Securing the vote: How 'paper' can protect US elections from foreign invaders
In 2016, more than 20 percent of American voters cast their ballots on voting machines that did not produce a verifiable paper trail. For experts, that's a gaping vulnerability, but one that can be addressed. Part 3 of 3.
Cory Morse/The Grand Rapids Press/AP/File
Washington
When Logan Lamb visited the website of Georgia’s Center for Election Systems in Aug. 2016, what he found left him speechless.
Although the cybersecurity researcher had no password or special authorization, he was able through a Google search to download the state’s voter registration list, view files with Election Day passwords, and access what appeared to be databases used to prepare ballots, tabulate votes, and summarize vote totals.
He also discovered a vulnerability that would allow anyone to take full control of a server used for Georgia’s elections.
It was everything a Russian hacker – or any malicious intruder – might need to disrupt the vote in Georgia.
“Had the bad guys wanted to just completely own the central election system, they could have,” Mr. Lamb told the Monitor in an interview.
It remains unclear how many months or years these vulnerabilities existed prior to the 2016 election. Even more alarming, say computer and election security experts, had a hacker exploited the website’s vulnerabilities, it might have been impossible to detect.
That’s because voters in Georgia cast their ballots on electronic touch-screen voting machines that produce no paper record of each vote. Without such a record, there is no way to verify that a computer hacker didn’t reprogram the vote-counting software to systematically assign more votes to one candidate or another.
More than 20 percent of voters nationwide in the 2016 presidential election cast their ballots on voting machines that did not produce a verifiable paper trail.
Aside from Georgia, four states – New Jersey, South Carolina, Louisiana, and Delaware – also rely entirely on paperless touch-screen voting machines. In addition, paperless machines were used in at least some jurisdictions in 10 other states, including Pennsylvania, Texas, and Florida.
To a hacker such voting methods are an open invitation to mischief or worse, security experts say. To officials and experts concerned with securing the accuracy of the US election process, the methods represent a gaping vulnerability.
Mindful of the US intelligence assessment that Russian-backed hackers sought to meddle in the 2016 presidential election, The Christian Science Monitor set out to examine key vulnerabilities in the election system. In two previous stories, we touched on the potential for manipulating voter rolls and the tensions between minimizing fraud and protecting voting rights. In this story, we conclude our series with a look at measures that could help secure the accuracy of the vote count.
Only a matter of time
In 2016, officials detected repeated attempts to gain access to voter registration databases, but they say they found nothing to suggest vote totals were manipulated.
“Although there is no evidence that any past election in the United States has been changed by hacking, it is – in my opinion – only a matter of time until one is,” says J. Alex Halderman, a computer science professor at the University of Michigan. “For that reason, the US needs to urgently reform and upgrade its voting infrastructure.”
Professor Halderman made his comments during a recent panel discussion in Washington sponsored by the Brennan Center for Justice.
Until the 2016 election season, few Americans contemplated the possibility that a hostile nation-state might launch a concerted attack against the essence of American democracy. Suddenly election security became a matter of national security.
“This threat is serious and real,” says Matthew Masterson, chairman of the US Election Assistance Commission. “It is going to take a coordinated effort from state and local officials, the federal government, and private-sector partners to respond.”
The US election infrastructure is a dizzying patchwork of grassroots America, with 52 different types of voting machines counting ballots in 187,000 precincts across the country.
Local officials who actually conduct the elections do not hold the necessary security clearances to obtain the latest intelligence briefings on foreign-source hacking trends and innovations.
Many rely heavily on the expertise of a small number of voting machine manufacturers, on election-service vendors, and on their own generally underpaid IT professionals.
In addition, it is not clear that the nation’s political leaders are fully committed to responding forcefully to address widespread election vulnerabilities. Resources and attention in Washington are currently directed more at politically explosive allegations that the Trump campaign colluded with the Russians than at efforts to fortify American democracy against foreign threats.
“It is not the all-hands-on-deck kind of response I would have expected after an attack on one of the key institutions of the country,” says Walter Mebane, an election forensics expert at the University of Michigan.
For many years a group of leading computer scientists and statistics scholars have been urging local, state, and national leaders to confront America’s election vulnerabilities. They have even identified an efficient and inexpensive way to address it.
