Georgia’s Election System Raises Old Computer Security Concerns
Earlier this year, Georgia’s Secure, Accessible, and Fair Elections Commission held a public meeting at the state capitol to answer a pressing question: What should Georgia do to replace its aging, touchscreen voting machines, as well as other parts of its election system? In the preceding years, security vulnerabilities in the state’s election system had been repeatedly exposed: by Russian operatives, friendly hackers, and even a Georgia voter who, just days ahead of the 2018 midterms, revealed that anyone could go online and gain access to the state’s voter registration database.
Computer scientists and elections experts from around the country had weighed in during the seven months of the commission’s deliberations on the issue. They submitted letters and provided testimony, sharing the latest research and clarifying technical concepts tied to holding safe, reliable elections. Their contributions were underscored by commission member Wenke Lee, co-director of Georgia Tech’s Institute for Information Security and Privacy, and the group’s only computer scientist.
Despite this, the commission ultimately did not recommend measures backed by Lee and his colleagues at places like Stanford, Yale, Princeton, MIT, and Google — including the recommendation that the state return to a system of paper ballots filled out by hand, combined with what scientists call risk-limiting audits. Instead, the commission recommended buying a system that included another, more expensive touchscreen voting machine that prints a paper ballot. Months later, Lee was at a loss to explain: “I don’t understand why they still don’t understand,” he said.
With its decision, Georgia’s counties remain among the 33 percent of counties nationwide that use either machines with no paper trail or machines that print paper ballots, which are then scanned on separate machines. The vast majority of the rest of the counties use paper ballots filled out by hand, which are then scanned or counted by hand. With the passing of the Help America Vote Act (HAVA) in 2002, all polling places nationwide must also include at least one electronic voting machine for voters with disabilities.
But with Texas, Ohio, Pennsylvania, Delaware, and New Jersey among the many states also overhauling their election systems before the 2020 presidential election, Georgia’s decision has computer scientists and election experts worried that lessons learned over nearly two decades of computerized voting are being woefully ignored. Indeed, hundreds of millions of dollars have been or will soon be spent in these and other states on technology that experts say decreases election security and erodes election integrity. And this, they say, will only contribute to the sizeable portion of the American public who already worry that their votes are vulnerable to hacking and other threats.
The sentiments of many computer scientists were crystallized by Richard DeMillo, a colleague of Lee’s at Georgia Tech who recommends casting paper ballots filled out by hand for all voters, except those with disabilities who would benefit from using machines. “You simply can’t construct a trusted paper trail,” DeMillo said, “if you let a machine make a ballot for you.”
Computer science’s scrutiny of voting systems goes back several decades. The Federal Election Commission issued its first standards for computer-based voting as far back as 1990, but it wasn’t until the 2000 presidential election between George W. Bush and Al Gore, which hinged on the shortcomings of punch-card voting, that states across the nation began to digitize their election systems to varying degrees. Just three years later, one of the first independent computer security analyses of electronic voting systems was already raising flags.
With the global spread of computer technology and the increasingly sophisticated tactics of nefarious actors, concerns have only multiplied since then — not least because many state voting systems have not been redesigned since shortly after the Bush-Gore election. Those systems are “vulnerable to nation-states now,” said John Sebes, the chief technology officer at OSET Institute, a nonprofit organization that researches and develops election technology, “and operated by county officials with no IT experience.”
That was among the concerns raised in a 160-page report published last year by the National Academies of Sciences, Engineering, and Medicine. In that report, some of the nation’s leading experts on computer science and elections concluded that there is no “technical mechanism currently available that can ensure that a computer application — such as one used to record or count votes — will produce accurate results.” One reason, the authors noted: “[Malicious software] can be introduced at any point in the electronic path of a vote — from the software behind the vote-casting interface to the software tabulating votes — to prevent a voter’s vote from being recorded as intended.”
It was with such realities in mind that Wenke Lee tried to explain to the Georgia committee, early in its deliberative process, just what it would take to build a more secure electronic voting system. He drew on a concept that had been kicking around computer science for more than a decade called “software independence.” The idea, introduced in a 2008 paper, refers to the ability to verify computerized election results without depending on the software used in that system. Examples provided by the authors included paper ballots filled out by hand and scanned, and touchscreen machines that print out paper ballots.
That might seem like a straightforward solution, but a series of studies since 2008 have tested the notion that voters using a touchscreen or other electronic machine will or can verify their votes on a printed ballot. The answer is mostly, “no.” Last year, DeMillo collaborated on a study of voter interaction with one such system used during the 2018 Tennessee primary elections. The analysis came to two troubling conclusions: Most voters don’t bother to verify paper ballot summary cards, and a significant percentage can’t recall the selections they had made on the computer touchscreen anyway — even when they had cast their votes just moments before.
Andrew Appel, a computer science professor at Princeton University and one of the authors of the National Academies report, said DeMillo’s research “has strong implications about how we assess voting technology.” If voters don’t and can’t verify ballots printed by machines, he said, then “the average voter can’t notice if the machine is cheating.”
