How New Voting Machines Could Hack Our Democracy
Dec 17, 2019
The United States has a disturbing habit of investing in unvetted new touchscreen voting machines that later prove disastrous.
As we barrel toward what is set to be the most important election in a generation, Congress appears poised to fund another generation of risky touchscreen voting machines called universal use Ballot Marking Devices (or BMDs), which function as electronic pens, marking your selections on paper on your behalf. Although vendors, election officials, and others often refer to this paper as a “paper ballot,” it differs from a traditional hand-marked paper ballot in that it is marked by a machine, which can be hacked without detection in a manual recount or audit. These pricey and unnecessary systems are sold by opaquely financed vendors who use donations and other gifts to entice election officials to buy them.
Most leading election security experts instead recommend hand-marked paper ballots as a primary voting system, with an exception for voters with disabilities. These experts include Professor Rich DeMillo of Georgia Tech, Professor Andrew Appel of Princeton University, Professor Philip Stark of the University of California at Berkeley, Professor Duncan Buell of the University of South Carolina, Professor Alex J. Halderman of the University of Michigan, and Harri Hursti, who is “considered one of the world’s foremost experts on the topic of electronic voting security” and is “famously known for his successful attempt to demonstrate how the Diebold Election Systems’ voting machines could be hacked.” These scholars warn that even a robust manual audit, known as a Risk Limiting Audit, cannot detect whether a BMD-marked paper ballot has been hacked. BMDs instead put the burden on voters themselves to detect whether such ballots include fraudulent or erroneous machine marks or omissions—even though studies already show that many voters won’t notice.
For this reason, many analysts have cautioned against acquiring these new ballot-marking machines for universal use, but election officials in at least 250 jurisdictions across the country have ignored their advice. Georgia (all one hundred and fifty-nine counties), South Carolina (all forty-six counties), and Delaware (all three counties) have already chosen these systems for statewide use in 2020. One or more counties in each of the following additional states have done the same: Pennsylvania (for the most populous county, plus at least four more), Wisconsin (for Waukesha, Kenosha, Chippewa and perhaps more), Ohio (for the most populous county and others), Tennessee (for at least ten counties), North Carolina (for the most populous county), West Virginia (for the most populous county and at least one other), Texas (for at least Dallas and Travis counties), Kentucky (for the most populous county), Arkansas (at least four counties), Indiana (for the most populous county and at least eight others), Kansas (for the first and second most populous counties), California (again, for the most populous county), Montana (at least one county, though not until 2022), and Colorado (for early voting). New York state has certified (that is, voted to allow) one such system as well.
Calling attention to this problem has been complicated over the past few years by vendors, election officials, and election-system lobbying groups such as Verified Voting, who have blurred the issue by referring to both hand-marked paper ballots and ballot-marking device printouts as “paper ballots,” “backup paper ballots,” “voter-marked paper ballots,” and “voter-verifiable paper ballots.” Unless voters are unusually well-informed, they have no reason to know that these catchphrases—repeated by Congress and the media, even John Oliver—can refer to risky new voting machines.
The rapid proliferation of these unnecessary new ballot-marking machines comes at a time when many voters have already been losing confidence in America’s election system. The United States government has acknowledged that Russia targeted election systems in all fifty states before the 2016 election and successfully breached three election-service providers and voter-registration systems in both Florida and Illinois. But the total number of counties breached (two or more) remains unclear and the Federal Bureau of Investigation won’t now identify all of them by name. It is unclear whether the government would have acknowledged even this much were it not for the whistleblowing action of Reality Winner, the former US Air Force linguist and NSA contractor who is serving a sentence of more than five years in prison for leaking a classified report about Russia’s attack on America’s election infrastructure.
That attack reportedly began in June 2016, a few years after Russia attacked vote-tallying and election-reporting computers in Ukraine. The Senate Intelligence Committee report on Russian interference includes a section titled “Russian Activity Directed at Voting Machine Companies,” which states that Russia also “scanned” a “widely used vendor of [US] election systems” before the 2016 election. But the name of the vendor is redacted, and the unredacted portion of the report does not explain what it means by “scanned.”
