• Eighteen years after the notorious "hanging chads" that muddled tabulation of votes in the 2000 presidential election, voting technology hasn't improved all that much, according to a new report from the NAS.
• In an era when foreign interference in elections is a primary concern, America's highly localized electoral system makes it harder — but not impossible — to "hack."
• Despite a worldwide trend toward online voting, paper ballots still provide the most reliable and secure way to ensure electoral integrity.
• Still, writes Adam Ambrogi, director of the Elections Program at the Democracy Fund, tech is not the enemy.
Picture this: the state of electoral infrastructure in the United States. What comes to mind? Perhaps dispiriting photos of election officials during the historic 2000 Florida recount, squinting at chads on punch-card ballots and debating whether they were hanging, dimpled, indented, or possibly even pregnant with voter intention. But maybe that’s not even the lowest point.
The worst electoral failing? Perhaps it’s the terribly designed “butterfly ballot” in Palm Beach County from that same election. The ballot’s confusing layout made it difficult to tell whether one was voting for Reform Party candidate Pat Buchanan or Democratic candidate Al Gore. Almost 20,000 votes were spoiled because many voters punched the hole for both candidates. Buchanan also gained thousands of overvotes because many Gore voters likely punched the wrong hole.
Out of almost six million votes cast in Florida under these contentious conditions, George W. Bush was certified as 537 votes ahead — and was thus awarded all of Florida’s electoral votes and, with them, the presidency. Suddenly, the not-so-healthy state of U.S. election infrastructure leaped into national prominence. Consequently, in 2002, the Help America Vote Act (HAVA) was signed into law with overwhelming bipartisan support, and billions of dollars were allocated toward its goals. It looked like the machinery of elections was finally being taken seriously. Hopefully the system would be fixed — or at the least, greatly improved.
Eighteen years after the chaos of dimpled chads, a new report from the National Academies of Sciences, Engineering, and Medicine (NAS), Securing the Vote: Protecting American Democracy, documents in exacting detail the still-insecure, still-troubled state of electoral infrastructure in the United States. The 156-page report conjures up an even more unfortunate image than those of hanging chads: a virtual “404 error” page, symbolizing the lack of available methods and implementations to reassure Americans that voters will have an expeditious voting experience, where all voters can verify that their vote is counted accurately, and that there are system-wide and systematic procedures in place for meaningful audits to guard against tampering at all stages of the electoral process — from pollbooks/voting to tallying/certification.
There is one electoral infrastructure-related issue that has gotten widespread attention: voter fraud, allegations of which have been repeated at the highest levels of government. Yet multiple investigations have found that voter fraud remains a vanishingly rare occurrence in the United States. Unfortunately, while many of the vulnerabilities and insecurities outlined in the NAS report remain unresolved, unsubstantiated claims of mass voter fraud have been used to push through stricter voter-ID laws and other implementations that in effect can restrict the right to vote.
About the NAS Report
Securing the Vote: Protecting American Democracy, a report from the National Academies of Sciences, Engineering, and Medicine (NAS), was released on September 6, 2018. Supported by Carnegie Corporation of New York and the William and Flora Hewlett Foundation, the report identifies steps to secure Americans’ votes, emphasizing the need for coordinated preparedness at the federal, state, and local levels.
“This is a critical time for our country,” said Committee on the Future of Voting cochair and Columbia University president Lee C. Bollinger. “As a nation, we need to take collective action to strengthen our voting systems and safeguard our democracy. In addition, the nation’s leaders need to speak candidly and apolitically about threats to election systems. The American people must have confidence that their leaders place the larger interests of democracy above all else.”
For example, shortly after the report was released, it was revealed that the state of Georgia has invoked the “exact match” law, which requires that voter registration applications perfectly match information on file with the state’s department of motor vehicles or the Social Security Administration. (In November 2018 a federal judge subsequently ruled that Georgia’s exact-match voter ID law would not apply to the midterm elections because it placed a “severe burden” on prospective voters.) Such “exact matching” procedures tend to disenfranchise minorities, who are more likely to have names with hyphens or less common spellings.
