On October 25, President Barack Obama returned to Chicago, Illinois, walking into the Martin Luther King Community Center in the city's Bronzeville neighborhood to cast his vote. Like about a third of American voters, he did so before Election Day. And also like many Americans, he used an electronic voting system — he submitted his ballot using a 15-inch touchscreen machine known as the Sequoia AVC Edge.
That seemingly minor detail holds significance for only the collection of computer scientists, security professionals, statisticians, and activists who've spent the last decade or so monitoring the seemingly inevitable rise of electronic voting machines. And they've been sounding the alarm, or at least cautioning that Americans ought to pay more attention to the way our votes are cast and counted. You've probably heard them recently, maybe sounding a little exasperated when quoted in publications as diverse as The Christian Science Monitor, Computerworld, and The Wall Street Journal. And depending on your long-term memory or Google skills, you might remember them speaking to The New York Times Magazine on the eve of the last election.
When it comes to the Sequoia AVC Edge with which President Obama submitted his ballot, this is what they're saying: it has “significant security weaknesses.” In fact, a 2007 analysis of California's electronic voting machines concluded, regarding the Edge, “The nature of these weaknesses raises serious questions as to whether the Sequoia software can be relied upon to protect the integrity of elections.” Yet these machines are still in use in part or all of 13 states, according to the database at VerifiedVoter.org, including Colorado, Florida, and Virginia, where races are potentially close.
Five years ago, security experts declared the machine, in effect, unfit for public use. Weeks ago, the President used it to cast his vote. How did this happen? And what does it say about the state of voting in this country, where, as we've seen, just a few hundred votes might determine the next president?
Into the machine
“Remarkably, there's very little money to study election security in this country, which I find amazing,” says Roger Johnston, head of the Vulnerability Assessment Team (VAT) at Argonne National Laboratory outside Chicago. But security is Johnston's job. In 2009 he and the VAT team began trying to crack voting machines. They knew computer scientists had demonstrated software vulnerabilities (more on those later), but wanted to see if a simpler hardware attack might be possible. They started tinkering, spending weekends with the Sequoia AVC Advantage — a machine currently used in four states and serving about 9 million people.
In considering how the mighty Sequoia found its way into our polling places and from there to Johnston’s workbench, we can look back to the 2000 election. Yes, there was the interminable ballot battle, which improbably transformed the phrase “hanging chad” into a late-night punchline, but as a recent Harper's article helpfully recalls, the Bush v. Gore carnival began with a glitch. A single precinct in Volusia County, Florida, late on Election Night — where voters used optical scan, fill-in-the-bubble ballots — reported that Gore had inexplicably received 16,022 negative votes. That magic number put Gore behind in Florida, prompting Fox News to award the state and the presidency to George W. Bush. Only at 3AM did the Gore campaign realize the machines had failed. On the verge of conceding, Gore instead dug in, leading to a legal and political showdown settled — if it’s ever truly been settled, as even a basic timeline of what happened that night provokes disagreement — thanks to a Supreme Court decision the Justices wrote could set no legal precedent, as “our consideration is limited to the present circumstances.”
In the aftermath of our long national debacle, Congress passed the Help America Vote Act (HAVA). Signed by George W. Bush in 2002, it provided states $3.9 billion to update their election equipment and administration. The federal largesse led states to begin buying Direct Recording Electronic (DRE) voting machines from companies such as Sequoia and Diebold. Early DREs left no auditable paper trail: votes were recorded directly to digital memory. As they became more widely used, reports surfaced of glitches, including disappearing and “flipping” votes. By 2006 there was an HBO-backed documentary about the issues, Hacking Democracy; the next year California conducted its top-to-bottom review, asking a group of computer science experts to rigorously examine the voting machines certified for use in the state. Every one had significant security problems.
So by 2009, Roger Johnston was not the only person looking skeptically at DREs. And he wasn’t intimidated by manufacturers’ claims or the secrecy surrounding their products. “We felt very comfortable when we started working on voting machines because we were very familiar with the psychological aura of it,” he says. “It's very much the same kind of thing you see in airport security. There is a preference and a great love of security theater.” That comfortable illusion of safety, he says, is precisely the wrong mindset when it comes to thinking about security. You should be a little on edge, not necessarily afraid, but skeptical and aware.
When he brought that skepticism to bear on the Sequoia AVC Advantage Voting Machine, an older, push-button cousin to the device used by President Obama, the results were almost anti-climactic. It took just two hours to find a workable man-in-the-middle attack, using a cheap microprocessor to record a vote different from the one the user intended. Testing another machine, a touchscreen Diebold Accuvote TS Electronic Voting Machine, produced similar results: a $10 microprocessor available at RadioShack would monitor input and change votes. For $26 you could have a deluxe hack with wireless connectivity. Unlike the software flaws Johnston had read about, the attacks required physical access, but could likely be accomplished in less than a minute.
So what did Johnston’s weekend tinkering prove? The hacks were easy to execute and provided complete, surreptitious access. But an outside attacker, without access to many machines over a lengthy time period, probably couldn’t have much effect. Local elections, with fewer voters and fewer target machines, might still prove tempting, but the real danger lies with insiders: those with continual access to the machines, which often sit in schools and church basements, with little security before Election Day.
And that goes back to what he calls a lack of “security culture.” Ours is a patchwork system, with elections administered by the states and with widely varying degrees of technology and security-consciousness. Few election officials have the resources or expertise to do this work for themselves. “You have to have a mentality that security is hard and you're going to welcome all viewpoints, seek out security professionals, and a more open attitude toward security in general,” he says. “It's also a realization that – oddly enough and kind of counterintuitively – security's actually better with transparency.” The secrecy around voting machines, which manufacturers guard with trade-secret and intellectual-property claims, is counterproductive. It flies in the face of principles of openness and peer review.
And the conversation needs to involve more than just security professionals, he says. It needs to involve citizens who want their voting rights protected, and it needs to involve politicians who can pay for necessary changes. In Virginia, an important battleground state, a ban on wireless-enabled voting machines was reversed in 2008 because there was no money for replacements; Advanced Voting Solutions, the company that built the machines, is long defunct, but its aging machines will likely tally over a million votes in the Old Dominion. Two Congressional bills designed to improve things have stalled, leaving many election officials with the aging machines they bought during the heyday of HAVA funding. And despite nearly a decade of stories about hacks and glitches, there’s been little meaningful discussion among the public. “It's great that we're getting all wound up about this every four years,” he says, “But on November 7, unless there's some evidence of vote tampering, we're done with the issue for another four years.”
An aging system
Another researcher trying to open the conversation to more people is Alex Halderman, an assistant professor of electrical engineering and computer science at the University of Michigan. He served on the California review in 2007, and he also helped crack Washington, D.C.’s pilot test for internet voting. He owns a Diebold device hacked to play the Michigan fight song. Unfortunately, a spontaneously corrupted memory card recently left the machine mute. Through online university Coursera, he just finished teaching “Securing Digital Democracy.” The course had over 15,000 enrollees, he says, most of whom arrived with a healthy skepticism about the current voting system.
DREs, he suggests, may be on their way out. “I think the early enthusiasm for this technology has faded,” he says, “and what we're seeing is a shift toward what should be the next phase, which is hybrid systems combining an electronic record and a paper record. This really should be seen as an advance and not as a reversion or anything like manufacturers were originally painting it. It's really a big security improvement over both paper and purely electronic systems.”
While touch screens and push buttons may offer benefits in terms of accessibility, many activists have come to see paper trails as a necessary check on a purely electronic record. “It's just common sense that you want to have a paper trail,” Halderman says, and the trend seems to be headed in the right direction, with 33 states now requiring such paper records. That's an important (and disturbingly low) number to keep in mind when videos of malfunctioning machines such as this one begin circulating. And they will.
He describes electronic balloting as the latest point along the historical arc of voting technology. In the early 19th century, Americans voted by voice — there was no secret ballot. Public voting meant the opportunity for coercion and vote buying, leading eventually to secret, paper ballots based on the Australian model. By the late 19th century, manipulation of printed ballots spawned a move to mechanical ballot marking, using the products of the Industrial Revolution. And in the middle of the 20th century, IBM-style punchcard machines became the technological norm, along with optical scanners. By these lights, it seems almost inevitable that the personal-computer revolution would impact voting. But, Halderman stresses, “There are ways to use this technology intelligently, based on the state of the art, but what we now know is that we can't just rely on a black box computer system to behave honestly and correctly. We need a way to publicly check and verify that it's correct.” Thus the need for paper verification.
In fact, he says, the state of the art — if you define that as touchscreens with ATM-style thermal printers for paper verification — may not even be the best option. “Probably the best we know how to do today is a precinct-count optical scan system,” meaning the SAT-like sheets where voters darken ovals to mark their choice. Those sheets feed into a computer, which checks the ballot for errors and displays its record for verification. If verified, the ballot then gets sequestered, providing a check against the electronic record.
What should happen after the polls close, says Halderman, is a public, physical audit of the paper ballots. That doesn’t mean a time-consuming full recount, but a statistical sampling designed to verify the initial count. With some smart math and random sampling, this can easily add confidence to the voting process.
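As an added illustration (not from the article, and not Halderman's own code), one form such a sampling audit can take is a ballot-polling risk-limiting audit, sketched here in Python for a two-candidate race. The choice of the BRAVO sequential test, the 5% risk limit, the function names, and the ballot box are all assumptions made for the example.

```python
import random

def draw_sample(paper_ballots, n, seed):
    """Draw n paper ballots uniformly at random, with replacement.
    The seed should be produced publicly (for example by dice rolls) after
    the electronic totals are committed, so the sample cannot be predicted."""
    return random.Random(seed).choices(paper_ballots, k=n)

def ballot_polling_audit(sample, reported_winner_share, risk_limit=0.05):
    """Sequential test of the reported outcome against the paper record.

    sample: hand-read ballots, "W" for the reported winner, "L" for the
            reported loser; anything else (blank, write-in) is skipped.
    reported_winner_share: winner's share of W+L votes per the machines.
    Returns (confirmed, ballots_examined). If the reported winner did not
    actually win, the chance of returning True is at most risk_limit.
    False means "not confirmed, escalate to a full hand count", not fraud.
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner share must be between 0.5 and 1")
    if not 0 < risk_limit < 1:
        raise ValueError("risk limit must be between 0 and 1")
    threshold = 1 / risk_limit
    ratio = 1.0  # evidence for the reported share versus an exact tie
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == "W":
            ratio *= reported_winner_share / 0.5
        elif ballot == "L":
            ratio *= (1 - reported_winner_share) / 0.5
        if ratio >= threshold:
            return True, examined  # enough evidence, stop early
    return False, examined

if __name__ == "__main__":
    # Constructed ballot box: 10,000 paper ballots, machines reported 60% for W.
    box = ["W"] * 6000 + ["L"] * 4000
    sample = draw_sample(box, 500, seed=20121106)  # constructed seed
    print(ballot_polling_audit(sample, reported_winner_share=0.60))
```

The wider the reported margin, the fewer ballots have to be read by hand before the test stops, which is why this kind of check costs far less than a full recount.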
So why don’t we see more examples of this best-possible system rather than, say, Florida’s audit law? In March 2012, a municipal election in Palm Beach County, conducted on DREs, swapped the results of two races, turning winners into losers. Florida’s weak audit provisions discovered the error almost by chance rather than by design. Halderman’s recommendation of post-election auditing runs up against the systemic realities of limited resources, political wrangling, technological ignorance, and long policymaking timelines.
And he grants that irresolvable tensions prevent an ideal system. Efficiency, flexibility, access, reliability, cost, accountability, and security are just some of the considerations in building a better system. Not all of those goals are reconcilable; there have to be trade-offs. From a purely scientific standpoint, Halderman says, he can evaluate certain technologies in light of those trade-offs, but not prescribe a single “correct” system. “Fundamental trade-offs that are to the largest extent a policy question and not a technological question,” he says, and the essential question is one rarely being asked, let alone debated: Just what are our goals as a society for our election system?