While voters have been told there’s “no evidence” that US vote tallies were changed, no meaningful manual recount was conducted after the 2016 election because, among other reasons, most large Wisconsin counties refused, Michigan law made it impossible, the court in Pennsylvania blocked it, and some counties lacked paper ballots. In 2017, the Department of Homeland Security acknowledged that it had conducted no forensic analysis to see if vote totals had been hacked and said that it did not intend to do so in the future.
Election-security expert Professor Rich DeMillo of the Georgia Institute of Technology says that, “like all voting machines, BMDs receive programming before each election via memory cards or USB sticks prepared on centralized election-management computer systems that are likely connected to the Internet on occasion.” Thus a hacker or corrupt insider could transfer malware to every BMD within the county or state by compromising either these centralized computers or the memory cards or USB sticks.
Election security expert Professor Alex J. Halderman of the University of Michigan agrees that election management systems “sometimes are connected to the Internet or the data that’s programmed into them passes through an internet-connected system,” so that “we’re just one or two hops away from an online attacker.” As he testified to the House Appropriations Subcommittee earlier this year, “hackers who compromise an election management system can… spread a vote-stealing attack to large numbers of machines.” Moreover, he says that:
A small number of election technology vendors and support contractors program and operate election management systems used by many local governments. The largest of these services over 2,000 jurisdictions spread across thirty-four states. Attackers could target one or a few of these companies and spread an attack to election equipment [including BMDs] that serves millions of voters.
Last week, Democratic Senators Elizabeth Warren, Ron Wyden, and Amy Klobuchar, and Representative Mark Pocan (Democrat of Wisconsin) announced that they have opened an investigation into the “vulnerabilities and shortcomings of election technology industry with ties to private equity.” The reason the issue of private equity matters is that the top two vendors of these ballot-marking machines, Election Systems and Software LLC (ES&S) and Dominion Voting, account for more than 80 percent of US election equipment. They thus hold between them a near-monopoly on the industry, and their form of ownership means there is no way of discovering the details of who really owns them or even whether they are legitimate competitors.
ES&S was founded in the 1970s by two brothers, Bob and Todd Urosevich, of Omaha, Nebraska. In July 2000, Bob Urosevich was named president of another vendor, Global Election Systems. Its largest shareholder, and senior vice-president as of September 2000, was a convicted embezzler named Jeffrey Dean, whose crimes involved computer tampering. In 2002, ATM manufacturer Diebold, Inc. acquired Global and changed its name to Diebold Election Systems. Diebold told the Associated Press that Dean had left the company, but internal Diebold memos showed that he had remained as a consultant. Dean’s involvement with Global/Diebold was unearthed by Bev Harris, author of Black Box Voting: Ballot Tampering in the 21st Century (2004). His whereabouts today are unknown.
Diebold sold its election subsidiary to ES&S in 2009. But in 2010, the Department of Justice’s Antitrust Division forced ES&S to sell some of Diebold’s assets because the combined company accounted for more than 70 percent of US election equipment. Dominion Voting, a Canadian company that outsources some of its programming to Serbia, bought those assets that same year, as well as another, smaller vendor named Sequoia Voting. In recent years, ES&S has made a series of misleading statements about remote access to some of its election systems and Internet connectivity. For its part, Dominion won’t say if it has installed remote access software in its systems or not.
Experts agree that all computerized election equipment—including ballot-counting machines (scanners and central tabulators) and these new ballot-marking machines—can be hacked. But the opportunities for hacking are fewer when only counting machines are used. Universal use ballot-marking devices are an unnecessary electronic addition to these existing systems (not a substitute for them), and thus increase the exposure of the system to potential cyber-attack.
The ability to detect and recover from any such attack is critical to election integrity. Any effort at forensic analysis to detect a possible security breach, however, is typically hampered or prevented by vendors’ claim of proprietary ownership of their software. This is what the former presidential candidate John Kerry discovered when he requested a forensic analysis of equipment before the 2004 election (and his court petition was denied). Election security experts, including Halderman, say that sophisticated hackers could erase forensic evidence in any case. They also say that a machine recount, which merely reruns potentially hacked voting equipment, would be unlikely to detect evidence of tampering.
