Ballot Marking Devices 101

By Ion Y and Haleh S

The redacted Mueller Report is out, and we’re all trying to grapple with how the Russians interfered in our 2016 elections. But even at a whopping nearly 500 pages, the report reveals only one aspect of election interference; as we look to 2020 we need to be aware of other ways our elections might be compromised, hacked, and manipulated.

The Secure Elections Network, made up of leaders and members of Indivisible groups in several states, including California (that’s us – Indivisible East Bay), is trying to help as many people as possible understand how elections can be compromised. An April 28 webinar “BMDs: The Good, the Bad, and the Uglyaddressed concerns about the security of Ballot Marking Devices (BMDs), computerized voting devices that enable voters with disabilities to vote when they’re unable to hand mark a paper ballot. In an attempt to simplify the purchase of voting machines, a number of states and counties are now considering BMDs for use in casting all votes. However, BMDs suffer from some fundamental security problems that make them particularly vulnerable to hacking. The webinar explains the particular nature of the issues with BMDs, and importantly, explains what can be done to alleviate them.

Background – Hacking BMDs

All voting systems, electronic and otherwise, are potentially subject to hacking. The primary trait of electronic voting systems is that they make everything about the process of casting and counting votes faster than doing the same things by hand. This includes real benefits such as votes being counted and tallied faster, more cheaply, and much more accurately. On the downside, they also make tampering with votes possible at a much larger scale and much more cheaply – and, critically, they make tampering much, much harder to detect: discarded boxes of ballots or erased marks are at least possible to observe, but altered bits on disk look no different from unchanged ones. It is possible to digitally add verification that catches accidental errors, and this is widely used, leading to the higher accuracy of tallies. But any part of a digital system can be hacked, which means that just as votes can be altered electronically, electronic verification can be altered as well. And electronic hacking is particularly pernicious because while a physical ballot would have to be destroyed or physically erased, altering a digital result leaves behind no obvious trace. The overall lack of verifiability may be BMDs’ most severe problem: a voting system that is cheap and error-free but whose results can never be trusted ultimately undermines faith and trust in all elections.

Fortunately, there is a way to provide the benefits of electronic voting and also satisfy the issue of trust: using the voter’s original ballot as the basis for a risk-limiting audit (RLA), an election audit that can be used to double-check the results of the election with very high accuracy and very low cost. If the results of an audit don’t match the election results, tampering can be detected. Statistics can be arcane, but the method is sound, and done properly the odds of an election’s results not matching the audit can be made less likely than being struck by lightning multiple times on a sunny day.

For the audit process to work, the voter’s original ballot must be saved and the ballot must record the voter’s original intent. And this is where the difficulties with BMDs come in. Unlike a hand marked paper ballot, where voters mark their choices directly on paper with a pen, BMDs first tally the vote electronically and only afterward produce a paper copy of the vote. But the moment an electronic system participates there is an unverifiable step: hacking a BMD can cause the printed ballot to not match the choices a voter made, compromising the vote just as thoroughly as if there were no paper involved at all. Thus, the paper ballot must exist before the electronic system comes in.

The Webinar

Featured speaker Andrew Appel, professor of Computer Science at Princeton University and expert in voting machine security, explained to webinar participants the ways that electronic voting equipment is vulnerable to hacking. He mentioned other machines, like Direct Recording Electronics (DREs) and Precinct-Count Optical Scanners (PCOS), but the focus of the presentation was on BMDs. Professor Appel described BMDs’ weaknesses, how they can be used to steal an election, and how to run a safe election and avoid the problems BMDs produce.

There are several ways to hack an election machine, including:

  • Altering the machine’s software in its original form before it is distributed to polling places. It is not enough for a polling place to be secure if the manufacturer or distributor is hacked instead.
  • Inserting a memory card into the machine, once it is installed at a polling place.
  • Hacking machines via the internet if the machine has internet access (voting machines are not supposed to have internet access, but they often do).

