A mouse arrow clicking on the "VOTE" button on a website

Georgia’s Election System Raises Old Computer Security Concerns

Earlier this year, Georgia’s Secure, Accessible, and Fair Elections Commission held a public meeting at the state capitol to answer a pressing question: What should Georgia do to replace its aging, touchscreen voting machines, as well as other parts of its election system? In the preceding years, security vulnerabilities in the state’s election system had been repeatedly exposed: by Russian operatives, friendly hackers, and even a Georgia voter who, just days ahead of the 2018 midterms, revealed that anyone could go online and gain access to the state’s voter registration database.

Computer scientists and elections experts from around the country had weighed in during the seven months of the commission’s deliberations on the issue. They submitted letters and provided testimony, sharing the latest research and clarifying technical concepts tied to holding safe, reliable elections. Their contributions were underscored by commission member Wenke Lee, co-director of Georgia Tech’s Institute for Information Security and Privacy, and the group’s only computer scientist.

Despite this, the commission ultimately did not recommend measures backed by Lee and his colleagues at places like Stanford, Yale, Princeton, MIT, and Google — including the recommendation that the state return to a system of paper ballots filled out by hand, combined with what scientists call risk-limiting audits. Instead, the commission recommended buying a system that included another, more expensive touchscreen voting machine that prints a paper ballot. Months later, Lee was at a loss to explain: “I don’t understand why they still don’t understand,” he said.

With its decision, Georgia’s counties remain among the 33 percent of counties nationwide that use either machines with no paper trail or machines that print paper ballots, which are then scanned on separate machines. The vast majority of the rest of the counties use paper ballots filled out by hand, which are then scanned or counted by hand. With the passing of the Help America Vote Act (HAVA) in 2002, all polling places nationwide must also include at least one electronic voting machine for voters with disabilities.

But with Texas, Ohio, Pennsylvania, Delaware, and New Jersey among the many states also overhauling their election systems before the 2020 presidential election, Georgia’s decision has computer scientists and election experts worried that lessons learned over nearly two decades of computerized voting are being woefully ignored. Indeed, hundreds of millions of dollars have been or will soon be spent in these and other states on technology that experts say decreases election security and erodes election integrity. And this, they say, will only contribute to the sizeable portion of the American public who already worry that their votes are vulnerable to hacking and other threats.

The sentiments of many computer scientists were crystallized by Richard DeMillo, a colleague of Lee’s at Georgia Tech who recommends casting paper ballots filled out by hand for all voters, except those with disabilities who would benefit from using machines. “You simply can’t construct a trusted paper trail,” DeMillo said, “if you let a machine make a ballot for you.”

Computer science’s scrutiny of voting systems goes back several decades. The Federal Election Commission issued its first standards for computer-based voting as far back as 1990, but it wasn’t until the 2000 presidential election between George W. Bush and Al Gore, which hinged on the shortcomings of punch-card voting, that states across the nation began to digitize their election systems to varying degrees. Just three years later, one of the first independent computer security analyses of electronic voting systems was already raising flags.

With the global spread of computer technology and the increasingly sophisticated tactics of nefarious actors, concerns have only multiplied since then — not least because many state voting systems have not been redesigned since shortly after the Bush-Gore election. Those systems are “vulnerable to nation-states now,” said John Sebes, the chief technology officer at OSET Institute, a nonprofit organization that researches and develops election technology, “and operated by county officials with no IT experience.”

That was among the concerns raised in a 160-page report published last year by the National Academies of Sciences, Engineering, and Medicine. In that report, some of the nation’s leading experts on computer science and elections concluded that there is no “technical mechanism currently available that can ensure that a computer application — such as one used to record or count votes — will produce accurate results.” One reason, the authors noted: “[Malicious software] can be introduced at any point in the electronic path of a vote — from the software behind the vote-casting interface to the software tabulating votes — to prevent a voter’s vote from being recorded as intended.”

Map source: Pew Research Center, November 8, 2016. Data source: the Verified Voting Foundation.

It was with such realities in mind that Wenke Lee tried to explain to the Georgia committee, early in its deliberative process, just what it would take to build a more secure electronic voting system. He drew on a concept that had been kicking around computer science for more than a decade called “software independence.” The idea, introduced in a 2008 paper, refers to the ability to verify computerized election results without depending on the software used in that system. Examples provided by the authors included paper ballots filled out by hand and scanned, and touchscreen machines that print out paper ballots.