Elderly people and students without driver’s licenses are also more likely to be prevented from voting by strict voter-ID laws, as are Native Americans, many of whom do not have standard residential addresses, living on reservations without named and numbered roads. Compared to the middle class, poor Americans as well as young people tend to move frequently, increasing the likelihood of being purged from the rolls because their current address does not match voter registration records.
Reading the NAS report, it’s hard to decide which of its revelations is most worrying. For example, we learn that the bipartisan U.S. Election Assistance Commission (EAC) — created by HAVA as a national clearinghouse tasked with various electoral duties, including certifying voting systems and guiding the use of HAVA funds — is currently short two commissioners out of the possible four, and is thus unable to sustain a quorum to carry out its business. This isn’t a temporary aberration either; the EAC had no quorum of commissioners in 2010 and then no commissioners at all from 2011 to 2014, no executive director from 2011 to 2015, and no general counsel from 2012 to 2015. Congress simply hasn’t filled these seats. In July 2018 President Trump nominated former Virginia elections official Donald Palmer for a Republican seat, and Ben Hovland was next nominated to fill the Democratic vacancy. However, still lacking a quorum, the commission was unable to take any policy action going into the 2018 midterm elections. (On January 3, 2019, the Senate confirmed both men by voice vote, giving the Election Assistance Commission a quorum for the first time since March 2018).
About one third of the country uses some type of direct-recording electronic (DRE) voting system. Manufactured by a handful of companies, DREs deploy proprietary software, which is typically accessible only to the manufacturer. Some DRE voting systems do produce a voter-verifiable paper audit trail (VVPAT), but these are used in very few actual audits because there are no systems in place for such reviews. The electronic count is the figure used.
According to the NAS report, actors “sponsored by the Russian government” were found to have “obtained and maintained access to elements of multiple U.S. state or local electoral boards” in the run-up to the 2016 election. The Department of Homeland Security (DHS) accordingly designated electoral infrastructure as “critical.” However, this designation only allows DHS to give support to “the private sector and state, local, tribal, and territorial governments in the management of their cyber risk” and “provide technical assistance in the event of a cyber incident, as requested.” The locally administered nature of elections in the United States creates significant challenges to addressing the vulnerabilities embedded in our system.
Audit and Verify
Perhaps the biggest and most obvious problem is one that has received a lot of public attention: about one-third of the country uses some type of direct-recording electronic (DRE) voting system. Manufactured by a handful of companies, DREs deploy proprietary software, which is typically accessible only to the manufacturer. Some DRE voting systems do produce a voter-verifiable paper audit trail (VVPAT), but these are used in very few actual audits because there are no systems in place for such reviews. The electronic count is the figure used.
At least 14 states (in some or all jurisdictions) use electronic machines with no means of audit or recount via a paper trail. In some precincts, DREs are used to meet accessibility requirements, while other forms of voting are available for people who do not need special accommodation. After years of effort by academics and security researchers, a number of states have allocated funding for upgrades and ditched their DRE machines. However, Delaware, Georgia, Louisiana, New Jersey, and South Carolina still rely exclusively on DREs. Verified Voting, a foundation that keeps track of voting-machine types by precinct, lists 9,396 precincts with DREs that have no paper trail whatsoever — about 7.5 percent of the total number of voting machines.
