It’s not just Iowa: Election tech is messy

Open Sourced logo

Election security in the United States seems more precarious than ever. As the November 2020 election grows closer, states and counties have charged ahead with their own plans to secure — and improve — their voting systems. Congress, meanwhile, has failed to send much-needed reforms to the president’s desk.

Anxiety over the mechanics of this year’s election has spiked following the disaster that was the Iowa Democratic caucus. While there’s no reason to believe that the very poorly developed app used in the caucus was hacked, the fiasco does have lawmakers spooked on a number of fronts, as it’s increasingly becoming clear that the integrity of the nation’s elections can be compromised in a variety of ways. In fact, after the phone number for reporting precinct results was posted online, supporters of President Donald Trump managed to flood phone lines and interfere with the counting of results, according to Bloomberg.

You could say the country is more vulnerable to election interference than ever. Some worry, with good reason, that the worst is yet to come.

Congress is struggling to agree on election security

On Tuesday, Sen. Mark Warner (D-VA) said in a statement that the Iowa mess demonstrated the “overall failure” of efforts to protect the integrity of US elections. And across the aisle, Sen. Marco Rubio (R-FL) warned in a tweet that the “meltdown” hinted at how “Russian or Chinese hackers [could] tamper with preliminary reporting system[s].”

But protecting the electoral process has hardly been a point of bipartisan cooperation. Several common-sense bills proposed in the wake of Russian interference in the 2016 presidential election have stalled, including legislation that would require campaigns to report any contact from foreign governments to the FBI and a proposal that would make it a federal crime to hack into a federal voting system. Meanwhile, none of the several bills that would require voting systems to create a paper trail, among other reforms, have moved forward.

Regardless, states have been making their own improvements since the 2016 election, like moving to voting machines with paper trails and instituting procedures for auditing election results. And last year, the federal government sent $425 million to states to beef up their election security, though that funding actually comes from the Help America Vote Act, a Bush v. Gore-inspired 2002 law. Importantly, lawmakers and the president did come together to create the Cybersecurity and Infrastructure Security Agency, which focuses, in part, on election security. A spokesperson told Recode that the agency is remaining in contact with the Democratic National Committee.

The Brennan Center for Justice, a public policy nonprofit, says the cost of securing American elections is actually closer to $2.2 billion. The director of its Election Reform Program, Lawrence Norden, told Recode that Congress has generally handled this issue “poorly” and that the Iowa fiasco makes clear why elections need to be secure and backed up on paper.

At the same time, companies pushing other forms of new election tech — which have raised security concerns of their own — are distancing themselves from whatever happened in Iowa. Meanwhile, the Nevada Democratic Party, which had been working with Shadow Inc., the company that produced the app used in Iowa, announced it won’t be using “the same app or vendor” for its own caucuses. A security firm told ProPublica that the app was so badly safeguarded, it could have been hacked, and information sent to and from the app could have been intercepted.

An assault on US elections could occur at many levels of voting infrastructure. As a 2018 Vox investigation into the state of the US elections infrastructure reported, these attacks might target election websites, government officials’ email accounts, voter registration systems, and even the voting machines themselves. Securing all of these systems throughout the country is a difficult task that involves not only technical improvements and cybersecurity but also training and coordinating with local elections officials on how their systems could be implicated by national security threats.

Still, what happened in Iowa highlights how the introduction of new technology and insufficient back-up procedures can disrupt the voting process. It also raises new concerns about the best way to ensure the security and integrity of elections. Meanwhile, ongoing doubt over the Iowa results continues to raise questions: On Thursday morning, the New York Times reported on inconsistencies in the results from more than 100 precincts.

States and counties are moving forward with simple reforms: Paper backups and audits

One of the most important security “innovations” that election authorities are pursuing is actually pretty boring: voting machines that produce a paper trail of every vote. While there’s no federal law requiring that results of national elections are backed up with a hard copy, Norden says that in 2016, nearly 28 million people voted on machines that didn’t produce paper records. In the 2020 general election, however, he expects that number to drop to roughly 16 million. In fact, no more than eight states are expected to use such voting machines this November.

That might seem a little bit like technological backtracking, but it’s not.

“The concern has always been, if the paperless machines are hacked, [if] there’s a software bug, or [if] they fail in some way,” Norden told Recode, “you may not be able to confirm vote totals.”

The move to more machines that produce a paper trail is hardly the only enhancement that states have made since the last presidential election. For instance, Illinois has turned to so-called “cyber navigators,” who are essentially cybersecurity experts sent to conduct risk assessments at election offices and determine what sort of security improvements they might need. These navigators can also conduct assessments of phishing attempts, test voting systems with simulated attacks (also known as penetration testing), and evaluate election authorities’ physical security, according to the Illinois State Board of Elections’s executive director.

Meanwhile, the Department of Homeland Security has been offering consultations and resources to local election officials and pushing a slew of defensive technologies and procurements they can adopt. And officials have also turned to simulations of potential cyberattacks — such as those provided by the Belfer Center’s Defending Digital Democracy Project — to better prepare themselves.