Their solution boils down to one word: paper.
No matter what type of voting machine is used, a person’s vote should be recorded on a paper ballot, election security experts advise.
By preserving and protecting every paper ballot cast in an election, officials are safeguarding evidence that can later be used in an audit to verify genuine votes cast by real people.
It isn’t just the threat of hackers. A computer glitch or programming mistake could swing a close election or render electronic results useless.
The good news is that an estimated 77 percent of American voters cast ballots on voting machines that either use or create a paper record of each vote.
In addition, 31 states have passed laws authorizing post-election audits to help verify election results.
The bad news is that the vast majority of these states either aren’t conducting robust post-election audits or they are auditing the performance of the voting machines rather than verifying that the correct candidate was declared the winner.
Who won?
“The question that was being asked and answered is not the question that we really want to have asked and answered,” says Susannah Goodman, director of the national voter integrity campaign at Common Cause.
“The question is: Did the winner win? Is the right person in office?” she says. “That’s the question, but the question we were asking was, ‘Are these machines working?’ and let’s check that by checking some of the machines.”
Audits that check the machines are not useless. They can verify that the tabulator counted the ballots properly. And they can detect a machine miscount, particularly by using a different type of machine with different software that might better interpret certain kinds of marks on a ballot.
But a machine recount will not tell officials anything about whether a computer hacker reprogrammed a voting machine to steal an election.
“They test hard drives, but what’s on the hard drives?” asks Neal McBurnett, an election security consultant working with election officials in Colorado. “What’s on the hard drives is whatever some Russian attacker put there, or some Iranian, or North Korean, or whoever.”
The key to conducting a robust audit is that it relies on the ability to compare machine-counted vote totals against voter-verifiable evidence – actual paper ballots, Mr. McBurnett says. That is the solid foundation upon which a trustworthy audit must be built, experts say.
There are only a handful of states in the US that are currently performing audits that start with a voter-verified paper record. Many counties in California have conducted pioneering work with such audits. New Mexico hires an independent CPA to oversee an audit of a few key races in that state. And Rhode Island recently enacted a law to develop a voter-verified audit system.
But the single most important development in this area is about to take place in Colorado.
'All eyes are on Colorado'
The election in Colorado is today, Nov. 7. More important for election security experts who will be watching closely from across the country, the key dates for the audit are Nov. 16, 17, and 18.
“All eyes are on Colorado. It is immensely important,” says Marian Schneider, president of the election integrity group, Verified Voting.
“This is going to be a blueprint for the rest of the country, hopefully,” adds Susan Greenhalgh, also of Verified Voting.
“A cool thing about Colorado is that we are going to gather evidence about every contest,” McBurnett says. That means that races and issues on the ballot in Colorado, large and small, will be subject to what is called a “risk-limiting audit.”
Such an audit is a systematic post-election comparison between actual paper ballots and the computerized vote totals that are produced by Colorado’s machine tabulators.
Colorado conducts its elections exclusively with mail-in ballots. The ballots are collected at the county level and organized into batches for counting.
The basic concept behind a risk-limiting audit is that it is not necessary to perform a full hand-count of all the ballots to reliably verify an election outcome.
The “magic” in this process – based on the science of statistics – is in the calculation of how many randomly selected ballots must be inspected to guarantee an acceptable level of certainty.
The advantage of a risk-limiting audit is that it sharply reduces the number of ballots to be counted and speeds up the process of election verification.
Here’s how it works:
First, election officials must set the parameters of the audit by deciding on an acceptable risk limit. The risk limit reflects the level of risk officials are willing to tolerate that the election process identified the wrong person as the winner during the initial uncertified tabulation of votes.
For example, a 9 percent risk limit would mean that election officials were willing to accept a 9 percent chance that the election result is incorrect. Put differently: If there is a discrepancy in the election process, the resulting audit could be expected to detect it 91 percent of the time.
Once the risk limit is agreed upon, officials must determine the margin of victory in each contest.
McBurnett uses the 2016 Clinton-Trump race in Colorado to illustrate the process. He calculates Hillary Clinton’s margin of victory as 4.77 percent.