As a result, according to Appel, elections are most secure when NO electronic or computer-based voting systems are used in the actual casting of ballots. Whenever an electronic device is used at any stage of voting – marking or counting – the chances of distorting the result increases. But while hacking can occur at the counting stage with any device, hacking can still be detected if everyone hand marks a paper ballot and the actual ballot is preserved for purposes of audits or recounts. BMDs, however, compromise the marking stage and leave no original ballot that can be verified in an audit as not having been tampered with electronically.

What makes BMDs particularly pernicious is that unlike a physical ballot, which would have to be destroyed or physically erased, altering a digital result leaves behind no obvious trace of an altered vote. BMDs provide a paper copy of a ballot, giving the illusion of auditability, without the actual benefit. Hacking a BMD is no more detectable than if voting was done completely electronically.

What is more, a little hacking goes a very long way: changing only 5% of the votes on a ballot is enough to change the outcome of an election. Most voters, however, will never detect such a small amount of changed votes; even when the voter is given a paper copy of their votes for the purposes of double-checking, only a tiny percentage of voters actually examine printouts from electronic voting machines. Worse, even if they do check and spot an error, there is nothing a poll worker can do to correct it other than voiding the bad vote and allowing the voter to vote again. There is no way to prove that the error was caused by a compromised voting machine instead of voter error. A hacked BMD could thus remain in use for years even if errors were detected. Appel emphasized the need for a process that is auditable, and thus that hand marked ballots are essential for trusting election results.

Why use BMDs at all? Access to the ballot is also necessary to democracy, and because some disabled voters are unable to use paper ballots federal law requires at least one BMD in every polling location. Some election officials thus favor using BMDs for all voters, to simplify purchasing and training, and to cut down on (perceived) costs. Some officials and elected representatives also believe, incorrectly, that any paper output is sufficient for an audit, and don’t understand the importance of the ballot being hand marked before any electronic device comes into play. As a result a large number of counties use BMDs and a number of states are considering requiring them for all voters.

Appel recommended using BMDs only as required and needed for disabled voters, and not for all voters, and minimizing the use of computer voting devices at all possible stages of the process, to ensure that elections are trustworthy. Appel’s ideal approach:

  • Hand mark a paper ballot for nearly all voters. If a BMD is required for accessibility, ensure the user verifies the vote’s accuracy and prints a paper copy.
  • Feed the paper ballot into the Precinct Count Optical Scanner, which scans and stores the vote electronically and saves the physical paper ballot in a box.
  • Paper ballots may be audited by counting a sampling of the votes and compared to the PCOS count, to verify.

On the issue of costs, Appel noted that BMDs are individually much more expensive to maintain than optical scanners. It is thus more secure and three to four times less expensive to mix predominantly PCOS systems with a much smaller number of BMDs for voters who need them, as compared to using entirely BMDs.

Appel suggested safeguards for voters in states (Georgia was a prominent example raised in the webinar) that are mandating purchase of BMDs by law, and thus have no choice but to use them. These included educating voters (perhaps by poll monitors) to check the accuracy of their votes before submitting them, and printing a copy of votes after using a BMD to preserve a paper record in case of an audit or recount. He emphasized, however, that these methods do not reliably deal with the fundamental problem: there is no way to perform an audit without a trusted record that can be proven to never have been interfered with electronically, and BMDs by definition do not provide such a record.

Voting in the East Bay

Contra Costa County uses paper ballot scanners on Election Day. It uses BMDs primarily for accessibility and it appears they’re not intended for use by default. However, in the 2018 election they were the only option to vote in person at the County’s early voting sites. It is unclear what the County is planning for the 2020 election. Alameda County uses paper ballot scanners, and for accessibility they have “touchscreen devices.” Although they’re not explicitly called BMDs, that is what they are, and they have the same concerns.

To look up what kinds of voting machines your county uses, see the California Secretary of State’s list of voting machines used by county. For an overview of the three types of voting machines you’re likely to use or read about see the Brennan Center’s overview of voting equipment.

Did you miss the webinar? You can watch it, and see the comprehensive slides from Professor Appel’s presentation, at this link. You can also see the Secure Elections Network’s past webinars at the same link.