What if a system is hacked? What if a tally is altered? What if voter intentions are distorted? In an electronic-only system, it can be quite difficult — if not impossible — to determine that any of this happened, let alone to figure out the actual results of the election. Clearly, this presents a challenging set of circumstances, especially in an already polarized environment characterized by extremely close elections governed by a winner-takes-all system. Unsurprisingly, the NAS report strongly recommends the removal of machines without audit options “as soon as possible.” In reality, this is unlikely to happen by the 2020 election unless there is a major policy push accompanied by adequate funding (many jurisdictions that would like to replace their DRE machines are hobbled by the enormous expense of this undertaking). The report presents other troubling details. For example, the fact that there are only a handful of voting-systems manufacturers creates a vulnerable choke point. According to NAS researchers, a mere three firms, Election Systems & Software, Dominion Voting Systems, and Hart InterCivic, “comprise 92 percent of the voting-systems market by voter reach.” The largest of the three has only about 460 employees. These firms are prime targets for insider and outsider hacking. (Insider threats are notoriously difficult to guard against in the world of software development, requiring extreme vigilance and attention.) Overall, the report recommends that voting machines without audit options should simply be phased out as rapidly as possible and that systematic audits should be put in place for the rest.
The small number of voting-machine manufacturers underscores one of the more ambivalent aspects in our system: the lack of uniformity of voting systems across the nation. As the NAS report states, the United States is almost alone among nations in having “no centralized, nationwide election authority”; instead, regulations differ state by state and implementations vary county by county. On the one hand, this is surely one of the biggest challenges to overcome in the quest to improve electoral infrastructure. However, it makes the threat of mass hacking somewhat harder to execute, since individual precincts have different combinations of vendors, machines, and configurations. Hacking such systems, which requires local presence and specific knowledge, is not easy to do at scale. In the past, election officers have cited this as a reason to have confidence in voting in the United States, saying that our “decentralized, low-connectivity electoral process is inherently designed to withstand such threats.” But if the great majority of American voting machines are produced by just three centralized companies, much of the protective shield of decentralization evaporates.
While systematic mass hacking is difficult to pull off, the Electoral College system and the winner-takes-all structure of our elections mean that it would be possible to hack or disrupt a small number of electorally critical states — and thereby potentially change the outcome of a presidential election. For example, Florida and Pennsylvania have large numbers of Electoral College votes (29 and 20, respectively) and a history of close elections. Both states also use electronic voting machines (and in both states some precincts use machines that are not equipped with VVPATs). In the 2016 election, Pennsylvania was decided by 44,292 votes out of more than six million cast, a negligible difference indistinguishable from preelection polling or exit polls. Think about it: if an election came down to Pennsylvania, with a negligible difference between winner and loser, any allegation of cyber fraud could trigger enormous chaos. Furthermore, there would be no realistic way of settling the claim, as it would not be possible to conduct audits in some districts of the state. (It may be possible to demonstrate fraud or cyber-hacking, but it is nearly impossible to prove its absence without paper trails, audits, and similar mechanisms. Claims of cyber intrusion are also difficult to prove, as digital fingerprints can easily be erased without leaving a trace.)
Read more stories like this in the Carnegie Reporter
Paper vs. Digital
The potential hacking of voting machines receives a lot of attention, as it should, but the process of voting has many other moving parts in the United States. With the exception of North Dakota, voters must register to vote proactively (several states do now offer same-day registration on election day). The fact is that voter information is held by states with varying degrees of security, meaning that security at the polling place — the integrity and accuracy of registration lists and pollbooks used to verify voter eligibility — takes on added importance.
Voter registration rolls and pollbooks exhibit a tension between their paper and electronic forms: paper is safer and harder to hack, while electronic records are dynamic but less secure. Paper can cause inconveniences that discourage voter participation. Right now, a voter can arrive at a polling station only to be turned away due to an outdated paper pollbook. But even if she’s allowed to cast a provisional ballot, the process can involve long lines and plenty of frustration. Such scenarios suggest that using electronic pollbooks, which are already employed in a number of states, should be a positive step toward making voting easier through technology.
Unfortunately, electronic pollbooks are not standardized, nor are the security protocols meant to safeguard them. The integrity of pollbooks falls squarely under the jurisdiction of each state. Ideally, the EAC and DHS would create standardized systems and recommendations for these databases to ensure their security. But the current system is far from ideal. Many jurisdictions use a mix of electronic and paper pollbooks, and some states provide little or even no guidance at all on how e-pollbooks should be kept or secured.
