The Real “Safeguards” on Voting Machines – and the Real Threat
My goodness, the doom and gloom about paperless voting machines seems palpable recently. Amidst concerns about election “rigging”, I hear worries that the lack of a “paper backup” for some DRE voting machines might create fundamental issues for election verification. Goodness knows I am not a fan of paperless voting of any kind, nor of the current generation of DREs generally. But the current media blitz of fear, uncertainty, and doubt (FUD) is getting disconnected from the facts. If this post of “back to the facts” sounds like venting, well, maybe it is just a bit.
Here’s one bit of flotsam in the news stream that floated by recently, and struck me as odd – dinging paperless DREs as lacking a basic “safeguard” of a paper backup. Well, not exactly. It’s not that paperless DREs lack a safeguard; there are plenty of those, too many. What they lack is a fundamental feature – an actual ballot from each voter. By now, finally, most people realize it was a Really Bad Idea to have voting machines that threw away the ballot that recorded each voter’s intent. We tossed out the ballot baby with the hanging chads bathwater.
It’s kind of like saying that a “brakeless racing bike” is missing the safeguard of a way to stop, when in fact a pair of brakes is a fundamental requirement for a racing bike. You could still ride it, but “safeguards” is what you’d need to compensate for this basic omission: limiting riding to only over flat ground, with riders wearing shoes that work as brake pads, and so on.
Paperless DREs are like that. They need extra safeguards to compensate for the fundamental shortcoming of no ballot. And it is election officials and poll workers that work hard to make that bike level and smooth.
The Real Safeguards
The safeguards are “too many” in that
- they require a lot of extra work for hardworking election officials and poll-workers to do, and
- they are all absolutely needed to compensate for the major shortcomings of DREs, especially paperless.
I’ve seen this firsthand, as a poll worker before CA decertified its voting machines, developed safeguards sufficient for the deficiencies found in the “Top to Bottom Review”, and re-certified with the proviso that each county needed to demonstrate adequate staff and poll worker training to operate the systems with all the required safeguards. The re-training was intense, and the additional work on election night was easily an hour or more per precinct on election day, and night, alone.
We had new tamper-evident seals (TES) on every part of the DREs, check sheets for every step in set-up and tear-down, bags for each of several kinds of evidence, a TES-sealed bag of TESs to apply to the bags at the end of the day, double-sign-off sheets, new rules for ballot reconciliation, new procedures for physical chain of custody of pretty much everything.
And that was the tip of the iceberg, considering what the election officials and their temp staff had to do to set all this up, plus the back-office safeguards that the public doesn’t see. For the ultra-geeks, I’ll provide a couple of specific examples later, explaining why each bit of extra work is necessary — but I hope you get the idea here.
The Five P’s for an Election Outcome
Another way of putting this is that with today’s DREs the technology platform has deficiencies that require a complex set of safeguards by people and process. Those two “P’s” are always required, but things get hairy when the 3rd “P”, the platform, wasn’t designed with self-protections that keep the demands on people and process to a reasonable amount.
Sure, there is a risk of the platform being compromised (or malfunctioning unnoticed) if the people don’t do the process adequately. We had that risk for years, with election tech that’s worse than what we have now, and we still had election verification – just with a really vexing amount of work, both for the protection and for the oversight that it was done properly. And that’s part of the 4th “P”, policies, including the policy that the public must be able to verify the first 3 “P”s as part of the election outcome.
The procedures, and documentation of their performance, are both essential. It’s not enough to do the extra work to implement the safeguards required by the platform. Election officials must also prove that they did so, by following policies on documentation and record keeping. The election outcome is an important concept here.
Election outcome is not just the election results, the vote counts, who won, who lost. It is that plus all the evidence that the election was performed well enough to have confidence in the result. That’s the ultimate purpose of elections – a result that’s believable and does not create an impediment to the ordinary transfer of power.
The Federal election of 2000 is the example of what happens when the election outcome is not sufficient, and the transfer of power was in doubt for days. And that was in a calmer time, pre-Ferguson, pre-Occupy-Wall-St., before the computer in your pocket that can spread real or feigned outrage to millions in a moment.
The Real Threat
What we can see in this campaign of 2016 is the greater threat to election integrity – the 5th “P” of politics. This election is politically unique with the campaigns’ messaging on “rigging”, on cyber-risk to elections, on cyber-operations against campaigns and parties, and even foreign government influence.
It’s hard to be sure amidst all the rhetoric, but it sure looks like there is a higher risk of a situation where Federal election results aren’t enough, and the “prove that you ran the election right” demand might be placed on election officials in an unprecedented way that is far more public and adversarial than the usual and relatively gentlemanly activity of election law, litigation, recounts, and so on. The Minnesota Senate fracas between Al Franken and Norm Coleman could look positively quaint by comparison.
As a result, there’s the possibility of far higher stakes for the people and process to generate the evidence that proves that the election results are legitimate. The preparation for, and, heaven forbid, the execution of that proof, will be even more work than usual. Preparation could be huge, both literally in terms of work, and figuratively in terms of importance.
Preparation Is Huge
When you possibly have an election where the second place candidate says, “prove that these are the exactly correct vote totals”, you can never do that regardless of the election technology, including ancient Greek marbles and jars. That’s why “rigging” rhetoric will always be attractive.
But you can prove that all the required protective measures were done, and that there is no reasonable doubt about the result as supported by the technology. In jurisdictions with op-scanned paper ballots and documented chain of custody, the proof is relatively simple: here’s why we know that these are the legitimate paper ballots; we did a manual ballot audit and found no significant discrepancy with the machine counts. Done.
But here’s the bummer for election officials in all the paperless jurisdictions: there is more work to do. They need to prove that there is no reasonable doubt that the DREs accurately recorded each voter’s intent; and recorded the votes properly as tally datasets on removable media; and that the media used in tabulation were those same media; and that the data on the media was not modified en route from polling place to election result. The proof, in other words, is complicated.
Collecting that proof is more work, and yields much more complex records, but it is not mysterious. Election officials have been doing this for years. But the complexity is an inherent vulnerability. The complexity makes it easy for political rhetoric to point fingers at the many places it could have gone wrong, and to cast doubt on the proof. And it could be very effective FUD, if the proof is more complex than the public at large is willing or able to digest.
Where’s the Risk?
The risk is essentially equal for all the paperless jurisdictions, not just the ones that the campaigns are currently pointing to, and the media scrutinizing. They all have tech with the same shortcomings and vulnerabilities, and the same extra work to implement safeguards to compensate. With this voting technology, you have to work even harder to prepare to respond to claims of rigging, and even if you do a great job, it could still get ugly because of the complexity.
I don’t worry so much about the jurisdictions currently in the limelight (or hotseat) because the very limelight itself provides a great incentive to properly prepare and execute. In the so-called battleground states, the state election leadership understands the issues, and the local election officials on the ground have the experience.
Where I really worry is around the edges. Perhaps if FL turns out to be the narrowest-margin state, and we see a repeat of a county’s previous breakdown in physical chain of custody. Or perhaps if GA turns out to be closer than anybody would ever have expected a year ago, and election officials did not prepare as carefully to defend against claims of “rigging”.
That’s what we face in this election, and I say “never again”. We can replace all the aging-out voting systems, paperless and otherwise, with a far better platform that requires reasonable efforts from people to implement processes that create comprehensible proof, enabling meaningful policies of public oversight that are much less vulnerable to the politics of fear, uncertainty and doubt.
— John Sebes
NBC News, Voting Machines, and a Grandmother’s PC
I’d like to explain more precisely what I meant by “your grandmother’s PC” in the NBC TV Bay Area’s report on election technology. Several people thought I was referring to voting machines as easily hacked by anyone with physical access, because despite appearances:
Voting machines are like regular old PCs inside, and like any old PC …
- … it will be happy to run any program you tell it to, where:
- “You” is anyone that can touch the computer, even briefly, and
- “Program” is anything at all, including malicious software specially created to compromise the voting machine.
That’s all true, of course, as many of us have seen recently in cute yet fear-mongering little videos about how to “hack an election.” However, I was referring to something different and probably more important: a regular old PC running some pretty basic Windows XP application software, that an election official installed on the PC in the ordinary way, and uses in the same way as anything else.
That’s your “grandmother’s PC,” or in my son’s case, something old and clunky that looks exactly like the PC that his grandfather had a decade plus ago – minus some hardware upgrades and software patches that were great for my father, but for voting systems are illegal.
But why is that PC “super important”? Because the software in question is the brains behind every one of that fleet of voting machines, a one stop shop to hack all the voting machines, or just fiddle vote totals after all those carefully and securely operated voting machines come home from the polling places. It’s an “election management system” (EMS) that election officials use to create the data that tells the voting machines what to do, and to combine the vote tally data into the actual election results.
That’s super important.
Nothing wrong with the EMS software itself, except for the very poor choice of creating it to run on a PC platform that by law is locked in time as it was a decade or so ago, and has no meaningful self-defenses in today’s threat environment. As I said, it wasn’t a thoughtful choice – nobody said it would be a good idea to run this really important software on something as easily hacked as anyone’s grandparent’s PC. But it was a pragmatic choice at the time, in the rush to the post-hanging-chads Federally funded voting system replacement derby. We are still stuck with the consequences.
It reminds me of that great old radio show, Hitchhiker’s Guide to the Galaxy, where after stealing what seems like the greatest ship in the galaxy, the starship Heart of Gold, our heroes are stuck in space-time with Eddie Your Ship-Board Computer, “ready to get a bundle of kicks from any program you care to run through me.” The problem, of course, is that while designed to do an improbably large number of useful things, it’s not able to do one very important thing: steer the ship after being asked to run a program to learn why tea tastes good.
Election management systems, voting machines, and other parts of a voting system, all have an individual very important job to do, and should not be able to do anything else. It’s not hard to build systems that way, but that’s not what’s available from today’s 3 vendors in the for-profit market for voting systems, and services to operate them to assist elections officials. We can fix that, and we are.
But it’s the election officials, many, many of them public servants with a heart of gold, that should really be highlighted. They are making do with what they have, with enormous extra effort to protect these vulnerable systems, and run an election that we all can trust. They deserve better, we all deserve better: election technology that’s built for elections that are Verifiable, Accurate, Secure, and Transparent (VAST as we like to say). The “better” is in the works, here at OSET Institute and elsewhere, but there is one more key point.
Don’t be demoralized by the fear, uncertainty and doubt about hacking elections. Vote. These hardworking public servants are running the election for each of us, doing their best with what they have. Make it worth something. Vote, and believe what is true, that you are an essential part of the process that makes our democracy truly a democracy.
— John Sebes
Old School, New Tech: What’s Really Behind Today’s Elections
Many thanks to coverage by Bloomberg’s Michaela Ross, on election tech and cyber-security.
Given so much at stake for this election with its credibility rocked by claims of rigging, and so much more at stake as we move ahead to replace and improve our election infrastructure, I’m rarely enthused about reading more about how some people think Internet voting is great, and others think it is impossible. However, Ms. Ross did a great job of following that discussion about how “Old School May Be Better” with supporting remarks from many long time friends and colleagues in election administration and technology worlds.
Where I’d like to respond is to re-frame the “old” part of “old school” and to reject one remark from a source that Ross quoted: “They’re pretending what we do today is secure … There’s not a mission critical process in the world that uses 150-year-old technology.” Three main points here:
- There is plenty of new technology in the so-called old school;
- No credible election expert pretends that our ballots are 100% secure, not even close; and
- That’s why we have several new and old protections on the election process, including some of that new technology.
Let me address that next in three parts, mostly about what’s old and what’s new, then circle back to the truth about security, and lastly a comment on iVoting that I’ll mostly defer to a later re-up on the iVoting scene.
Old and New
Here is what’s old: paper ballots. We use them because we recognize the terrible omission in voting machines from the late 19th century mechanical lever machines (can be hacked with toothpicks, tampered with screwdrivers, and retain no record of any voter’s intent other than numbers on odometer dials) and many of today’s paperless touchscreens: “hack-able” and “tamper-able” even more readily, and likewise with no actual ballot other than bits on a disk. We use paper ballots (or paper-added touchscreens as a stop-gap) because no machine can be trusted to accurately record every voter’s intent. We need paper ballots not just for disputes and recounts, but fundamentally as a way to cross check the work of the machines.
Here’s what’s new: recently defined scientific statistical methods to conduct a routine ballot audit for every election, to cross check the machines’ work, with far less effort and cost than today’s “5% manual count and compare” and variant methods used in some states. It’s never been easier to use machines for rapid counts and quick unofficial results, and then (before final results) to detect and correct instances of machine inaccuracies whether from bugs, tampering, physical failure, or other issues. It’s called “Risk Limiting Audit” or RLA.
Here’s what’s new-ish: the new standard approach is for paper ballots to be rapidly machine counted using optical scanners and digital image processing software. There are a lot of old clunky and expensive (to buy, maintain, and store) op-scanners still in use, but this isn’t “150 years old,” any more than our modern ballots are like the old 19th-century party-machine-politics balloting that was rife with fraud that led to the desire for the old lever machines. However, these older machines have low to no support for RLA.
Here’s what’s newer: many people have mobile computers in their pocket that can run optical-capture and digital image processing. It’s no longer a complicated job to make a small, inexpensive device that can read some paper, record what’s on it, and retain records that humans can cross check. There’s no reason why the op-scan method needs to be old and clunky. And with new systems, it is easy to keep the type of records (technically, a “cast vote record” for each ballot) needed for easy support for RLA.
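To make the RLA and cast-vote-record points above concrete, here is an added example (not code from the original post, from OSET, or from any vendor): a ballot-level comparison audit in Python that cross-checks a hand reading of each sampled paper ballot against its CVR, using the Kaplan-Markov risk measure from Stark’s “super-simple” comparison audit. The 10,000 constructed ballots, the tampering scenario, and the 5% risk limit are assumptions made for the demonstration.

```python
"""Ballot-level comparison risk-limiting audit (RLA), a constructed example.
Each sampled paper ballot's human reading is compared with the machine's cast
vote record (CVR); matching ballots shrink the risk, overstatements inflate it."""
import random

GAMMA = 1.03905  # error-inflation factor used in Stark's super-simple audit

def make_cvrs(n_a: int, n_b: int, n_blank: int) -> dict:
    """Constructed CVRs: ballot id -> machine interpretation ('A', 'B' or '')."""
    choices = ["A"] * n_a + ["B"] * n_b + [""] * n_blank
    return {f"ballot-{i:05d}": c for i, c in enumerate(choices)}

def diluted_margin(cvrs: dict, winner: str, loser: str) -> float:
    """Reported winner-minus-loser margin as a fraction of all ballots cast."""
    lead = sum((c == winner) - (c == loser) for c in cvrs.values())
    return lead / len(cvrs)

def overstatement(cvr_choice: str, manual_choice: str, winner: str, loser: str) -> int:
    """Votes by which the CVR overstates the winner's lead on one ballot (-2..2)."""
    def lead(choice: str) -> int:
        return (choice == winner) - (choice == loser)
    return lead(cvr_choice) - lead(manual_choice)

def km_factor(mu: float, e: int, gamma: float = GAMMA) -> float:
    """Multiplier applied to the running risk for one sampled ballot."""
    big_u = 2 * gamma / mu          # total error bound, in units of the margin
    return (1 - 1 / big_u) / (1 - e / (2 * gamma))

def km_risk(mu: float, overstatements, gamma: float = GAMMA) -> float:
    """Kaplan-Markov P-value for a sample; values above 1 carry no evidence."""
    p = 1.0
    for e in overstatements:
        p = min(p * km_factor(mu, e, gamma), 1.0)
    return p

def run_audit(cvrs: dict, manual: dict, winner: str, loser: str,
              alpha: float = 0.05, seed: int = 0) -> tuple:
    """Draw ballots with replacement until risk <= alpha or N draws are spent.
    `manual` maps ballot id -> human reading of that paper ballot.
    Returns (decision, number_of_draws, final_risk)."""
    mu = diluted_margin(cvrs, winner, loser)
    if mu <= 0:
        return ("no reported win to confirm", 0, 1.0)
    rng = random.Random(seed)       # fixed seed so the run is reproducible
    ids = sorted(cvrs)
    p, draws = 1.0, 0
    for _ in range(len(ids)):
        bid = rng.choice(ids)
        draws += 1
        e = overstatement(cvrs[bid], manual[bid], winner, loser)
        p = min(p * km_factor(mu, e), 1.0)
        if p <= alpha:
            return ("reported outcome confirmed", draws, p)
    return ("escalate to full hand count", draws, p)

if __name__ == "__main__":
    cvrs = make_cvrs(5500, 4500, 0)     # reported: A 5500, B 4500 of 10000
    print(run_audit(cvrs, dict(cvrs), "A", "B"))   # hand readings agree everywhere
    tampered = dict(cvrs)               # constructed: 800 "A" CVRs really read "B"
    for bid in list(cvrs)[:800]:
        tampered[bid] = "B"
    print(run_audit(cvrs, tampered, "A", "B"))
```

With a 10% reported margin and no discrepancies the audit confirms after 61 draws; each two-vote overstatement it finds multiplies the risk by roughly 26, so the tampered run cannot confirm early and ends in a full hand count.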
And finally, here’s the really good part: innovation is happening to make the process easier and stronger, both here at the OSET Institute and elsewhere ranging from local to state election officials, Federal organizations like EAC and NIST, universities, and other engines of tech innovation. The future looks more like this:
- Polling place voting machines called “ballot marking devices” that use a familiar inexpensive tablet to collect a voter’s ballot choices, and print them onto a simple “here’s all and only what you chose” ballot to be easily and independently verified by the voter, and cast for optical scanning.
- Devices and ballots with professionally designed and scientifically tested usability and accessibility for the full range of voters’ needs.
- Simple inexpensive ballot scanners for these modern ballots.
- Digital sample ballots using the voter’s choice of computer, tablet, or phone, to enable the voter to take their own time navigating the ballot, and creating a “selections worksheet” that can be scanned into a ballot marking device to confirm, correct if needed, and create the ballot cast in a polling place …
- … or to be used in a vote-by-mail process, without the need to wait for an official blank ballot to arrive in the mail.
- And below that tip of the iceberg for the critical ballot-related operations, there is a range of other innovations to streamline voter registration, voter check-in, absentee ballot processing, voter services and apps to navigate the whole process and avoid procedural hurdles or long lines, interactive election results exploration and analytics, and more …
- … and all with the ability for election officials to provide open public data on the outcome of the whole election process, and every voter’s success in participation or lack thereof.
That’s a lot of new tech that’s in the pipeline or in use already, but still in the old school.
Finally, two last points to loop back to Michaela’s article.
Election Protection in the Real World
First, everyone engaged in elections knows that no method of casting and counting ballots is secure.
- Vote by mail ballots go to election officials by mail passing through many hands, not all of which may seem trustworthy to the voters.
- Email ballots and other digital ballots go to election officials via the Internet — again via many “virtual hands” that are definitely not trustworthy — and to computers that election officials may not fully control.
- Polling place ballots in ballot boxes are transported by mere mortals who can make mistakes, encounter mishaps, and as in a very few recent historical cases, may be dishonest insiders.
- Voting machines are easily tampered with by those with physical access, including temp workers and contractors in warehouses, transportation services, and pre-election preparations.
- The “central brains” behind the voting machines is often an ordinary antique PC with no real protection in today’s daunting threat environment.
- The beat goes on with voter records systems, electronic poll books, and more.
That’s why today’s election officials work so hard on the people and processes to contain these risks, and retain control over these vital assets throughout a complex process that — honestly, going forward — could be a lot simpler and easier with innovations designed to reduce the level of effort and complexity of these same type of protections.
The Truth About iVoting Today
Secondly, lastly, and mostly for another time: Internet voting. It’s desirable, it will likely happen someday, and it will require a solid R&D program to invent the tech that can do the job with all the protections — whether against fraud, coercion, manipulation, and accidental or intentional disenfranchisement — that we have today in our state-managed, locally-operated, and (delightfully but often frustratingly) hodgepodge process of voting in 9,000+ jurisdictions across the US. I repeat, all, no compromises; no waving the magic fairy wands of trust-me-it-works-because-it-is-cool or blockchains or so-called “military grade” encryption or whatever the latest cool geek cred item is.
In the meantime, short-term, we have to shore up the current creaky systems and process, especially to address the issues of “rigging,” and the crazy amount of work election professionals have to do to get the job done and maintain order and trust.
And then we have to replace the current systems in the existing process with innovations that also serve to increase trust and transparency. If we don’t fix the election process that we have now, and soon, we risk the hasty addition of i-voting systems that are just as creaky and flawed, hastily adopted, and poorly understood, the same as the paperless voting machines that were adopted more than a decade ago.
We can do better, in the short-term and long, and we will. A large and growing set of election and technology folks, in organizations of many kinds, are dedicated to making these improvements happen, especially as this election cycle has shown us all how vitally important it is.
— John Sebes