Security Against Election Hacking – Part 1: Software Independence

Author: Andrew W. Appel

This article was originally posted to Freedom to Tinker on August 17, 2016.

There’s been a lot of discussion of whether the November 2016 U.S. election can be hacked. Should the U.S. Government designate all the states’ and counties’ election computers as “critical cyber infrastructure” and prioritize the “cyberdefense” of these systems? Will it make any difference to activate those buzzwords with less than 3 months until the election? First, let me explain what can and can’t be hacked. Election administrators use computers in (at least) three ways:

1. To maintain voter registration databases and to prepare the “pollbooks” used at every polling place to list who’s a registered voter (for that precinct); to prepare the “ballot definitions” telling the voting machines who are the candidates in each race.
2. Inside the voting machines themselves, the optical-scan counters or touch-screen machines that the voter interacts with directly.
3. When the polls close, the vote totals from all the different precincts are gathered (this is called “canvassing”) and aggregated together to make statewide totals for each candidate (or district-wide totals for congressional candidates).

Any of these computers could be hacked. What defenses do we have? Could we seal off the internet so the Russians can’t hack us? Clearly not; and anyway, maybe the hacker isn’t the Russians—what if it’s someone in your opponent’s political party? What if it’s a rogue election administrator?

The best defenses are ways to audit the election and count the votes outside of, independent of the hackable computers. For example,

1. Once the pollbooks are printed (a few days before the election), they can be inspected or audited (by election administrators, or by credentialed designates representing the candidates and political parties) to make sure that no names have been left off (or no illegitimate names have been added). A “spot-check” (a randomized partial audit) may do as well. The list of registered voters is a public record, so all the information is available to do this spot-check.Even if no one spot-checks in advance: If a legitimate voter shows up at the polling place and their name has been left off the pollbook (via computer hacking?), this is a real problem—but at least it’s a detected problem. It would be hard to get away with large-scale election-theft this way without a big story in the newspapers. (See: voter-registration purge in Florida 2000.)Problem: What if the pollbooks are not printed in advance, but they are “live” in laptop or tablet computers at the polling places? Then it’s harder to audit in advance: if the pollbook computers are hacked, we won’t know until election day. But at least we’ll know. And the use of provisional ballots can ameliorate this kind of disaster.Recommendation: paper voter-lists in the precincts, as backup to the electronic pollbook system; credentialed party representatives and citizens permitted to inspect/audit these in advance. When provisional ballots are used, officials must systematically check the provisional ballot envelopes and tally the field that tells the reason why the voter was not issued a regular ballot.
2. What if the voting machines in the precinct are hacked? With optical-scan voting, the voter fills in the bubbles next to the names of her selected candidates on paper ballot; then she feeds the op-scan ballot into the optical-scan computer. The computer counts the vote, and the paper ballot is kept in a sealed ballot box. The computer could be hacked, in which case (when the polls close) the voting-machine lies about how many votes were cast for each candidate. But we can recount the physical pieces of paper marked by the voter’s own hands; that recount doesn’t rely on any computer. Instead of doing a full recount of every precinct in the state, we can spot-check just a few ballot boxes to make sure they 100% agree with the op-scan computers’ totals.Problem: What if it’s not an optical-scan computer, what if it’s a paperless touchscreen (“DRE, Direct-Recording Electronic) voting computer? Then whatever numbers the voting computer says, at the close of the polls, are completely under the control of the computer program in there. If the computer is hacked, then the hacker gets to decide what numbers are reported. There are no paper ballots to audit or recount. All DRE (paperless touchscreen) voting computers are susceptible to this kind of hacking. This is our biggest problem. Fortunately, only about 6 states (and several counties in another few states) use paperless touchscreen voting machines (“DRE without VVPAT”). Almost all the states in the U.S. have moved to optical-scan voting (“Paper ballots”), which is much more defensible against hacking.Voters in states with paperless touch-screen voting machines should write to their state legislators and to their governor, to ask that their state switch over to optical-scan voting machines. (It’s too late to switch before the 2016 election.) Some of the states with heaviest use of touch-screen voting machines are: Louisiana, New Jersey, Pennsylvania, Georgia, South Carolina, Tennessee, Texas, Delaware, Kentucky.On-line (internet) voting is another kind of paperless computer voting, and it’s very easy to hack. On-line voting should never be used for elections that really matter.
3. Aggregating the precinct totals together: Those computers can be hacked too. Fortunately, we can independently audit this addition. In most states, in every precinct at the close of the polls the vote totals for that precinct are announced in public, right there in the precinct. Typically, the voting machine prints out the totals on a cash-register tape, and that printout is signed by the pollworkers and the designated party challengers, and any citizen can observe this process and copy down the numbers from the printout. Well organized political parties collect this information from every precinct, at the close of the polls, and add it up themselves, just in case the County Clerk’s software has been hacked. In fact, a good County Clerk will add it up herself or himself independently of the election-equipment vendor’s highly automated (but hackable) software, just to be sure.Problem: Some states don’t have a tradition of political parties organizing volunteers to witness and collect this data; in some states, there’s not a clear statutory right for citizens to observe this process. These problems are fixable before this November’s election; election officials should do everything they can to encourage citizen participation in this part of the canvassing process.
   So the good news is: our election system has many checks and balances so we don’t have to trust the hackable computers to tell us who won. The biggest weaknesses are DRE paperless touchscreen voting machines used in a few states, which are completely unacceptable; and possible problems with electronic pollbooks.

In this article I’ve discussed paper trails: pollbooks, paper ballots, and per-precinct result printouts. Election officials must work hard to assure the security of the paper trail: chain of custody of ballot boxes once the polls close, for example. And they must use the paper trails to audit the election, to protect against hacked computers (and other kinds of fraud, bugs, and accidental mistakes). Many states have laws requiring (for example) random audits of paper ballots; more states need such laws, and in all states the spirit of the laws must be followed as well as the letter.

In Part 2 of this series, I’ll discuss cybersecurity policy for election infrastructure.