The threat isn’t limited to deliberate and advanced hacking. In some cases, disrupting and sowing confusion is enough to significantly undermine the integrity of elections and erode our trust in the process.
The NAS report lists several incidents of breaches of voter registration lists held by states: in Illinois, Russian actors penetrated an online voter database; in California, hackers gained access to personal information of a large number of voters; and in Georgia, a server error exposed 6.5 million voter records. The fact remains that states seem unable to secure data in spite of the best intentions.
The threat isn’t limited to deliberate and advanced hacking. In some cases, disrupting and sowing confusion is enough to significantly undermine the integrity of elections and erode our trust in the process. There could be a connectivity issue. Or an easily launched distributed denial-of-service (DDoS) attack, when a network of websites, possibly using bots, ping a single site so often that it is overwhelmed. Or outright hacks rendering electronic pollbooks inaccessible on the day of an election.
Hacked or stolen voter information, as the report notes, can also be used to fraudulently request absentee or mail-in ballots. Security protocols for absentee and mail-in ballots, such as signature verifications, make it difficult to actually engage in voter fraud, but stolen information could be used to simply gum up the process and sow confusion. Therefore, despite the low probability of voter fraud, given the record of past breaches, even states that seem to do well with absentee or mail-in ballots could fall under suspicion.
Pollbooks and e-pollbooks, which contain lists of registered voters, also play an important role in facilitating the voting rights of vulnerable communities. Many civil rights organizations, like the Brennan Center for Justice, the American Civil Liberties Union (ACLU), and the National Association for the Advancement of Colored People (NAACP), argue that voting rights have come under attack as a deliberate method of voter suppression. Inadequately maintained voter rolls or excessive purging of registration lists can result in a voter being inconvenienced (e.g., being forced to vote via provisional ballot); or, worse, she can be turned away at the polls, completely barred from voting.
The NAS report also addresses the human side of the electoral infrastructure, pointing out that many jurisdictions have a hard time hiring an adequate number of poll workers. Training them properly is difficult because the job is seasonal, the pay is low, and the hours are long. Furthermore, elections are held on weekdays, which limits the pool of potential applicants because people with the requisite skills may not be able to take the day off from work. Under current conditions, it’s hard for a precinct to recruit and train a large enough pool of workers with the technical savvy required by a voting environment that is becoming ever more digitized.
Given the current realities of the U.S. electoral system, the report accordingly recommends that, for the foreseeable future, electronic pollbooks be used in tandem with paper ones. Ideally, the report’s fundamental recommendations — that we pay more attention to voter registration and pollbook security, and that improvements should be urgently coordinated by the EAC, the DHS, and state officials — should be followed to the letter.
Internet Voting, Blockchain Voting
Two questions come up often: whether Internet voting is feasible, and whether newer ledger technologies like blockchain or end-to-end verified voting can help prevent voter fraud while also providing voter verification.
The NAS report notes that no Internet-based voting scheme can come close to providing the kind of assurances needed. For one thing, all Internet-based schemes are vulnerable to DDoS attacks. Any web-based system can be attacked this way, regardless of its underlying security. More importantly, the threat of malware and cyber intrusion simply cannot be eliminated using current technologies, making Internet-based voting systems infeasible.
Furthermore, blockchain — a system of decentralized ledgers that creates append-only logs (meaning a database can only grow and not be altered backward) — is not suitable because elections, as the report describes, are “inherently centralized.” Election administrators make many of the decisions about ballots, eligible voters, and more. These actions need to be verifiable, and a blockchain system would require software verification, which, once again, brings up the threat of malware and cyber intrusion. A blockchain can also be manipulated through collusion by multiple actors or stakeholders (those who can add items to the blockchain). In fact, these concerns apply to any digital scheme: malware and hacking are threats that we are simply not able to fully guard against using current technologies in connected systems.
