Next month, U.S. citizens get to exercise their right to vote. But how can they know that their votes are truly counted? It is hard to forget Florida’s infamous hanging chads and butterfly ballots from the highly contested 2000 U.S. Presidential election. The controversy worked itself all the way up to the U.S. Supreme Court and resulted in unprecedented levels of attention to the nation’s varied voting methods.
Less well-remembered is Florida’s Congressional District 13 recount in Sarasota County in 2006. In that race, more than 18,000 votes went uncounted due to electronic voting errors. That’s just one example of how an approach that was supposed to solve the problems of 2000 led to problems of its own, such as technical vulnerabilities. It even perpetuated older problems, such as confusing ballot formats, which may have been behind those uncounted Sarasota votes.
The integrity of the voting system is integral to the health of a democracy and must be protected. But achieving that goal is not easy, as voting authorities struggling with various solutions have learned since the high-profile problems of 2000.
To address the voting problems that created such havoc in the Bush-Gore Presidential election, the Help America Vote Act (HAVA) was passed by Congress in 2002. HAVA provided federal funding for states to upgrade their voting systems in a way that would minimize the potential for a repeat of the dimpled chad fiasco. It also directed states to facilitate voting for the disabled.
The push for systems that both clearly recorded votes and accommodated the disabled contributed to the rise in popularity of electronic voting with what are called direct recording electronic (DRE) voting machines. By 2004, nearly 30 percent of registered voters were voting on electronic machines, according to USA Today.
But it soon became clear that DRE machines created as many problems as they solved. In addition to what occurred in Sarasota, there have been numerous instances of votes not being counted and of software bugs disrupting elections.
There is one way in which the electronic voting machine problems are even worse than the older machines, says Donald Moynihan, professor of public affairs at the University of Wisconsin, Madison, who has conducted voting machine studies. “At least with older voting technologies, you can usually tell if something’s gone wrong and try to figure out the extent of the problem,” he says, “whereas with the [new electronic] voting machines, it wasn’t always going to be apparent if something failed.” Worse, “if failure did occur, these systems failed completely, so you could lose, for example, a set of votes from an entire precinct.”
There is also a greater potential for sabotage via a cyberattack. To mitigate that exposure, many jurisdictions state that their DRE machines will never be hooked up to the Internet or a network, which would cut down on the risk of hacking from outsiders or the spread of malware and cyberattacks.
But that no-networking policy does not remove the threat of someone being able to physically alter the votes by breaking into the machines. The Vulnerability Assessment Team (VAT) at Argonne National Laboratory recently demonstrated that physical attacks can be just as effective as cyberattacks and harder to prevent, says Roger Johnston, VAT head, who worked on the example attacks.
What Johnston and a team of researchers did was devise an attack that required physical access to an electronic voting machine (in the most recent case, they attacked a Diebold system). Once physical access was attained, the attackers could manipulate the machine.
Johnston and his fellow researchers conducted what is known as a “man in the middle” attack, in which attackers broke into the machine and infiltrated it with a cheap and easily available microprocessor that could be remotely controlled. The attack required less than $30 in off-the-shelf parts and did not require high-level computer expertise.
“The point that we were trying to make was that, unfortunately, cyber is not the only issue. We have lots of other issues in particular involving physical intrusion or tampering and electronic intrusion or tampering, thus indicating particularly the need for good insider-threat mitigation,” says Johnston.
Johnston notes that machines are often left unattended, so there are plenty of opportunities for insiders or even outsiders to access the machines. What’s more, he says, the machines are vulnerable at a variety of times—throughout the delivery process and even while they are waiting to be used.
The voting machine companies have locks on the machines, but they “tend to use about the cheapest lock they can get,” Johnston says. In Johnston’s study, the researchers were not adept at picking locks, and they still had no trouble picking the machines’ locks in 30 seconds or less. It is clear that a skilled lock-picker could do it in two seconds, Johnston says. He adds, “it’s often the case that a single key opens all of the voting machines, at least maybe in one polling station or sometimes in a whole election jurisdiction, because they don’t want to wrestle with the whole key-control issue,” such as having to keep track of several different keys per polling site.
Johnston says that while it would just take an extra dollar or two to provide a better lock, the change in mind-set would be more difficult to achieve. Taking such steps would require more thinking from the vendors on security and about what the lock should do. He adds that it is unlikely vendors would change something like that unless the states and jurisdictions buying the machines demanded better security.
Localities needed a way to ensure that votes would be recorded or that attempts to alter the output could be easily detected. Rebecca Mercuri, a respected electronic voting expert, suggested the use of what she called a voter-verified paper audit trail (VVPAT). With VVPAT, voters see a paper printout of their electronic selections before the votes are recorded. They can then verify that the designations are accurate and place the vote. If they don’t see an accurate reflection of their intended vote, they can immediately alert a polling station operative to the problem. This also provides a paper record of the vote for later reference in case something goes wrong with the vote counting or there is a contested or close election.
Many earlier DRE models did not provide for paper records of the votes that were placed. As this concept caught on, new DRE machines came out that were designed to provide paper trails; in some cases, printers and machines were retrofitted with the ability to produce a paper trail on older machines.
Eventually, however, voting experts concluded that VVPAT did not solve the problem. For starters, just as the electronic machines could be hacked and votes could be changed, the VVPAT printer could be hacked so that it would print out a different vote from what the machine recorded as placed. Additionally, many of the votes were being printed out on connected spools of paper, which were difficult to audit. The printers also created hassles for voters. Mercuri has since stated on her Web site that due to the problems with the implementation and deployment of the machines and the troubles using VVPATs in recounts, she is now opposed to the use of such systems.
Avi Rubin, a computer science professor at Johns Hopkins University who has been called upon by the government to testify on the topic of electronic voting security, supported the use of VVPAT with DRE machines in 2003, but changed his mind as well, as he told Congress in testimony on the topic in 2007.
Back to the future. Ironically, the consensus seems to be that the solution may be to move back toward a paper ballot, but with some technological twists. Mercuri is among those now supporting the use of paper ballots (which can be marked using special machines for the disabled, if necessary).
Rubin concurs, stating on his blog: “The only system that I know of that achieves software independence as defined by NIST, is economically viable, and readily available is paper ballots with ballot marking machines for accessibility and precinct optical scanners for counting—coupled with random audits. That is how we should be conducting elections in the U.S.”
David Jefferson, computer scientist at the Lawrence Livermore Laboratory and chairman of Verified Voting, a nonpartisan secure voting nonprofit organization, says DRE machines are reaching the end of their life spans in many jurisdictions, and it’s unlikely that they’ll be replaced with newer DRE machines.
“There has been a lot of tightening of standards but the most serious problems are as serious as they ever were,” he says. Jefferson says that new DREs are not being designed or certified. According to Verified Voting statistics, four states still have completely paperless voting but have enacted laws to end the use of DRE machines. These electronic machines that once appeared the natural next step in voting could someday join the lever voting machines as relics of the past.
About 33 states now require paper records of voting, according to Verified Voting. Typically, paper ballots are counted by optical scanner machines. The paper records are then stored in case of a recount.
“The paper ballots, which are marked by the voter and checked by the voter, they are the final record of what the voters intended,” says Jefferson.
“I think this might be one area where in terms of the technology, simpler is better. To my knowledge there hasn’t been an improved technological approach that would eliminate all of the security concerns,” says Moynihan.
Optical scan issues. The combination of a paper ballot and an optical scanner also tends to be a cheaper solution than fully electronic voting machines. However, the scanners can be less convenient than DRE machines. Someone will have to look at the ballot and fill it out. This often provides less versatility than DRE machines, which can be programmed to be read in different languages, for example, and have their fonts adjusted.
And optical scanners are not immune to security challenges. They have been hacked as well. Johnston says he’s sure his team can pull off the same man-in-the-middle attack on optical scanner machines that was so successful on DRE machines. The critical difference is that, with optical scanners, the paper ballot creates a paper trail.
Five years ago, New Hampshire, which uses both hand counting and optical scanning machines, conducted a study of optical scanning machines to determine vulnerabilities and adopt safer procedures. One issue they discovered was that there “were certain ports in those machines that modems could be attached to,” says David Scanlan, New Hampshire deputy secretary of state. “So we physically disabled those ports…. And it just takes away that opportunity if it did exist, to be able to remotely get into those machines.”
Another way that New Hampshire attempts to keep things simple is to never hook the machines up to any network or central tabulation system. While central tabulation might be quicker, it opens the vote count up to more vulnerability.
Several other safeguards were adopted as well, according to Scanlan. One is to test the scanner memory cards after they have been programmed to see if they are tallying votes correctly; another is to seal the cards with tamper-evident seals so that it will be apparent if someone tampers with the memory card before the election. Town clerks are responsible for keeping logs on when the machines are sealed.
Imperfect ballots. It must be noted that there are other problems with paper ballots. Ballot format is still left up to the states, even in federal elections, says Jefferson. And while the butterfly ballots and punch cards that caused so much trouble have disappeared since the 2000 election, Jefferson says concerns remain with ballot design.
“There are still misleading ballot formats on printed paper ballots or on the screens of electronic voting machines. The human interface to paper and electronic voting systems has not been given much serious attention, and there have been recent horror stories as bad as those of the butterfly ballot (although no presidential election hung in the balance),” he says.
Many, including Jefferson, have written studies stating that poor ballot design likely leads to confusion and undercounting of votes. This can happen even in electronic voting, as was the case in the 2006 Sarasota congressional election.
Auditing. Pamela Smith, president of Verified Voting, says one of the major improvements in voting over the last four years is that more states are doing postelection audits. To be able to do an audit, there has to be a paper trail, however. To that end, several states passed laws that require them to get voter-marked paper ballot systems. Others stipulate that the states can no longer buy paperless touchscreen voting machines when the time comes to replace their current systems. “They can only replace them with a voter-marked paper ballot system,” says Smith.
Auditing can be a challenge even with paper records, however. “In particular, when you have an electronic count, there is not usually an easy way to take a random electronic ballot and then find the corresponding paper ballot,” says Jefferson. It would help if the systems were modified to make that step easier, he says.
Verified Voting wants states to start using risk-limiting audits. This involves using a specific statistical approach developed by University of California-Berkeley statistics professor Philip B. Stark to calculate how many ballots (or how many precincts’ worth of ballots) must be recounted to give a reasonable assurance that the election is accurate, says Smith. The process has been endorsed by numerous academics and voting officials. It is an alternative to just taking a look at a flat percentage of voting systems or precincts or doing a full manual recount.
Stark says the approach provides a way to be confident that, even if there are errors, the contest has been decided the right way. And if not, the audit can correct that. It works like this: as you count ballots by hand, you start to gather evidence about the outcome. “And when you have really strong evidence that the outcome is right, you stop counting. If you never get strong evidence that the outcome is right, you keep counting until you’ve counted everything,” says Stark. So, you could have to count all the votes by hand, but often, you’ll have to count far fewer if you find that you have a very low margin of error. Stark says evidence is accumulated until the evidence is strong enough, or everything is counted.
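The stop-or-keep-counting rule Stark describes can be illustrated with a sequential test. The sketch below is an added example, not code from the article or from Stark: it uses a Wald sequential probability ratio test in the style of ballot-polling audits, and it is not claimed to be the exact procedure the article refers to. It assumes a two-candidate contest in which every paper ballot is a valid vote; the function names and the sample contest are constructed for illustration.

```python
import random
from collections import Counter


def ballots_to_confirm(sample, winner, reported_share, risk_limit=0.05):
    """Wald sequential test over hand-read ballots, in the order drawn.

    Returns how many ballots had been examined when the evidence reached
    1/risk_limit, or None if the sample ran out before that happened.
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported winner share must be between 0.5 and 1")
    evidence = 1.0
    for n, vote in enumerate(sample, start=1):
        # Likelihood ratio: the reported share versus an exact tie.
        if vote == winner:
            evidence *= reported_share / 0.5
        else:
            evidence *= (1.0 - reported_share) / 0.5
        if evidence >= 1.0 / risk_limit:
            return n  # strong evidence the reported outcome is right: stop
    return None


def audit(paper_ballots, winner, reported_share, risk_limit=0.05,
          max_draws=None, seed=1):
    """Draw paper ballots at random (with replacement) and test as we go.

    If the evidence never gets strong enough within max_draws, escalate to
    a full hand count, whose result replaces the reported outcome.
    """
    rng = random.Random(seed)  # fixed seed so the example is repeatable
    max_draws = max_draws or len(paper_ballots)
    draws = (rng.choice(paper_ballots) for _ in range(max_draws))
    n = ballots_to_confirm(draws, winner, reported_share, risk_limit)
    if n is not None:
        return {"result": "confirmed", "winner": winner, "examined": n}
    hand_count = Counter(paper_ballots)
    return {"result": "full hand count",
            "winner": hand_count.most_common(1)[0][0],
            "examined": len(paper_ballots)}


if __name__ == "__main__":
    # Constructed contest: 10,000 paper ballots, A reported at 60 percent.
    ballots = ["A"] * 6000 + ["B"] * 4000
    print(audit(ballots, "A", 0.6))
    # Same report, but the paper actually favors B: the audit escalates.
    print(audit(["A"] * 4000 + ["B"] * 6000, "A", 0.6))
```

The wider the reported margin, the fewer ballots the test needs before it stops, which is why such an audit can be far cheaper than a full recount when the outcome is not close.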
California, Colorado, and counties in Ohio are experimenting with these types of audits, according to Stark. The audits must be conducted by hand counts of paper ballots. Not all states have a paper record of each vote.
Ballot security. Any system that relies on paper ballots must, of course, take care to secure both blank ballots and those used to cast votes. Otherwise, ballots could be stolen or tampered with. In the 2008 Presidential primaries, New Hampshire was criticized for how ballots were stored, for example, Scanlan says. In response, the state made some changes. “We brought a lot of uniformity to that part of the election process and trained the local election officials on how to properly store ballots when the election’s over so that people can’t question the validity of the actual ballots you’re counting in the recount,” he explains.
There are still problems that some advocates say can only be solved with additional federal legislation. Verified Voting supports the Voter Confidence and Increased Accessibility Act, which would set national voting standards and establish uniform requirements such as post-election audits. Smith says that having a consistent standard of equity and verifiability among states’ voting systems would create a confidence in the systems that would encourage increased voting. The bill was still in committee at press time, however, and is unlikely to pass.
People do their banking online. They communicate online. They do their shopping online. So it’s only natural that citizens would expect that they should also be able to vote online. Internet voting has been touted as a convenient option especially for absentee voters, such as citizens who are overseas during an election and deployed military personnel. But the security issue remains.
In a highly publicized Internet voting failure, Washington, D.C., conducted a pilot project in 2010 of an Internet voting Web application. They invited the public to test the system. Within 36 hours, a team from the University of Michigan had hacked the system and programmed it to play the University of Michigan fight song as users cast votes. And though Professor J. Alex Halderman, who worked on the hack, blogged that there was a simple fix for the specific vulnerability, he added that the system was brittle, and it would be very difficult to secure.
Smith said that such systems are vulnerable, and they’re not being properly tested. Despite the failed test in Washington, others are proceeding to explore this option. “Some whole states, some counties [are] experimenting with these,” says Smith, who points out that the Department of Defense is still funding grants for online balloting experiments.
“I think there’s a sense that there would be a certain amount of convenience for some voters,” she says. “But we want voting to meet a standard for justifiable confidence, a standard for auditability, a standard for security.”
Smith also points out that it is difficult for Internet voting to remain anonymous. Jefferson agrees and states that voting should be treated as a national security issue: “You can’t imagine doing military command and control over open Internet from unsecured [computers] the way people want to conduct elections. We have to treat election infrastructure as if it’s a critical national infrastructure, the disruption of which does major damage to the country.”
Smith says that while it is possible that better approaches to handle the voting process will develop, paper appears to be the most secure way for now. “The question is, with voting, how many are we willing to lose?” Smith says the answer should be none.