I worked as an election judge in the 2012 general election in Arapahoe County, Colorado. We had these exact machines. What isn't pictured is the physical security performed with them.
Typically, tamper seals that are identifiable as broken are placed on all access doors (including the power switch, data load slots, etc.), access panels, and openings on the device. All seals were verified intact before and after the election, and no voter was ever permitted in the back of the access panel where the firmware update would take place.
Before the machine starts, it gives a "zero" report which is verified independently by poll watchers, and confirms candidate choices are in place as needed. When the polls are closed, we seal everything again before the machines are sent back for reporting (at which point the seals are checked and verified prior to dumping results).
If this was really a damaging hack, the protective counter & live counters would show different numbers than what the machine read, but that didn't happen. It very clearly was tampered with, which means these physical measures would counteract any unwanted firmware updates during an election. It's preposterous to think that election judges aren't actively verifying seals during election day and making sure nobody is tampering with them.
> It's preposterous to think that election judges aren't actively verifying seals during election day and making sure nobody is tampering with them.
I've been an election worker around the country and have never been in a jurisdiction that did seal checks during the election - only once at the beginning and once at the end. Granted, I've never been in a jurisdiction using DREs, but still.
I agree physical security is a defense here, but this just reiterates, to me, how dangerous DRE voting machines are.
I hope to God you refused and reported this. That's completely illegal and could get you in a lot of hot water - not to mention the potential for enabling vote fraud.
I have no experience with non-DRE seal checking. Our seals had the machine serial numbers on them, with watermarks, etc. If a seal was mysteriously broken, it was in our best interest to take it out of service anyway, because suddenly the legitimate votes on that machine come into question.
In Alameda County, CA we use what look superficially to be the same machines, and have similar physical security measures - there are seals on all access points (e.g. on the cover protecting the power switch), and whenever we access one of them we save the seal's tag, log its ID, and log the ID of the replacement. At the end of the day you end up with basically a series of tags on a form that show chain of custody (the two people - always more than one - that handle the machine with a seal removed have to sign off on each change of tag).
EDIT: Note that we use these machines with an optional paper-printout add-on, and they're a non-default option mostly used to increase ballot accessibility - most people vote on paper ballots that are fed into a scanner on-site, so the scanner results can be cross-checked against the physical ballots in case of a disputed result.
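The seal log described in the comment above can be checked mechanically. The sketch below is an added example, not part of the thread and not any county's actual procedure; the field names, seal IDs and signer names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SealChange:
    access_point: str    # e.g. "power-switch cover"
    removed_id: str      # ID on the tag that was cut and saved
    replacement_id: str  # ID of the new seal applied
    signers: tuple       # people who signed off on this change


def audit_custody(initial, changes, final):
    """Replay a seal log and return a list of findings (empty = consistent).

    initial: access point -> seal ID applied at setup
    changes: SealChange entries in the order they were logged
    final:   access point -> seal ID actually observed at closing
    """
    findings = []
    current = dict(initial)
    used = set(initial.values())
    for n, c in enumerate(changes, 1):
        expected = current.get(c.access_point)
        if expected is None:
            findings.append(f"entry {n}: unknown access point {c.access_point}")
            continue
        # The tag that was cut must be the one the log says was in place.
        if c.removed_id != expected:
            findings.append(
                f"entry {n}: removed {c.removed_id}, log expected {expected}")
        # Always more than one person handles an unsealed machine.
        if len(set(c.signers)) < 2:
            findings.append(f"entry {n}: fewer than two distinct signers")
        # A seal ID must never appear twice.
        if c.replacement_id in used:
            findings.append(f"entry {n}: seal {c.replacement_id} reused")
        used.add(c.replacement_id)
        current[c.access_point] = c.replacement_id
    # The seals found at closing must match the end of the logged chain.
    for point, expected in current.items():
        seen = final.get(point)
        if seen != expected:
            findings.append(f"closing: {point} has {seen}, log expected {expected}")
    return findings


# Constructed sample data.
INITIAL = {"power-switch cover": "A1001", "memory-card door": "A1002"}
CLEAN_LOG = [
    SealChange("power-switch cover", "A1001", "A1003", ("judge-1", "judge-2")),
    SealChange("memory-card door", "A1002", "A1004", ("judge-1", "judge-3")),
]
CLEAN_FINAL = {"power-switch cover": "A1003", "memory-card door": "A1004"}
BAD_LOG = [
    SealChange("power-switch cover", "A1001", "A1003", ("judge-1", "judge-1")),
    SealChange("memory-card door", "A1009", "A1004", ("judge-1", "judge-3")),
]
BAD_FINAL = {"power-switch cover": "A1003", "memory-card door": "A1007"}

if __name__ == "__main__":
    for finding in audit_custody(INITIAL, BAD_LOG, BAD_FINAL):
        print(finding)
```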
Sure. And they could also spoil all the votes with an armed robbery - at many polling stations, there's no actual police presence until/unless someone calls them in.
The main intent of all the security measures is that any such tampering be obvious, and that it be clear whose votes (or at least, which precincts' votes) were compromised.
Sure, but that doesn't address an attack that certain precincts that vote a specific party line could be compromised. If 100 attackers at 100 precincts slit some seals then that could swing a swing state.
When you have a consistent pattern of ballot spoilage, elections are not counted as normal; at that point you'd have court cases, recounts, assorted forensic attempts to verify valid votes, etc. The system is not a rigid machine - it is a set of rules for the common case, and a set of safeguards that trigger special-case handling.
But you're assuming that all the officials dealing with the machines have the same moral standards as you.
It's not necessarily the voters that need to be watched...
At least in Arapahoe County, everything we did was in pairs of republicans and democrats, to ensure that it was a fair election as far as we could. This included seal checking, logging the zero counts, etc. Everything had a paper audit trail for who interacted with what, who signed off on what, and what was going on.
I don't know how it worked when the machines were picked up for counting, but I assume similar measures were in place.
Edit: Also, poll watchers from both parties could observe our methods. Everyone had a vested interest in verifying that no tampering was taking place, even if that didn't include election workers.
> everything we did was in pairs of republicans and democrats
Question: What constitutes a Democrat or a Republican? Is registering as one enough? What guarantee is there people aren't lying about the parties they identify with?
I don't know about the system in that particular county, but the system in most democracies is that any candidate has the right to appoint a representative to be present. In practice this means that the parties run down their lists of volunteers; depending on how many volunteers they have in a particular area it might be very easy for someone to get appointed as such. (In the last Canadian election, I turned up on election day to volunteer for a friend who was a candidate for a major party, and six hours later I was an Official Candidate Representative scrutinizing the vote counting.)
that's a risk you have to take, at some point. you eventually have to trust that someone isn't lying, somewhere along the chain.
what else could be done to further vet volunteers? you can't interrogate people or drug them with serums for the truth, so I think it's safe to assume registering is enough.
so, to answer your question, I doubt there is any "guarantee" other than the fact that these are volunteers and you'd have to be a real idiot to falsely register to ensure you can tilt the scales...of bipartisan pairs of Arapahoe County poll volunteers.
Well, obviously. But the risk can be high or low, right? You could either let any random voter you don't know walk in and become a volunteer after filling out a form, or you could let maybe ~50 people that the party's head/nominee personally trust pick a set of volunteers nationally based on e.g. personal knowledge or some concrete evidences of their past contributions and allegiance to the party. Or something else; there are lots of possibilities here. So I'm asking what the criteria are so I can understand how likely it is for something to go wrong here... I obviously understand nothing 100% bulletproof, so there's no need to point that out.
Maybe it's just me, but I think I would be more comfortable pulling 50 random people off the street to count votes than I would be with 50 volunteers appointed by the candidates, who have a much bigger incentive to violate the integrity of the vote (if needed).
let's take this a step further: two republicans, one falsely registered as a democrat, have been paired off at the polling station in Arapahoe County. the lie was bought, the fraud complete. now what?
The "real" Republican sees his "Democrat" counterpart attempt to tamper with the machine and saying "trust me, I'm doing it for the Republicans". They yell for assistance.
that's about what I figured. I can't see a clear benefit or advantage to having one rogue false registrant make a single pair weighted towards one party or the other.
> let's take this a step further: two republicans, one falsely registered as a democrat, now have been paired off at the polling station in Arapahoe County. the lie was bought, the fraud complete. now what?
I don't know, but you seem to be completely ignoring my point. I'm trying to figure out the probability of this happening. I'm NOT trying to figure out what to do after this happens.
Not sure about elsewhere, but in Canada, any candidate on the ballot is usually allowed to appoint up to two agents or scrutineers per ballot box, usually to spell each other off (it can be a very long day).
The answer to many physical security questions is "it depends." I don't have my materials on me anymore, but in general, seal tampering means a lot of extra scrutiny on the people watching the machines and transporting them. The chain of custody will pin the blame on the last person who signed off, and things get investigated as needed.
The system doesn't have something in place typically that says "if (sealVoided) { throw out election }" it just means that additional precautions are taken to ensure everything is good. It's never a binary answer, unfortunately.
Internally applied seals would be one form of defense against this vector.
Breaking the external seals would put the device into the "needs further investigation" category. After the election the device would be inspected and the internal seals confirmed. If those were still intact, the results from the machine could be certified.
Yes. With paper ballots, cheating is at least detectable because there is literally a paper trail. With touch screens, maybe the results are correct, maybe the machine miscounted. There is no way to really know.
The machine I used in early voting also had a paper trail - when you submitted the votes, it printed them as a secondary record. It was moving too fast for me to read all the votes as the paper went by, but the ones I caught were correct. So there is a literal paper trail there.
There are digital records more than just a tally. Sure, maybe it's possible (with physical access) to destroy or alter them, but the same holds for paper.
It's much harder to undetectably destroy or alter large numbers of paper records than it is to do the same to digital records.
It's also sometimes possible to do this to digital records without ever being physically present in their vicinity. Once again, this is much harder with paper.
It's very easy to forge paper records, though. I seem to recall reading about a rigged election in a questionable democracy where the ballot counters were given several file boxes full of fake ballots in addition to their local precinct ballots, with official anti-tampering seals intact.
Exactly. You could tamper with most systems if you had that much physical access, including paper counts. Which is why there are procedures in place to minimize that potential.
Plus an attack like this would be isolated to the single machine (not that it wouldn't be bad, but it wouldn't be applied in a distributed fashion).
What happens if they find tampering of the seals? Do all the votes of that particular machine become questionable?
If someone were to tamper with the seals on many of the machines, and they target precincts that tilt heavily in favor of one party or the other, couldn't they theoretically invalidate a lot of ballots that are likely to help their opponents?
Suppose the election ends, and it's time to verify the seals. Oops, they are broken. Now what?
All the seals can do is cast doubt on the results. You can't bring back the voters to try again. Even if you could, time has passed and they might vote differently. You could toss out the results, but that affects things too.
If you toss out the results, an example attack is: break the seals in areas with undesired voters.
Similar attacks can be done if you call voters back. Maybe this allows for more-favorable hours or different media exposure.
Results were printed out from the machines and posted outside the actual vote center after the election (Colorado law requires publishing the results of all electronic votes). If you were to visit a vote center after the polls closed, you'd see a tally report per machine on the window, visible for anyone to see.
The machines themselves were sent back and dumped. I don't actually remember if we printed 2 copies of everything (such as a copy for someone to tally up too).
In CA (Alameda County), we print out two copies - one to be posted publicly, and one to be returned to the central collection center. The collection center gets the paper printout of results, the memory card, and a printout of the system logs.
Why can you not just do paper voting with simple ballots, like in Canada?
Yes, you have 10x the people, but just get 10x the human counters and scrutineers. Counting is parallelizable.
We run elections and get accurate, verifiable results in the same day.
Ours aren't as nasty as yours are, and we still have better anti-fraud than you do, since every paper ballot can be counted, as many times as needed. And since the thing which is counted is the same physical thing which can be audited, we can always verify the results if anything goes wrong.
You've had some problems with your ballots 16 years ago, and we're not sure why you haven't fixed this by now. After all, you've gotten people to the moon and robots to Mars--surely you'd want a fair, verifiable presidential election? (Especially when one of the two candidates is, frankly, terrifying to all your friends around the world.)
> Why can you not just do paper voting with simple ballots, like in Canada?
As much as I like Canada's easily audited voting system, there's a good reason for the US to not use a simple way of counting votes: They don't have simple ballots. Rather than just voting for one MP, as we do, a typical American might be asked to vote for a President, a Senator, a Representative, yes/no on 17 state propositions, a State Senator, a State Representative, the BART Director, the City College of San Francisco Board of Trustees, the San Francisco Public Schools Board of Education, a Superior Court Judge, and yes/no on 25 city measures.
In order for those to be counted the same way as we do in Canada, you'd need to hand the voter a book of 51 ballots and have them dropped into 51 separate boxes...
How do you even come up with these weird convoluted non-arguments, we have many choices on a single ballot here too. It's called a list. You can put lists on paper.
In Canadian federal elections, the vote counting process is:
1. Open the box.
2. Dump the ballots onto the table.
3. Make sure the box is empty.
4. Pick up ballots one by one, say "this looks like a vote for "Mr. X", and place into the appropriate pile.
5. Count how many ballots are in each pile.
This particular process doesn't work if you have multiple choices on one ballot. I'm not saying that you can't use paper ballots for more complex elections -- you absolutely should, for the well-known verifiability reasons -- just that the counting process is never going to be as simple as the Canadian (or UK) process.
Where I live, the ballots we use are cut into one piece per question. Then the pieces are counted separately.
There was a court argument over the use of scales by some municipalities. The scales are used to weigh piles of votes to determine vote count. So ballots with multiple questions are cut, sorted, then weighed. I'm looking into lead pens to give my vote more weight :-)
"Do you know one state in USA is as big as Switzerland." That's the kind of answer a big part of the population tends to give when you point to other countries as examples.
Exactly, more people counting is not a problem. It's actually a good thing. Why not get more people involved in the electoral process? It's beyond me why anyone would want to undermine this.
Plus, I don't get the mail in states. What's up with that? Why mess with a process that works?
I live in a mail-in state (WA) and in my opinion it's a pretty great system. I got my ballot almost two weeks ago and just sent it in last week. I was able to fill it out when I had free time and drop it in a ballot box (there's one about 5 minutes from where I live by foot, and I could always just mail it in if I wanted to). Lining up to vote at the polls would've been a lot more time-consuming because I would have to line up and I would've had to write down all my votes anyway, then move them onto an official ballot.
> I live in a mail-in state (WA) and in my opinion it's a pretty great system.
What mechanism, if any, is in place to prevent voters from being coerced or bribed to cast their vote a particular way? This is the traditional reason for using in-person voting rather than mailed ballots; if you can't show someone how you voted, they can't bribe or coerce you.
(Maybe the answer is "there is no mechanism", but increasing the ease of voting is considered more important than protecting the system from coercion and bribery. Not a tradeoff I would make, but I can see that some people would support that.)
> What mechanism, if any, is in place to prevent voters from being coerced or bribed to cast their vote a particular way?
If I'm coerced into voting a particular way on my mail-in ballot, I can go to the polling place on Election Day and fill out a provisional ballot that will be counted in place of my coerced ballot. Not perfect, but this year it allows me to vote even though I'm out of the state next week.
How many people know that? The Washington Secretary of State's FAQs don't mention coercion or bribery as reasons to receive a provisional or replacement ballot.[1][2] King County, with over 1/4 of the state's population, only mentions voting centers as an accessibility option.[3] And does the ballot tracker[4] show if a ballot is invalidated?
Every state has provisions for absentee voting, and 3/4 allow early voting in person.
I think you're guarding against different things. If you live in a society where there are (following historical patterns here) patriarchs coercing the votes of spouses and dependents you probably have a whole slew of other problems that make this particular one just part of a larger social reform that should happen anyway.
I'd say anywhere that people can literally have to choose between their job and their vote is not "working", which is why it needed messing with. It's hard for a lot of people to get to a specific location on any given day - there's no good reason today that a week in bed with the flu should prevent you from voting. Or that it should be harder to vote if you have three kids and no babysitter, or are on crutches, or work an irregular schedule at a minimum wage job.
> or work an irregular schedule at a minimum wage job
The law in California[0] guarantees you the right to vote even if you are scheduled that day. You can take up to two hours off the beginning or end of your shift to vote if necessary. For other states...[1]
There have been polling stations reported with multi-hour queues. I'm pretty sure California does not guarantee you the right to vote in person, because it doesn't say you must be given as many hours as you need. But it's ok, because California allows vote by mail.
In Florida in 2000, we had these old voting machines where the voter would go into the booth, hit a bunch of buttons, and submit the vote. The voting card in the back would fall. There were often errors on them via ineffective button pushes, incorrect push, last minute mind change, and it would result in dubious votes. Some votes were discarded. There is no doubt that sometimes the vote went to the wrong candidate.
During the very close presidential election of 2000, these voting machine issues clearly showed the need for electronic voting machine booths with the added feature of instant vote count.
The current problems that are appearing are temporary and fleeting. With enough time and research these problems will become obsolete and resolved.
But your point of paper ballots requiring greater participation of people is interesting. Indeed, when more people participate even in mundane and simple tasks, there is a healthy feeling that spreads among the community.
"... these voting machine issues clearly showed the need for electronic voting machine booths..."
The hanging chad fiasco showed the need for following established procedures. Those particular machines had not been cleaned for multiple years. So the holes filled up. Preventing new votes from being cast.
The problem electronic voting machines solved was the vendors were envious of dot com valuations. The HAVA pork triggered a gold rush by the vendors, juicing their revenue and stock prices and exec payouts. The gear didn't actually solve any technical problems. They weren't even "accessible", which was their primary stated purpose.
How does this show the need for e-voting? It just shows the need for decent engineering. It's silly to pretend a computer is the only solution here. You can add on instant counting, too, with a camera and slot to drop the ballot in.
> Why can you not just do paper voting with simple ballots, like in Canada?
Some places do - voting is handled at the state and county level, not federal. For example, I vote on paper in the county where I live.
> You've had some problems with your ballots 16 years ago, and we're not sure why you haven't fixed this by now.
Those were paper ballots, what you see now is largely an attempt to avoid similar multi-day challenges and recounts due to hanging chads and ambiguous markings on paper ballots.
I think it's high time we start taking these concerns seriously. If state actors can accomplish Stuxnet, then hacking a voting system seems well within the realm of technical possibility.
Fortunately, there are pretty simple policies we can enact to prevent fraud and give faith in elections (both in America, as well as other countries). If you care, I'd perhaps start at https://www.verifiedvoting.org/
They don't even need to throw the election. Two or three machines with absurd results in favor of Clinton or Trump would be enough to push the county into civil unrest.
Absurd results aren't what you want, since they're readily dismissed as localized, and people could believe that hacking had no effect on the overall result. You want to prove that hacking took place, but subtly, so that people can imagine it was widespread.
More effective would be to preselect a precise number of votes for a few machines in a swing state, with totals just 3-4 percentage points higher than what polling indicates for that precinct. Email a few journalists before the election: "I'm an engineer working to hack the election for Clinton, but I'm sickened by it and I want to blow the whistle... attached are encrypted tallies for the voting machines we compromised in precinct XXX. I know we have a team in YYY and I think in ZZZ, but I wasn't able to get data for those machines out. Decryption keys will follow Nov 15th."
If you used a one time pad you could skip the whole hack the election part and generate a key that reflects the actual totals after they've been published.
Hm... Is it a crime to write an email, not under oath, to a journalist accepting responsibility for a crime that one didn't commit (and had no idea was taking place)? I'd like to answer no but I'm sure a judge would use the "fire!" in a crowded movie theater analogy to answer in the affirmative.
Not saying there is any evidence this has happened or will happen, but:
If I were Russia, I would arrange something so one or two polling stations end up casting many fraudulent votes for Clinton, just to call the entire election into question and give more ammo to the Trump campaign. Even if those instances had no serious impact on the results, the uncertainty alone could definitely cause significant civil turmoil.
verifiedvoting.org looks like a good resource for taking action. If you're interested in learning more about verifiable/auditable voting systems, Wikipedia has some useful references:
The disturbing thing is that Stuxnet is more sophisticated than what it would take to control most voting machines. I think NSA type agencies for many countries and corporate espionage departments complete more complicated tasks every day.
I bet you that's the main reason they don't want to open-source it for independent verification -- you would find code so dirty and hackable that you would wonder which state actors actually did NOT hack.
There are 3 volunteers to tell, write and cross-check the paper ballot; and it's a public audience, meaning that there are a bunch of witnesses, including families who want to teach kids why the votes can be trusted, and party representatives who want to check that the election is not tampered with. It's hard to cheat when so many people can testify.
Getting a few hundred people to do anything without it leaking is hard. Plus, the paper records are retained, so a recount could specifically identify the culprits.
It's not easy, candidates have the right to appoint agents to verify the voting process, the ballot counts, the correctness of the markings and to certify the count and confirm the ballots are properly sealed in case of a judicial recount.
It is also worth pointing out that while this is labor intensive it can be
- scaled reasonably down. Which allows polling places staffed by fewer people.
- allows a higher number of voting stations as only a low tech physical curtain is needed to ensure privacy.
- throughput is primarily limited by identity verification which takes a cross check of ID document and voting notification card that is mailed to any eligible person once they reach their 18th birthday.
Democracy must not only be done, but also seen to be done. Trust in that most essential of democratic processes - vote counting - must be absolute.
Approaching vote counting as a mere technical problem that can be solved with enough technical safeguards misses the point. You cannot just ask a democracy to beta test vote counting and fix the bugs post-election - that will kill trust in the process.
Politics is polarised enough as is and you will find demagogues who will latch on to anything to reduce the legitimacy of an election.
It shouldn't even be up for discussion that trust and legitimacy are the most important goals in vote counting. Stick to paper voting and only introduce e-voting in parallel and not as the authoritative and final vote counting solution.
I wonder why countries don't use India's simple and scalable electronic voting systems. The latest ones have voter verified paper audit trails. They even have pooling systems to prevent counts from any single voting booth becoming known to prevent voter intimidation.
Really what it seems is that we need more audits on machines. If democracy is to be a pivotal part of our election process we need to release the source code of these machines to ensure that we find and solve problems.
Seems like a decent place to apply formal verification as well to show the machines are bug free. Voting machines are critically high impact if they have bugs and (famous last words) the complexity of the software seems low.
The counting app itself might be low-complexity, but I'm pretty sure the app runs on some kind of off-the-shelf OS with hundreds of millions of lines of code and at least a few known vulnerabilities.
A somewhat outdated version of Windows is a common choice, as is some random non-LTS version of Ubuntu. I don't think OpenBSD is particularly popular among self-serve kiosk manufacturers.
I think it's worth adding that if it doesn't use some off-the-shelf OS, then the complexity of the software just jumped a few levels because you're talking about writing a lot more lower-level components to make it work. Using an off-the-shelf OS is almost definitely the better way to go unless there's some obvious reason that it won't work (like architecture issues). I would also add that the choice of OS matters a lot less than configuration - if you do your configuration carefully and strip down the active components in the system, then you can make any of them secure enough for this task. And if you do a poor job of it, then even OpenBSD isn't going to save you.
That said, while I do agree the voting software should be open-source in principle, I'm not really as concerned with hackable bugs in that software that can only be exploited through physical means. If they have physical access to the machine like in this video then you're already shot - ideally you have preventive measures that will make it obvious when physical access has occurred. If you don't physically secure the machine, then it doesn't really matter how good the code is.
Is there any way you can prevent hacks like this that require physical access? I guess cryptographically signing the updates, adding tamper proof seals and requiring multiple people to approve updates would help. The general mantra however is that once a hacker has physical access to your machine all bets are off.
Also, what happens if there's a random hardware/software glitch where incrementing one vote actually increments 10 votes? Is this checked for? How much reliance is there on the software and hardware being error free?
We definitely have seals, but for technical solutions, look at how Apple secures their devices. Signed firmware updates, public key crypto, and a well thought chain of trust solve these issues.
The problem is that the actual poll creation is done on a per county basis. I don't know how you would do this in such a way that every random county and precinct in America could have signing keys, firmware updates, etc., just sitting around ready to roll to build elections with.
> The problem is that the actual poll creation is done on a per county basis. I don't know how you would do this in such a way that every random county and precinct in America could have signing keys, firmware updates, etc., just sitting around ready to roll to build elections with.
You mean creating and distributing the keys would be problematic if every county had their own keys? Are there any practical solutions to this?
Couldn't you only have a few keys that are used for many counties and updates should be verified and signed by multiple people? Each county could still verify the contents of the update was correct (e.g. correct names on the ballot).
The software/firmware would have its own signing keys. Counties would not have access to it. Counties could only load their specific voting profiles, which would be published similar to certificate transparency logs. The voting machines could display a signature of the ballot data in structured format for public auditing, that way each voter could check the signature (QR code, short generated phrase, etc) against a public record (newspaper, website, fliers printed in advance, etc).
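The comment above proposes publishing county ballot profiles in a certificate-transparency-style log and having the machine display a short fingerprint voters can compare against a public record. The following is an added example, not part of the thread and not any vendor's code: it uses RFC 6962-style Merkle hashing, and the profile layout, county names and fingerprint format are assumptions made for illustration.

```python
import hashlib
import json


def canonical(profile: dict) -> bytes:
    """Serialize a ballot profile so equal content always hashes identically."""
    return json.dumps(profile, sort_keys=True, separators=(",", ":")).encode("utf-8")


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()      # 0x00 prefix marks a leaf


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 marks a node


def fingerprint(profile: dict) -> str:
    """Short code a machine could display (assumed format); the log keeps the full hash."""
    h = leaf_hash(canonical(profile)).hex()[:16]
    return "-".join(h[i:i + 4] for i in range(0, 16, 4))


def split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: list) -> bytes:
    if not leaves:
        raise ValueError("log is empty")
    if len(leaves) == 1:
        return leaves[0]
    k = split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list, index: int) -> list:
    """Sibling hashes from the leaf up to the root, each tagged with its side."""
    if len(leaves) == 1:
        return []
    k = split_point(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [("R", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], index - k) + [("L", merkle_root(leaves[:k]))]


def verify_inclusion(profile: dict, proof: list, root: bytes) -> bool:
    """Recompute the root from one profile and its proof; compare to the published root."""
    h = leaf_hash(canonical(profile))
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root


# Constructed sample profiles; real ballot definitions would carry far more detail.
PROFILES = [
    {"county": "County A", "contests": [{"office": "Mayor", "choices": ["X", "Y"]}]},
    {"county": "County B", "contests": [{"office": "Mayor", "choices": ["P", "Q"]}]},
    {"county": "County C", "contests": [{"office": "Judge", "choices": ["M", "N"]}]},
]
LEAVES = [leaf_hash(canonical(p)) for p in PROFILES]
ROOT = merkle_root(LEAVES)  # the value that would be printed in the public record

if __name__ == "__main__":
    print("published root:", ROOT.hex())
    print("County B fingerprint:", fingerprint(PROFILES[1]))
    print("County B in log:", verify_inclusion(PROFILES[1], inclusion_proof(LEAVES, 1), ROOT))
```

A profile whose candidate order or names differ from the published one produces a different fingerprint and fails the inclusion check, which is the property the public comparison relies on.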
Not sure you are aware, but the actual quote is "The decision to announce the research findings was intended to encourage remediation of the vulnerabilities prior to Election Day".