Paperless voting machines a hacking risk
Allentown, Pa. — Jill Stein’s bid to recount votes in Pennsylvania was in trouble even before a federal judge shot it down Dec. 12. That’s because the Green Party candidate’s effort stood almost no chance of detecting potential fraud or error in the vote — there was basically nothing to recount.
Pennsylvania is one of 11 states where the majority of voters use antiquated machines that store votes electronically, without printed ballots or other paper-based backups that could be used to double-check the balloting. There’s almost no way to know if they’ve accurately recorded individual votes — or if anyone tampered with the count.
More than 80 percent of Pennsylvanians who voted Nov. 8 cast their ballots on such machines, according to VotePA, a nonprofit seeking their replacement. A recount would, in the words of VotePA’s Marybeth Kuznik, a veteran election judge, essentially amount to this: “You go to the computer and you say, ‘OK, computer, you counted this a week-and-a-half ago. Were you right the first time?’ ”
These paperless digital voting machines, used by roughly 1 in 5 U.S. voters last month, present one of the most glaring dangers to the security of the rickety, underfunded U.S. election system. Like many electronic voting machines, they are vulnerable to hacking. But other machines typically leave a paper trail that could be manually checked. The paperless digital machines open the door to potential election rigging that might not ever be detected.
What’s more, their prevalence magnifies other risks in the election system, such as the possibility that hackers might compromise the computers that tally votes, by making failures or attacks harder to catch. And like other voting machines adopted since the 2000 election, the paperless systems are nearing the end of their useful life — yet there is no comprehensive plan to replace them.
“If I were going to hack this election, I would go for the paperless machines because they are so hard to check,” said Barbara Simons, a former IBM researcher and co-author of “Broken Ballots,” a history of the unlearned lessons of flawed U.S. voting technology.
Although Stein premised her recount effort on the need to ensure that the 2016 election wasn’t tainted by hacking or fraud, there’s no evidence of either so far — a fact federal judge Paul Diamond cited prominently in his decision halting the Pennsylvania recount. “Suspicion of a ‘hacked’ Pennsylvania election borders on the irrational,” the judge wrote in his opinion.
Stein also pursued recounts in Wisconsin and Michigan, to little avail. Those states use more reliable paper-based voting technologies.
But a cadre of computer scientists from major universities backed Stein’s recounts to underscore the vulnerability of U.S. elections. These researchers have been successfully hacking e-voting machines for more than a decade in tests commissioned by New York, California, Ohio and other states.
Stein and her witnesses said their fraud concerns were justified given U.S. charges that Russia meddled in the 2016 presidential campaign. Emails of top Democrats were hacked and leaked in what U.S. intelligence officials called Russian subterfuge against Democrat Hillary Clinton.
Over the summer, hackers also tried to breach the voter registration databases of Arizona and Illinois using Russian-based servers, U.S. officials said. Election networks in at least 20 states were probed for vulnerabilities.
“It’s a target-rich environment,” said Rice University computer scientist Dan Wallach. Researchers would like to see the U.S. move entirely to computer-scannable paper ballots, since paper can’t be hacked. Many advanced democracies require paper ballots, including Germany, Britain, Japan and Singapore.
Green Party lawyers seeking the Pennsylvania recount called the state’s election system “a national disgrace” in a federal lawsuit, noting that many states outlaw paperless voting. They asked a judge to order a forensic examination of a sampling of the electronic machines, saying that’s the only way to know for sure that votes weren’t altered.
That would involve examination of all of the systems involved in the election — voting-machine computer chips and memory cards that store operating software and ballots, the computers that program the ballots, and even the machine vendors’ source code — to detect any “bugs, holes or back doors” a hacker could have exploited, said Daniel Lopresti, chairman of the Lehigh University computer-science department.
But forensic analyses aren’t foolproof, especially if hackers were good at covering their tracks. “What you’re hoping for is some evidence that was left, some degree of clumsiness or carelessness, a belief by the individual that we won’t dig quite that deep,” Lopresti said.
The U.S. voting system — a loosely regulated, locally managed patchwork of more than 3,000 jurisdictions overseen by the states — employs more than two dozen types of machinery from 15 manufacturers. Elections officials across the nation say they take great care to secure their machines from tampering. They are locked away when not in use and sealed to prevent tampering.
All that makes national elections very difficult to steal without getting caught. “It would take a ‘large conspiracy’ to hack the results of a presidential election,” said Kay Stimson, speaking for the National Association of Secretaries of State.
But difficult is not impossible. Wallach and his colleagues believe a crafty team of pros could strike surgically, focusing on select counties in a few battleground states where “a small nudge might be decisive,” he said.
Studies by Halderman, Wallach and others proved years ago that it’s possible to infect voting machines in an entire precinct via the compact flash cards used to load electronic ballots.
An infected machine “could do anything you can imagine,” said Wallach. “It could flip votes from one candidate to another. It could delete votes. It could cast write-in votes for Mickey Mouse for president.”