Assuming a risk limit of 5 percent, factoring in the margin of victory, and using a unique algorithm, McBurnett concludes that auditors would need to compare 131 randomly selected ballots (out of more than 2.78 million votes) with 131 corresponding vote records from the computer tabulation to reliably confirm the outcome.
Moment of truth
This is literally the moment of truth in any audit. It is the point where the auditors would begin to notice any discrepancy between the paper ballots and the vote totals reported by machine tabulators. If a discrepancy is found, it would lead auditors to compare a larger sample of ballots against the corresponding electronic vote records.
If all goes well, it may also be the moment when skeptical voters watching this procedure begin once again to trust an American election process.
“We’ll have contests like this in real time. Anyone can watch 131 pieces of paper pulled out and verify that it was random and see that they just entered what the paper said and that it matches,” McBurnett says.
He calls the process a “new and complicated miracle.”
In addition to reassuring American voters, such an audit is likely to send a clear warning around the world.
“What Russian is going to say, ‘Wow, there is a 91 percent chance I will be found out. Even if I do everything perfectly, they will still actually notice this,’ ” McBurnett says.
But there’s a catch. Any deterrent benefit may not extend beyond Colorado. “It [also] says go hack Pennsylvania or Georgia where they don’t have voter verifiable paper ballots,” the security consultant adds.
Hackers tasked by a foreign power aren’t the only threat challenging election integrity.
McBurnett says audits like that in Colorado can also help deter election fraud in a small, rural county. He uses the example of someone who stands to benefit from a $100 million bond issue. The person may be tempted to employ a hacker-for-hire to guarantee the bond issue is approved at the polls.
A risk-limiting audit would likely expose the plot, he says, or deter it in the first place.
On the other hand, election security experts emphasize that an audit alone will never be enough to fully protect the election process.
For instance, a risk-limiting audit is powerless to detect old fashioned ballot stuffing. If someone fraudulently obtained and voted a large number of absentee ballots, the finest risk-limiting audit would misread the fraudulent ballots as genuine ballots since there would be no discrepancy between the paper ballots and the computerized cast vote totals.
Since audits aren’t a panacea, experts say, election officials must also upgrade their cybersecurity defenses by restricting administrative privileges, updating firewall protections, maintaining data backups, and performing regular risk analysis and penetration testing to anticipate an attacker’s next move.
There is also a broader threat to American democracy if voters embrace the suggestion that we cannot trust that the 2016 election wasn’t hacked.
“That cannot be the standard,” says David Becker, executive director and co-founder of the Center for Election Innovation and Research.
“We could never be sure that any election wasn’t hacked,” he says. “What we can be is pretty darn sure that the election results were accurate and counted as cast.”
He adds: “This is probably the most investigated election in history.”
In many cases an audit alone won’t be enough to investigate elections. That’s where Professor Mebane enters the picture.
The election detective
Mebane is a professor of political science and statistics at the University of Michigan and a specialist in an emerging academic discipline called election forensics, which uses statistical analysis to identify potential manipulation of voting processes.
“My expectation is that forensic analysis might be able to tell you stuff like if voters were intimidated or had their votes bought or were paid to stay home,” he says.
These are election discrepancies that would not be detected by an audit. Mebane is hopeful that his brand of post-election sleuthing can help uncover such problems and ultimately help restore confidence in the democratic process.
Last year, Mebane and Matthew Bernhard, a PhD candidate in computer science at the University of Michican, used their expertise to investigate whether a computer hacker might have played a part in President Trump’s narrow victory in Wisconsin and Michigan.
In Michigan, Mr. Trump won by a 10,702-vote margin (.22 percent), and in Wisconsin by 22,748 votes (.76 percent).
An attempt to force a total recount of votes in both states was undertaken at the request of the Jill Stein campaign, but the counting was halted in the courts before it could be completed. Although they only had data from a partial recount in both states, Mebane and Mr. Bernhard set out to see what they could find.
“We were checking to see whether the original count and the re-counted count varied across different types of [voting and tabulation] machine technology being used in the particular jurisdiction,” Mebane explains.
“The idea was if the machines had been hacked then presumably they would have shown asymmetry in the way the two candidates were treated,” he says. “That could have been shown in the re-counted tallies versus the original tallies.”