Lee had DeMillo’s results in mind when he tried, near the end of the Georgia commission’s last meeting, to alert his fellow members to questions he had asked the voting machine vendors who had submitted proposals to the state. “Have you done [a] study to show that the voters can actually clearly verify the contents?” he recalled asking the companies. Their answer, according to Lee: “We don’t deal with that.”
Katina Granger, spokeswoman for Elections Systems & Software, the nation’s largest election technology company, according to the National Academies report, confirmed that her company doesn’t do such research. Instead, she said, the research “should be conducted by a third-party, across jurisdictions and over time, and the research should be peer reviewed.”
As it happens, the Tennessee system DeMillo studied uses the same technology Georgia is now preparing to buy for $150 million. Georgia will then have one of the nation’s most expensive election systems.
The decisions Georgia and other states are making on updating their election systems are not regulated by the federal government. Instead, since the Help America Vote Act passed in 2002, the Election Assistance Commission and the National Institute for Standards and Technology work together to develop voluntary guidelines for election systems. Most states use these guidelines in some way, but DeMillo and other computer scientists have criticized the guidelines for being vague and unenforceable.
Georgia and other states are not only changing their voting machines. They are also looking at how to ensure the validity of election results through audits. And if experts insisted to Georgia policymakers that ballots marked by hand are the only way to produce reliable paper trails for any audit, the National Academies report was clear about what kind of audit should be used: “States should mandate risk-limiting audits” before certifying election results, the authors wrote.
For decades, many states performed audits by hand-counting ballots in a fixed percentage of precincts. But a fixed percentage “may not provide adequate assurance with regard to the outcome of a close election,” the National Academies report authors wrote. Risk-limiting audits, on the other hand, examine “randomly selected paper ballots until sufficient statistical assurance is obtained.” The so-called “risk limit” refers to the largest possible chance that the audit will not correct an inaccurate result. For example, a 10 percent risk limit means there is 90 percent chance of an audit identifying the correct result of an election.
Philip B. Stark, a statistics professor at UC Berkeley, developed the idea of risk-limiting audits more than a decade ago. He says that pilots of the technique have been conducted in a handful of states. But he cautions that risk-limiting audits should not be conducted with machine-printed ballots. “If the paper trail is not reliable, all you’re doing is confirming what the papers show.”
Georgia state Senator William T. Ligon Jr. doesn’t agree that touchscreens are a less reliable method for casting votes. He was a sponsor of the bill, now signed into law, overhauling Georgia’s election system. (State Representative Barry Fleming, the bill’s lead sponsor, as well as co-chair of the SAFE Commission, did not respond to multiple requests for comment.) Ligon said he wasn’t familiar with Lee and his advice to the commission. Instead, Ligon cited the testimony of former Georgia Secretary of State Cathy Cox as one of the reasons he chose to back a system based on touchscreen voting machines that print out a paper ballot.
Cox told the legislature about “under votes, over votes, and stray votes. They all come with hand-marked paper ballots,” Ligon said. It was clear to him that printed ballots bring more certainty. When asked about research demonstrating that voters don’t or can’t verify their ballots when printed, Ligon said, “voters have to take some responsibility for verifying their ballots.”
“In my opinion, we’ve built in as many systems to protect the vote as possible — and that’s the goal,” Ligon concluded.
Meanwhile, in Europe, countries such as the United Kingdom, Germany, and the Netherlands all use paper ballots marked by hand. The Netherlands has recently taken computers out of vote tallying as well.
Until such standards are reached in the U.S., Lee said, he will not be dissuaded from speaking up on the issue of election security and integrity, and he hopes other scientists will do the same. “I would urge all scientists and engineers, when they have the opportunity… to educate about what technologies should be used, and not stay in our ivory towers.”
Timothy Pratt is a journalist based in the Atlanta area. He has written for The New York Times, The Economist, and The Guardian, among many other publications.
For readers here, please help debunk “backup paper ballots” language circulating today (like by Sen Klobuchar and the media). Use term “computer ballots” instead. Based on this logic:
1 backup paper ballots” r machine output & should be called “computer ballots”
2. “backup” term is falsely pacifying
3. “computer ballot” “paper ballot”
In France we use paper, people get together and count the ballots, they oversee each other. There is very little fraud…sometimes a corrupt official plays Jesus and gets the dead to vote but this Gogolian stunt is rare. There are people in the US who cannot be convinced that their expensive machines will not solve but rather deepen the problem. And this despite the testimony of such knowledgeable people as professor Lee. 150 million dollars indeed. Georgia desperately needs the money elsewhere. Paper ballots, counted by real human beings, it works, it’s inexpensive, it’s all so human.
I’m a computer scientist, and I think the only way you could have secure voting system via computer is every single voter was issued a token, and RSA Seure ID token before they voted, which they keep. Of course people would lose them, so still not a good solution. However, if every electronic ballet was digitally signed with the RSA token then it could, in theory be secure. The problem becomes with the electronic ballots. I would expect there to be local computer systems that would store everything locally, then transported to the main election hqs for final counting.
