TPC 2: Electronic Voting is a Threat to Democracy

In the impeachment trial of Donald Trump, the spectre of election interference in the upcoming 2020 Presidential Election was raised again and again. But everyone continues to ignore the actual underlying threat to democracy in the United States: the dangers of electronic voting.

Welcome to the second episode of The Private Citizen. As long as I’ve reported on technology topics, one idea has been advanced again and again by many: Why don’t we do electronic voting? If you understand anything about IT security and privacy, the answer is obvious. Because it is a really bad idea. Today, I’m going to explain why.

Why am I doing this on a privacy show, you might ask? Not only is it an extremely important topic for any citizen, but privacy plays a big role in casting your vote. There are important reasons for your vote to be anonymous. And none of these matter when your vote gets manipulated, obviously. So it’s imperative for democracy to function that your vote is both intact and anonymous.

Fear, Uncertainty and Doubt

At a time when democratic leaders, like the lead House impeachment manager Adam Schiff, cast absolute doubt on elections before they even happen, democracy is in peril.

But as it turns out, you don’t even need to construct questionable arguments about whether President Trump solicited election interference from Ukraine officials to cast doubt about the upcoming 2020 Presidential Election. Because as long as you use electronic voting machines, any results in these elections aren’t trustworthy at all.

Political pundits all over the US are already virtually certain that the election will be hacked. Here’s The Washington Post, representative of many of those voices: “The loser of November’s election may not concede. Their voters won’t, either.”

What would happen if President Trump had an early lead that evaporated as votes were counted, and then he refused to concede? The idea isn’t too far-fetched; Trump has raised it himself.

It’s not just Trump who might not accept election results. During Trump’s impeachment trial this past week, Rep. Adam Schiff (D-Calif.) said that “we cannot be assured that the vote will be fairly won” in November because of the allegations that Trump was trying to “cheat” by pressuring Ukraine to announce an investigation into Joe Biden and his family.

External forces could cause an election meltdown, too. A recent NPR-News Hour-Marist poll found that “almost 4 in 10 Americans believe it is likely another country will tamper with the votes cast in 2020 in order to change the result.” What if Russians hack into Detroit’s power grid and knock out electricity on Election Day, seriously depressing turnout – and Trump wins the electoral college because he carries Michigan? Most states do not have a Plan B to deal with a terrorist attack or natural disaster affecting part of a presidential election.

The vote this year is particularly vulnerable to a crisis of legitimacy because Americans’ trust in elections is already low; that NPR poll found that only 62 percent of Americans think our elections are fair.

The combination of these four factors – Republican voter suppression, pockets of incompetence, dirty tricks and increasingly outrageous language about stolen elections – creates a volatile mix in our hyperpolarized era. Unfortunately, we don’t have any good short-term fixes available between now and November. It’s not clear that we can rely on responsible leaders of both parties to assure democratic transitions and acceptance of election results.

Rolling Stone is spreading even more fear, uncertainty and doubt.

Four years ago, for an embarrassingly modest price, Russia pulled off one of the more audacious acts of election interference in modern history. The Internet Research Agency, the team of Kremlin-backed online propagandists, spent $15 million to $20 million and wreaked havoc on the psyche of the American voter, creating the impression that behind every Twitter avatar or Facebook profile was a Russian troll. Russian intelligence agents carried out the digital version of Watergate, infiltrating the Democratic Party and the Clinton campaign, stealing tens of thousands of emails, and weaponizing them in the days and weeks before the election. Russian-based hackers tested election websites in all 50 states for weak spots, like burglars casing a would-be target.

And you don’t even need Russian hackers or very many people who need to cast votes to make a total mess of it, as the Democratic caucus in Iowa has just proven conclusively.

People saw it coming, too. Let me quote from the article “Iowa Will Be the First Test Case for 2020 Election Security” which ran in The New York Times a few days before the primary:

The good news is that caucuses are inherently safer than traditional elections. But campaigns remain dangerously exposed to hackers, and election systems in many states are still vulnerable.

Weeks before the Iowa caucuses and the start of the 2020 presidential election season, one of the few senior Democratic campaign staff members whose full-time job was guarding against hackers and stopping a repeat of 2016 quit in frustration. The campaign – in this case, Pete Buttigieg’s – simply did not care enough about security, Mick Baccio, its former chief of information security, wrote in a five-page resignation letter this month, a portion of which was obtained by The New York Times.

“The campaign continues to mimic the relaxed behavior and poor security posture that led to the Russian intelligence compromises in 2016,” he wrote.

But in the end, you didn’t even need hackers to turn this thing into a giant clusterfuck – they managed on their own, just by rolling out untested, broken software without training.

All of this fear, this partisan bickering, all of the breaking news, the shouting and the panic could be avoided. Simply by employing a system that has centuries of experience and trust behind it: Paper ballots. We know it works. So why not use it and save us all of this trouble?

Why Electronic Voting is a Terrible Idea

First, let’s explain why electronic voting machines, of any type, are a terrible idea. It’s an idea that gets brought up again and again, but that doesn’t change that it’s fundamentally flawed. And that isn’t changing either. There’s plenty of evidence for it, too.

Towards the end of last year, I was at an infosec conference in Prague. The first keynote there was by Computer Science and Engineering professor and cryptologist J. Alex Halderman from the University of Michigan. Among a number of other people in the field, he’s spent years researching the problems with electronic voting machines. Here’s a video of him on C-SPAN in August, explaining the results of the annual voting machine hacking village at the DEF CON security conference in Las Vegas. At that event, hackers get together to find flaws in electronic voting machines. And they find multiple issues every single year. In 2018, Halderman even demoed such a hack live at DEF CON 26.

Halderman concludes: “Every U.S. voting machine subjected to rigorous independent security review suffered vulnerabilities that would enable vote-stealing attacks.”

In a current paper, he and his colleagues even showed that machines which print out a piece of paper that the voter can review, and which is then scanned in again and tallied, aren’t safe: “Can Voters Detect Malicious Manipulation of Ballot Marking Devices?”

In 2009, Halderman and others pioneered the use of Return-oriented programming (ROP) to breach electronic voting machines, in what is surely one of the coolest hacks ever.

And all of this just supports a ton of other research that I’ve been aware of for years and that proves, again and again, that these machines all have flaws and should never be used.

I believe the report of the latest DEF CON voting village summarises it best:

It is beyond the current and foreseeable state of the art to construct computerized (software and hardware based) voting devices that effectively resist known, practical forms of malicious tampering. However, this need not mean that elections must forever be vulnerable to compromise. Certain classes of voting equipment, including some (but not all) of the devices displayed at the Voting Village, can still be used to conduct high-integrity elections – in spite of their vulnerabilities – by conducting statistically rigorous post-election audits. Whether this is possible depends on the specific category of voting technology in use and, critically, whether a properly designed post-election audit process is routinely performed as a part of every election.

Systems that use paper ballots, such as optical scan voting devices, are physically designed to preserve a voter-marked record of each voter’s intended choices (the original paper ballots themselves) which cannot be altered by even the most maliciously compromised software. These paper ballots are a prerequisite for the use of routine post-election Risk Limiting Audits (RLAs), which are a state-of-the-art, statistically rigorous technique for comparing (by human eye) a sample of ballots with how they were recorded by machine. This allows us to reliably determine the correct outcome of even an election conducted with compromised machines.

In particular, we emphasize that these audits can only be performed on paper-ballot-based systems. DRE (“touchscreen”) voting devices cannot be used to conduct reliable or auditable elections in this way, because the stored vote tallies (as well as the ballot display) are under the control of precinct voting machine software that can be maliciously altered (in both theory and practice). Unfortunately, the recommended practice of auditable paper ballots coupled with routine postelection risk limiting audits remains the exception, rather than the rule, in U.S. elections.
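The risk-limiting audit idea from the report quoted above, as an added example that is not part of the original show notes or of the DEF CON report: a two-candidate ballot-polling audit in the style of BRAVO, which tests the machine-reported winner against hand-read paper ballots instead of comparing each ballot to its machine record. The candidate names, the 60% reported share, the 5% risk limit and the patterned samples are constructed; a real audit draws the ballots at random.

```python
from dataclasses import dataclass
from itertools import cycle, islice


@dataclass
class AuditResult:
    confirmed: bool        # True: reported outcome passed at the risk limit
    ballots_examined: int  # paper ballots read by hand before stopping
    statistic: float       # final value of the sequential test statistic


def ballot_polling_audit(sample, winner, loser, reported_share, risk_limit=0.05):
    """Sequential test of 'the reported winner really won' on paper ballots.

    sample: hand-read ballots in the order drawn.
    reported_share: machine-reported winner share of the winner+loser votes.
    If the true winner share is 50% or less, the chance that this returns
    confirmed=True is at most risk_limit.
    """
    if not 0.5 < reported_share < 1:
        raise ValueError("reported winner share must be in (0.5, 1)")
    threshold = 1 / risk_limit
    statistic, examined = 1.0, 0
    for ballot in sample:
        examined += 1
        if ballot == winner:
            statistic *= reported_share / 0.5
        elif ballot == loser:
            statistic *= (1 - reported_share) / 0.5
        # Blank or other marks do not bear on this pair and leave it unchanged.
        if statistic >= threshold:
            return AuditResult(True, examined, statistic)
    # Sample exhausted without confirmation: escalate to a full hand count.
    return AuditResult(False, examined, statistic)


def constructed_sample(pattern, size):
    """Deterministic stand-in for a random draw, so the result is repeatable."""
    return list(islice(cycle(pattern), size))


# Constructed scenario: the machines report candidate A at 60% against B.
REPORTED_SHARE = 0.60
# Paper agrees with the report: 3 of every 5 sampled ballots are for A.
MATCHING_PAPER = constructed_sample(["A", "A", "A", "B", "B"], 500)
# Paper disagrees: only 2 of every 5 are for A, so B actually won.
FLIPPED_PAPER = constructed_sample(["A", "B", "A", "B", "B"], 500)

if __name__ == "__main__":
    for name, paper in (("matching", MATCHING_PAPER), ("flipped", FLIPPED_PAPER)):
        print(name, ballot_polling_audit(paper, "A", "B", REPORTED_SHARE))
```

When the paper matches the report, the audit stops after a small fraction of the ballots; when it does not, the statistic never reaches the threshold and the only way forward is the full hand count that a paper trail makes possible.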

And if you still don’t believe me or you find all of this too complicated, watch this video by Tom Scott. He explains all of this very succinctly. Thanks to Georges Walther for sending me that link.

If It Ain’t Broke, Don’t Fix It

There’s a very easy way to fix all of these problems: Use paper ballots. These can then be counted – either old-school by hand or with computerised equipment – and, most importantly, re-counted in the case of a disputed result. At the very least, you need electronic voting machines that scan in a paper ballot right in the booth.

The only thing you lose with paper ballots is some speed in immediately getting results on election night, but that seems to me a very minor thing to give up for election security. Especially seeing that faults in electronic voting systems can happen (even without hacking attempts) and that will delay things a lot more – see the Iowa caucus. Additionally, you can get very accurate predictions right off the bat anyway, if you do exit polling right.

A paper trail enables you to go back and re-count results at any point if someone calls the integrity of the election into question. There have been many well documented cases of election fraud using paper ballots, of course, but these approaches don’t scale and usually only succeed in a very regional setup. We also have a lot of experience in how to fight this kind of fraud.

Why try and develop even more fancy electronic voting machines when we know the fix exists already? Why is everybody so hell-bent on going digital when it’s clearly dangerous and not necessary at all?

Let me conclude by stressing how important the integrity of elections is to a democracy. If the voters lose faith in this crucial process on a large scale, this form of government is finished. That’s it.

Feedback

Kai wrote me a nice message from Switzerland, saying he really enjoyed the first episode. He appreciated the background on Clearview AI as most other IT outlets only report the most lurid parts of the story. He is of the opinion that data privacy is important and that it’s good that I’m doing this show now.

Fadi writes:

You mentioned that your position will be from a more “realistic” perspective. I think this is important, as I have to say, my personal position is that we are in a somewhat losing battle! Technology is advancing, and there are some aspects that cannot be avoided anymore. But on the other hand, it’s important to be aware of the possibilities and dangers, and somehow find an acceptable compromise to go through life.

Here let me also mention, that coming from a different country, where digital privacy is not a valid expectation, it’s interesting to see what new tools would be created to provide people with acceptable assurances. This is especially important when looking at this topic from what is legal compared to what is possible. For me, the Snowden revelations highlighted that what is of more importance is what is possible, because for some actors, legality is not a major concern.

Finally, you mentioned at the start of the podcast that you had friends from all over the world. I hope that you’d consider me as a friend too. It’s somehow asymmetrical, as I have been listening to you since the Linux Outlaws, although I haven’t been active.

Butterbeans says:

You seem to be very aligned with things I’m interested / concerned with, and hearing about this show was wild because I’ve become much more interested in this topic as of late and clearly you are too. I hope the show gains traction and you’re able to grow your audience to a level that sustains you. I salute your bravery in taking the leap of faith to leave a corporate environment and strike out on your own.

Shelby also wrote me to say he thinks I’m covering the right topic. They’ve been listening since the Linux Outlaws days and missed my rants to get them through the work day.

If you also have thoughts on the things discussed here, please feel free to contact me.

Support the Show

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.

Aside from the people who have provided feedback and are credited as such above, I’m thankful to Raúl Cabezalí, who recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

But above all, I’d like to thank the following people, who have supported this episode through Patreon and thus keep this show on the air: Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Georges Walther, Dave, Kai Siers, Matt Jelliman, Fadi Mansour, Joe Poser, Butterbeans, Shelby Cruver and Dave Umrysh.