America's election security is pretty bad, but there are significant signs of improvement, said cryptography and election-security expert Matt Blaze at the Shmoocon hacker conference this past weekend in Washington, D.C.
"Does new voting technology enable voting fraud, or does it prevent voting fraud?" rhetorically asked Blaze. "Yes."
He explained that the American election process has computers and software at every stage of the process, including voter registration and verification, the designing and distribution of ballots, the actual voting itself, and the tallying of votes and the communication of results. Machines at almost every step have been shown to be vulnerable to hacking, yet we can't just go back to dropping envelopes in ballot boxes.
"U.S. elections are the most complex in the world," Blaze said. "You're gonna need computers somewhere."
Fortunately, he said, policymakers and the general public are now aware of how vulnerable electronic voting systems are to tampering, and many states have taken at least initial steps to make them more secure.
"Voting security is by far the hardest problem I have ever encountered," said Blaze, who was recently a professor of computer and information services at the University of Pennsylvania but now holds the McDevitt Chair of Computer Science and Law at Georgetown University.
That's partly because voting in the United States has tough requirements. The voting process must be transparent, yet every ballot has to be secret. Every vote should be counted, but you shouldn't be able to trace a specific ballot back to a specific person. It makes verification very difficult — you can't prove your ballot was altered or lost if you don't know which one was yours.
Adding to that, the U.S. voting system is maddeningly complex — "both decentralized and hierarchical," Blaze said. The federal government sets broad standards, but leaves it up to the states to set and enforce rules and laws. Elections are managed at the county level, but voting is held in neighborhood precincts.
The multiplicity of federal, state, county and municipal governments means that people voting in one neighborhood will often receive a slightly different ballot, with different issues to be voted upon, than people voting in the next precinct. In some cases, a single precinct will offer two or more different ballots, depending on a voter's street address.
In the 2016 general election, Blaze said, there were 117,000 polling places in the U.S., and 178,000 distinct ballots. Nearly 139 million ballots were cast, although about 43 percent of voters cast early ballots or voted by mail, leaving about 82 million people showing up at polling places on Election Day.
So of course the election process needs to be partly computerized — "computers solve real problems that election officials have," Blaze said.
But that doesn't mean it's been done well. We've heard about the (apparently) Russian intrusion into the voter-rolls databases in several states during the run-up to the 2016 election. We've heard about how unsafe electronic voting machines have turned out to be, a situation that arose after Congress forced the states to rush into electronic voting after the mess of the Florida recount process in the 2000 presidential election.
"Every current voting system that's been examined is terrible," Blaze said, with numerous ways to intercept, alter or destroy votes at several stages of the process. Back in 2007, he and several of his students examined the first batch of electronic voting machines and found that every single one could be compromised.
Among the worst, he said, were the direct-recording-election (DRE) machines that let you vote on a touchscreen, tallied up the votes in software and transmitted the results electronically to a county election facility. There was no "paper trail" to independently verify the vote tabulation — if someone ever got into one of those machines to change the votes, we would never know.
It's ironic, Blaze said, that the famous picture of an election official examining a paper ballot during the Florida recount "was used to illustrate the primitivism" of punch-card voting machines, "but now is used to demonstrate the robustness of paper ballots."
Optical-scanner machines, which scan the bubbles filled in by a voter on a paper ballot, are also pretty easy to hack, but at least there are paper records of votes if there is any dispute. Yet it's still difficult to tell if a voting machine or a central vote tabulator has been compromised, or if the communications between the voting precinct and the central counting facility have been tampered with.
Light at the end of the tunnel
Two things really helped spur general awareness of election-security problems in the past few years, Blaze said. One was the Voting Village workshops begun in 2017 at the annual DEF CON hacker conferences, which have generated a lot of mainstream media attention by showing how easy it is to hack into voting machines.
Blaze helped set up and run the Voting Village, and said that its results showed that "yep, everything is worse than we thought."
The other big development was the release in September 2018 of a study conducted by the National Academies of Sciences, Engineering and Medicine called "Securing the Vote: Protecting American Democracy." Ordinary Americans may not be reading it, but you can bet congressional staffers have had to.
It recommends that all polling precincts use human-readable paper ballots by the time of the 2020 general election, that state and local election officials conduct regular randomized "risk-limiting" audits to check the integrity of voting machines, and that under no current circumstances should voters be allowed to cast their votes over the internet.
Blaze called the report "the single best document ever on voting security." The 180-page report is available to buy or as a free PDF download.
And there have been some positive results. The DRE machines introduced with the first wave of electronic voting have begun to age out, Blaze said, and they're being replaced with optical-scanner machines that use paper ballots.
Several states now implement risk-limiting audits to test their voting machines, and a few bills have been introduced in Congress to mandate that all states both implement audits and use only paper-trail machines.
It's possible that we may get all these safeguards into place before anyone tries to exploit the weaknesses they address. Asked by an audience member about the probability that electoral-machine weaknesses would be exploited to change an election's results, Blaze replied that so far, there was no evidence that anyone had actually done so in a U.S. election.
"Maybe we've got a honeymoon before the attacks begin," Blaze said.