However, I don’t think it is reasonable to expect that even this system could be compromised. I like the hand filled out ballot, like cards, that are then scanned into a machine and the hand ballots are kept in a secure box sepearte from the machine. Maryland used this method for years. I think it works. Then the local machines that tabulate the results, and the physical ballots can sepeartely be transported to a HQS where both are tabulated again, and compared. Only then are the final results uploaded into the main computer (standalone only!), for final tabulation.
Tokenization is indeed one approach scientists are developing; though, its in the form of blockchains.
Nevertheless, the problem is larger than we think. The available voting machines in the market rely on a proprietary technology that was built in the 90s: not suited (nor designed) with today’s infrastructure like the internet, tokens, even a printer (for paper ballot/trail)…
We need to think out-of-the-box and come up with a better solution.
I have been studying this issue since the seventies. There was NO known solution using electronic devices back then, and NO solutions have been published, and NO design that is safe for voting has ever been proposed by anyone anywhere.
I read the entirety of the “security guidelines” produced by NIST, and they are worthless–I pity the obviously very junior person who got the job of writing up that nonsense. The only thing we have so far are machines that are GUARANTEED to be unsafe for use in an election, and the sale of such a device for that purpose is prima-facie evidence of criminal conduct–the manufacturers know these machines are not capable of producing a correct result. because this is still an UNSOLVED problem in Computer Science. DO NOT ALLOW THE USE OF THESE THINGS if you desire or expect to see a free and fair election ever again.
Looking at the map of who uses these things (shown in purple) you can see the problem we already have. No offense to the people in those states–not your fault–someone has clearly been tampering and will do so again. Take back the vote. Get rid of those machines. Your freedom and ours depends on you.
In New Jersey the old mechanical machines there is still one in Hudson County had visible counters and hidden counters and a big roll of paper which recorded each vote cast on the machine which could be unrolled and a visual count of the vote could be made if the need arose during a recount. The machines were decommissioned for modern technology which has none of these protections. An inspection of the current machines is worthless because all you can do is print out a slip which has the results but if someone tampered with the computer that prints those results or even just the printer to print out results favorable to your candidate there is no paper trail. For those following this issue and concerned go to the Hudson County Board of Elections and check out the machine (the last one existing, I believe) and copy that mechanical voting machine.
Does is really matter? In 2015-2016 Hillary Clinton cheated Bernie Sanders out of the DEMOCRAT primary nomination using DNC Chairwoman Debbie Wasserman Shultz and SUPER-DELEGATES. Hillary did not even campaign and won a majority. The voting machines DID NOT MATTER… Bernie has a majority of the votes. The DNC prevented then Democratic contender Donald Trump from entering the Democratic Primary. Donald Trump then fled to the Republican primary and won to later become the President over Hillary Clinton in the GENERAL ELECTION.
Wow good reply, An article about the taking of and tallying of votes and security issues all made pointless and irrelevant by one political genius on the internet.
JK my point is your comment is wildly off topic out of bounds and pointless, recognize the article and its comments section have little do do with larger political events. It’s only a micro view of one aspect of the process, but then you seem fairly aware and smart already without me needing to explain the obvious, thus it follows your reasoning and rationale on the political tangent must be well informed and considered. So i guess what we have determined here is i should start parroting whoever you are parroting and we can all be a bunch of birdbrains. (Malice intended only to murder obvious idiocy)
I guess it doesn’t matter when you try to take apart a big mechanism and fix individual portions when real progressive political types can come along and say nothing matters abandon all hope effort and discussion. Sounds like some sort of anti-patriotic give up and roll over self hate speech to me. One of the real problems with modern politics. People like that who can be led misled and confused so easily that the obvious become a secret self defeating message probably from the CIA broadcast into fillings.
This article is certainly bringing out valid points to be concerned about. The ability to have code that operates and then erases itself was obvious to student programmers back in 1970, and things have certainly come a long way since then. But the option of controlling results still appeals to many government people, and a really good sales person can sell the uninformed almost anything, and so some groups love that touch screen because it is so very easy to clean, and it leaves no trace. Paper ballots marked by hand are rather more difficult to manipulate, and thus a much more secure arrangement.
They first should have everyone that wants to vote produce ID. Either a drivers license or passport. Then sign a register next to their name. They would have had to register before the deadline if they wanted to vote. If not registered they couldn’t vote.
Then use paper ballots and place them in a sealed box through a opening observed by a law enforcement officer. After the voting booth is closed have that officer accompanied with another officer take the ballots to wherever they are to be counted.
All this would be under strict supervision. This would be done by each town in all the districts.
Well, if there are any broken parts you didn’t put in there, they must have been in the pralines you’re eating.
An important aspect of election officials’ endorsing electronic voting systems is their cozy relationships with the system vendors. Besides offering other emoluments, vendors regularly treat state officials to lavish vacation “conventions” and expensive entertainments. State election officials have been appointed to vendors’ corporate boards and have appeared in vendor advertising materials. If that doesn’t create a huge conflict of interest for those state officials who determine how (if) our votes are counted, I do not know what would!