Instead, they advise that if we want to detect hacking, we should conduct a manual recount or audit, such as a Risk Limiting Audit, that compares paper ballots with electronic outcomes. But as Professor Philip Stark, the inventor of Risk Limiting Audits, has explained, comparing paper ballots to reported electronic outcomes can only detect hacking of ballot-counting machines (scanners and tabulators); it cannot detect similar interference in ballot-marking machines (that is, BMDs). Likewise, although a careful accounting of the chain of custody between election night and the audit can provide reliable evidence that hand-marked paper ballots are trustworthy source documents for conducting an audit, it cannot certify this for machine-marked paper ballots because it cannot detect hacking of BMDs.
Ballot-marking systems can also have problems with the touchscreen interface: hypersensitivity or hyposensitivity, inability to fit all candidates on a single screen, and miscalibration resulting in vote-flipping. And they can shut down or fail to activate while in use, disenfranchising voters or creating long lines at polling stations. Last month in Georgia, for example, BMDs could not be activated without functioning electronic poll books (used to confirm voter registrations and create BMD “access cards” at the polling place), which didn’t work, causing significant delays.
We’ve been down this road before. After problems with punch cards in the 2000 presidential election and the GOP’s successful campaign to stop a manual recount, Congress passed the Help America Vote Act of 2002, ushering in a generation of glitchy, vote-flipping Direct Record Electronic (DRE) touchscreen voting machines. Initially, many of these machines were paperless—which, in addition to problems with vote-flipping and electronic failure, made manual recounts and manual audits impossible. Despite this, some such machines remain in use today.
Voter Verifiable Paper Audit Trails (VVPATs), cash-register-style rolls of paper attached to touchscreen voting machines, were a popular industry response to concerns about paperless voting. The assumption was that voters would “verify” that the voting machines had correctly marked their selections on the VVPATs, which would then be used to conduct meaningful manual audits. A series of later studies, however, proved these assumptions incorrect.
A 2004 video study of voters during an election in Nevada found that fewer than 40 percent of voters reviewed the machine’s (VVPAT) printout to check whether their vote had been accurately marked. In 2005, a study conducted by Professor Ted Selker and Sharon Cohen of the Massachusetts Institute of Technology found that “[o]ut of 108 [mock] elections that contained [VVPAT] errors… no errors were reported [by the participants],” and only 8 percent of the participants agreed with the statement that there had been errors. Selker of MIT has explained how a malicious actor might thus commit fraud:
In a more likely scenario, the defrauder will change the electronic ballot and depend on the statistics for reading and contesting bad receipts. If a person calls their receipt into question and asks for another receipt to be printed, the hacked VVPT machine can print the ‘duplicate’ receipt correctly, fixing the mistake. By printing the correct receipt when a person asks for it a second time it could literally eliminate the changed ballot, thus eliminating the possibility of detection. Although the program has to give up this one changed ballot it won’t happen often.
The findings of the 2004 and 2005 VVPAT studies have been reinforced by similar subsequent ones. In 2007, a Rice University study of a mock election reported that a clear majority of study participants did not notice that the voting machines had added to, deleted, or switched their selections, even though this was apparent on the review screen. According to the report: “over 60 percent of voters do not notice if their votes as shown on the review screen are different than how they were selected. Entire races can be added or removed from ballots and voter’s candidate selections can be flipped and the majority of users do not notice.”
In 2008, Professor Doug Jones of the University of Iowa conducted a study that found, in a mock election, one third of voters instructed to verify a voting machine review screen did not notice that the screen had switched their selections at the top of the ticket from Obama to McCain (or vice versa). And a majority of those who did notice assumed that the discrepancy was caused by their own error in using the machine, as opposed to a problem with the machine itself.
These and other concerns with touchscreen systems, including reports of vote-flipping, have persuaded most experts to instead recommend hand-marked paper ballots, which do not interpose an insecure machine between voters and their ballots. Hand-marked paper ballots can also “help reduce lines at the polls, allowing workers to quickly set up additional voting stations,” as ES&S itself recently acknowledged. Touchscreens tend to create longer lines because they limit the number of voters who can mark their ballots concurrently to the number of machines at the polling place, which can create a bottleneck.
