Securing Elections

Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems are failing, and we need to fix them.

Today, we conduct our elections on computers. Our registration lists are in computer databases. We vote on computerized voting machines. And our tabulation and reporting is done on computers. We do this for a lot of good reasons, but a side effect is that elections now have all the insecurities inherent in computers. The only way to reliably protect elections from both malice and accident is to use something that is not hackable or unreliable at scale; the best way to do that is to back up as much of the system as possible with paper.

Recently, there have been two graphic demonstrations of how bad our computerized voting system is. In 2007, the states of California and Ohio conducted audits of their electronic voting machines. Expert review teams found exploitable vulnerabilities in almost every component they examined. The researchers were able to undetectably alter vote tallies, erase audit logs, and load malware onto the systems. Some of their attacks could be implemented by a single individual with no greater access than a normal poll worker; others could be done remotely.

Last year, the Defcon hackers' conference sponsored a Voting Village. Organizers collected 25 pieces of voting equipment, including voting machines and electronic poll books. By the end of the weekend, conference attendees had found ways to compromise every piece of test equipment: to load malicious software, compromise vote tallies and audit logs, or cause equipment to fail.

It's important to understand that these were not well-funded nation-state attackers. These were not even academics who had been studying the problem for weeks. These were bored hackers, with no experience with voting machines, playing around between parties one weekend.

It shouldn't be any surprise that voting equipment, including voting machines, voter registration databases, and vote tabulation systems, is that hackable. They're computers -- often ancient computers running operating systems no longer supported by the manufacturers -- and they don't have any magical security technology that the rest of the industry isn't privy to. If anything, they're less secure than the computers we generally use, because their manufacturers hide any flaws behind the proprietary nature of their equipment.

We're not just worried about altering the vote. Sometimes causing widespread failures, or even just sowing mistrust in the system, is enough. And an election whose results are not trusted or believed is a failed election.

Voting systems have another requirement that makes security even harder to achieve: the requirement for a secret ballot. Because we have to securely separate the election-roll system that determines who can vote from the system that collects and tabulates the votes, we can't use the security systems available to banking and other high-value applications.

We can securely bank online, but can't securely vote online. If we could do away with anonymity -- if everyone could check that their vote was counted correctly -- then it would be easy to secure the vote. But that would lead to other problems. Before the US had the secret ballot, voter coercion and vote-buying were widespread.

We can't do away with anonymity, so we need to accept that our voting systems are insecure. We need an election system that is resilient to the threats. And for many parts of the system, that means paper.

Let's start with the voter rolls. We know they've already been targeted. In 2016, someone changed the party affiliation of hundreds of voters before the Republican primary. That's just one possibility. A well-executed attack that deletes, for example, one in five voters at random -- or changes their addresses -- would cause chaos on election day.

Yes, we need to shore up the security of these systems. We need better computer, network, and database security for the various state voter organizations. We also need to better secure the voter registration websites, with better design and better internet security. We need better security for the companies that build and sell all this equipment.

Multiple, unchangeable backups are essential. A record of every addition, deletion, and change needs to be stored on a separate system, on write-only media like a DVD. Copies of that DVD, or -- even better -- a paper printout of the voter rolls, should be available at every polling place on election day. We need to be ready for anything.
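As an added illustration (not part of the essay or any election office's software), here is one way to make that change record unchangeable in software before it is written to a DVD or printed: an append-only, hash-chained log whose head hash is the single value stored off-system on the write-once media or the paper printout. The names (`ChangeLog`, `verify`, `replay`), the record layout and the sample voters are all constructed for this example.

```python
import hashlib
import json

# Added example, not the essay's own procedure: an append-only, hash-chained
# log of voter-roll changes. Every addition, deletion or change becomes one
# record carrying the SHA-256 of the previous record, so the head hash (a
# single line that fits on the DVD label or the paper printout) commits to
# the whole history, and in-place edits to the live database are detectable.

GENESIS = "0" * 64  # hash "before" the first record


def _link_hash(prev_hash, entry):
    # Canonical JSON so an entry always hashes the same way, whatever key order.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class ChangeLog:
    """Append-only log; each record stores the hash linking it to its predecessor."""

    def __init__(self):
        self.records = []  # each: {"entry": {...}, "hash": "<hex>"}

    def append(self, op, voter_id, **fields):
        entry = {"seq": len(self.records), "op": op, "voter_id": voter_id, **fields}
        prev = self.head()
        self.records.append({"entry": entry, "hash": _link_hash(prev, entry)})
        return self.records[-1]["hash"]

    def head(self):
        # The value to burn to write-once media / print alongside the roll.
        return self.records[-1]["hash"] if self.records else GENESIS


def verify(records, expected_head):
    """Return -1 if the chain is intact and ends at expected_head; otherwise
    the index of the first record that does not verify (len(records) means
    every link checks but the head differs from the trusted copy)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["entry"].get("seq") != i or _link_hash(prev, rec["entry"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1 if prev == expected_head else len(records)


def replay(snapshot, records):
    """Rebuild the roll from a trusted snapshot plus the verified change log."""
    roll = {vid: dict(v) for vid, v in snapshot.items()}
    for rec in records:
        e = rec["entry"]
        if e["op"] == "add":
            roll[e["voter_id"]] = {k: e[k] for k in ("name", "address", "party")}
        elif e["op"] == "delete":
            roll.pop(e["voter_id"], None)
        elif e["op"] == "change":
            roll[e["voter_id"]][e["field"]] = e["new"]
    return roll


def demo():
    # Constructed sample data: no real voters.
    snapshot = {"V001": {"name": "A. Voter", "address": "1 Main St", "party": "IND"}}
    log = ChangeLog()
    log.append("add", "V002", name="B. Voter", address="2 Elm St", party="IND")
    log.append("change", "V001", field="address", old="1 Main St", new="9 Oak St")
    log.append("delete", "V002")
    head = log.head()  # stored off-system on write-once media

    intact = verify(log.records, head)               # -1: chain verifies
    roll = replay(snapshot, log.records)

    # Scenario 1: an in-place edit to one stored record (an address swap).
    edited = json.loads(json.dumps(log.records))
    edited[1]["entry"]["new"] = "123 Nowhere Rd"
    first_bad = verify(edited, head)                 # 1: first broken link

    # Scenario 2: the whole log is rewritten with consistent hashes but
    # different content; only the off-system copy of the head exposes it.
    rewritten = ChangeLog()
    rewritten.append("add", "V002", name="B. Voter", address="2 Elm St", party="IND")
    rewritten.append("change", "V001", field="address", old="1 Main St", new="123 Nowhere Rd")
    rewritten.append("delete", "V002")
    head_mismatch = verify(rewritten.records, head)  # 3 == len(records)
    return intact, roll, first_bad, head_mismatch
```

The second scenario is the one that matters for the essay's point: a chain stored only on the live system can be rewritten wholesale, so the head hash (or the full printout) has to live somewhere the database administrator cannot change, and the polling place compares against that copy.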

Next, the voting machines themselves. Security researchers agree that the gold standard is a voter-verified paper ballot. The easiest (and cheapest) way to achieve this is through optical-scan voting. Voters mark paper ballots by hand; they are fed into a machine and counted automatically. That paper ballot is saved, and serves as a final true record in a recount in case of problems. Touch-screen machines that print a paper ballot to drop in a ballot box can also work for voters with disabilities, as long as the ballot can be easily read and verified by the voter.

Finally, the tabulation and reporting systems. Here again we need more security in the process, but we must always use those paper ballots as checks on the computers. A manual, post-election, risk-limiting audit varies the number of ballots examined according to the margin of victory. Conducting this audit after every election, before the results are certified, gives us confidence that the election outcome is correct, even if the voting machines and tabulation computers have been tampered with. Additionally, we need better coordination and communications when incidents occur.
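The sentence about varying the number of ballots with the margin is the core of a risk-limiting audit, and it is easier to see in code. The block below is an added example, not part of the essay or of any state's procedure: it implements the BRAVO ballot-polling test (Lindeman, Stark and Yates, 2012) for a two-candidate contest. The function names, the constructed ballot box and the reported shares are assumptions for this illustration.

```python
import math
import random

# Added example, not from the essay: the BRAVO ballot-polling risk-limiting
# audit (Lindeman, Stark and Yates, 2012) for a two-candidate contest.
# Paper ballots are drawn at random and read by hand. Each ballot for the
# reported winner multiplies the evidence by s/0.5, each ballot for the
# loser by (1-s)/0.5, where s is the winner's reported share of the two-way
# vote. The audit stops when the evidence reaches 1/alpha; if it never does,
# the outcome is settled by a full hand count of the paper ballots.


def bravo_audit(sample, reported_winner_share, alpha):
    """Sequential test over an ordered sample of hand-read ballots:
    'W' = reported winner, 'L' = reported loser, anything else = neither.
    Returns (confirmed, ballots_examined)."""
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner must hold more than half of the two-way vote")
    threshold = 1.0 / alpha
    evidence = 1.0
    for examined, ballot in enumerate(sample, start=1):
        if ballot == "W":
            evidence *= reported_winner_share / 0.5
        elif ballot == "L":
            evidence *= (1.0 - reported_winner_share) / 0.5
        if evidence >= threshold:
            return True, examined  # reported outcome confirmed at risk limit alpha
    return False, len(sample)      # not confirmed: escalate to a full hand count


def min_sample_if_all_winner(reported_winner_share, alpha):
    """Fewest ballots that could possibly confirm (every one for the winner);
    shows directly how the workload grows as the margin shrinks."""
    return math.ceil(math.log(1.0 / alpha) / math.log(reported_winner_share / 0.5))


def simulate_audit(n_ballots, true_winner_share, reported_winner_share, alpha, seed=1):
    """Draw without replacement from a constructed ballot box whose true
    contents may differ from what the tabulator reported (a tampered
    tabulator changes the report, not the paper)."""
    n_w = round(n_ballots * true_winner_share)
    box = ["W"] * n_w + ["L"] * (n_ballots - n_w)
    random.Random(seed).shuffle(box)
    return bravo_audit(box, reported_winner_share, alpha)


def workload_by_margin(alpha=0.05):
    """Best-case sample size for several reported shares (constructed values)."""
    return {s: min_sample_if_all_winner(s, alpha) for s in (0.52, 0.55, 0.60, 0.70)}


if __name__ == "__main__":
    print("best-case ballots to examine by reported share:", workload_by_margin())
    # Honest report: the paper agrees with the tabulator.
    print("honest 60/40:", simulate_audit(10_000, 0.60, 0.60, 0.05))
    # Tabulator reports 60/40 but the paper ballots are really 40/60.
    print("tampered report:", simulate_audit(10_000, 0.40, 0.60, 0.05))
```

With a 5% risk limit, a 70/30 reported result can be confirmed after nine winner ballots in a row, a 52/48 result needs at least 77, and real samples (which contain loser ballots) run longer than these floors. When the paper disagrees with the report, the evidence drifts downward and the audit ends in the full hand count, which is what the essay means by paper ballots acting as a check on the computers. In practice the sample is drawn from a ballot manifest using a random seed generated in public so that no one can steer which ballots get examined.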

It's vital to agree on these procedures and policies before an election. Before the fact, when anyone can win and no one knows whose votes might be changed, it's easy to agree on strong security. But after the vote, someone is the presumptive winner -- and then everything changes. Half of the country wants the result to stand, and half wants it reversed. At that point, it's too late to agree on anything.

The politicians running in the election shouldn't have to argue their challenges in court. Getting elections right is in the interest of all citizens. Many countries have independent election commissions that are charged with conducting elections and ensuring their security. We don't do that in the US.

Instead, we have representatives from each of our two parties in the room, keeping an eye on each other. That provided acceptable security against 20th-century threats, but is totally inadequate to secure our elections in the 21st century. And the belief that the diversity of voting systems in the US provides a measure of security is a dangerous myth, because a few districts can be decisive and there are so few voting-machine vendors.

We can do better. In 2017, the Department of Homeland Security declared elections to be critical infrastructure, allowing the department to focus on securing them. On 23 March, Congress allocated $380m to states to upgrade election security.

These are good starts, but don't go nearly far enough. The constitution delegates elections to the states but allows Congress to "make or alter such Regulations". In 1845, Congress set a nationwide election day. Today, we need it to set uniform and strict election standards.

This essay originally appeared in the Guardian.

Posted on April 20, 2018 at 6:44 AM • 28 Comments

Comments

FRex • April 20, 2018 8:02 AM

The problem is that people so often are willing to argue with security experts or invent issues on this: "it's progress", "it strengthens democracy", "it's convenient", "just use blockchain" (this is increasingly the answer to every problem ever in some circles), "it works perfectly in Estonia", "it takes too long to count paper votes", "who cares how we vote, it's all rigged anyway" (the last one usually spoken by someone from the West who happens to hate the results of the last election in their country).

Mike Acker • April 20, 2018 8:09 AM

First and Foremost: use a mark-sense paper ballot

Second: AUDIT

after the election select (e.g.) 1% of precincts at random. AUDIT the tally, manually.

if the machine count does not check then the software maker PAYS for a total manual recount.

Product liability is the key to cleaning up the HOT MESS that is commercial electronics today.

Brian Hankins • April 20, 2018 9:56 AM

"A record of every addition, deletion, and change needs to be stored on a separate system, on write-only media like a DVD."

Just a nit -- probably want to store on write ONCE media. Historically, write-only media has proven troublesome as an audit trail. :)

Not sure • April 20, 2018 11:45 AM

What about vulnerabilities of scanning ballots? Threats from attacks on the OCR software and hardware - e.g. two independent OCR checks can be both compromised

Are there robust tests to validate the trustworthiness of OCR validation systems against threats from attacks on the OCR and data processing engines?

Xavier • April 20, 2018 11:53 AM

Maybe another issue is the massive number of simultaneous votes in the US

If I compare to my country (France), for any election day, we vote only on ONE subject each time, and (rarely) 2 (in that case, there are 2 ballot boxes with a color coded scheme for the voting envelopes)


This way, voting machines are not that useful, paper count is relatively easy (and if you have time you can volunteer to help)

There are some voting machines pushed by that industry lobbying, but it's not widely developed.


The US electoral system on the other hand seems to be designed to create issues (one fixed voting day, multiple ballots, same day registration...)

Chris • April 20, 2018 12:18 PM

If you accurately choose the winner, then the loser would already be convinced... I would argue that if the loser isn't convinced, then the burden is on the loser to show evidence.

More broadly, the arguments presented here ignore potentially larger issues - does each person eligible to vote vote only once? Is every voter actually eligible? I believe those issues are just as important.

I bring this up because "convincing the loser" is not simply a voting machine issue, or vote tampering issue.

Who? • April 20, 2018 12:35 PM

As I said lots of times in the last year the right way to alter elections (if there is a use for the word "right" in this context) is attacking the people not the technology itself. Attacking the voting machines is risky, as soon as the attack is discovered the President changes. Attacking people is safer, as the entire process has been designed to reflect people's wishes and it is exactly that, people's wishes, that is attacked.

Hmm • April 20, 2018 3:18 PM

@Xavier

That's an interesting thought which kind of ties in with Bruce's main thrust.

If we had an 'election week' in which to cast a physical vote, all of which was a massively audited and observed process with data visible/confirmed in the public milieu, that would seem to solve several problems. Poor people who have to work / traveling people / infirm / caregivers / military, etc, all would have more flexibility - and the eligible voters would each have a lot less of an excuse for not exercising their duly inherited rights. The 5-12 hour lines we've seen in some states would be mitigated entirely. People could perhaps pre-register their "vote intention" prior to the actual election day, and that verification history could be used to later verify vote-change attack patterns in realtime, should they occur. The entire process would be slowed down to a less frenzied, less "watch cable news for 3 days straight" and more serious and solemn affair.

(and throw in campaign finance reform, since I'm daydreaming)

The only issue is cost and the willingness to invest in such trued cogs of representative governance. It will cost money to be designed, vetted, audited, administrated properly. It's a lot in a lump sum up-front, billions probably done right - however, the detractors of investing in democratic "infrastructure" on the basis of that cost really have nothing to stand on anymore as Trillion dollar tax cuts for the wealthiest have directly become Trillion dollar deficit norms. What could be more fundamental than an accurate vote count, even (and especially) according to the most strident restrictive voting advocates?

Why must we rush something so important as if that helps it somehow?

Hmm • April 20, 2018 3:35 PM

Of course the other major consideration is who do we trust to design and vet such an endeavor?

There seems to be no single entity, we'd need a purpose-built coalition. This is the latent problem.

Trust.

justina.colmena • April 20, 2018 5:32 PM

Those foreign-influenced self-aggrandizing fraternizing ballot-counting thieves in law have banned guns and legalized marijuana.

We gave up our freedoms and our rights for drugs. We ain't gettin' any of that back, ever.

Too bad. Once a free country.

Sancho_P • April 20, 2018 6:09 PM

Hmm.
I think the main problem with voting is the candidates.
If there is the choice between inept characters still each one remains a bad choice.
I assume all candidates want the very best for the populace and are not stupid.
-> @ the system to get candidates there is the problem!

So my proposal:
Find better candidates and require a 2/3 majority to win.

Btw:
Why do we need anonymity with democratic voting?
Because we can not trust our powers?
That would be a very serious issue.

Heck • April 20, 2018 6:56 PM

@Sancho_P
"Why do we need anonymity with democratic voting?"

Because, without anonymity one group of thugs will form that harass people who "vote wrong"... and another group of thugs will form that promise money to people who "vote right"... (because, without anonymity, those groups of thugs can see/verify who everyone voted for) No amount of regulation or even prison sentences can prevent this fully, only removing the ability for it to happen can: i.e. foolproof anonymity! And we know this from history. It's actually happened. Yes, in this country. It was a mess.

Heck • April 20, 2018 7:51 PM

I mean, it's like saying, "why do we need computer security? don't you trust people? you got bigger problems if you can't trust people!"

Yeah, we do have bigger problems: namely, you can NOT trust people. It's as simple as that. Therefore we have to set up systems that work "well enough" even in a world where lots of people will do bad things if they can get away with it scott free (and sometimes even if they can't get away with it).

That's why computers are so bad, the fundamentals of everything was designed in an era where we forgot about this, and designed everything with the assumption that everything else could be trusted.... It's wrong. Stop trusting everything. Prepare for the worst, but hope for the best. You'll be much better off for it.

V • April 20, 2018 9:46 PM

The article doesn't mention mail-in ballots, the one form of voting that is more or less guaranteed to be fraudulent. The person in a household with the largest fists can vote for everyone living there, mail can be intercepted and replaced, bad guys can watch you vote/seal your ballot in the envelope/drop it in a public mailbox, etc, etc.

If you want fair elections try the following:

1) You must be at least this tall to vote -OR- show proof you are at least x years old.
2) You must dip your thumb in the purple dye to vote.
3) Anyone physically present at a polling station who passed 1 and 2 may vote. (Not a citizen? No problem! Do you pay sales tax when you buy stuff? Can you go to jail if you break laws? If so, you have a stake in the election.)

Voting is done with paper ballots / electronic counting may be used / random precincts get a hand recount after the fact / any interested party may watch & record the counting process.

Bennett • April 20, 2018 10:11 PM

This might be getting a little off topic, into "movie plot threat" territory...

How sure are we that optical media are "write-once"? Historically it was difficult to seek to specific angular positions, but then we got DiscT@2 and LightScribe which try to do exactly this (not likely accurate enough to overwrite bits, but why didn't anyone attack the position-based copy-protection schemes this way?).

There's a lot of redundancy on a disc (CIRC, EFM, and an upper Reed-Solomon layer—it's less than 30% "real" data). Though we can't "un-burn" a bit, we could perhaps burn more to cause an error and tweak the correction data to come out a certain way. There must be labs with lasers and positioning equipment accurate enough to do it.

Of course, it'd be much easier to just steal the disc and replace it outright. Or, blockchain! Don't know if that'll help the public, but if I say it often enough VCs will soon be throwing cash at me...

Alyer Babtu • April 21, 2018 12:26 PM

The wily ballot tamperer will of course see that the preferred outcome is obtained with the minimal biasing needed, so that the result is plausible. Can the audit methods detect this, are they sensitive enough? And the tamperers would also avoid certain districts and focus on others, perhaps playing a long game.

Sancho_P • April 21, 2018 1:05 PM

@Heck

Small correction: It is a mess. [- not only in “this” country]

So what you say is:
We can not trust the thugs, be it left, right, red, black, green, yellow, …
They’d sell and exploit the personal voting results for their own benefit against us,
the society:
Because we always vote for lobbied thugs.

And this is exactly why election security isn’t really important:
Uncontrolled capitalism has won the elections years ago.
Perfect voting machines / systems, even anonymity, won’t change that.

Denton Scratch • April 21, 2018 1:47 PM

So the way I read the article (and I think all the comments I've seen), it feels that the discussion seems to be about the technical problem of constructing a trustworthy voting system.

Well: I think that's all well and good, IFF you have an informed voting populace. If you don't, then voting doesn't mean much, and the design of the voting system is a distraction.

DS • April 21, 2018 4:25 PM

Bruce, you might be happy to know that all of your suggestions are already the method by which elections are run here in Wyoming. I am an election judge/official who serves in a voting place where two precincts vote together. Here's our methodology:

1. Mark-sense ballots. The candidate/issue is marked on the ballot, the voters mark the ballot and return it to the mark-sense machine, where it is counted and deposited in a secured (locked) container until after the polls close.

2. Ballots are controlled in locked boxes before they come to the polling place. One of our/my jobs as a judge is to pick up the ballots, the memory card for the mark-sense reader, etc either the morning of the election (which means I'm getting out of bed at about 0400), or the night before the election. These materials remain under election judge control the whole time they're en route to the polling places, in locked boxes, with only the head judge having the key. The boxes are also sealed with serial numbered seals that cannot be re-sealed.

3. As ballots are being handed out, we are keeping a strict cross-check on how many ballots the machines show as having been deposited vs. how many ballots we've handed out. The count is always, always expected to match. We will look at the machine's count vs. the number of voters currently voting and how many ballots we've tallied as having been handed out. One of our risk points is a voter who tries to take a ballot from the polling place without depositing it into the mark-sense machine. We stop people from removing ballots from the voting place.

4. All polling places have two lists of voters - the "unofficial" registration list (which we use for "quick" lookups for people asking "Where should I be voting?" - more than a few people show up to a polling location that isn't "their" polling location). Then there are the "official" voting registration/vote tally lists. If someone was mailed a ballot for absentee or mail-in voting, that is noted on the official lists, and if a ballot has been seen from them (in a sealed envelope) by close of business the day before election day, then that is noted on the registration list. This prevents someone from voting by mail and voting in person. These lists are maintained under strict election judge control. The official lists are also where we note whether someone claiming to be that voter has come in to vote that day; if they have, then this is how we prevent them from voting twice.

Disabled voters have a machine which will assist them in marking the same mark-sense ballot that everyone else uses. There is no difference in the ballots for the disabled, and their machine tallies no votes. Voted ballots of the disabled are read/counted just as every other ballot is.

5. At the end of the voting day, the polls are closed and now the election judges get to work. All the ballots are taken out of the mark-sense machines and we judges on-site count them. The number must match the tally on the mark-sense machine. If it doesn't, then we work like hell to find out why. It cannot be "close enough." We require judges to ensure the tally & physical ballots match exactly - or explain why they don't. We do not get to leave the polling place until the tallies match - or we have an explanation.

6. When the head judge and at least three other judges have verified that the tally matches, then the voted ballots are put into a locking metal box, along with the memory card(s) from the mark-sense scanning machine, the "official" registration lists and the vote certification records, signed by at least four election judges there at the precinct. There is no question who was responsible for the ballots coming from that election place. Then the box is locked and sealed with a tamper-proof, serial-numbered seal. All the unvoted ballots, the unofficial registration lists, etc. are similarly locked up in another box, under seal. The unvoted ballots are also counted, and the total of voted+unvoted+spoiled ballots must equal the total number of ballots sent out to the precinct that morning or the night before by the election office.

7. In our county, sworn members of the election office come out to the polling places within the city to pick up the election materials by 2100 after the polls have closed. In our outlying areas, sheriff's deputies (with badges, guns, etc) come out to pick up the election materials. Outlying areas in Wyoming could be a couple hours away from the election office.

8. After the election materials are returned to the main election office at the county seat, then the sworn election officers work on counting the absentee, early and mail-in ballots in a similar manner - using the mark-sense machines as we did in the live, in-person voting. Their counts must match, just as ours did.

9. After the election has been preliminarily certified, the election office staff go back again, through ALL the election materials, and hand-count everything. This might take a week or more to go through all the ballots in the county. After this checks out, the entire election's materials are put into a fire-proof safe in document boxes, sealed with tamper-proof seals, and that's that.

Paper ballots work. They work for us, we're able to comply with the federal election laws, and we're able to maintain a verifiable election with some work, but we all believe it is worth it. Election judges are paid a couple hundred dollars for their efforts, but that's being trimmed back - this year, the election office can no longer buy us lunch, so I guess we're going to brown-bag it. On election day, the judges are typically out of bed at 0500, down to the polling place by 0630, the doors open at 0700, and remain open until 1900. Most elections, the ballots are in the deputy's car by 2015, and we get out the door by 2030 to 2040 or so.

Ross Snider • April 21, 2018 4:36 PM

The biggest issues in election / democracy security are:

1. Republican/Democratic Party capture of the government. These parties have engineered the election commission so that it is not really possible to run as any other political party - or as independent.

2. Private / industrial capture of political parties. The board members to the only available political parties are from a very narrow demographic and their control of political parties represents a huge security compromise for democracy.

3. Gerrymandering, superdelegates, hom-estating and other hacking techniques for the political system.

4. Political advertizing, including by capture of the primary national news syndication outlets of the country. The other half of this is political surveillance, which is legally incorporated.

5. State capture by lobbyists, revolving doors, and privatized industries. These entities that hold significant power over otherwise democratic functions and institutions.

6. Lack of opportunity for majorities to change real outcomes, areas of the political arena which are not available to vote (domestic surveillance / national security / foreign policy), and a weak American political culture that discourages civil discourse, voting attendance, local involvement, unions, etc.

We could have the strongest electronic voting machines or paper ballots in the world and still fail to secure democracy given the sum of the threats above.

VW under the hood • April 21, 2018 4:44 PM

Don't worry, the stealth engineers from the VW emissions scandal are taking invisible election tampering as their next challenge

Uses AI to distinguish between actual election scenarios from auditing scenarios and act accordingly.

Alyer Babtu • April 21, 2018 8:34 PM

@Ross Snider

Some “pre-commentary” on your remarks, showing the problems are at least 100 years old:

On the rich in politics, G. K. Chesterton, Orthodoxy, 1908 - “You will hear everlastingly, in all discussions about newspapers, companies, aristocracies, or party politics, this argument that the rich man cannot be bribed. The fact is, of course, that the rich man is bribed; he has been bribed already. That is why he is a rich man.”

On the main problem of the party system, that it is really a single party, H. Belloc and C. Chesterton, The Party System, 1911 - “ ... something alien has intervened between electors and elected, between legislature and Executive, something that deflects the working of representative institutions.

That thing is the Party System.

A method of government has grown up in our country under which the representatives of the people are divided into two camps which are supposed to represent certain broad divergences of opinion. Between these two the choice of the election lies, and the side which secures the largest measure of support forms a Government, the minority undertaking the work of opposition.
...
The House of Commons had ceased to be an instrument of government. To whom, then, has the power of the House of Commons passed? It has passed to a political committee for which no official name exists (for it works in secret), but which may be roughly called "The Front Benches." This committee is not elected by vote, or by acclamation, or even by general consent. Its members do not owe their position either to the will of the House or the will of the people. It is selected—mainly from among the rich politicians and their dependents by a process of sheer and unchecked co-option. It forms in reality a single body, and acts, when its interests or its power are at stake, as one man. No difference of economic interest or of political principle any longer exists among its members to form the basis of a rational line of party division. Nevertheless, the party division continues.”

Ratio • April 21, 2018 11:15 PM

@Sancho_P,

So what you say is: [...]

No, that is not what @Heck is saying. (On a crucial point it’s the exact opposite!)

Security Sam • April 22, 2018 9:31 AM

In a state of representative democracy
The best you going to get is mediocricy
For even though you elect a candidate
The winner fails to follow the mandate.

Ollie Jones • April 23, 2018 6:29 AM

We recently had a fiercely contested election for mayor in my city. We use marksense paper ballots, printed election rolls with checkboxes by them, and we allow any citizen access to watch the polls. To obtain a ballot, each voter is required to speak her name and address audibly (or have someone do it for her if she can't). She's required to do that again when putting the ballot into the counting machine.

This process is overseen by our professional city clerk and conducted by poll workers (this being New England, we call them "tellers") paid a fair stipend.

At the conclusion of our recent vote tallying, the city clerk gave a personal interview to reporters and citizens waiting, in which he said "this result is conclusive."

My point: even with decent choices of vote-gathering equipment there's a LOT riding on the credibility of the PEOPLE conducting elections. If our town clerk were not well-known for doing his job correctly according to law and ethics, our elections might fail even with our high-quality process.

Yes, the naively implemented old voting tech from right after the "hanging chad" era needs to be junked. But it's not enough.

Peter • April 25, 2018 10:02 AM

No, I don't vote on computerized voting-machines and my paper-ballot is hand-counted. But then, I'm from Denmark and our elections are not The Superbowl or a pissing-contest, we elect 179 members of Parliament.
And No, we do not elect some quasi-dictator who sits on top of everything and can act like a French king. But then neither do Americans... Elect him, that is.

Computerized voting ? Might as well move to China.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.