Ballot Marking Devices 101

By Ion Y and Haleh S

The redacted Mueller Report is out, and we’re all trying to grapple with how the Russians interfered in our 2016 elections. But even at a whopping nearly 500 pages, the report reveals only one aspect of election interference; as we look to 2020 we need to be aware of other ways our elections might be compromised, hacked, and manipulated.

The Secure Elections Network, made up of leaders and members of Indivisible groups in several states, including California (that’s us – Indivisible East Bay), is trying to help as many people as possible understand how elections can be compromised. An April 28 webinar “BMDs: The Good, the Bad, and the Uglyaddressed concerns about the security of Ballot Marking Devices (BMDs), computerized voting devices that enable voters with disabilities to vote when they’re unable to hand mark a paper ballot. In an attempt to simplify the purchase of voting machines, a number of states and counties are now considering BMDs for use in casting all votes. However, BMDs suffer from some fundamental security problems that make them particularly vulnerable to hacking. The webinar explains the particular nature of the issues with BMDs, and importantly, explains what can be done to alleviate them.

Background – Hacking BMDs

All voting systems, electronic and otherwise, are potentially subject to hacking. The primary trait of electronic voting systems is that they make everything about the process of casting and counting votes faster than doing the same things by hand. This includes real benefits such as votes being counted and tallied faster, more cheaply, and much more accurately. On the downside, they also make tampering with votes possible at a much larger scale and much more cheaply – and, critically, they make tampering much, much harder to detect: discarded boxes of ballots or erased marks are at least possible to observe, but altered bits on disk look no different from unchanged ones. It is possible to digitally add verification that catches accidental errors, and this is widely used, leading to the higher accuracy of tallies. But any part of a digital system can be hacked, which means that just as votes can be altered electronically, electronic verification can be altered as well. And electronic hacking is particularly pernicious because while a physical ballot would have to be destroyed or physically erased, altering a digital result leaves behind no obvious trace. The overall lack of verifiability may be BMDs’ most severe problem: a voting system that is cheap and error-free but whose results can never be trusted ultimately undermines faith and trust in all elections.

Fortunately, there is a way to provide the benefits of electronic voting and also satisfy the issue of trust: using the voter’s original ballot as the basis for a risk-limiting audit (RLA), an election audit that can be used to double-check the results of the election with very high accuracy and very low cost. If the results of an audit don’t match the election results, tampering can be detected. Statistics can be arcane, but the method is sound, and done properly the odds of an election’s results not matching the audit can be made less likely than being struck by lightning multiple times on a sunny day.

For the audit process to work, the voter’s original ballot must be saved and the ballot must record the voter’s original intent. And this is where the difficulties with BMDs come in. Unlike a hand marked paper ballot, where voters mark their choices directly on paper with a pen, BMDs first tally the vote electronically and only afterward produce a paper copy of the vote. But the moment an electronic system participates there is an unverifiable step: hacking a BMD can cause the printed ballot to not match the choices a voter made, compromising the vote just as thoroughly as if there were no paper involved at all. Thus, the paper ballot must exist before the electronic system comes in.

The Webinar

Featured speaker Andrew Appel, professor of Computer Science at Princeton University and expert in voting machine security, explained to webinar participants the ways that electronic voting equipment is vulnerable to hacking. He mentioned other machines, like Direct Recording Electronics (DREs) and Precinct-Count Optical Scanners (PCOS), but the focus of the presentation was on BMDs. Professor Appel described BMDs’ weaknesses, how they can be used to steal an election, and how to run a safe election and avoid the problems BMDs produce.

There are several ways to hack an election machine, including:

  • Altering the machine’s software in its original form before it is distributed to polling places. It is not enough for a polling place to be secure if the manufacturer or distributor is hacked instead.
  • Inserting a memory card into the machine, once it is installed at a polling place.
  • Hacking machines via the internet if the machine has internet access (voting machines are not supposed to have internet access, but they often do).

As a result, according to Appel, elections are most secure when NO electronic or computer-based voting systems are used in the actual casting of ballots. Whenever an electronic device is used at any stage of voting – marking or counting – the chances of distorting the result increases. But while hacking can occur at the counting stage with any device, hacking can still be detected if everyone hand marks a paper ballot and the actual ballot is preserved for purposes of audits or recounts. BMDs, however, compromise the marking stage and leave no original ballot that can be verified in an audit as not having been tampered with electronically.