As of 2016, however, about a quarter of the country still used either paperless touchscreen voting machines or touchscreen voting machines with unsatisfactory “voter-verifiable” paper trails. The rest of the country still used primarily hand-marked paper ballots and scanners.
Ballot-marking devices, which cost nearly twice as much as hand-marked paper ballots and scanners, are the latest industry gambit to put machines between voters and their ballots. Although they’ve been around for years to assist voters with disabilities—and should remain available for this purpose—the new versions are intended for use by all voters, regardless of need. Most generate a paper “summary card,” rather than a full-face ballot.
No studies suggest that these summary cards are any better than the previous generation of machines that produced a supposedly voter-verifiable paper record. On the contrary, one recent study (from 2018, awaiting peer review) found that most voters did not review them even when instructed to do so. And of those who did, most didn’t notice changes on the face of the cards.
Experts caution that some of these BMDs, the ES&S ExpressVote XL and Dominion ICE, can be programmed to give voters the option to forego printing and reviewing the printout at all. They also warn that even if this option is disabled, the machines can be maliciously programmed to add fraudulent marks to the machine-marked printout after it’s been inspected and the vote cast.
Another concern is that almost all new BMDs place a large barcode or matrix-style QR code above the human readable text on the summary card. The barcode, which humans of course can’t read, is the only part of the ballot counted as their vote. According to election-security expert Richard DeMillo, a professor of computer science at Georgia Tech, “malevolent actors could manipulate the barcodes to do various things, such as instructing the scanners to flip votes, and voters would have no idea.” As Professor Jones lamented (in an email to me):
We have a longstanding habit in the United States of adopting voting systems for use in the polling place without any real studies of how well they work. We only learn about human-factors failings after the machines are deployed and widely used… We followed exactly [this] pattern with the move to touchscreen voting systems, we followed it again with the move to voter-verified paper trail add-on equipment for touchscreen machines, and we are following it again with ballot-marking device technology.
So why, given their inherent security problems, are these new ballot-marking devices being taken up in more and more jurisdictions across the country? Proponents of these systems sometimes say they make it easier to retrieve ballot styles in multiple languages and eliminate stray marks. But ballot-on-demand printers can already print ballots in multiple languages at the polling place, and precinct scanners can alert voters to stray marks. During a recount in Minnesota in 2008, a bipartisan panel was able to agree on the intent of all but fourteen hand-marked ballots out of 2.9 million.
Ion Sancho, who served as supervisor of elections in Leon County, Florida, for eighteen years, told me that his successor “uses a ballot on demand system” for early voting sites, which produces a “full ballot, in English or Spanish, for the voter to mark by hand and drop in the tabulator. This procedure does not use BMDs except for those who cannot mark the ballot by hand.” According to Sancho, “those who push BMDs ignore current available technologies, which are simple to use and completely auditable—as well as truly being voter-verifiable, as the voter sees what the scanner is counting, not barcodes or QR codes.”
As with so much in American politics, following the money sheds light on the motivation of some of the election officials choosing these systems. It makes quite an audit trail of its own.
In 2018, the McClatchy news agency broke a story that ES&S “has for at least nine years coaxed state and local elections officials to serve on an ‘advisory board’ that gathers twice annually for company-sponsored conferences, including one last year at a ritzy Las Vegas resort hotel.” In 2017, as many as a dozen election officials attended ES&S’s Las Vegas event, for which they accepted “airfare, lodging, meals and, according to one participant, a ticket to a show on the Strip.” The event also included an open bar and recreational outings.
In 2019, it was reported that South Carolina’s election commission director, Marci Andino, had accepted nearly $20,000 in expenses during her decade as a member of ES&S’s advisory board. The state has since signed a $51 million contract for ES&S ExpressVote ballot markers and scanners, ignoring concerns raised by the South Carolina League of Women Voters.
New York City’s top election official, who also sat on ES&S’s secret gift-giving advisory board from 2014 until December 2018, wants to buy ES&S’s ExpressVote XL machines for early voting and is pushing the state election board to certify them despite warnings from election security experts. The board has already certified Dominion ICE ballot-marking devices, again despite their warnings.