Can you help work on these critical issues with the Indivisible East Bay Voter Rights & Election Integrity team? Email: info@IndivisibleEB.org, or join the #voting-issues channel on IEB’s Slack. For an invitation to join Slack, email: info@IndivisibleEB.org

 

Haleh S. is an Engineer turned Lawyer, turned Activist

Featured photo: Quadriplegic voter using a BMD, photograph by Joebeone

H.R. 1 is Priority One

By Ion Yannopoulos and Ann Daniels

Even little kids know how voting works: you vote, your vote gets counted, everyone else’s vote gets counted, the totals are added up, and the winner is the one who gets the most votes. Simple.

Or not. In real-life elections, there are so many ways this goes wrong. Let’s look at “your vote gets counted” – how do you know? And how do you know that the total of votes they announce is actually the same as the number of people who voted? There could be cheating or tampering. Even in honest elections, people can make mistakes all along the line. Bottom line: it’s so easy for there to be lost votes, miscounted votes. So how can you trust election results?

That’s why one of the first (if not the first) priorities of the new Democratic House of Representatives is H.R. 1, the For the People Act, which among other things lays the foundation for (more) secure elections. And that’s why we need you to tell your Member of Congress that you want them to support H.R. 1. Read on for more info and what to say.

Background

There are a lot of reasons why voting machines can be vulnerable to problems – and unfortunately, voting machines in the U.S. are subject to most of them. But there’s good news: it’s possible to count votes to a very high degree of accuracy, detect interference in elections, and prevent election tampering, all by using paper ballots and something called a risk-limiting audit – essentially, double-checking the election by using a specific statistical method of analyzing the votes cast.

H.R. 1 requires, among many other things, that new voting machines always start with paper ballots, and that those ballots be retained until the election is over. Why paper ballots? Digital data is cheap, fast, and very flexible – but it has a fatal flaw, because it can be changed nearly undetectably. The only way an audit can tell if there’s been tampering is if there’s a trusted source to verify the electronic vote against: namely, the voter’s original ballot. There are electronic voting machines that produce a paper ballot, but if they are hacked, the paper part produced by the electronic voting machine is just as tainted as the electronic part. In fact, there are even ways that the votes can be hacked based on the paper record produced by the electronic machine! Experts agree: Paper ballots are an indispensible part of election security.

What you can do:

1. Contact your Member of Congress. Let them know you support H.R. 1. All three of our East Bay Representatives have cosponsored the bill; thank them. Barbara Lee is on the House Appropriations Committee, which will have to come up with the money to address the funding needed for the states to agree.

What to say:

My name is _____, my zip code is ____, and I’m a member of Indivisible East Bay. I’m calling to thank ______ for cosponsoring H.R. 1 to make our elections trustworthy by making them secure. Please make sure other Members of Congress understand how dangerously insecure our current voting machines really are, and convince them to support H.R. 1. Thank you.

For Barbara Lee, who is a member of the House Appropriations Committee, you can add:

I’m also asking you to make sure the provisions for funding voting machines with paper ballots are rock solid, to resist criticisms about “unfunded mandates.”

  • Rep. Mark DeSaulnier: (email); (510) 620-1000 • DC: (202) 225-2095
  • Rep. Barbara Lee: (email); (510) 763-0370 • DC: (202) 225-2661
  • Rep. Eric Swalwell: (email); (510) 370-3322 • DC: (202) 225-5065

2. Contact the California Secretary of State. The Secretary of State oversees elections. The National Association of Secretaries of State (NASS) is having a conference in Washington from Feb. 1-4, 2019, and one of the topics they will address is voting on a resolution opposing any federal attempts to decide how state money is spent on elections – essentially leaving decisions about election machines in the hands of the states. Tell Secretary of State Alex Padilla that we don’t believe our elections can be safe nationally if any states are vulnerable, and that a minimum standard needs to be set for all elections.

What to say:

My name is ______, my zip code is _____, and I’m a member of Indivisible East Bay. I’m calling to thank Secretary of State Padilla for speaking out about the need to defend election integrity, and I want to ask him to speak against the NASS Interim Position on Potential Federal Election Funding. Our elections can’t be safe nationally if any states are vulnerable. For us to be secure and for our elections to be trusted they need to be verified by audit, and we need both paper ballots and risk-limiting audits in order to make that happen.

