By Ion Y and Haleh S
The redacted Mueller Report is out, and we’re all trying to grapple with how the Russians interfered in our 2016 elections. But even at a whopping nearly 500 pages, the report reveals only one aspect of election interference; as we look to 2020 we need to be aware of other ways our elections might be compromised, hacked, and manipulated.
The Secure Elections Network, made up of leaders and members of Indivisible groups in several states, including California (that’s us – Indivisible East Bay), is trying to help as many people as possible understand how elections can be compromised. An April 28 webinar “BMDs: The Good, the Bad, and the Ugly” addressed concerns about the security of Ballot Marking Devices (BMDs), computerized voting devices that enable voters with disabilities to vote when they’re unable to hand mark a paper ballot. In an attempt to simplify the purchase of voting machines, a number of states and counties are now considering BMDs for use in casting all votes. However, BMDs suffer from some fundamental security problems that make them particularly vulnerable to hacking. The webinar explains the particular nature of the issues with BMDs, and importantly, explains what can be done to alleviate them.
Background – Hacking BMDs
All voting systems, electronic and otherwise, are potentially subject to hacking. The primary trait of electronic voting systems is that they make everything about the process of casting and counting votes faster than doing the same things by hand. This includes real benefits such as votes being counted and tallied faster, more cheaply, and much more accurately. On the downside, they also make tampering with votes possible at a much larger scale and much more cheaply – and, critically, they make tampering much, much harder to detect: discarded boxes of ballots or erased marks are at least possible to observe, but altered bits on disk look no different from unchanged ones. It is possible to digitally add verification that catches accidental errors, and this is widely used, leading to the higher accuracy of tallies. But any part of a digital system can be hacked, which means that just as votes can be altered electronically, electronic verification can be altered as well. And electronic hacking is particularly pernicious because while a physical ballot would have to be destroyed or physically erased, altering a digital result leaves behind no obvious trace. The overall lack of verifiability may be BMDs’ most severe problem: a voting system that is cheap and error-free but whose results can never be trusted ultimately undermines faith and trust in all elections.
Fortunately, there is a way to provide the benefits of electronic voting and also satisfy the issue of trust: using the voter’s original ballot as the basis for a risk-limiting audit (RLA), an election audit that can be used to double-check the results of the election with very high accuracy and very low cost. If the results of an audit don’t match the election results, tampering can be detected. Statistics can be arcane, but the method is sound, and done properly the odds of an election’s results not matching the audit can be made less likely than being struck by lightning multiple times on a sunny day.
For the audit process to work, the voter’s original ballot must be saved and the ballot must record the voter’s original intent. And this is where the difficulties with BMDs come in. Unlike a hand marked paper ballot, where voters mark their choices directly on paper with a pen, BMDs first tally the vote electronically and only afterward produce a paper copy of the vote. But the moment an electronic system participates there is an unverifiable step: hacking a BMD can cause the printed ballot to not match the choices a voter made, compromising the vote just as thoroughly as if there were no paper involved at all. Thus, the paper ballot must exist before the electronic system comes in.
Featured speaker Andrew Appel, professor of Computer Science at Princeton University and expert in voting machine security, explained to webinar participants the ways that electronic voting equipment is vulnerable to hacking. He mentioned other machines, like Direct Recording Electronics (DREs) and Precinct-Count Optical Scanners (PCOS), but the focus of the presentation was on BMDs. Professor Appel described BMDs’ weaknesses, how they can be used to steal an election, and how to run a safe election and avoid the problems BMDs produce.
There are several ways to hack an election machine, including:
- Altering the machine’s software in its original form before it is distributed to polling places. It is not enough for a polling place to be secure if the manufacturer or distributor is hacked instead.
- Inserting a memory card into the machine, once it is installed at a polling place.
- Hacking machines via the internet if the machine has internet access (voting machines are not supposed to have internet access, but they often do).
As a result, according to Appel, elections are most secure when NO electronic or computer-based voting systems are used in the actual casting of ballots. Whenever an electronic device is used at any stage of voting – marking or counting – the chances of distorting the result increases. But while hacking can occur at the counting stage with any device, hacking can still be detected if everyone hand marks a paper ballot and the actual ballot is preserved for purposes of audits or recounts. BMDs, however, compromise the marking stage and leave no original ballot that can be verified in an audit as not having been tampered with electronically.
