Will a hacker choose the next president of the United States? If you’ve been following the news on the state of electronic voting, you might have reason to be concerned.
Machines manufactured by Election Systems & Software (ES&S), Hart InterCivic, Sequoia Voting Systems, Premier Election Solutions (formerly Diebold) and others have recently been decertified by election officials in one or more states. Among the reasons cited for the decisions that have been made in Colorado, New Mexico, Pennsylvania, California and elsewhere is lack of security. The bleak situation facing these manufacturers is caused by the increasing belief that their products are not safe from hackers. Hearings on this issue are being scheduled by state and county officials who need to get their respective technical election infrastructures in place soon. Electronic voting equipment vendors have some serious explaining to do.
Punched-card technology, introduced in polling places in the 1960s, allowed election results to be tabulated more quickly and less expensively than was possible when votes were processed manually. Optical scanning technology, which came along a little later, allowed for a much more accurate count. Direct-recording electronic (DRE) voting systems, developed still later, improved speed, cost and accuracy to an even greater extent, and had the added benefit of user-friendly interfaces such as touchscreens that improve accessibility for disabled voters. Internet voting holds the promise of enfranchising thousands of voters who currently have difficulty getting to the polls. But this dream will be realized only if and when the current technology trend is reversed.
A few weeks ago, the Ohio Secretary of State’s office issued their “Evaluation and Validation of Election-Related Equipment, Standards and Testing (EVEREST)” report. The report discloses the results of a nine-week independent security study of equipment manufactured by the primary vendors with which the State of Ohio does business. The results were dismal. All of the tested systems contained “critical security failures.” It might be argued, in defense of the vendors, that these evaluators had extraordinary access to the design details of the tested systems, including source code. But the report findings are clear on this point: “… most of the problems that we found could have been identified with only limited access to voting equipment. Thus, it is safe to assume that motivated attackers will quickly identify – or already have – these and many other issues in these systems. Any argument that suggests that the attacker will somehow be less capable or knowledgeable than the reviewer teams, or that they will not be able to reverse engineer the systems to expose security flaws is not grounded in fact.”
Can this situation be resolved? Several information security researchers have proposed some novel approaches. Dr. Rebecca Mercuri, in her doctoral dissertation, developed what has come to be known as the “Mercuri method.” She introduces a low-tech element into a high-tech solution. A Mercuri method voting system might include a DRE user interface, but it would not store votes locally. Instead, the DRE machine would produce a completed paper ballot that the voter would check for accuracy and then deposit in a physical ballot box. These paper ballots would be processed at a later time to produce the needed vote totals.
This approach solves the audit trail problem in that the intermediate paper ballots could be stored for a period of time during which interested parties might request a manual recount. It does not address the possibility of ballot secrecy being compromised by a hacker who gains unauthorized access to the DRE device. Neither does it necessarily solve the problem of a malicious programmer manipulating the tabulating system and thereby rigging a major election. The National Institute of Standards and Technology (NIST), in fact, has stated that a voter can never fully trust software that he or she did not write personally.
For close elections, allegations of fraud and demands for a recount are almost a foregone conclusion. We’ve come a long way since Richard Nixon refused to question the result of the 1960 presidential election on the grounds of the impact that such a challenge would have on voter confidence. Claims of rigged elections are now seen as a normal continuation of the campaign by alternate means.
The advantage of living in a democratic society is not that we always put the right person in the right job (although we welcome this event when it occurs). The real value of our democratic institutions is that we settle public questions with ballots rather than bullets. But this works – we subordinate our personal wills to the will of the majority – only when we believe the system is fair.
We trusted hand-counting of paper ballots in the past because all interested parties had an opportunity to have their representatives present to look over the shoulders of the people doing the counting. When we introduced technology into the vote-counting process to improve efficiency, we undermined this confidence because no one can look over the shoulders of a computer.
Will we ever see a programming team that is so skilled that they will be able to develop an electronic voting system that is guaranteed to be hack-proof? Will there ever be a blue-ribbon commission of such unimpeachable integrity that they could vouch for such a system? Until we can answer both of these questions in the affirmative, it might be the wisest course to put all purchases of electronic voting solutions on hold.