Secretary of State Alex Padilla: email; Main phone (916) 657-2166; Legislative Office: (916) 653-6774

3. Help work on these critical issues with the Indivisible East Bay Voter Rights & Election Integrity team — email heidi@IndivisibleEB.org, or join the #voting-issues channel on IEB’s Slack. Want an invitation to join Slack? Email info@IndivisibleEB.org

4. Find out more: For more information, read our past articles about election security and risk-limiting audits:

Town Hall on Securing Our Elections

By Ted Landau

For Representative Mark DeSaulnier’s 61st Town Hall since taking office, he focused on a single critical and timely issue: Securing Our Elections. Free and fair elections are the foundation of our democracy. Unfortunately, as evidenced by Russian interference with the 2016 election, the integrity of our voting process has never been under greater threat. The purpose of the Town Hall, held in Walnut Creek on August 13, 2018, was to consider what we should do about this — for the 2018 midterms and beyond.

The Town Hall began with a brief slide show presentation followed by opening statements by Rep. DeSaulnier and California Secretary of State Alex Padilla. Next, three election experts, Dr. David Jefferson, Professor Philip Stark and Mark Kumleben, joined the panel discussion. Taking questions from the jam-packed audience of about 300, they delivered both good and bad news.

Let’s start with the bad news: Here in California, attempts to “break in” to our election hardware continue unabated. Efforts to employ social media as a means to disrupt our elections also remain ongoing. We need to be more vigilant than ever if we expect to safeguard our election process. And unfortunately, with Trump at the helm and his GOP enablers downplaying Russian interference and blocking the Democrats’ attempt to increase election security funding, we can’t depend on much help from the federal government.

The good news: DeSaulnier continues to work to get Washington to act. He is currently the co-sponsor of at least 5 bills to improve election security (such as the aptly named Election Security Act, H.R. 5011). While none of these bills has made it to the GOP-controlled floor as yet, this is a start. If you live in CA-11, DeSaulnier’s district, thank him and urge him to keep pushing! Meanwhile, Secretary of State Padilla claimed that no one has yet succeeded in “hacking” California voting equipment. To help keep things that way, the state has allocated over $134 million dollars to upgrade our voting machines and to provide additional election protections. One caution came from Professor Stark, who pointed out that just because you’ve found no evidence of hacking, that doesn’t guarantee none has taken place; hackers may have succeeded in preventing your ability to detect them.

So what should we be doing? The panelists agreed on several key recommendations:

  • Paper ballots are essential. Electronic voting, online voting, whatever: they’re all bad. Only paper ballots allow us to reliably track, audit and verify the authenticity and accuracy of the vote. Accept no substitute. Further, no voting machines should be connected to the Internet; it’s too much of a risk. California has gotten the message: it keeps its machines offline and uses only paper ballots unless people with disabilities need an accessible voting machine. As for the rest of the country, while the Constitution prohibits most federal regulation of the electoral process, it allows for the federal government to require states to use paper ballots. We should demand that they do so!
  • Beware of bots. As discussed primarily by Mr. Kumleben, bots are mini-programs designed to imitate humans on social media. We can’t outlaw them but we should be aware of them. They can create an illusion of consensus or popularity that can unduly influence people’s perceptions and thus how they vote. Always be skeptical of what you read and view online — especially from unfamiliar sources! We should also demand that politicians reveal not only where their campaign money comes from but where it goes. If they’re spending money on bots, the voters should know!
  • Gerrymandering and voter suppression are rooted in white supremacy; their goal is to inhibit minorities from voting or having their vote matter. That was the strong assertion made by the Secretary of State to open this topic, which drew applause from the audience. The ideal goal should be for every eligible person to vote — and to do so within fairly-drawn districts. Again, California has led the way here with its recent bipartisan redistricting. All states should move in this direction.
  • Make the move to open source: non-proprietary software that anyone can see, explore and even modify. As elucidated by Dr. Jefferson and Professor Stark, most voting machines in use today run on proprietary software, owned entirely by the same companies that manufacture voting machine hardware. Even though election officials “purchase” voting equipment, they are prohibited from viewing or modifying the machine’s software source code. This leads to a quasi-monopoly that costs the government dearly. If voting machines were instead truly owned by the public and ran on open source software, it could reduce election costs by a factor of five, leading many experts to urge that we should push for a move to open source. While it is not a panacea for security concerns, and while it’s controversial (because, among other things, it is open to modification), open source makes the process much more transparent and accountable. Yet again, California is ahead of the curve. Both San Francisco and Los Angeles counties are planning to transition to open source. Other districts are expected to follow.