That might seem like a straightforward solution, but a series of studies since 2008 have tested the notion that voters using a touchscreen or other electronic machine will or can verify their votes on a printed ballot. The answer is mostly, “no.” Last year, DeMillo collaborated on a study of voter interaction with one such system used during the 2018 Tennessee primary elections. The analysis came to two troubling conclusions: Most voters don’t bother to verify paper ballot summary cards, and a significant percentage can’t recall the selections they had made on the computer touchscreen anyway — even when they had cast their votes just moments before.

Andrew Appel, a computer science professor at Princeton University and one of the authors of the National Academies report, said DeMillo’s research “has strong implications about how we assess voting technology.” If voters don’t and can’t verify ballots printed by machines, he said, then “the average voter can’t notice if the machine is cheating.”

Lee had DeMillo’s results in mind when he tried, near the end of the Georgia commission’s last meeting, to alert his fellow members to questions he had asked the voting machine vendors who had submitted proposals to the state. “Have you done [a] study to show that the voters can actually clearly verify the contents?” he recalled asking the companies. Their answer, according to Lee: “We don’t deal with that.”

Katina Granger, spokeswoman for Elections Systems & Software, the nation’s largest election technology company, according to the National Academies report, confirmed that her company doesn’t do such research. Instead, she said, the research “should be conducted by a third-party, across jurisdictions and over time, and the research should be peer reviewed.”

As it happens, the Tennessee system DeMillo studied uses the same technology Georgia is now preparing to buy for $150 million. Georgia will then have one of the nation’s most expensive election systems.

The decisions Georgia and other states are making on updating their election systems are not regulated by the federal government. Instead, since the Help America Vote Act passed in 2002, the Election Assistance Commission and the National Institute for Standards and Technology work together to develop voluntary guidelines for election systems. Most states use these guidelines in some way, but DeMillo and other computer scientists have criticized the guidelines for being vague and unenforceable.

An investigator with the Georgia Secretary of State’s office examines new voting machines being tested at a polling site in 2017. Cybersecurity experts say that too many American voting districts use technology that makes it hard to unequivocally verify results. Visual: David Goldman/AP

Georgia and other states are not only changing their voting machines. They are also looking at how to ensure the validity of election results through audits. And if experts insisted to Georgia policymakers that ballots marked by hand are the only way to produce reliable paper trails for any audit, the National Academies report was clear about what kind of audit should be used: “States should mandate risk-limiting audits” before certifying election results, the authors wrote.

For decades, many states performed audits by hand-counting ballots in a fixed percentage of precincts. But a fixed percentage “may not provide adequate assurance with regard to the outcome of a close election,” the National Academies report authors wrote. Risk-limiting audits, on the other hand, examine “randomly selected paper ballots until sufficient statistical assurance is obtained.” The so-called “risk limit” refers to the largest possible chance that the audit will not correct an inaccurate result. For example, a 10 percent risk limit means there is 90 percent chance of an audit identifying the correct result of an election.

Philip B. Stark, a statistics professor at UC Berkeley, developed the idea of risk-limiting audits more than a decade ago. He says that pilots of the technique have been conducted in a handful of states. But he cautions that risk-limiting audits should not be conducted with machine-printed ballots. “If the paper trail is not reliable, all you’re doing is confirming what the papers show.”

Georgia state Senator William T. Ligon Jr. doesn’t agree that touchscreens are a less reliable method for casting votes. He was a sponsor of the bill, now signed into law, overhauling Georgia’s election system. (State Representative Barry Fleming, the bill’s lead sponsor, as well as co-chair of the SAFE Commission, did not respond to multiple requests for comment.) Ligon said he wasn’t familiar with Lee and his advice to the commission. Instead, Ligon cited the testimony of former Georgia Secretary of State Cathy Cox as one of the reasons he chose to back a system based on touchscreen voting machines that print out a paper ballot.

Cox told the legislature about “under votes, over votes, and stray votes. They all come with hand-marked paper ballots,” Ligon said. It was clear to him that printed ballots bring more certainty. When asked about research demonstrating that voters don’t or can’t verify their ballots when printed, Ligon said, “voters have to take some responsibility for verifying their ballots.”

“In my opinion, we’ve built in as many systems to protect the vote as possible — and that’s the goal,” Ligon concluded.

Meanwhile, in Europe, countries such as the United Kingdom, Germany, and the Netherlands all use paper ballots marked by hand. The Netherlands has recently taken computers out of vote tallying as well.

Until such standards are reached in the U.S., Lee said, he will not be dissuaded from speaking up on the issue of election security and integrity, and he hopes other scientists will do the same. “I would urge all scientists and engineers, when they have the opportunity… to educate about what technologies should be used, and not stay in our ivory towers.”

Timothy Pratt is a journalist based in the Atlanta area. He has written for The New York Times, The Economist, and The Guardian, among many other publications.