Advanced software technologies allowing high levels of integrity and security are one thing, but in the end voting requires political legitimacy and verification processes that are relatively transparent to ordinary people. For example, with systems like optical-scan ballots, which are counted by computer but subject to risk-limiting audits (RLAs), it’s at least theoretically possible for political parties and ordinary citizens to participate in the verification process. (RLAs are audit procedures where a random sampling of ballots is chosen for verification.) So, if an election outcome is called into question, it is possible to recount the vote of an entire state, using optical-scan ballots as the basis of a recount overseen by multiple, adversarial observers (people from different political parties) as well as a selection of randomly chosen ordinary citizens. Such a process provides something that Internet and digital schemes cannot: assurances that offer more than a “trust the experts” rationale. The NAS report carefully examines digital-only solutions, correctly recommending that they should not be considered.
Dear States: You’re on Your Own
Why hasn’t HAVA funding, totaling billions of dollars at the act’s inception plus substantial funds allocated subsequently, made more progress tackling the issues with voting in America — or even solved the problem?
In fact, some real improvements came out of HAVA. For one, the dreaded punch-card voting machines were phased out, replaced with electronic voting machines providing increased access to voting for people with disabilities — one of HAVA’s goals. A positive change, but this obviously is not enough, and the lack of progress on a broader scale is tied up with other aspects of politics in the United States.
The truth is that state and precinct officials can find themselves overwhelmed by the range of technical options — more than willing, but unable, to implement the required digital security. The Voluntary Voting System Guidelines (VVSG), advanced under HAVA by the EAC and the National Institute of Standards and Technology (NIST), can provide direction. Forty-eight states rely on the VVSG to certify voting equipment, using the guidelines as a basis for their own standards, while some states utilize an EAC-certified test lab to do their testing. These are promising developments, but as the report finds, many election offices have few, if any, dedicated staff, let alone employees with the requisite IT skills. And even when the money is allocated, as it was in the 2018 omnibus budget bill, researchers suspect that cash-starved localities will find it very tempting to direct federal dollars toward replenishing ongoing activities rather than using the new funds to shore up security practices. After all, many localities can barely pay for their existing functions. Moreover, even when election offices invest in the latest technology, they need updated guidelines to ensure that their new machines meet standards. The VVSG are in the final stages of revision and may be ready for a vote soon.
Despite lingering problems, there are bright spots — and we can outline concrete next steps. Currently, almost two-thirds of counties in the United States use either optical-scan ballots or paper ballots, both of which provide the potential basis for sensible next steps for election integrity, at least in terms of tallying votes. I use the word potential because, as the NAS report makes clear, the possibility of meaningful audits is important — a possibility denied by electronic machines with no paper trail. But in and of itself a paper trail isn’t enough without a procedure in place for system-wide audits.
Given all the risks outlined, it is more important than ever that trustworthy and systematic audit processes are in place and functioning, to assure voters that their votes are counted as cast — especially now that optical-scan ballots are increasingly stored as digital snapshots. This means that optical-scan ballots are counted by computers, which means that they can be hacked and election outcomes distorted. And, as history has shown, without oversight even human counting is prone to many types of fraud and mistakes.
What would meaningful audits look like in the United States? The important point here is that it’s not enough for us to hope that everything will work as planned, or even that the experts believe that everything probably did work out as planned. Voters need verifiable assurances that everything did work out exactly as planned. Hence, audits are as much about providing confidence to the public as they are about anything else.
Nothing terrible needs to actually happen for electoral chaos to ensue; widespread suspicion alone can disastrously undermine the legitimacy of elections — and thus of governance. According to polls, in 2016 fewer than half of all Americans had a great deal of confidence that their votes would be counted correctly. In 2018, after the widely publicized attempts by Russia to meddle in the 2016 election, one in three Americans believed that a foreign country could change vote tallies, and almost half believed it was very likely or likely that votes would not be counted correctly. Whether hacking happened in 2016 or 2018 (or will happen in 2020), widespread distrust in the electoral process is inevitably damaging to any democracy, especially in the absence of strong audit and assurance mechanisms.