In Texas, a Dallas County election administrator named Toni Pippins-Poole, who attended the ES&S event in Las Vegas, asked ES&S to pay for campaign T-shirts and buttons, which the company agreed to do, writing: “In the past we simply wrote a check to Toni… We can send a check made out to you (Toni) for the $1500 amount.” That was in 2017. In 2019, the county inked a $30 million contract with ES&S for new ExpressVote ballot-marking devices. Another Texas county, Harris—the largest in the state—is currently soliciting vendor proposals for new machines.
In North Carolina, election integrity advocates and experts tried to stop the state from certifying ExpressVote ballot-marking devices from ES&S, whose agent in the state is a company called Printelect. Printelect is owned by Owen Andrews, who has reportedly donated to state officials for years. In August 2019, the state certified the system despite security concerns, and Mecklenburg County, the most populous county, promptly decided to buy it. On December 6, however, journalist Jordan Wilkie, writing for the Carolina Public Press, reported that ES&S had asked the state to “administratively” approve a different version without certification testing because it said it wouldn’t have enough units of the certified version to satisfy demand. The state granted the request on December 15, despite a firestorm of criticism from election integrity advocates and experts who advised that the new system is even more concerning than the one initially certified, and that the system will cost substantially more than hand-marked paper ballots and scanners.
In early 2019, Pennsylvania Auditor General Eugene DePasquale reported that election officials in at least eighteen Pennsylvania counties had accepted donations or other gifts from voting-machine vendors. Philadelphia then proceeded to ignore experts and election integrity advocates by choosing ES&S ExpressVote XL ballot-marking devices. The Philadelphia Controller, the city’s official finance watchdog, later discovered that ES&S lobbyists had donated to the decision makers’ campaigns, providing grounds to cancel the contract. The city fined ES&S $2.9 million for failing to disclose the lobbyists’ donations, but reaffirmed the contract.
Other Pennsylvania counties followed Philadelphia’s lead, including Northampton County, where XL machines failed so spectacularly in voting last month that they had to be cracked open so that the machine-marked printouts could be counted on different machines, revealing that “a candidate that the XL showed getting just fifteen votes had won by about 1,000.” Some voters during that election also reported that the machines were “hypersensitive” and mysteriously “defaulted” to the Republican Party. One such voter quoted by The New York Times said:
I walked into my booth, and I knew that I was going to vote straight Democratic and I’m voting that way until we get some balance back into the government, but when I hit straight Democratic, straight Republican is what registered.
A post-mortem examination of the machines concluded (among other things) that dozens of them “weren’t properly calibrated,” even though an ES&S representative had previously claimed during a sales pitch in Lebanon County, Pennsylvania, that “you don’t have to worry about calibration. There is a calibration routine, but I’ve never had to use it. Scout’s honor.”
As Bloomberg reported, Republican officials in Northampton County were no less skeptical of the machines—a local party chairwoman “said the results can’t be trusted and the experience has shaken voters’ trust… ‘We think voters were disenfranchised,’ she said.” In the wake of the Northampton County debacle, critics of the new devices have formally requested, for a second time, that the state decertify the system. That request is still pending, as is a lawsuit filed on December 13, which seeks to enjoin the use of these systems in the state.
California has jumped on the ballot-marking bandwagon as well. Los Angeles County, the largest county in the US, has built its own $300 million QR code ballot-marking system, in partnership with voting-machine vendor Smartmatic. Although the county had boasted that its system would be “open source,” a public-records request for the code was reportedly denied. Election security expert Alex Halderman recently told Fortune magazine that the system “raises its own security questions that I don’t think LA County has yet satisfactorily addressed.”
In Georgia, election integrity advocates managed to stop state lawmakers from passing a bill in 2018 (SB403) that would have enabled universal use ballot-marking devices. But lawmakers went ahead and passed a new bill (HB316), enabling them in 2019. Georgia has since purchased BMDs from Dominion, whose lobbyist, Jared Thomas, was Governor Brian Kemp’s chief of staff and press secretary from 2012 to 2015 when Kemp was secretary of state. Dominion’s partner in the state is KNOWiNK, a supplier of electronic poll books, which are used to sign in voters and confirm voter registrations. KNOWiNK’s founder and CEO, Scott Leiendecker, is a former Republican election official whose wife donated $2,500 to the campaign of Georgia’s current secretary of state, Brad Raffensperger, in November 2018.