What makes BMDs particularly pernicious is that unlike a physical ballot, which would have to be destroyed or physically erased, altering a digital result leaves behind no obvious trace of an altered vote. BMDs provide a paper copy of a ballot, giving the illusion of auditability, without the actual benefit. Hacking a BMD is no more detectable than if voting was done completely electronically.

What is more, a little hacking goes a very long way: changing only 5% of the votes on a ballot is enough to change the outcome of an election. Most voters, however, will never detect such a small amount of changed votes; even when the voter is given a paper copy of their votes for the purposes of double-checking, only a tiny percentage of voters actually examine printouts from electronic voting machines. Worse, even if they do check and spot an error, there is nothing a poll worker can do to correct it other than voiding the bad vote and allowing the voter to vote again. There is no way to prove that the error was caused by a compromised voting machine instead of voter error. A hacked BMD could thus remain in use for years even if errors were detected. Appel emphasized the need for a process that is auditable, and thus that hand marked ballots are essential for trusting election results.

Why use BMDs at all? Access to the ballot is also necessary to democracy, and because some disabled voters are unable to use paper ballots federal law requires at least one BMD in every polling location. Some election officials thus favor using BMDs for all voters, to simplify purchasing and training, and to cut down on (perceived) costs. Some officials and elected representatives also believe, incorrectly, that any paper output is sufficient for an audit, and don’t understand the importance of the ballot being hand marked before any electronic device comes into play. As a result a large number of counties use BMDs and a number of states are considering requiring them for all voters.

Appel recommended using BMDs only as required and needed for disabled voters, and not for all voters, and minimizing the use of computer voting devices at all possible stages of the process, to ensure that elections are trustworthy. Appel’s ideal approach:

  • Hand mark a paper ballot for nearly all voters. If a BMD is required for accessibility, ensure the user verifies the vote’s accuracy and prints a paper copy.
  • Feed the paper ballot into the Precinct Count Optical Scanner, which scans and stores the vote electronically and saves the physical paper ballot in a box.
  • Paper ballots may be audited by counting a sampling of the votes and compared to the PCOS count, to verify.

On the issue of costs, Appel noted that BMDs are individually much more expensive to maintain than optical scanners. It is thus more secure and three to four times less expensive to mix predominantly PCOS systems with a much smaller number of BMDs for voters who need them, as compared to using entirely BMDs.

Appel suggested safeguards for voters in states (Georgia was a prominent example raised in the webinar) that are mandating purchase of BMDs by law, and thus have no choice but to use them. These included educating voters (perhaps by poll monitors) to check the accuracy of their votes before submitting them, and printing a copy of votes after using a BMD to preserve a paper record in case of an audit or recount. He emphasized, however, that these methods do not reliably deal with the fundamental problem: there is no way to perform an audit without a trusted record that can be proven to never have been interfered with electronically, and BMDs by definition do not provide such a record.

Voting in the East Bay

Contra Costa County uses paper ballot scanners on Election Day. It uses BMDs primarily for accessibility and it appears they’re not intended for use by default. However, in the 2018 election they were the only option to vote in person at the County’s early voting sites. It is unclear what the County is planning for the 2020 election. Alameda County uses paper ballot scanners, and for accessibility they have “touchscreen devices.” Although they’re not explicitly called BMDs, that is what they are, and they have the same concerns.

To look up what kinds of voting machines your county uses, see the California Secretary of State’s list of voting machines used by county. For an overview of the three types of voting machines you’re likely to use or read about see the Brennan Center’s overview of voting equipment.

Did you miss the webinar? You can watch it, and see the comprehensive slides from Professor Appel’s presentation, at this link. You can also see the Secure Elections Network’s past webinars at the same link.

Can you help work on these critical issues with the Indivisible East Bay Voter Rights & Election Integrity team? Email: info@IndivisibleEB.org, or join the #voting-issues channel on IEB’s Slack. For an invitation to join Slack, email: info@IndivisibleEB.org

 

Haleh S. is an Engineer turned Lawyer, turned Activist

Featured photo: Quadriplegic voter using a BMD, photograph by Joebeone

Protecting American Votes & Elections Act

This action will appear in the Indivisible East Bay newsletter on July 26, 2018. 

Deadline: ASAP and ongoing — Even without Russian hacking, elections can be compromised if we don’t protect the ballots! Sen. Ron Wyden (D-OR) introduced S.3049, the PAVE Act, to require that all voters have the option to use hand marked paper ballots in federal elections. Paperless voting is vulnerable and problematic (see Georgia, South Carolina). The PAVE Act also requires Risk Limiting Audits for all federal races. Midterms are coming up, and we need to tell our Senators it’s time for them to support the PAVE Act, and to demand a 2018 implementation date (it’s currently 2020) for the hand marked paper ballot clause.