Several additional points of interest were raised by the panel:

  • You may not be aware of this, but a significant change is coming to the voting process in California, perhaps as early as 2020 in Contra Costa County, as a result of the Voter’s Choice Act. Most significantly, the law provides a new voting option, intended to facilitate in-person voting: No longer will you be restricted to vote only on election day at just one specified polling location. Instead, for the 11 days prior to an election, you will be able to vote at any of numerous “vote centers” located throughout the county. If you currently use a mail-in ballot, you already can come close to achieving this flexibility. You don’t have to mail your ballot in, risking problems with postal delivery or interference en route. You can drop it off at a city hall or, on election day, at a polling location.
  • Here is a truly cool tip revealed by Secretary of State Padilla: Did you know you can check the status of your vote after an election — and even get a history of your previous votes? To do so, start here.
  • Professor Stark explained the benefits of “risk-limiting” audits. These are partial audits that, combined with statistical analyses, determine when a full audit of a vote is needed. This allows the county to save time and money that would otherwise be wasted on full audits when they have little or no chance of changing the results. Expect to see the implementation of these audits here in California.

Are you interested in working with the IEB Voter Rights and Election Integrity team? Send us an email or join the voting-issues channel on IEB’s Slack.

Ted Landau is a retired professor of psychology. He has also spent several decades as a tech journalist/author — writing primarily about Apple products. He has been politically active in the East Bay since moving here in 2004.

Protecting American Votes & Elections Act

This action will appear in the Indivisible East Bay newsletter on July 26, 2018. 

Deadline: ASAP and ongoing — Even without Russian hacking, elections can be compromised if we don’t protect the ballots! Sen. Ron Wyden (D-OR) introduced S.3049, the PAVE Act, to require that all voters have the option to use hand marked paper ballots in federal elections. Paperless voting is vulnerable and problematic (see Georgia, South Carolina). The PAVE Act also requires Risk Limiting Audits for all federal races. Midterms are coming up, and we need to tell our Senators it’s time for them to support the PAVE Act, and to demand a 2018 implementation date (it’s currently 2020) for the hand marked paper ballot clause.

What to say:

My name is ___, my zip code is ___, and I’m a member of Indivisible East Bay. I want Senator _____ to support the Protecting American Votes and Elections Act, S.3049. We need to ensure that California’s voters are protected from malicious influence. We also need the hand marked paper ballot clause implemented for 2018 to cover the upcoming midterm elections.

Sen. Dianne Feinstein: (email); (415) 393-0707 • DC: (202) 224-3841

Sen. Kamala Harris: (email); (415) 355-9041 • DC: (202) 224-3553

 

Want to learn more about, and help to work on, election integrity issues?

  • Watch the recording of the Indivisible Fair & Secure Elections Webinar at this link (here’s our background article about the webinar)
  • After you watch, you can connect with people from your state by filling out this form. The working group will follow up with an email to introduce you to other people in your state interested in taking action
  • You can also view the webinar slides and other resources at this link
  • Work on these critical issues with the Indivisible East Bay Voter Rights & Election Integrity team — email: heidi@IndivisibleEB.org, or join the #voting-issues channel on IEB’s Slack. Want an invitation to join Slack? Email: info@IndivisibleEB.org
  • Help spread the word on social media! Follow IEB member and election integrity advocate Jennifer Cohn (@jennycohn1) on Twitter, and re-tweet her  excellent content. Read Jennifer’s blog.

 

Subscribe to the newsletter. See our newsletter archive.

Graphic copyright @equalandallied1