In November, 24 states will require post-election audits of paper records, according to the Brennan Center. And four states have laws that specifically require a particular kind of audit called a “risk-limiting audit,” which involves hand-counting a statistically determined sample of votes to check that votes have been counted accurately. (The National Council of State Legislatures provides a helpful explanation of this process on its website).

Other states are instituting electronic pollbooks, which Norden says can help make running a polling place faster as well as reduce errors. (Norden noted that new, underlying technology must also be secure.) At least one state, Alaska, has moved away from the somewhat common practice of allowing certain categories of people — often members of the military who are overseas — to vote online, which is typically done by email or via a state’s online portal. Those absentee Alaska voters will have to turn to more time-tested modes of communication, namely fax and snail mail. Those methods have their own security vulnerabilities, though they’re less susceptible to hackers.

It’s worth pointing out that West Virginia is moving in the opposite direction. Late last month, the state legislature voted to expand its electronic voting allowances to include people with physical disabilities, legislation that West Virginia Gov. Jim Justice signed on Wednesday.

One company says blockchain and biometrics will address states’ security woes. Election security experts don’t agree.

One startup, Voatz, is developing technology that could enable online, blockchain-based elections, despite the widespread concerns of election security experts. The technology has already been used by some voters in elections in Utah and West Virginia. On Tuesday, the company released a statement emphasizing that its system was not used in Iowa. Voatz also clarified that it provides a form of mobile voting, not a platform to tabulate results.

The Voatz platform uses not only blockchain technology but also biometric verification. Voters first need to download the Voatz app. (The company says that “only recently manufactured smartphone models from Apple, Samsung, and Google are supported with Voatz.”) Then they can verify their identity by taking a picture of their government ID, followed by a fingerprint scan and the use of facial recognition technology. The actual voting happens in the app, which employs blockchain technology to store the vote securely and make it available to the state board of elections or whichever entity is doing the counting. Voatz also emphasizes the fact that every vote cast via the app is backed up with a paper copy.

The details of this complex-sounding process haven’t allayed the worries of election security experts who say that blockchain-based elections — a model being pushed by a slew of startups — generally raise concerns about cybersecurity and the secrecy of the ballot. And last year, researchers published a review of their unanswered questions about the Voatz platform, questioning its data retention policies and facial recognition feature, among a wide range of other concerns. Voatz did not respond to Recode’s request for comment by the time of publication.

David Jefferson, a computer scientist at the Lawrence Livermore National Laboratory and a co-author of the paper, told Recode he’s reached out directly to Voatz with questions but never heard back.

It’s worth highlighting that the Voatz app has already been targeted in a hacking attempt, though neither the system nor any votes were compromised. In October, the Department of Justice said the FBI had launched an investigation into the apparent “attempted intrusion” of the platform, but neither agency would provide Recode with an update.

This month, the Washington State district that covers Seattle will host the first-ever election in which all voters will be able to use a web portal on their phones (or computers) provided by the company Democracy Live (which has received support from the same philanthropy — Tusk Philanthropies — that is supporting the Voatz app).

Apps aren’t the only new voting tech, but all systems need to have a paper ballot and backup

New election technology consistently raises all kinds of concerns over security, accuracy, and usability. We certainly saw those concerns on display after the app used in the Iowa Democratic caucuses malfunctioned, leading to confusion, hacking fears, and delayed results. Again, Iowa election officials insist the app was not hacked, and a CISA spokesperson says the agency has “no reporting of any malicious cyber activity.”

This year, Los Angeles County will use a new publicly owned voting system that uses “open source” technology called Voting Solutions for All People (VSAP). This new platform, which will cost the county as much as $280 million, will introduce new touchscreen pads and a paper record of every vote. Those machines will be used in the California presidential primaries, and if all goes well, they’re expected to be used in the general election as well. LA County built the platform with help from London-based election tech company Smartmatic, whose CEO recently argued on Twitter that Iowa invested too little in its election technology and therefore suffered from a “lack of technology.”

But even the new Smartmatic system being deployed in Los Angeles has drawn criticism. As the Associated Press reported in January, testers found that “seals, locks, labels, and sensors can all be bypassed” on the VSAP hardware, which could allow ballots to be inserted or removed. Testers also found that “unrestricted access to, and the ability to boot from, the USB port allows access to data.” California Secretary of State Alex Padilla has vowed to fix these issues ahead of the state’s March 3 primary.

Meanwhile, the Beverly Hills City Council has sued the county over other design flaws that it argues could disadvantage certain candidates. And in the wake of Iowa’s recent debacle, it does feel like the development of some new election technology is being rushed.

What happened in Iowa demonstrates why we need to back up our elections, the Brennan Center’s Norden says. Technical difficulties occur, whether they’re caused by a hack, a software bug, or a system that simply doesn’t work. The point is: We need paper backups and systems for checking an election’s results, even when those fail. No election is perfect, he says, but people still need to be able to vote.

Open Sourced is made possible by the Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.

Rebecca Heilweil Rebecca Heilweil https://cdn.vox-cdn.com/community_logos/52517/voxv.png Read More