What to say:

My name is ___, my zip code is ___, and I’m a member of Indivisible East Bay. I want Senator _____ to support the Protecting American Votes and Elections Act, S.3049. We need to ensure that California’s voters are protected from malicious influence. We also need the hand marked paper ballot clause implemented for 2018 to cover the upcoming midterm elections.

Sen. Dianne Feinstein: (email); (415) 393-0707 • DC: (202) 224-3841

Sen. Kamala Harris: (email); (415) 355-9041 • DC: (202) 224-3553

 

Want to learn more about, and help to work on, election integrity issues?

  • Watch the recording of the Indivisible Fair & Secure Elections Webinar at this link (here’s our background article about the webinar)
  • After you watch, you can connect with people from your state by filling out this form. The working group will follow up with an email to introduce you to other people in your state interested in taking action
  • You can also view the webinar slides and other resources at this link
  • Work on these critical issues with the Indivisible East Bay Voter Rights & Election Integrity team — email: heidi@IndivisibleEB.org, or join the #voting-issues channel on IEB’s Slack. Want an invitation to join Slack? Email: info@IndivisibleEB.org
  • Help spread the word on social media! Follow IEB member and election integrity advocate Jennifer Cohn (@jennycohn1) on Twitter, and re-tweet her  excellent content. Read Jennifer’s blog.

 

Subscribe to the newsletter. See our newsletter archive.

Graphic copyright @equalandallied1

 

 

 

Indivisible webinar to secure our elections

July 30 update: watch the recorded webinar here.

The 2018 mid-terms are mere months away – do you trust that our local elections will be fair, and that our election processes are secure? Indivisible National and several election security experts in Indivisible chapters around the country will present a webinar on July 15 to give Indivisible members and chapters critical information about how our elections can be undermined, and tools and strategies to hold our election officials accountable. 

The Safeguard Our Elections Working Group, made up of members of Indivisible groups in Maryland, Washington state, Hawaii, and California (that’s us – Indivisible East Bay), will present the free webinar, “Fair and Secure Elections: What’s at Stake and How to Take Action” on Sunday July 15 at 5 PM (PDT).

In March 2018, Congress allocated $380 million for states to secure elections against cyber attacks, and Indivisible chapters must press our state leaders to ensure that our states receive the grant money and use it wisely. The webinar will show us how to assess our states’ vulnerabilities and advise us how to lobby our state authorities to secure the elections.

The agenda and speakers include:

  • Introduction:  Jon Foreman, Indivisible Montgomery Maryland
  • Challenges and Threats and State Report Cards: Liz Howard, Counsel for the Democracy Program (Cybersecurity & Elections), Brennan Center for Justice
  • How States Can Act / Take Action Locally – Successful example of lobbying and getting action: Lisa Gibson, Indivisible Hawaii
  • How States Can Act / Take Action Locally – Rejection of public input on election security grant and Email voting insecurity : Kirstin Mueller, League of Women Voters – Washington State
  • Key Vulnerable States – Competitive states in next election and What to do at the state and local levels: Aquene Freechild, Campaign Co-Director, Democracy Is For People Campaign, Public Citizen
  • California – and We’re not Even a Red State: Melanie Bryson, Indivisible East Bay (California)
  • Looking Forward – Funding for 2019 and beyond: Congressman Jamie Raskin, Maryland, District 8
  • Discussion / questions

We Indivisible-ites are rightfully focused on taking back the House and Senate in the 2018 mid-terms. To ensure that our hard work isn’t in vain, we need to also learn how our election processes are vulnerable, and what actions we must take to ensure that each state has fair and secure elections. Indivisible must hold local officials accountable, just as we do our members of Congress! Learn how:

  • See the agenda and find more valuable background information here.
  • Sign up for the free webinar here.
  • Can you help work on these critical issues with the Indivisible East Bay Voter Rights & Election Integrity team? Email: heidi@IndivisibleEB.org, or join the #voting-issues channel on IEB’s Slack. Want an invitation to join Slack? Email: info@IndivisibleEB.org
  • For more info about the webinar, email Stephanie Chaplin: stephanie.chaplin20@gmail.com or Jon Foreman: jonforeman@gmail.com