Of course they do. Voting machines can be rigged by domestic agents to subvert democracy.
Honestly, it's actually kind of hilarious that some people think Russian trolls and Facebook ads somehow turned the election and not socio-economic factors (for example, those outlined in the Paul Krugman article and thread).
And it's an age-old problem. We have expressions for it, ballot stuffing, and quips about it, vote early and often. We even had a partisan judiciary decide an election since the machines failed to fully punch cards.
Having watched this[1] talk concerning how they secured the Xbox One to the degree that it's in millions of people's homes but it's not been hacked once in 6 years, it's pretty disappointing they've not just lifted nearly exactly the same tech for voting.
I find this topic fascinating. Here in Brazil, anyone that dared to oppose voting machines was called anti-democratic and conspiracy-theorist by the mainstream media and public officials.
Not even oppose really, the mere act of questioning how secure they are given their track record of being prohibited in Germany, Holland, and India would attract not opposing arguments but name-calling. We are supposed to just trust that everything is well and good.
Germany's stance on voting machines is not in a small part due to the history of the CCC and their expertise. Without the CCC it might be much different, but they recognized and spoke about the risks years ago.
> Nevertheless, Democratic chair Damon Circosta reached across the aisle to join two Republican commissioners in opening the North Carolina market to a barcode ballot-marking system. The vote presents a setback to a multi-year effort to provide secure, accurate elections for North Carolina voters.
“Right now there are no mandatory federal cybersecurity standards for elections...”
And that's a good thing. Each state/county/city can implement the election however they want which makes it practically impossible to rig the vote. If we all used the same system/procedures/process then hacking the election could scale much more easily as the same tricks that work in Manhattan would work in Montana.
That would only make sense to me if rigging only one state was near useless. It's very much not. If you rig say, Florida, there's a fairly high chance of deciding the election.
That's traditionally been the problem with voting machines: a "recount" just re-read some tally.
Combine this with voting machine companies being opaque, not recognizing obvious flaws and their executives promising to deliver states to particular candidates (https://www.commondreams.org/headlines03/0828-08.htm), and you begin to feel that all the suspicion is justified.
Not just a paper record. A hand marked paper record. If it doesn't go through a computer first it can't be altered. There are several states that do it this way. It's a "Scantron" style ballot. Fill in the vote, run it through a tally machine and save the ballot. The tally machines could be messed with, but if there is evidence of tampering with the tally there is always the authentic original ballot.
It's not a good thing when the state has ineffective processes that rely on the vendor's assurances if it has any standards at all. If the feds were imposing a preemptive monoculture that'd be bad. But that's not at issue.
This gets repeated a lot, but it directly contradicts another bit of common wisdom: security by obscurity isn't.
Not only are we vulnerable to a few key districts tipping elections, nation state actors should find it absolutely trivial to build a comprehensive program targeting the full spectrum of voting machines used in practice.
That's almost like saying that if there isn't a company-wide security policy, every department will implement security whatever way they want, making company-wide data breach impossible.
Hand marked is better than just observable. Takes the machine out of the equation except for the tally and the tally could be confirmed with multiple machines.
There should still be minimum security standards required.
Air gapped counting machines with hand marked ballots is a good start.
The federated security you describe holds as long as the Electoral College holds. If elections are decided by popular vote, just one or two hacked/corrupt county-administrated systems could decide national elections.
This statement confuses me. What one or two counties contain the majority of the US population? If elections moved to a popular vote, it would be much harder to rig the election because you'd need to manipulate the whole country, rather than a few key states.
The popular vote difference between candidates sometimes comes within 0-2 million votes. LA County has 10 million people, and there are over 40 other counties that have more than 1 million people. If elections are decided by popular vote, then just LA County alone, or a combination of the others, could artificially add or flip enough votes to overcome that 0-2 million vote difference.
Would it really be so bad for people in LA County to have as much of a vote as the rest of the country? If we switched to a popular vote, I bet the number of voters would shoot way up, which is undoubtedly a good thing!
That would take us back to the (original) Tea Party. A few cities would rule the country. Large groups generally magnify the effects of groupthink and become unstable if left to make the decisions for everyone else.
We already have a problem with counties reporting more registered voters than should be possible, and a problem with poll workers who vote on behalf of missing voters after the polls officially close. Currently the damage is limited to flipping one state.
If we used a popular vote, a malicious county could supply an extra 50 million votes. Just one corrupt county could change the election results, even when the results would not have been close, and there is nothing that could be done about it after the election day.
The US Election Assistance Commission develops testing and certification standards for voting equipment. They also certify 3rd party laboratories that certify equipment. States are not required to use the recommendations but some states have passed laws that only certified equipment be used.
You don’t need to corrupt all of the voting processes though, you only need to do it in a few key states. Funnily enough, the states you’d need to do it in would be the poorer ones who’d have no ability to discern a good voting solution from a bad one.
The real solution is to use paper. There’s no way to fuck with a paper ballot system other than to go to every polling station and fuck with their counts - an expensive and highly visible attack.
I think the key issue is that these machines are internet or network connected.
If we're really concerned about this - get rid of the network connectivity.
Obviously this is oversimplified, but just make a simple locally run app or web application that refreshes once a vote has been cast. Store the vote in a simple SQLite database and at the end of the day, have a voting official go to the machine, and unlock the case, press a button on the back, which prints out or shows vote counts on the back on a small screen or something. They then can report that to whatever commission, committee, or otherwise is monitoring the election.
It's all locally stored, maintained, and under lock and key.
Why does this seem so difficult? We don't need democracy hindered by "network connectivity", just make it more environmentally friendly so however millions of people times the size of the paper ballot isn't wasted needlessly.
How do you make sure that the firmware image deployed on those machines wasn't compromised from the beginning?
What happens when a bug occurs and machines need to be updated? Do you bring all machines in for maintenance or does a local IT shop do it? Maybe the manufacturer sends a person but can the person be trusted to update multiple machines all over the country?
About a decade ago, a researcher demonstrated a worm that could be implanted in one machine, that over the course of months would spread to a large number of machines as election workers did routine maintenance. Since physical protection of the machines was typically weak, the initial compromise wouldn't have been that difficult for anyone able to pick a lock.
I don't understand why you need sophisticated technology like a worm when you can bribe or blackmail a developer and get whatever results you want. The weakest link here is the human that loads the firmware. Just offer him a promotion if candidate X wins and that could be enough.
> I think the key issue is that these machines are internet or network connected.
> If we're really concerned about this - get rid of the network connectivity.
They (generally) aren't.
(Almost) every demo of voting machine hacking involves physical access to the machine, tools, and keys/lockpicks.
How does the voter verify that their vote was counted correctly?
All electronic voting machines should output a paper human readable 'scantron' type ballot that is safely stored for verifying the internal digital tally.
> All electronic voting machines should output a paper human readable 'scantron' type ballot that is safely stored for verifying the internal digital tally.
And then that ballot should be what is actually tabulated and the internal digital tally ignored, or not even kept. The machine should be a device to facilitate creation of accurate, easily tabulated paper ballots, period.
> All electronic voting machines should output a paper human readable 'scantron' type ballot that is safely stored for verifying the internal digital tally.
We should just have paper scantron style ballots that people fill out. Then have scantron counting machines to tally them up after all voting nationwide has closed.
All the other issues people are trying to do to "fix" some aspect of voting are fundamentally flawed and those who are advocating for them are either desiring the ability to violate election integrity or don't understand the requirements of voting. Or trying to get money because someone in power sits in one of the two prior camps.
"We should just have paper scantron style ballots that people fill out. Then have scantron counting machines to tally them up after all voting nationwide has closed."
Vote counting machines are just as problematic as voting machines. We should just get rid of all of the machines and both vote and count by hand.
What a nice and opaque technology. Bribe (or blackmail if you are from NSA) a developer or sysadmin and ask them to make so that every second vote for candidate A goes to candidate B and candidate B wins. It doesn't matter how people will vote, it only matters whom sysadmin chooses.
What if the voting mechanism is all open source, a simple image with a hash that is verified by many eyes? The international watchers and local ones can verify the machines at random by cloning the disk and comparing the hash.
There are several solutions to the problem you have described. First, when the watchers appear, you can pretend that the machine got "broken" so they have to wait until it gets "fixed" (reflashed with original firmware). Of course, you can "fix" it once again after they leave. Second, you can make it return original firmware when cloning the disk for verification or store modifications in RAM only. Third option, you can have two disks, one with original firmware for verification and other that is actually used. Fourth option, you can install additional microcontroller and connect it to the printer so that it prints what you want instead of actual results.
> I think the key issue is that these machines are internet or network connected.
This is a very important issue, certainly. There is no excuse for voting machines not to be air-gapped. But that's not the only very important issue with voting machines.
If we just disconnect from the internet, then the local politicians will still be able to fix the elections. Unscrupulous local politicians are a bigger problem than foreign interference.
Why can't we just have block-chain based voting where the vote is secret, but you get a paper receipt, and you can run open-source code (like scan a QR code) to check the blockchain if your vote was counted the way you expected. Everything is immutable, and cryptographically verified.
Block-chain seems to be a failure for money so far, but voting seems like the killer application. The technology is there, well understood, there are even companies that offer a solution along those lines. Why don't we use them? Isn't it so much better than electronic voting machines in every way?
Because if you can check how your vote was counted, you may be coerced to check it with, say, your boss standing behind your back - so, your vote is no longer secret.
But, of course, voting by mail is even worse, and most of the US seems to not care about it the slightest bit.
To start you'd want voters to register first I think, so you can't just invent people, at least not without being able to infiltrate the systems that manage birth certificates, tax records, and social-security ids.
That raises the question of how you avoid double-voting or voting for people who didn't vote. I think there are technical solutions to both.
Even if there is registration, that only helps if I can verify that the entire chain only includes registered people. So how can I verify everyone who voted is registered, without also knowing which vote is from which person?
Maybe have a separate record for "this person voted" and another record for "1 vote for X", with encrypted references back and forth? Then you could at least verify that there are an equal number of both records, that all the identities are valid and only used up to once, and tabulate the final results. It would still be possible for someone who didn't vote to have a false vote logged, but that is a more narrow attack.
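The consistency checks proposed in the comment above, sketched as an added example (not code from the thread). It assumes the two record sets are plain unlinked lists and leaves out the "encrypted references"; all names and sample records are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: a registration roll of four voters.
REGISTERED = {"v1", "v2", "v3", "v4"}


def audit_ledgers(registered, voted_records, ballot_records):
    """Check a "this person voted" ledger against a "1 vote for X" ledger.

    registered     -- set of valid voter identities
    voted_records  -- list of identities that were marked as having voted
    ballot_records -- list of choices, carrying no link to an identity

    Returns (problems, tally): a list of human-readable findings and the
    tabulated result. An empty problems list means every check passed.
    """
    problems = []

    # Check 1: equal number of both record types.
    if len(voted_records) != len(ballot_records):
        problems.append(
            f"count mismatch: {len(voted_records)} voters "
            f"vs {len(ballot_records)} ballots"
        )

    # Checks 2 and 3: every identity is valid and used at most once.
    uses = Counter(voted_records)
    for voter_id, count in sorted(uses.items()):
        if voter_id not in registered:
            problems.append(f"unregistered identity: {voter_id}")
        if count > 1:
            problems.append(f"identity used {count} times: {voter_id}")

    # Tabulation is independent of who voted.
    return problems, Counter(ballot_records)


def scenarios():
    """Constructed cases: one clean election and four kinds of tampering."""
    return {
        # Three real voters, three ballots.
        "clean": (["v1", "v2", "v3"], ["A", "B", "A"]),
        # One ballot with no matching voter record.
        "extra_ballot": (["v1", "v2", "v3"], ["A", "B", "A", "B"]),
        # v2 marked as voting twice.
        "double_vote": (["v1", "v2", "v2"], ["A", "B", "B"]),
        # v9 is not on the roll.
        "unregistered": (["v1", "v2", "v9"], ["A", "B", "B"]),
        # v4 never showed up, but a voter record and a ballot were both
        # logged for them: the gap the comment itself points out.
        "logged_for_non_voter": (["v1", "v2", "v3", "v4"], ["A", "B", "A", "B"]),
    }


def run_all():
    """Return {scenario name: list of problems found}."""
    return {
        name: audit_ledgers(REGISTERED, voted, ballots)[0]
        for name, (voted, ballots) in scenarios().items()
    }


if __name__ == "__main__":
    for name, problems in run_all().items():
        print(f"{name}: {problems if problems else 'all checks pass'}")
```

The last scenario passes every check even though the tally changed, which is why the ledger comparison needs an independent record of who actually turned up.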
It's an interesting idea, but I am skeptical of any system that requires voters to do the verification themselves after the election is complete. I suspect that there wouldn't be enough people to actually do that to make any sort of difference.
I think you'd do it in a way that you can verify your own vote, but nobody else's, the government can see all the votes, but not who voted what, so they're private. Then you'd have some kind of confirmation system (e.g. paper receipts which are kept at the polling stations and statistically sampled to look for irregularities). You wouldn't have to check every receipt to be sure there was no funny business to a high degree of certainty.
I don't see how that addresses my concern, though. What I'm saying is that a system that relies on the voters themselves to validate that their vote was properly recorded is a system that won't work, because voters won't do that in sufficient numbers.
But you would need to ensure that your sample was statistically representative, which means that you shouldn't allow voters to self-select whether or not their vote is in the sample.
I would add that (at least in my state), validating a sample of votes to provide an indication of a problem has been done for at least as long as I've been alive, so we already have that. But my state doesn't use electronic voting machines.
Since it is software, there's virtually no chance it will be implemented in a bug-free way, so even leaving out malice, things are liable to go horribly wrong at some point.
I'm going to disagree. We have evidence of foreign agents interfering in US elections and no evidence of actual attacks on US elections carried out via voting machines.
Foreign agents are always discussed because frankly, they are almost completely outside of the law. But what about non-foreign agents? Surely, they exist, and the ones that break the laws to get their way should be thrown in jail, but when do you ever see that?
It sounds like there was a more-or-less professional election rigger involved:
"According to prosecutors, McCrae Dowless, a contractor for the Harris campaign, oversaw extensive election fraud in Bladen County, in the district’s rural east, affecting potentially hundreds of votes."
When people talk about voter suppression, we don't always talk about these highly effective methods such as:
- requiring a specific ID that is difficult for certain segments of the population to get. Either by requiring non-existent documentation, or making the in-person process onerous.
- closing polling stations, or understaffing in certain areas.
- adding regulations that are prima facie neutral, but in reality disadvantage some population segments more. (eg: unstable home addresses, no PO boxes accepted, not allowing college addresses)
- not making good faith effort to ensuring everyone has maximum access and accommodation at polls, eg: signage, language translation, advertising campaigns, technical use challenges.
A lot of these rules and restrictions are constructed in such a way that the dominant language/culture/homeowners don't have any problems meeting them, thus offering an easily defensible reasoning behind them. It seems totally reasonable to assume everyone has ID - but if you don't drive, and are well established in a community you probably won't need ID to conduct life.
The reality with the importance of the chief federal executive office and how the election swings on such narrow margins in certain states, this is a problem that constitutionally we just aren't able to easily solve - deliberately so, that is the constitutional order constructed on purpose.
I think this is a hopeless goal, sort of related to Reflections on Trusting Trust.
Even the most basic version of this, a ballot-marking system, is pretty much infeasible unless you have formally verified hardware as well, which is not even possible even for commercial vendors. At least for them, selling sealed units that are somewhat resistant to physical modification is possible, but even there physical compromises have been demonstrated.
Ballot scanning machines (for hand-marked ballots) are a pretty good balance of time/accuracy/simplicity, with the auditability being a big bonus for both random checks and for disputed elections.
To take New York state as an example, it has manually marked ballots now with ballot scanners for tabulation, and I'm reasonably comfortable with the tabulation and placement aspects; where NY fails is largely in usability -- ballot design is worse than terrible, and borders on misleading. That plus the inscrutability of NY's ballot initiative system (trying to find the actual text of the ballot measures is nearly impossible) makes the whole system a little shaky. And part of that as well is the scope of elected positions for minor things (what the hell is a Comptroller and why are we voting for one); they basically are a power transfer from the executives to the party machine to allow them to essentially give positions to people favored by the (unelected) party apparatus, which give toeholds to higher positions.
I'm of the opinion that the headline is true, but only vacuously -- foreign agents are not a threat to our elections (except where they attempt to directly compromise voting infrastructure), and similarly the threat from bad voting machines is extremely small.
There are enough checks in the system (bipartisan counting and validation committees) that a pure digital compromise of an election that would not be flagged and detected is very small.
There are much more pressing matters, like access to voting stations (both distance and time), voter roll purging, ballot design flaws that make voting fundamentally error prone, and (controversially) a lack of identification requirements for elections that make certain classes of fraud difficult to detect.
I think on balance, all-remote elections, like Oregon has had for a while, and I think Washington now too, are the best balance here. There are certain vulnerabilities around buying, compelling, and selectively harvesting votes, but with universal cell phones, "proof of vote" is too easy to obtain anyway so those ships have mostly sailed, and it seems like a reasonable tradeoff to make.
How do you do "bipartisan counting" and validation in an all digital voting system? Reading the same digital information twice, doesn't verify it.
If you have paper ballots, sure, but the US does not have paper ballots in some states and won't by the next national election. And even if they did (as many do), few states have a uniform system of random vote audits.
So I'm not sure what you're referring to with this:
> There are enough checks in the system (bipartisan counting and validation committees) that a pure digital compromise of an election that would not be flagged and detected is very small.
I literally read the Diebold Voting machine source code (and tabulator) that was leaked (twice). There's nothing remotely like that in there. There's no facility to do that. And while most of those are now retired, there's similar machines that work exactly the same way still in usage.
> US does not have paper ballots and won't by the next national election
This isn't true universally, in fact, fair to say it is rarely true [1]. Often the vote is tabulated electronically, but there is always a bipartisan committee overseeing random re-tabulations and recounts as a matter of course. In the process of rolling up results, there are cross-checks with voter rolls that make certain types of ballot stuffing infeasible (that is, an attack would have to be a read/modify/write).
There are also state departments that are tasked with overseeing the general quality of elections that will spot outliers and investigate. It's always possible that corruption or partisan efforts will bypass scrutiny (and there have been several iffy cases of precincts in previous election cycles) but that has been a problem even pre-electronic equipment.
EDIT: the parent post has been modified to be slightly less aggressive in its claims, including limiting the scope to "some states". Also added "And even if they did (as many do), few states have a uniform system of random vote audits", but can easily be refuted [2].
Washington state does this. Random precincts are post-election audited by matching the electronic count with hand counted ballots, this is done before the counts can be certified.
There are a few states on there that are "DRE w/o paper trail" which is "pure digital voting".
Some of those states are now, or will become swing states. As we saw in 2016, where the presidential race was decided on a 400k margin of error across 3 states, it doesn't take much.
I don't see any swing states on that list -- the pure DRE w/o paper trail states are Delaware, Georgia, Louisiana, and South Carolina, none of which are swing states, and all of which are being actively challenged.
The non-pure ones (that is, paper + DRE w/o paper trail) only include one swing state, Pennsylvania, which is switching to paper ballots for the next election cycle.
So I guess voting machines pose a hypothetical threat, if they were adopted more broadly, but the opposite is the trend.
I would agree. If the worst we have to worry about from outside influences is that they're sharing posts on FB, I really think their power is over stated.
> a lack of identification requirements for elections that make certain classes of fraud difficult to detect.
Go on, because let me tell you what this looks like in practice here in NC. Here, you currently have to register and then provide your name to a poll worker, then sign that you voted. The only plausible fraud I can imagine if I wanted to vote more than once is to give the name of someone else and hope they don't show up to vote. There's no way I can imagine to do this at a significant scale without it going undetected. (You'd have to somehow get a bunch of fake names registered or figure out names of people who aren't likely to vote, then find people who are willing to commit fraud to vote under those names and get them to do so during early voting I guess.)
Beginning next year, we need to present ID to vote, but the acceptable IDs are fairly restrictive[1,2]. In particular, my college aged daughter who will be voting for the first time next year is not able to use her state college issued ID[3]. Nor can she use her expired DMV learner's permit. Now fortunately, she has a passport and she'll use that. But otherwise, she'd have to get some form of acceptable ID.
This is not well-publicized, and I guarantee there will be first time student voters next year who will be surprised to learn they can't vote with their college ID, and must instead submit a provisional ballot.
I am certain this will suppress many many more votes than fraudulent votes, if fraudulent votes even exist.
2. "Of the approximately 850 universities, colleges, state and local employers, including charter schools, and tribal entities that were eligible to have their identification cards approved, 81 institutions submitted requests to the State Board of Elections. We do not in all cases know why the majority of institutions chose not to request approval, but in some cases institutions raised concerns that they believed they could not meet the current statutory requirements."
Implementation of voter ID laws leaves some room for improvement, to understate it, and there's a reason why I put it last on the list. That said, it does appear that NC will accept student ids from most schools [1], though of course it's possible that your daughter goes to a school that does not conform to the voter id standards.
The attack vector for signature-based roll verification is mostly along the lines of submitting votes for non-voting eligible voters, whose names can easily be harvested from voter rolls and looking at historical voting records (coupled, of course, with inside knowledge of which identities have already been used in previous election cycles, so appear to be active even though the agent in question knows that they are actually inactive). I don't know how common this is -- nobody does -- because it's almost impossible to detect without more information about who is voting. You may be right, and it may be insignificant.
It is easy for voter id to verge into voter suppression territory, but to throw an old meme on its side, "voter id is impossible to implement, says only country that does not implement voter id".
America has a problem with too little voting, not too much. NC could just ask you to present your voter registration card. That would be sufficient in preventing the type of fraud you imagine, unless you imagine ID fraud too.
And most school IDs, including all but two of the UNC schools, are not eligible. I assure you my daughter's school ID is not.
The voter ID laws are a pretty transparent attempt to suppress Democratic votes. I'd be okay with IDs if they created zero additional friction in the voting process, but they do not.
The National Academies wrote a report not long ago that gives a nice overview, has lots of detail, and makes specific policy recommendations to Congress: https://www.carnegie.org/media/filer_public/34/9d/349d3207-d...