If someone had hacked into the voting or tabulation machines during the election, there was a chance that the recounts might help expose it. But it would only show up if the recount was conducted by hand. In other words, a machine recount of hacked ballots would show no discrepancy.
“Of course there could have been hacks that were not picked up by that difference because they were not all manual tabulations of the paper [ballots],” Mebane says.
Their conclusion: They found no evidence that a hacker contributed to Trump’s victory in Michigan or Wisconsin.
“It was totally imperfect as a body of evidence,” Mebane concedes. “But it was better than nothing.”
Mebane’s research in the aftermath of the 2016 election illustrates the utility of having a uniform, protected voter-verified record of ballots in every election.
Nonetheless, there are other, more traditional ways to guarantee election security than risk-limiting audits or election forensics.
Counting by hand
In Columbia County, New York, voters fill out paper ballots that are fed into an optical scan voting machine. The ballots are tabulated by the machine, but then after the election county officials organize a small army of workers to manually count every vote cast in every contested election.
Columbia County is southeast of Albany on the east side of the Hudson River. It has about 40,000 registered voters out of a population of 63,000 people.
In the 2016 general election, 27,725 ballots were cast on Election Day. Election workers hand-counted nearly 21,000 of those ballots encompassing 65,000 separate votes for various candidates and issues.
Columbia County has been hand counting its ballots since 2010.
Virginia Martin is a commissioner on the Columbia County Board of Elections. She says she and her Republican counterpart on the board were concerned about allowing election results to be determined inside a computer.
“I can’t see inside a computer. I don’t know how a computer counts votes,” Ms. Martin says. “But I know exactly how our races are counted by doing this.”
Since paper ballots were already part of the voting process, they decided that they would simply hand count the ballots after they had been scanned into the voting machines.
The elections board reaches out to the community and creates bipartisan counting teams of two Democrats and two Republicans. Each team counts one precinct at a time. It took about a week to finish the count for the 2016 general election, well within the deadline to certify the results.
Martin says hand counting offers several advantages over relying exclusively on a machine. In some cases, the machines are unable to detect a vote because the voter placed their mark outside the bubble or wrote outside the designated area for a write-in candidate.
If the election results were based solely on the machine’s reading of the ballots, those votes would not be counted. Martin says when human eyes examine the ballot they can see the clear intent of the voter and count the vote.
“We want to make sure our local candidates get every vote they are entitled to,” she says.
This level of care in the counting is appreciated not only by the election’s winners, but more importantly by the losers.
“Isn’t that the point,” Martin says. “You want the losers to feel the result is accurate. The winners always feel the result is accurate, it is the losers you have to satisfy.”
Columbia County isn’t alone in its fidelity to hand-counted accuracy. According to the Pew Research Center about a million paper ballots in 2016 were hand-counted in 1,800 small counties, cities, and towns across the country.
Most of them were in New England, the Midwest, and the mountain region of the West, according to Pew.
A civic duty
Sheila Parks of the Boston-based Center for Hand-Counted Paper Ballots, calls the process “democracy in our hands.”
“Sitting and counting ballots isn’t so hard,” Ms. Parks says. “It feels like a civic duty to me. Why wouldn’t somebody want to do it?”
But there can be a downside to hand counts. “Virtually every study on this will tell you that hand counting something is always much less accurate than machine counting,” says Mr. Becker. “People get tired and it is really hard to look at bubbles on a sheet.”
On the other hand, there is also a tangible upside.
Last year when allegations emerged that Russia might be trying to hack the US election, unlike many other election officials Martin felt confident.
“There would be no point in anybody trying to hack our voting machines because we count the paper and we keep our paper very secure,” she says.
Some analysts see the issue of election security as an investment, a kind of down payment on the ideal of representative government in America.
“I put this in the hands of the American people,” says McBurnett. “If you care about democracy, it only costs a little bit to do it right.”
Goodman of Common Cause agrees. “If you think about it as just an administrative function it probably costs some money. If you think about it as protecting our nation and preserving our democracy, it is not expensive at all,” she says.
“If you think about what we spend on our national defense, this wouldn’t even make a blip on the radar screen.”
Part 1: Could Henny Nelson, age 131, help Russia rig an election?
Part 2: How efforts to prevent fraud, and voting rights, collide