What makes BMDs particularly pernicious is that unlike a physical ballot, which would have to be destroyed or physically erased, altering a digital result leaves behind no obvious trace of an altered vote. BMDs provide a paper copy of a ballot, giving the illusion of auditability, without the actual benefit. Hacking a BMD is no more detectable than if voting was done completely electronically.
What is more, a little hacking goes a very long way: changing only 5% of the votes on a ballot is enough to change the outcome of an election. Most voters, however, will never detect such a small amount of changed votes; even when the voter is given a paper copy of their votes for the purposes of double-checking, only a tiny percentage of voters actually examine printouts from electronic voting machines. Worse, even if they do check and spot an error, there is nothing a poll worker can do to correct it other than voiding the bad vote and allowing the voter to vote again. There is no way to prove that the error was caused by a compromised voting machine instead of voter error. A hacked BMD could thus remain in use for years even if errors were detected. Appel emphasized the need for a process that is auditable, and thus that hand marked ballots are essential for trusting election results.
Why use BMDs at all? Access to the ballot is also necessary to democracy, and because some disabled voters are unable to use paper ballots federal law requires at least one BMD in every polling location. Some election officials thus favor using BMDs for all voters, to simplify purchasing and training, and to cut down on (perceived) costs. Some officials and elected representatives also believe, incorrectly, that any paper output is sufficient for an audit, and don’t understand the importance of the ballot being hand marked before any electronic device comes into play. As a result a large number of counties use BMDs and a number of states are considering requiring them for all voters.
Appel recommended using BMDs only as required and needed for disabled voters, and not for all voters, and minimizing the use of computer voting devices at all possible stages of the process, to ensure that elections are trustworthy. Appel’s ideal approach:
- Hand mark a paper ballot for nearly all voters. If a BMD is required for accessibility, ensure the user verifies the vote’s accuracy and prints a paper copy.
- Feed the paper ballot into the Precinct Count Optical Scanner, which scans and stores the vote electronically and saves the physical paper ballot in a box.
- Paper ballots may be audited by counting a sampling of the votes and compared to the PCOS count, to verify.
On the issue of costs, Appel noted that BMDs are individually much more expensive to maintain than optical scanners. It is thus more secure and three to four times less expensive to mix predominantly PCOS systems with a much smaller number of BMDs for voters who need them, as compared to using entirely BMDs.
Appel suggested safeguards for voters in states (Georgia was a prominent example raised in the webinar) that are mandating purchase of BMDs by law, and thus have no choice but to use them. These included educating voters (perhaps by poll monitors) to check the accuracy of their votes before submitting them, and printing a copy of votes after using a BMD to preserve a paper record in case of an audit or recount. He emphasized, however, that these methods do not reliably deal with the fundamental problem: there is no way to perform an audit without a trusted record that can be proven to never have been interfered with electronically, and BMDs by definition do not provide such a record.
Voting in the East Bay
Contra Costa County uses paper ballot scanners on Election Day. It uses BMDs primarily for accessibility and it appears they’re not intended for use by default. However, in the 2018 election they were the only option to vote in person at the County’s early voting sites. It is unclear what the County is planning for the 2020 election. Alameda County uses paper ballot scanners, and for accessibility they have “touchscreen devices.” Although they’re not explicitly called BMDs, that is what they are, and they have the same concerns.
To look up what kinds of voting machines your county uses, see the California Secretary of State’s list of voting machines used by county. For an overview of the three types of voting machines you’re likely to use or read about see the Brennan Center’s overview of voting equipment.
Did you miss the webinar? You can watch it, and see the comprehensive slides from Professor Appel’s presentation, at this link. You can also see the Secure Elections Network’s past webinars at the same link.
Can you help work on these critical issues with the Indivisible East Bay Voter Rights & Election Integrity team? Email: info@IndivisibleEB.org, or join the #voting-issues channel on IEB’s Slack. For an invitation to join Slack, email: info@IndivisibleEB.org
Haleh S. is an Engineer turned Lawyer, turned Activist
Featured photo: Quadriplegic voter using a BMD, photograph by Joebeone