Electronic voting systems are touted as a modern solution for fast and accurate vote tallies, but without appropriate safeguards, these systems run the very serious risk of eroding public confidence in election results. In Georgia, we’ve been using the iconic AccuVote TSX machines from Diebold for as long as I’ve lived here. The way it works with this system is that voters are given a ‘smart’ card similar to a chip-based credit card. This card is then inserted into an available voting machine to load the correct ballot. The voter uses a touch screen to complete the ballot, which is then reviewed on-screen before being submitted. The smart card is then ejected from the machine and returned to a polling place worker who will reprogram it for use by another voter.
Rather than using paper ballots to track votes, each machine is responsible for accurately recording and counting the votes. Georgia is one of the few states where there are no paper ballots used at the polling stations. The integrity of our election rests in no small part on the security of an aging fleet of computers, yet there has been no apparent attempt to even keep the custom Microsoft Windows installation up to date with security patches over the years.
In general, many people would likely assume the risks are largely mitigated through strong physical protections of voting machines and networks, but the reality is that election workers often take the machines home with them the night before an election. This practice is so common that it is casually referred to as a “sleepover.” Thanks to unpatched OS vulnerabilities and cheap locks, it is next to impossible to know with certainty whether a given machine has been tampered with.
The roaring national and local debate on this topic has spurred action from Georgia lawmakers who are now working to pass legislation authorizing the purchase of new equipment for future elections.
Unfortunately, the pending bill, marked as HB 316, fails to adequately address many of the most serious problems with electronic voting systems. In the remainder of this post, I will attempt to highlight my concerns and provide recommendations for improvement if Georgia or other states do, in fact, move forward with new electronic voting systems rather than the more secure paper ballot systems.
1. HB 316 establishes that the voting system will have a paper ballot which is ‘inserted for casting into a ballot scanner’ and used for recounts as the official ballot.
This is certainly a step in the right direction, but it is still incredibly problematic as there is no stipulation that the paper ballot must be readable by a human. In fact, the AJC has suggested that the paper ballots may use bar codes rather than text to record the vote. In the event of a recount, these papers would be virtually worthless since there is still no practical way to perform a manual recount. This is also problematic as far as whether voters can have confidence that their ballot accurately reflects their intention. This has been a problem in the past, as some voters have said that malfunctioning touch screens have actually changed votes. It would seem that the most fundamental requirements of any electronic voting system are that the voter has confidence in the accurate recording of their vote and that election officials can conduct an observable manual recount if results are called into question. Bar code ballots clearly do not meet this standard unless the code is accompanied by something legible to humans.
2. All systems involved in the election process must be maintained with software security updates on a regular basis.
Responsibility for this maintenance needs to be codified in law to ensure that security does not fall through the cracks. In order for this process to be effective, election equipment vendors should be required to provide a comprehensive list of all included software with minimum support commitments for all components.
3. Ballot marking devices and other specialized election equipment need to undergo a higher degree of scrutiny than many other systems.
From my understanding of this bill, there are no strong provisions that anyone outside of the vendor will seriously look at this system from the standpoint of technical security vulnerabilities. Any bill authorizing the purchase of election equipment should also be making provisions to enable security analysis. A great way to do this is to require open source for all election systems, but another option is to require that vendors make full product source code available in escrow for the purpose of privately contracted security assessments. This allows for a far more comprehensive security review and can help restore faith in the underlying systems.
There are other steps the law can take to further enhance confidence in the system, as well. For example, it would be appropriate to require that any party providing a security assessment must have demonstrated expertise in the specific technologies and must employ both manual and automated review processes. Security analysts can also be incentivized to conduct more thorough assessments by introducing something similar to a bug bounty that would be open to vetted security researchers or other qualified groups.
At the end of the day, the most important aspect of any election system is that voters will have strong confidence that their intentions were accurately reflected by the ballot and that the ballots will be accurately counted. I believe the steps outlined in this blog are fundamental requirements for establishing this confidence. It is unavoidable that concerns will arise surrounding the use of any system, but the use of a more open system allows for healthy public debate and discussion of these problems.
Ultimately, though, I’m unconvinced that there is a strong reason to use electronic voting machines over paper ballots. I’m not entirely opposed to the use of electronic voting machines, but I believe the official vote counts should always come from a properly observed hand count of paper ballots.
For those who think it is impractical or infeasible for states to do this, I would point to Germany as an example to the contrary. Germany uses paper ballots and has a larger population and land area than the state of Georgia. There are some electronic systems involved in vote counting, but they are not critical to the integrity of the election because the official count relies on paper ballots. In fact, there were considerable flaws found by Chaos Computer Club (CCC) in the vote tabulation software, but it seems unlikely that a successful exploit would do more than create a few hours (or perhaps days) of confusion regarding the election results thanks to the paper ballots.