During a test election of Georgia’s new voting system last month, the KNOWiNK e-poll books failed in four out of six counties. Although a federal court had ordered Georgia to have paper voter registration lists as backups, they did no good because the ballot-marking devices were set up so that they could not be activated without functioning electronic poll books. Even after that problem was resolved, some ballot-marking devices cycled on and off while in use. Consistent with the earlier “human factor” studies, observers during that election, including Professor Rich DeMillo of Georgia Tech, reported that most voters did not review the ballot-marking device printouts. The Coalition for Good Governance, a nonpartisan election-integrity nonprofit, has already obtained a landmark federal court ruling banning Georgia’s current paperless voting machines. The group’s ultimate goal is to bring hand-marked paper ballots to Georgia, with ballot-marking devices only for those voters who are unable to hand mark.
In this quest, however, election integrity advocates face a tough battle—not only at state level but also in Congress. ES&S and Dominion both donated to Kentucky’s senior senator and Senate majority leader Mitch McConnell’s campaign earlier this year. McConnell subsequently agreed to an appropriation of $250 million for purported “election security” funding that actually mandated no election security requirements whatsoever. Senator Ron Wyden, Democrat of Oregon, who supports hand-marked paper ballots, has called this funding (provided in an amendment to Senate bill 2524) a “sham,” noting that the money “can be used for anything relating to elections. Including giving states taxpayer dollars to buy insecure voting machines.”
Verified Voting, a powerful national organization that lobbies Congress and states for election security reform and once supported voter-verifiable paper audit machines, has called McConnell’s new “no strings” funding bill a “step in the right direction.” Verified Voting’s president has also misrepresented ballot-marking devices’ capacity to provide reliable evidence for a Risk Limiting Audit that electronic outcomes are legitimate. On November 21, 2019, Professor Stark resigned from Verified Voting’s board of directors in protest, citing such repeated “false” representations by the organization, which he says have served to gloss over the failure of multiple jurisdictions to satisfy the “fundamental requirement” of a “trustworthy paper trail.” Stark wrote that the organization has in effect said: “Don’t worry: VV will teach you to sprinkle magic RLA dust and fantasies about parallel testing on your untrustworthy election. All will be fine; you can use our authority and reputation to silence your critics.”
On December 1, 2019, a second expert, Professor DeMillo, resigned from Verified Voting, citing similar concerns regarding the organization’s “unpredictable” and “contradictory” policy statements regarding universal use BMDs and what a Risk Limiting Audit can accomplish with BMD printouts as opposed to hand-marked paper ballots.
The Securing America’s Federal Elections Act, SAFE Act (S. 2238), which was written primarily by Wyden, is the only federal legislation that would ban at least some ballot-marking machine systems in 2020—those that count votes with barcodes, which applies to most of the current systems, and hybrids that can add machine marks to the printouts after they are cast, such as the ES&S ExpressVote XL and Dominion ICE. The SAFE Act would also mandate that jurisdictions give voters the option to hand-mark their ballots in 2020, although it would allow them to satisfy this requirement with vote by mail; it would not require that polling places give voters the hand-marking option, an omission that concerns some advocates. It would, however, require that jurisdictions conduct Risk Limiting Audits for federal elections held within one year of the date of enactment of the Act.
Yesterday, House and Senate negotiators reached a deal to increase the previously agreed upon election security funding to $425 million. As before, this funding (which is presumably a part of S. 2524) includes no election security conditions. If voters want the bill to exclude funding of DRE touchscreen voting machines and Ballot Marking Devices (with an exception for voters with disabilities), the time to tell their senators and representatives is now.
The stakes couldn’t be higher. Voting machines that make it difficult or impossible to detect hacking can leave voters susceptible not only to stolen elections, but also to false claims of election-rigging. That is a high price to pay for unnecessary electronic pens.
You can read the full article by Jennifer Cohn here.