federal Election Commission or elsewhere, empowered to determine and put in place an appropriate response.

In the absence of such impartial measures, people rush to defend their candidate and their party. Florida in 2000 was a perfect example. What could have been a purely technical issue of determining the intent of every voter became a battle for who would win the presidency. The debates about hanging chads and spoiled ballots and how broad the recount should be were contested by people angling for a particular outcome. In the same way, after a hacked election, partisan politics will place tremendous pressure on officials to make decisions that override fairness and accuracy.

That is why we need to agree on policies to deal with future election fraud. We need procedures to evaluate claims of voting-machine hacking. We need a fair and robust vote-auditing process. And we need all of this in place before an election is hacked and battle lines are drawn.

In response to Florida, the Help America Vote Act of 2002 required each state to publish its own guidelines on what constitutes a vote. Some states -- Indiana, in particular -- set up a "war room" of public and private cybersecurity experts ready to help if anything did occur. While the Department of Homeland Security is assisting some states with election security, and the F.B.I. and the Justice Department made some preparations this year, the approach is too piecemeal.

Elections serve two purposes. First, and most obvious, they are how we choose a winner. But second, and equally important, they convince the loser--and all the supporters--that he or she lost. To achieve the first purpose, the voting system must be fair and accurate. To achieve the second one, it must be shown to be fair and accurate.

We need to have these conversations before something happens, when everyone can be calm and rational about the issues. The integrity of our elections is at stake, which means our democracy is at stake.

This essay previously appeared in the New York Times.

Posted on November 15, 2016 at 7:09 AM • 77 Comments

Comments

Nicki Halflinger • November 15, 2016 7:39 AM

In the past few elections, I used an optical scan voting system. I agree, that is probably the best system available, but I would like to see the scanner in a privacy booth where it can display the votes as it interprets the markings. I would then have the right to cancel that, have it retry or request a new ballot, voiding the old one, until I am satisfied with what it reads. Printing a receipt with your vote would violate the laws in many states banning showing others your ballot.

Florian • November 15, 2016 8:04 AM

Don't forget electoral fraud caused by hacking/rigging campaigning databases causing faulty campaign planning and voter addressing.

Peter Knoppers • November 15, 2016 8:33 AM

Andy referred to the paper by Ron Rivest.

The problem with this paper is that even though the described system may eventually be proven to be flawless, it is too complicated for most mortals to understand the proof.

Consequently Ron Rivest's voting system does not meet the requirement that even the losers will believe that the result is correct. (Unless all losers happen to be better experts in math and cryptography than I am - which is EXTREMELY unlikely.)

An election system should be so simple and robust that the losers understand that they have honestly lost.

Criminals Influence USA Elections Scamming Google & Facebook • November 15, 2016 8:50 AM

Hi,
I’m a gullible moron and get my phony election news from advertisers:
https://www.buzzfeed.com/craigsilverman/how-macedonian-spammers-are-using-facebook-groups-to-feed-yo

Zuckerberg in Usual Denial – Secret Facebook group Formed!

'Despite Mr Zuckerberg’s denials, employees from across the company have secretly come together to try and tackle the issue, according to a report by Buzzfeed. 
“It’s not a crazy idea. What’s a crazy idea is for him to come out and dismiss it like that, when he knows, and those of us at the company know, that fake news ran wild on our platform during the entire campaign season,” one Facebook employee said.
The purpose of these fake news stories and images appears to be to influence political opinion – but many could be being created to make money instead.

More than 100 US political websites were found to be registered in one small town in Macedonia called Veles, according to Buzzfeed.'
http://www.independent.co.uk/news/business/news/facebook-fake-news-secret-task-force-employees-unit-donald-trump-us-elections-a7418066.html

uh, Mike • November 15, 2016 9:02 AM

Many junior sysadmins make basic mistakes of neglect, such as not maintaining or checking their backups, or inadequately securing a sensitive resource, like email. Then they find out why, and get discipline.

America is junior on the global scale. And we avoid learning from older, more experienced nations.

Get ready to learn by experience.

Big, Black Nemesis • November 15, 2016 9:12 AM

It does need to be registered as national infrastructure and treated as if the code is running on DoD networks.

Remember OPM. Here is the reality about OPM: a scapegoat was made, burned at the stake, and all sins forgiven. On the Chinese side, they claimed to have caught, arrested, and jailed the guilty. And, I am sure, did all so, while walking backwards with their eyes closed so as to not see any of the data...

The scapegoat system works, sure, for stupid instinctual sensibilities. But, the head of OPM was put there by somebody, and more agencies should have had a say. The system should have been audited and real controls and security needed to be put on it.

FYI, what the US has not pointed out is the DoD was hacked left and right, deep in, from Chinese hackers in all those years before the US finally got up and said, on the world stage, "China is hacking us". A good decade of silence while they played and lost counterintelligence games.

It was like Hanssen and Ames all over again, except on a much larger scale.

The same will happen with voting.

Voting fraud is historically massive in the US, and it should not be thought otherwise. We certainly did see Russia attempt to interfere with the US election. Not on the level they did with Ukrainian elections (google foreign affairs magazine).

But it is kind of a big deal they did.

If anyone disagrees with the historical problems of voter fraud in the US, start to do your research on Tammany Hall, for one, in the 19th century.

Nevermind massive voter fraud well documented in even the Presidential elections, at least since the Kennedy election. Certainly, massive voter fraud in Southern states.

And the very electoral college system is there, why? It was created as a bulwark for slaveholders.

That is a shame and embarrassment.


The US Gov does know how to run and secure networks. They wrote the books on the subject and strongly helped do so over these past decades. Nobody has been better at finding security vulnerabilities than the NSA and CIA DST. The NSA, especially, who have been securing code for a very long time, and are the leaders of code review. And DHS has been helping substantially, by funding critical projects, and running educational projects.


All of this needs to be done for the voting systems.

Excuses that the systems are secure because they are not modern is a shame.

That is the very worst form of "security by obscurity".

Mainframes, for instance, from the late 80s remain in usage around the world. In many fortune 500 companies. And while obscure, they are much more hackable than more modern systems, once attacks are known. Capabilities not easily open to lone wolf hackers, but very open to nation states. Further, if calculations are able to be performed en masse, then most certainly rigged votes can be performed en masse.


Finally, we need for government workers to be serious about not becoming biased for one party or the other. That is a severe danger. The Hatch Act needs to be strongly rewritten to avoid these sorts of problems.

The US Attorney and OPR need to look at the FBI's role in influencing this election, and prosecute, to head these matters off and make examples.


Dave Sill • November 15, 2016 9:18 AM

The election went smoothly and nobody suspects fraud, so there was no hacking?

Maybe the hacking went smoothly because nobody suspects it occurred.

Douglas Knight • November 15, 2016 9:32 AM

How can you assert with so much certainty that zero votes for one candidate reflects error, not malice? How about when Gore got negative votes?

Cultivating an Engaged Readership • November 15, 2016 9:52 AM

A proven record-profits-technique is to keep your products energized and emotional. Feed their passions and compel them to participate. Righteous anger or indignation are priceless traits to Cultivate.
‘Fair and Balanced’ Fox News used to be the best raking in advertising dollars but now (with the last election) social media is king.
Claim you are not a news source and play-act naive to both the public and to employees. Just as stock market pro's make money off market volatility, advertisers delight in continuously engaged targets.

thesaucymugwump • November 15, 2016 9:58 AM

Certain systems must not be on the Internet at all. China stole much of the F-35's technology largely for two reasons: Chinese nationals working for the motherland and military-industrial complex corporations networking different campuses together for their convenience. And we need to insert a stake in the heart of remote monitoring.

Big, Black Nemesis wrote: "The US Attorney and OPR need to look at the FBI's role in influencing this election, and prosecute, to head these matters off and make examples."

Any normal person with a security clearance who did even some of the things HRC did would have been arrested and prosecuted. Violations of a security clearance can often be prosecuted for neglect. You've never had a security clearance, have you?

Dave Sill wrote: "Oh yeah, add in the fact that none of the pollsters predicted a Trump victory..."

Most everyone I know, and most every stranger with whom I spoke, voted for Trump. I suspect the reverse is true for you. People told me how pollsters would call them, not to collect their opinions, but to bully them into voting for HRC. I'll bet many Trump voters bit their lip and waited for election day.

ab praeceptis • November 15, 2016 10:17 AM

thesaucymugwump

Yeah, them damn slit-eyed chinks! Couldn't they steal the stuff in the proper democratic way nsa, cia, and the war secretary stole whole countries wealth, oil, secrets, technology, business, etc?
But no, them damn chinks had to steal it old style. That's what one gets when some "rogue countries" don't learn the proper us-american way.

But they did at least one thing half-right. They spy on their citizens like the us-americans spy on everybody on this planet incl. their own citizens. That the chinks mainly spy only on their own citizen can be forgiven; after all they are an underdog in spying on their people and have much more to learn from nsa, cia, fbi.

Btw. them russkies are even worse. They do not steal their technology at all but they develop their own technology and laugh about the trillion $ problem called f-35. Evil russkies!

quixote • November 15, 2016 10:19 AM

It's a good point that for the losers to be convinced the election must be shown to be fair and accurate.

Like some of the other commenters here, I'm a bit boggled that modern polling could be so, presumably, wrong; that there could be so many indications of Russian contacts with a campaign plus some whiffs of hacking; and zero careful investigation by three-letter agencies of what exactly happened. The FBI involvement certainly looks, to this amateur, as more than truly weird ineptitude.

At least to this loser, that "shown" part isn't even on the map. So I'm curious about what I'm missing that makes Bruce so certain that there was no funny business. Serious question.

Hacker • November 15, 2016 11:20 AM

Big Black Nemesis is wrong in suggesting that the US Government has good enough procedures for handling the IT systems components of a paper ballot system. The gold standard to look at is the Nevada Gaming Commission and their procedures for gambling machines.

thesaucymugwump • November 15, 2016 12:25 PM

@ab praeceptis

I should know better than to post on the Reddit of security.

You seem really comfortable throwing racial epithets around. I deal in facts, not emotions. I could find many articles regarding espionage by Chinese nationals by searching on "chinese espionage" or something related to that.

And it's hardly just the U.S. I won't include URLs because Schneier has probably restricted that, but the following articles from Der Spiegel prove that China has stolen and continues to steal massive amounts of IP from the entire world:
- "Product Piracy Goes High-Tech: Nabbing Know-How in China"
- "Harmony and Ambition: China's Cut-Throat Railway Revolution"
- "Beijing's High-Tech Ambitions The Dangers of Germany's Dependence on China"

China also steals technology from Russia. The Diplomat's article "How China Plans to Use the Su-35" discusses that.

I could go on about China's labor camps and how it willingly returns escapees from North Korea because it views their imprisonment, torture, and execution as collateral damage to maintain China's buffer zone against the West. You won't read the below from my blog, but perhaps someone with an open mind might.

The UN Refugee Convention was originally drafted in 1951, with a 1967 Protocol. China signed both in 1982. China signed the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment in 1987. These treaties expressly forbid the deportation of refugees back to a country where they will be tortured, imprisoned, and executed, which is exactly what happens to North Koreans when they are returned to the DPRK. Both treaties were signed well after China replaced the ROC in the UN in 1971, so China cannot claim that it inherited conditions of which it was unaware.

notme • November 15, 2016 12:44 PM

National standards for e-voting security will ensure that all voting machines have the same vulnerability, so that a hacker can compromise all of them at once.

Ted • November 15, 2016 12:47 PM

Rep. Hank Johnson introduced two bills to Congress this September with the goal of protecting voting systems and election integrity.

“Election Infrastructure and Security Promotion Act of 2016” (H.R. 6073)
H.R. 6073 would require DHS to classify election systems as critical infrastructure. It would also call on the Election Assistance Commission (EAC) and NIST to develop election security and transparency standards. Additionally, it would authorize the National Science Foundation (NSF) and DARPA to establish programs for researching the improvement of the voting process.

“Election Integrity Act of 2016” (H.R. 6072)
H.R. 6072 would limit the purchase of new voting systems that do not provide paper ballots and would establish protocols when there is a voting system failure. The bill would prohibit voting systems that tabulate votes from being insecurely connected to the internet, would require paper ballots and the publications of poll tapes, and would enable manual audits with the results to be published, etc.

https://hankjohnson.house.gov/media-center/press-releases/rep-johnson-introduces-bills-protect-voting-systems-integrity-elections

Obvious Bullshit • November 15, 2016 12:49 PM

"We should declare our voting systems to be critical national infrastructure."

That's the dumbest thing I've ever heard.

Anura • November 15, 2016 1:11 PM

As we've seen, all it takes is to control the media and voter fraud doesn't matter.

The biggest threat to Democracy isn't voting machines, it's propaganda, it's refusing to report on stories that make your side look bad, and making news where there isn't any to make the opponent look bad. Now you've got a horrible person as a President, who has close ties to the head of one of the propaganda outlets that has been undermining democracy (who has a good chance of being the next white house press secretary).

The worst part about that is that we have validated the Republican party's horrible and disgustingly anti-Democratic tactics, from the voter suppression, to abuse of power, to straight-out lying to the American people. You think this is going to end? The party of fear has power, and they are going to exploit that to undermine democracy whenever possible.

Voter fraud is a stupid distraction, when Democracy has already been killed by a massive disinformation campaign - you can't truly have Democracy when the rich are controlling information the voters receive. Donald Trump has already shown his contempt for anyone who disagrees with him personally, and with his close ties to propagandists, we can expect the censorship and propaganda campaigns are going to be massive - the smear campaigns, abuse of the FBI to censor opponents, the disinformation, the flat out lies, the withheld information (if there is one thing we know about Donald Trump is that everything he says is a lie, and he is desperately trying to not reveal anything about himself) - unless we are vigilant and fight back starting today, it's only going to become more widespread.

When you elect people who hate democracy, lack empathy or concern for people other than themselves, and have shown concern for absolutely nothing but taking and keeping power, they will use whatever means at their disposal to hold on to it.

ab praeceptis • November 15, 2016 1:22 PM

thesaucymugwump

"throwing racial epithets around" - BS. That was sarcasm.

I did, as you seem to not have noticed that, not say that China doesn't steal technology. I just said that the "wonderful democracy" with their nsa, cia, and other agencies steals no less but rather more.

"China's labor camps" - just go ahead. But as we are just talking about issues like that, let's also talk about guantanamo and abu ghraib.

Again, my point isn't that China is a nice country but rather that compared to the united states it's indeed a very civilized, friendly, democratic, and honest country.

And no, that's not hatred against the us. It's just a clear hint at who should prefer to discreetly stay mute on matters like stealing, torturing, lawlessness, etc.

In case that helps to cool your emotions down: my own country is hardly better than the us or China.

Ross Snider • November 15, 2016 1:29 PM

We should simultaneously iterate to build trustworthy voting devices, iterate to build trustworthy voting institutions, and iterate to correct failings of US political system.

All of these things should be considered critical national security.

But - as invoking National Security usually does - it should not write a blank check to intelligence agencies to run amok fixing their control over the situation. Control != security.

We need to be very careful about iterating toward a civil society, slowly shrugging off the militarization of civic law that has crept over America since the late Cold War.

Clive Robinson • November 15, 2016 1:51 PM

@ [Jim] Hacker,

"The gold standard to look at is the Nevada Gaming Commission and their procedures for gambling machines."

Hmm that made me smile.

You are of course aware that their technical protections and the other evaluation systems have been beaten?

We know this from some who have beaten them but have been insufficiently cautious that they made others suspicious, thus giving their game away.

Anura • November 15, 2016 2:07 PM

@Clive Robinson

At least with elections, you can audit them pretty simply enough - if you have electronically printed and scanned paper ballots, with electronically transmitted results at both the printer and the scanner (which will differ, but by a fairly consistent margin), as well as separate hardware at the printing and scanning level that logs the raw data for every ballot scanned and printed on a tamper-evident storage device inside the machine, randomly select precincts to hand-count paper ballots after the election, and good exit poll procedures designed to detect election fraud, you can make it so that widespread fraud is easily detected. With good, secure design, code signing, and formal verification, you can make tampering difficult, and with the right procedures for auditing and securing machines you can make it effectively impossible to do on a large enough scale to matter.
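The random precinct hand count described in the comment above, as an added example that is not part of the original comment. It goes one step further than the comment by making the draw reproducible from a public seed; the seed, precinct names and tallies are constructed for illustration.

```python
import hashlib

# Constructed sample data: machine-reported tallies per precinct.
MACHINE = {
    "P1": {"A": 410, "B": 395},
    "P2": {"A": 288, "B": 301},
    "P3": {"A": 520, "B": 377},
    "P4": {"A": 199, "B": 240},
    "P5": {"A": 333, "B": 329},
}
# Constructed hand counts of the paper ballots. P3 disagrees badly with the
# machine, P5 is off by a single vote.
HAND = {
    "P1": {"A": 410, "B": 395},
    "P2": {"A": 288, "B": 301},
    "P3": {"A": 470, "B": 427},
    "P4": {"A": 199, "B": 240},
    "P5": {"A": 333, "B": 328},
}
# Assumption: the seed is produced in public (for example dice rolls) only
# after the machine tallies have been published, so nobody can know in
# advance which precincts will be hand-counted.
SEED = "constructed-public-seed-2016"


def draw_precincts(precinct_ids, seed, k):
    """Pick k precincts by ranking SHA-256(seed|id). Anyone holding the
    public seed and the precinct list can recompute the same draw."""
    def rank(pid):
        return hashlib.sha256(f"{seed}|{pid}".encode("utf-8")).hexdigest()
    # Ranking a set makes the result independent of the input order.
    return sorted(set(precinct_ids), key=rank)[:k]


def audit(machine, hand, selected, tolerance=0):
    """Compare hand counts with machine tallies for the selected precincts.

    Returns {precinct: {candidate: (machine, hand)}} for every difference
    larger than `tolerance` votes. A missing hand count is also a finding.
    """
    findings = {}
    for pid in selected:
        if pid not in hand:
            findings[pid] = {"*": ("reported", "no hand count")}
            continue
        diffs = {}
        for cand in sorted(set(machine[pid]) | set(hand[pid])):
            m = machine[pid].get(cand, 0)
            h = hand[pid].get(cand, 0)
            if abs(m - h) > tolerance:
                diffs[cand] = (m, h)
        if diffs:
            findings[pid] = diffs
    return findings


if __name__ == "__main__":
    chosen = draw_precincts(MACHINE, SEED, 2)
    print("hand-count these precincts:", chosen)
    print("findings:", audit(MACHINE, HAND, chosen))
```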

Earl Killian • November 15, 2016 2:36 PM

I would say there is one serious fraud allegation, but it doesn't involve hacking the vote, but rather deleting legitimate voters from the voting rolls by state election officials (an operation called crosscheck):
http://www.gregpalast.com/election-stolen-heres/
(according to Wikipedia, Greg Palast "is a New York Times-bestselling author and a freelance journalist for the BBC as well as the British newspaper The Guardian.")
The irony is that, if true, this is an evil act carried out in the name of securing the election.

herman • November 15, 2016 2:43 PM

Hmm, hacking the American elections does not even make a good movie plot. I think there are better things to worry about.

Streeter • November 15, 2016 2:48 PM

@herman,

Like what? The environment? How about housing? Or jobs? Maybe taxes huh?

Don't worry, when in washington you do as the rest of the washers do: you launder.

The Republicans are making the best out of an assisted victory, you know why they shifted to thinktanks AFTER the win right? ;-)

The trap laid bare.

Gerard van Vooren • November 15, 2016 3:24 PM

@ Mm,

"Our democracy is at stake. Because it's Super important to know whether the American people chose the guy who supports waterboarding or the lady who supports fucking heads of state up the ass with a bayonet."

Well, uh yes. But that's only the final choice. There have been choices before, many choices over multiple years. This is only the latest choice. Don't blame the candidates, blame the people. Like with war. Don't blame the politicians, blame the soldiers who show up to fight and kill and don't learn.

Anon Coward • November 15, 2016 3:51 PM

Sophisticated web analytics is going to make it easier to steal just the right number of votes in the right districts to avoid detection by exit polls. Nobody bothers to recount expected results.

We need a process that allows anyone to do their own recount:

(1) Voters fill out paper ballots.
(2) After polls close, poll supervisors videotape the paper ballots, the vote-total screen and a wristwatch as ballots move through the optical scanner. Scanners must include a camera mount or a tripod/copy stand will be needed.
(3) Checksum the video file.
(4) Upload the video file, the checksum, the file size, the run-time and all the vote totals to the internet.
(5) Publish the same file metadata and totals in the local physical newspaper of record.

Anyone who wants a recount can throw a pizza party to watch the video to see every ballot go by while the totals rise.

This guards against two types of ballot-printing fraud resulting from the assumption that all printed ballots are identical:
(1) After a run of legitimate ballots, malicious ballots include check boxes positioned outside of the expected scanner detection region. This creates a no-vote in one race.
(2) A portion of the paper ballots have Candidate A appearing in Column B and vice-versa to reduce an expected margin of victory.

Notice that I said videotape. This should be a separate camcorder, not a series of JPEG files created by the scanner or managed by the scanner software. Eventually, you'd hope for open-source software to fast-forward and extract perfectly-aligned snapshots of each ballot. It would be fun if the software could then sort those images based on the relative darkness of areas where mutually-exclusive check marks should appear in any particular race. You could then manually do a rough binary search through the ordered JPEGs to find the point where the weakest mark for one candidate is followed by unmarked ballots followed by the ballots with the weakest marks for the other candidate.

Kudos to blackboxvoting.org for their free eBook about voter fraud.
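Steps (3) to (5) of the procedure in the comment above, as an added example that is not part of the original comment. SHA-256 as the checksum, the one-line manifest format, the file name and the totals are assumptions made for illustration; the run-time is entered by the supervisor rather than read from the video.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time; recordings are large


def sha256_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(path, run_time_s, totals):
    """Collect what steps (3)-(5) publish: checksum, size, run-time, totals."""
    return {
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "size_bytes": os.path.getsize(path),
        "run_time_s": run_time_s,  # supplied by the poll supervisor
        "totals": dict(totals),
    }


def manifest_line(manifest):
    """Canonical one-line form, short enough to print in a newspaper."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"))


def verify_download(path, printed_line):
    """Check a downloaded copy against the line printed in the newspaper.
    Returns a list of problems; an empty list means the copy matches."""
    published = json.loads(printed_line)
    problems = []
    size = os.path.getsize(path)
    if size != published["size_bytes"]:
        problems.append(f"size {size} != published {published['size_bytes']}")
    if sha256_file(path) != published["sha256"]:
        problems.append("sha256 mismatch: not the published recording")
    return problems


def recount_differences(printed_line, my_totals):
    """Compare a viewer's own count with the published totals.
    Returns {candidate: (published, recounted)} for every disagreement."""
    published = json.loads(printed_line)["totals"]
    names = sorted(set(published) | set(my_totals))
    return {n: (published.get(n, 0), my_totals.get(n, 0))
            for n in names if published.get(n, 0) != my_totals.get(n, 0)}


def demo():
    """Run the workflow on a constructed stand-in file (not real video)."""
    with tempfile.TemporaryDirectory() as d:
        data = bytes(range(256)) * 4096  # 1 MiB of constructed content
        original = os.path.join(d, "precinct-12.mp4")
        with open(original, "wb") as f:
            f.write(data)
        printed = manifest_line(build_manifest(
            original, 5400, {"Candidate A": 412, "Candidate B": 388}))

        tampered = os.path.join(d, "tampered.mp4")
        with open(tampered, "wb") as f:
            f.write(data[:-1] + b"\x00")  # same size, last byte changed
        truncated = os.path.join(d, "truncated.mp4")
        with open(truncated, "wb") as f:
            f.write(data[:1000])  # upload cut short

        return (verify_download(original, printed),
                verify_download(tampered, printed),
                verify_download(truncated, printed),
                printed)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A matching checksum only shows that the downloaded file is the one the manifest describes; what ties the manifest to the precinct is its publication in the newspaper of record, as in step (5).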

Doug K • November 15, 2016 5:53 PM

There are questions about the voting machines. Since many by design do not have an audit trail, the only possible verification is against exit polls. The exit polls diverge from the vote count by margins that we haven't seen since 2000, which was the previous outlier. We know the voting machines were targeted in the months before the election, according to the FBI. It's not likely the hackers gave up.

See
http://washingtonmonthly.com/2016/11/14/the-great-skewing/

and also
https://twitter.com/wildwestleft/status/797525833061715968

JF • November 15, 2016 6:14 PM

Concern about the voting systems in the various states may be legitimate, but ignores a more immediate threat, which is the manipulation and subversion of political discourse and democracy itself via internet trolling and outright espionage.

I lost a little sleep last night while pondering the implications of reports such as the following, which, once you know what to look for are both numerous and credible.

http://www.businessinsider.com/russia-internet-trolls-and-donald-trump-2016-7

What are the implications of systematic trolling, and espionage culminating in selectively dumping intel favorable or unfavorable to one candidate (a la the Wikileaks DNC emails)? One can only imagine what kind of dirt the Russians have on Trump but choose to hold onto.

Is industrial scale disinformation capable of turning an election? In a close race, the answer is almost certainly yes, and we may have just seen one example. People were incredulous as Trump emerged victorious in the primaries time after time, and rightly so.

Would Trump supporters feel duped knowing that Russia was meddling in the US election? Or would they be indifferent?

Would US Intelligence even reveal they were aware an election was "rigged" by a foreign power, to use a term Trump was fond of? Such a revelation after the fact would create chaos, I think.

Precinct Auditor • November 15, 2016 6:16 PM

"To be very clear, this is not about voter fraud. The risks of ineligible people voting, or people voting twice, have been repeatedly shown to be virtually nonexistent, and "solutions" to this problem are largely voter-suppression measures. Election fraud, however, is both far more feasible and much more worrisome."

I used to volunteer as a voting precinct auditor: yes, people can and do vote fraudulently; the usual method is submitting absentee ballots. Little is done about it because there are no clear or satisfying remedies. Stop the presses and re-conduct the election? How do voters appeal a bad vote? How can anyone prove anything? When voting is made increasingly easy to do with no penalty or safeguards, humans are humans, and they will take advantage. And trust me, they do. Just because no one has made any real effort at finding and reporting the evidence doesn't mean it isn't happening. Both parties have unclean hands and so neither is all that motivated.

Requiring a valid state issued photo ID is not voter suppression, but voter eligibility confirmation. All arguments against such a requirement have been feeble at best. Anyone can get one for free in most states or for a token amount. All you need do is present proof you were born here (there are very few elders left who were born before state birth certificates were issued). You have to provide bona fides to drive or work here, one would think voting would and should have stricter standards than those two require.

Actual voter suppression consists of restricting access to the polls (short hours, physical impediments, intimidation), by issuing provisional ballots as a mollifier and then merely tossing them out because of a technicality (you did not register because you haven't voted in a while, you didn't bring a voter card with you).

Ensuring that election fraud doesn't happen is much easier to address and as you say, an ounce of prevention is far and away better than a pound of cure. But humans wait until it hurts before acting.

Earl Killian • November 15, 2016 6:31 PM

As for paper trails, consider this Palast snippet interviewing voting rights attorney Robert Fitrakis. The full transcript may be found at http://www.democracynow.org/2016/11/8/greg_palast_in_ohio_on_gop

GREG PALAST: In Ohio in 2004, the mismatch of exit polls and the machine count, that put George W. Bush back in the White House, raised questions of the integrity of Ohio’s voting machines. They had no paper ballots to allow an audit of the vote. But today, many new voting machines in Ohio have a built-in safety feature.

ROBERT FITRAKIS: Well, machines now can actually take a ballot image, in the sequence of every single one cast, to eliminate fraud if somebody tampers with the paper ballots.

GREG PALAST: There’s only one problem.

ROBERT FITRAKIS: They’ve decided to turn off the security.

GREG PALAST: Election law attorney Robert Fitrakis represents Republicans and Democrats. He just discovered that the photo image and audit protection functions have literally been shut off.

ROBERT FITRAKIS: So they bought state-of-the-art equipment and turned off the security.

GREG PALAST: We followed Fitrakis into state court in Columbus. He’s seeking to order the Republican secretary of state to turn on all the voter protections on the machines. We weren’t allowed to film, but Republican officials argued that it would require a massive effort to turn on the protection applications.

ROBERT FITRAKIS: It’s a drop-down box, just like on your computer. Do you want ballot images of every ballot cast? You would think yes. Same thing for the audit log.

GREG PALAST: The judge, a Republican appointee, disagreed. He ruled that the Republican officials could leave the machines unprotected.

Precinct Auditor • November 15, 2016 7:43 PM

@Earl Killian, got a link to the court ruling with the judge's findings? Some rulings are well-explained, some are not. Also, DemocracyNow is about as scrupulously objective as InfoWars. The assertion in the piece that the Republicans--the party started by abolitionists to counter the Democrat KKK Party--are trying to go back in time to remove blacks from the voter rolls is risible. Working the racism angle is profitable--cf Al Sharpton--but the claim that the racism that existed during Jefferson *still* exists, unchanged, is a bridge too far and defies logic. Really DemocracyNow? Even millennials are Jim Crow in their bones? America has evolved not one jot?

All humans are racist to some degree and the degrees change as you age. It is an equal opportunity flaw. I personally have experienced it from a co-bus riding commuter years ago in Los Angeles. He was black, I am not. He called me a chink.

In the words of Chief Justice John Roberts and I find no quibble with it, color will stop mattering when color stops mattering. As long as race is used by someone in some way, it still matters, for good *and* ill. I can't wait for us to stop using it for anything because clinging to it wastes a lot of time.

Mike Z. • November 15, 2016 7:45 PM

Mr. Schneier,

Wikileaks followers could really use your professional opinion:

1. People are reporting that the latest batch of Wikileaks insurance files don't seem to match the associated hashes as in all previous releases. Here are the files:

https://mobile.twitter.com/wikileaks/status/796085225394536448

A twitter post that appeared with hashes shortly thereafter has strangely disappeared.


2. People are reporting that Wikileaks has not authenticated itself via PGP since October 16.

3. Some people are claiming they've been banned from responding to Wikileaks' twitter account upon asking about these two previous matters.

Has Wikileaks been hijacked?

More here:

https://m.reddit.com/r/WikiLeaks/comments/5d132g/wikileaks_latest_insurance_files_dont_match/

missed_the_topic_completely • November 15, 2016 8:25 PM

"China has stolen and continues to steal massive amounts of IP from the entire world:"

And what happens when you can sue someone for "having an idea." Moribund economic growth in a rentier state.

What happens to borrowers in a marketplace? The best ones do okay. The rest fail. "Stealing ideas" is the crux of innovation.


The Republicans are too busy chasing away voters in many States to try to hack dozens of different precinct polling machines.

btwìxanîf&stôn • November 15, 2016 9:47 PM

@Anura

Somewhere back there, you had presented a decent stopgap to the current woes of democracy. Know what I'm talking about? Neither do I, nor do the rest of us...

Fear of the other may work best now!

Chad • November 15, 2016 10:04 PM

Lots of great ideas!

- optical-scan paper ballot machines that leave a paper trail

- add a display screen to these machines so voters can see what the machine is recording off their ballots as it scans them

- optical-scan machines must run open-source software so their security can be thoroughly audited for maximum security


Anything less than this will not meet Bruce's two stated purposes for holding an election. Picking a winner and verifying the winner.

Uncle Joe Stalin • November 15, 2016 10:08 PM

Mm..Kay,
Bruce forgot his meds again and we go through another "Foreign election hack" column with war rooms and blah blah blah.

Jeez Louise.

We all know most of the problems in manipulating an election:

--Absentee ballot fraud (well documented)

--Lack of paper ballots with new-fangled compu-vote crap systems (well documented for 16 years.)

--Suppress vote by Republican Sec of State/Counties removing mostly Democrats from voter lists (Palast documents this every election since 2000, this year he claims ~1.3 million voters struck from lists in contested states.)

--Suppress vote by barring felons in the highest incarcerated population in the world.

--"Provisional Ballots" instead of counted ballots (many years documented)

--Then all the rest of suppression like few machines in precinct, moving precincts, few precincts for 10s of thousands of voters so they leave, short voting hours, etc. (200 years documented)

All the above is part of our lovely elaborate election system and no one fixes it cuz we have so much fun cheating each other among ourselves.

What isn't documented and hasn't happened is Boris, Natasha and the Gang of Four somehow "hacking" the election with ill-defined "propaganda" (like art we will know it when we see it) or actually getting into 3144 county run elections (plus some cities) to somehow change the totals without getting caught. Kind of like what we do in most of the countries we crush under our boot heel.

Well I don't see the Russian Spetsnaz or the Red Army in my town, but I do see Bruce selling some magic beans to a bunch of rubes for a lot of Homeland Security bucks.

Clive Robinson • November 16, 2016 12:15 AM

@ Anura,

At least with elections, you can audit them pretty simply enough.

The problem is not really that you can audit them, but the audit process has a significant margin of error when compared to exit polls and other cross checking, because people can either decline to answer or lie.

Further as has been seen in the past with Florida under JEB all manner of tricks can be used prior to the election to deny people votes, which people tend not to talk about because it can be portrayed as "just a few percent at most".

But that "few percent" really matters when you have "First Past The Post Elections". If you think about it logically in first past the post voting only one vote counts. The closer the campaigns run the harder it is for people to choose thus you would expect a very near equal result, and near equal votes produce the most accusations of "vote rigging". They also make detecting rigged votes very difficult as the difference approaches that "single vote" statistical methods will just not work to give a reliable answer. Especially as propaganda becomes more and more effective, especially negative propaganda as it gets closer to the actual day of voting.

One way to partly solve this and also as a side effect open up elections is "Proportional Representation" (PR) unlike first past the post which is "winner takes all" each party gets a share of power based on the number of votes they get.

However although PR might solve some problems it creates others to the point it can confuse voters, or encourage tactical voting.

I'm by no means certain what method of voting for a representative is best, which is why I would prefer getting rid of "representative democracy" and replacing it with actual democracy where people vote on substantive issues.

However that again has problems as the UK Brexit showed. It was a first past the post vote of "in or out" and most in the UK would agree not just that a bad campaign was run by most interested parties, but also that the US via President Obama significantly interfered with the process (much more so than the US claim that Russia has with their election).

The only thing that is really clear from both Brexit and US Presidential voting is that the population in general is very very dissatisfied with not just the process but more importantly the politicians and would cheerfully stick quite a few of them up against a wall or hang them by their feet etc which historically has been the fate of monarchs, dictators, tyrants and politicians on the take, when they have allowed their behaviour to become sufficiently objectionable to the citizens.

Anura • November 16, 2016 1:04 AM

@Clive Robinson

Exit polls aren't perfect, but with enough samples and well-structured polls, they can limit the effectiveness of fraud by forcing you into those margins, while secure design and auditing of voting machines, as well as various procedures can make widespread tampering next to impossible. To detect election fraud through exit polls, you need questions and methodologies designed for it (most media exit polls are not designed to detect fraud), which requires detailed demographic breakdowns observed by exit pollsters, and procedures and strategic planning so you can poll as many people as possible from as many different areas. Now, take those polls, correlate with demographic information from voter rolls, and you can detect any significant tampering on a local level by observing anomalies.

Having paper ballots that voters can read and are asked to verify before placing in the scanner helps a lot as well, especially when combined with multiple electronic backup stores from different sources. Combining all of that with random hand counts makes widespread tampering with the ballot scanners difficult, and then doing the best you can to secure and audit individual machines can seriously limit the ability to tamper with elections undetected. It's not just about one thing, it's about everything.

ab praeceptis • November 16, 2016 1:42 AM

Earl Killian

Even I heard a thing or two about the election make shift state of ohio. So it sounds like the allegations are true, and solid, and annihilating.

But then, maybe not. If I got that right the usa is a federation of states and those states make many of their laws. Maybe there is privacy law? Like in "The process of electing is one in which the individual citizen shall be unhampered, undisturbed, without any influence exerted upon him/her and in full privacy and confidentiality".

It wouldn't be the first time that something, anything provided features that can be activated or deactivated so as to meet local legislation.

I don't know much about the usa other than that astonishingly many there tend to answer the question "tell me a country that starts with a 'u'" either with "Hmmm, that's a tough one. Don't know." or with "Urope?", and I certainly don't know about state specifics beyond some funny things the whole world is laughing about, let alone about state legislation ...

... but it seems to me that "they turned off the cameras!!!!" does not necessarily prove that a major crime has been committed. Maybe (again, I don't know but it might be worth a look) maybe they just for a sudden and surprising change decided in ohio to respect the election laws and the constitution.

Btw. they have much bigger problems. The russkies are there and taking over the country. I have proof. As unbelievable as it may sound I happened to see both an employee at a gas station and someone working at a burger "restaurant" *without big fat flags on their shirt*!!! Unbelievable. Must be KGB officers.

Ratio • November 16, 2016 1:45 AM

@Gerard van Vooren,

Don't blame the candidates, blame the people. Like with war. Don't blame the politicians, blame the soldiers who show up to fight and kill and don't learn.

Soldiers fight and kill; it's part of their job description. What would you have them learn?

(Not that I'm really expecting a response from you. When the ideological platitudes and tales from Lalaland run out, you disappear as well: ICC, ICJ, and the rest; Corbyn's so-called facts.)

pete • November 16, 2016 6:44 AM

1: Create a Central Person Registry (CPR)
2: Give all citizens a unique ID-number
3: Require citizens to keep their address updated in said CPR
4: When election-time comes, send a "Voter Card" to ALL citizens of legal voting age
5: Use paper ballots. Computers can not be trusted PERIOD.
And Bruce KNOWS they can't be trusted.
6: Use Manual Counting
7: Let the citizens do the counting, not some private corporation, under control of representatives from the Home Office or whatever.

It works fine in Denmark, but I could imagine many Americans would not like to have a mandatory ID-number .. "Mark of the Beast" and all that hogwash..

If anyone has doubts about the results, they are welcome to re-count!

bc • November 16, 2016 8:59 AM

I do not find this essay persuasive. Please see guns and big data for an argument as to why I feel 'hacked' is the appropriate term to describe what happened in the US election. I have also posted a response to this essay. Love your work, Bruce Schneier. I always look to you for clarity on these issues, but I think sometimes you need to go a bit broader and deeper to explain the social context within which computer security functions.

Gerard van Vooren • November 16, 2016 9:27 AM

@ Ratio,

The only reason I kept the reply to myself is that I didn't (and don't) like your attitude.

Ratio • November 16, 2016 9:39 AM

@Gerard van Vooren,

What attitude is that? That I think facts actually matter? That ideology doesn't trump reality? Any hint?

Me • November 16, 2016 1:43 PM

Yup, I've said it many a time, if you 'need' voting machines (don't want to waste paper on a ballot?) the right way to do it is this:

1) Person goes into booth, selects candidates.
2) Machine prints out selections onto a 'receipt', candidates are encoded into a bar/box code, but also printed out in text.
3) Receipt is placed in ballot box (possibly auto scanning on the way in)

This means that the vote is verifiable at every step:
- Voter can check that the ballot has the proper votes written in text.
- Vote counts must match the number of ballots.
- Double checking is fast (re-scan all ballots).
- Bar/box code can be checked against text to ensure there are no shenanigans.
- Hand counts are also easy (if time consuming), if there is fraud suspected in the machine count.
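
The checks listed in the comment above, as an added example that is not part of the original comment or thread: a batch audit that compares each receipt's printed text with its machine-readable code, the ballot count with the poll book, and a text-based hand count with the machine's totals. The receipt layout, the `Contest=Choice;...` code encoding, and all names and figures are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample data. The "Contest=Choice;..." payload stands in for the
# bar/box code; that encoding is an assumption made for this example.
RECEIPTS = [
    {"id": 1, "text": "President: Alice\nSenator: Carol",
     "code": "President=Alice;Senator=Carol"},
    {"id": 2, "text": "President: Bob\nSenator: Carol",
     "code": "President=Bob;Senator=Carol"},
    # Printed text says Alice, machine-readable code says Bob.
    {"id": 3, "text": "President: Alice\nSenator: Dave",
     "code": "President=Bob;Senator=Dave"},
    {"id": 4, "text": "President: Alice\nSenator: Dave",
     "code": "President=Alice;Senator=Dave"},
]
VOTERS_CHECKED_IN = 5  # constructed poll-book count
MACHINE_TALLY = {      # constructed totals reported by the machine
    ("President", "Alice"): 2, ("President", "Bob"): 2,
    ("Senator", "Carol"): 2, ("Senator", "Dave"): 2,
}


def parse_pairs(raw, item_sep, kv_sep):
    """Split 'contest<kv_sep>choice' items into a dict, rejecting bad input."""
    votes = {}
    for item in raw.split(item_sep):
        contest, sep, choice = item.partition(kv_sep)
        contest, choice = contest.strip(), choice.strip()
        if not sep or not contest or not choice:
            raise ValueError(f"unreadable entry: {item!r}")
        if contest in votes:
            raise ValueError(f"contest listed twice: {contest!r}")
        votes[contest] = choice
    return votes


def tally(ballots):
    """Count (contest, choice) pairs over an iterable of parsed ballots."""
    counts = Counter()
    for votes in ballots:
        for contest, choice in votes.items():
            counts[(contest, choice)] += 1
    return counts


def audit(receipts, voters_checked_in, machine_tally):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Check: vote counts must match the number of ballots.
    if len(receipts) != voters_checked_in:
        findings.append(("count_mismatch", len(receipts), voters_checked_in))
    text_ballots = []
    for receipt in receipts:
        from_text = parse_pairs(receipt["text"], "\n", ":")
        from_code = parse_pairs(receipt["code"], ";", "=")
        text_ballots.append(from_text)
        # Check: the code must say the same thing as the text the voter read.
        if from_text != from_code:
            contests = sorted(c for c in set(from_text) | set(from_code)
                              if from_text.get(c) != from_code.get(c))
            findings.append(("code_text_mismatch", receipt["id"], contests))
    # Check: hand count (from the printed text) against the machine totals.
    hand = tally(text_ballots)
    for key in sorted(set(hand) | set(machine_tally)):
        reported = machine_tally.get(key, 0)
        if hand[key] != reported:
            findings.append(("tally_mismatch", key, reported, hand[key]))
    return findings


if __name__ == "__main__":
    for finding in audit(RECEIPTS, VOTERS_CHECKED_IN, MACHINE_TALLY):
        print(finding)
```

In the constructed batch, re-scanning the codes reproduces the machine's totals exactly, so only the code-against-text check and the hand count expose receipt 3.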

WhiskersInMenlo • November 16, 2016 3:29 PM

I agree but feel that the risk is larger than it appears.

The voter difference between Hillary and Donald is astoundingly small.
Twiddling any system to bias it one way or another but only by 1% would be difficult
to discover at a national level.

Audits of almost all ballot systems have a limitation based on issues of privacy.
Once cast privacy makes it difficult to verify because the identity of a valid voter
and the vote gets unlinked when cast.

The contents of a sealed tamper evident box are difficult to alter but a broken seal
could sway an election if the broken seals invalidate the ballots and the broken seals
break in heavy one way or another areas.
Florida, Pennsylvania and Michigan might be close enough to be targets for manipulation.
Predicting which state and precinct to manipulate is hard.

The difficulty of knowing what to fiddle with is one protection that might be a stronger
assurance than many that would risk loss of privacy.

The future: it will always be at risk by internal or external changes.
And I believe sub-percent near tie results may bend to some subtle external
action ignored or unknown today.

r • November 16, 2016 4:04 PM

No harder than the effort that was thrown into redistricting.

Likely less so if they're just skimming the pot.

TJ • November 16, 2016 4:18 PM

I've been waiting for somebody to solve the problem of memory corruption exploitation, xss, csrf, sql injection etc..

That way the software based election system will be secure and not just have some noob-sysop level policy stuff like jails and domain restrictions..

K15 • November 16, 2016 8:40 PM

Bruce, what kind of a response have you gotten from (current) govt, about this? And do those who had decided not to deem it critical infrastructure still think they decided right?

What else needs to be critical infrastructure, that isn't?

When people don't seem to be unduly concerned, what's the right inference to draw?

K15 • November 16, 2016 8:43 PM

Do we have a big enough sample size of high-stakes elections won "by a nose" by now, to see whether they break randomly?

TJ • November 17, 2016 3:29 AM

PROTIP: Don't have network engineers design your security especially if you're a ballot committee for a nation.. Use after free vulnerability? Wut dat?

Clive Robinson • November 17, 2016 4:01 AM

@ ALL,

With the discrepancy between voting and exit polls, don't read too much into them.

In effect the pollsters are doing something that is considered part of the illegal act of "buying votes" that is they are soliciting for gain how a voter cast their vote...

Some voters thus do not want to participate and others will deceive the pollster in some way to preserve the privacy of their vote.

You would naturally suspect that with a controversial candidate that this would be more pronounced. That is those that voted for XXX and not YYY may not wish it to be known that they voted for XXX, thus in effect kow-tow to what is seen as "social pressure" of voting for YYY.

In the UK we saw this behaviour fairly prominently with people predominantly saying they voted for remain, but vote count records showing leave...

It was the problem of knowing that leaving was mad, as was staying mad, the former on economic grounds the latter on political grounds. So in the end it turned into a "backlash vote" against the incumbent politicos. I suspect from what has been said about the US voting patterns that the same or similar has happened with the US presidential elections.

As can be seen post these events, people still will not say that "I voted for the madness we've brought down upon ourselves"...

Anura • November 17, 2016 8:34 AM

@Clive Robinson

Exit polls designed to detect fraud usually use secret ballots for that reason. They get more people participating and they are more likely to answer honestly.

False Premise Spotter • November 18, 2016 8:17 AM

>The risks of ineligible people voting, or people voting twice, have been repeatedly shown to be virtually nonexistent

Uh, really? [Citation Needed], big time.

Let's spend 10 seconds Google'ing:

http://www.thegatewaypundit.com/2016/10/pew-center-1-8-million-dead-people-voter-rolls-2-75-million-registered-two-states/

http://wjla.com/features/7-on-your-side/millions-of-voters-registered-in-multiple-states-including-abc7-reporter

I recall reading a story of a guy registered in 3 or 4 states. It's not hard, and you won't get caught.

If you think that doesn't qualify as a sizable relevant risk, then tell me again by how many votes Hillary lost.

Anura • November 18, 2016 11:30 AM

@False Premise Spotter

Registered is not the same as voted. The actual risks of people voting multiple times are pretty negligible; this is something easily detected by simply checking poll books. Really, the only thing you should take from that is that having individual states manage voter registration separately from each other is pretty stupid (the whole idea of having to register to vote is pretty stupid).

r • November 18, 2016 12:29 PM

False premise, while being registered in more than 1 state should be reasonably suspect it does not necessarily constitute fraud.

There's a lot of truckers out there who vote from the friendliest write-in-ballot supporting state, it's not fair to dismiss votes on the basis of suspicion if the only leg work one is going to do is from behind a desk.

Earl Killian • November 18, 2016 4:28 PM

@ Precinct Auditor
Your argument that the Republican party remains committed to its principles of 150 years ago is amusing. Most of that went out the window in 1968 with Richard Nixon's southern strategy.

You are critical of Democracy Now, but the source was Robert Fitrakis; DN was only a conduit for his claims that an important security feature was turned off, and I don't think that fact has been challenged. You seem to be inferring things that I did not say and responding to those.

I was actually posting this information in response to what Bruce wrote, viz. "But second, and equally important, they convince the loser--and all the supporters--that he or she lost. To achieve the first purpose, the voting system must be fair and accurate. To achieve the second one, it must be shown to be fair and accurate." It is a statement I agree with, and which I think was not honored by Ohio.

I don't know if election fraud occurred in Ohio as a result of the disabling of audit facilities, and my note should not be interpreted as a claim that such occurred. I do know that the principle that Bruce elucidated was violated.

La Raza • November 19, 2016 8:06 PM

Precinct Auditor said:

>You have to provide bona fides to drive or work here, one would think voting would and should have stricter standards than those two require.

I think we both know why the Democrats do not want universal voter ID laws. They can't win without the illegal alien vote and the fraudulent vote. They know it and we know it. It has nothing to do with "suppressing" black people because proposals have been made to provide voter ID cards FREE OF CHARGE. Still not good enough for them. They simply don't want voters to have to prove citizenship before voting.

Anselm • November 21, 2016 5:13 AM

The other side of that medal is that those people who don't already have a driver's licence and would thus be required to go for the “free voter ID” are likely to be poor and underprivileged folks who would probably vote Democrat. Once a voter ID requirement is established the Powers That Be, if they're Republican, can make it arbitrarily hard for people to obtain a free voter ID, e.g., by only issuing them from the free-voter-ID office in the state capital which is open on alternate Fridays from 6am to 6.15am.

Over here in Germany, everyone who is eligible to vote gets a card in the mail several weeks before an election, telling them where their voting location is etc. You need to bring that card to the polling station when you vote and show it to the election officials who will then check you off in the voter registry and give you a ballot. This works quite well. But then of course we have mandatory citizen registration so the election office knows who people are and where they live.

Doug • November 21, 2016 7:06 PM

@ Clive Robinson, "Some voters thus do not want to participate and others will deceive the pollster in some way to preserve the privacy of their vote."

The silent majority still won the election by a widest margin.

So, the problem isn't limited at the polls but also at the voting booths, where the majority didn't care to show, and no slices of free pizza is going to solve it.

Until then, we'll continue to live under our democracy.

isit • November 21, 2016 11:57 PM

@Doug

>So, the problem isn't limited at the polls but also at the voting booths, where the majority didn't care to show, and no slices of free pizza is going to solve it.

Did you accidentally leave out a comma between "no" and "slices"?

Free food at the polls might just give you the necessary majority to win. Alternatively, you could claim to offer free slices for the masses without really meaning it, but what's your plan for after everyone has realized that they've been had?

Nils • December 23, 2016 7:48 AM

I really like this essay, because it shows again how dependent our lives are on computers. They help us make our lives much easier but whenever big data needs to be handled there is always the risk that somebody hacks the system. In smaller dimensions, this can "only" hurt the company and result in financial problems but in bigger dimensions - as for this election - it can damage a whole democracy and - even worse - people's faith in it.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.