Luckily, there are methods that can reassure voters, at least in places that use optical-scan ballots or electronic machines with paper trails. For example, a random sampling of ballots can be subjected to a risk-limited audit for verification: Were the ballots recorded as filled? Were they counted as recorded? The RLA can provide confidence — with a high degree of probability — that the results weren’t tampered with. As long as the random selection is truly random, the audit is quite difficult to corrupt. Colorado became the first state to establish RLAs statewide, for the 2018 election, and Michigan piloted such audits in some precincts. This method of auditing election results can and should be implemented as quickly as possible — anywhere the voting method allows. (This is another reason to replace all DRE machines.)
Luckily, there are methods that can reassure voters, at least in places that use optical-scan ballots or electronic machines with paper trails. For example, a random sampling of ballots can be subjected to a risk-limited audit for verification: Were the ballots recorded as filled? Were they counted as recorded?
Securing the Vote makes several recommendations, including: routinize and standardize the integrity of voter databases; create a reporting system for breaches and probes; cross-match voter databases so that eligible voters are not removed from voter rolls; and subject organizations engaged in managing voter information to external audits to ensure the security and integrity of these important files. Much work has already been done on developing Common Data Formats (CDFs) for elections: a voter registration information spec is currently in its final approval stages at NIST, while the election results reporting spec is in use in a handful of states. Also, the Election Registration Information Center is a consortium of states leveraging their department of motor vehicles records and other data sets both to maintain more accurate voter rolls and to reach out to eligible but unregistered voters. All of this work needs to be continued, broadened, and implemented as soon as possible.
In September 2018 President Trump signed an executive order outlining a review and sanction process for any foreign party caught meddling in U.S. elections. As the NAS report documents, U.S. intelligence agencies, as well as other independent investigations, have demonstrated that substantial foreign meddling occurred in the 2016 election, including misinformation campaigns and hacking. However, as important as it is to prevent foreign meddling in the public sphere, U.S. electoral infrastructure should be designed to be secure from any interference, whether foreign or domestic.
After years of warnings from academics and security researchers, a number of states have been making progress on their own. Some have begun replacing their electronic-only systems with paper-based voting technologies such as optical-scan ballots. Virginia has replaced its insecure voting machines with paper ballots, and other states are considering making such a move. All of this is a good start, but much more needs to be done. The NAS report provides a clear look at the vulnerabilities, along with a concrete list of suggestions that would go a long way toward securing elections in the United States. At a minimum, RLAs should be put in place as quickly as possible, and local election authorities should allocate more resources to grapple with potential Election Day problems, including using backup paper copies for pollbooks and beefing up the training of poll workers so they are prepared for all contingencies.
The totality of the NAS report is sobering. But a country with the resources and technical expertise of the United States can make great progress, and quickly — with sufficient political will and a commitment to devote the resources needed to fix the problem. One hopes that people from across the political spectrum will grasp the importance of this issue, and take up the report’s sensible, doable, and terribly urgent recommendations with all due speed. If they do, come next election, we will be fully assured of the integrity, safety, and security of the vote, the most important element of a truly democratic government. ■
A member of the inaugural class of Andrew Carnegie Fellows in 2015, Zeynep Tufekci is an associate professor at the University of North Carolina and an opinion writer at the New York Times. Her research revolves around the interaction between technology and society. Published by Yale University Press in 2017, Tufekci’s first book, Twitter and Tear Gas: The Power and Fragility of Networked Protest, examines how digital connectivity has transformed the public sphere, social movements, and politics. She is currently working on a book on the impact of artificial intelligence on society. @zeynep | technosociology.org