President Obama has called Donald Trump’s suggestion of a rigged 2016 presidential election “ridiculous.” But if you’re in one of the dozens of counties that rely on paperless electronic voting machines, can you trust that your vote will be counted accurately and fairly?
It's a question that's dogged the U.S. election system for years, but seems more urgent now that U.S. officials suspect that Russia is trying to influence the outcome of the U.S. presidential elections by hacking our election systems.
Dana DeBeauvoir, a spirited 62-year-old who has overseen the election process in Travis County, Texas, since 1986, has been fending off complaints about voting for decades. In recent years, most of those complaints have been about the reliability of electronic voting machines.
So one year, when a group of voting activists asked her to deliver a keynote speech at their annual conference in Washington, D.C., she decided to give them a piece of her mind.
"I told that group, basically: 'Shame on you for picking on, and beating up on the wrong person, and for basically only throwing rocks, and not doing anything about the problem itself. All you’re doing is picking on an administrator and contributing nothing to the solution.' So I challenged them, and I said: 'YOU come up with an answer to these security issues, and I’ll help build it.'"
They did. The result is a system that could be a more secure alternative to our flawed voting mechanisms. It records votes in a public, digital, anonymous ledger so that individual voters can look up the record of their vote and see that it was counted correctly, and third parties can audit the results.
If it works, it’s a solution we need to roll out nationally as soon as possible because the current state of electronic voting is woeful. In November in the battleground states of Pennsylvania and Virginia, the majority of voters will cast their ballots using outdated touchscreen machines, including models that security researchers have demonstrated they can hack and one that “lost” 4,500 votes in a single North Carolina county during the November 2004 general election.
“In the 15 years since [the introduction of electronic voting machines] very little about this equipment has changed in the marketplace,” said DeBeauvoir at a security technology conference in San Francisco this January. “Virtually all, if not all, of the equipment on the market today has the exact same vulnerabilities as were pointed out all those years ago, even though election administrators have repeatedly asked for improvements in voting system design.”
DeBeauvoir, the Clerk of Travis County, home to Austin, is among a group of technologists, designers and cryptologists who say we need to scrap the old voting machines entirely and start fresh if we want to make our democracy work securely. Now they’re garnering the attention of federal officials, spooked by the Democratic National Committee hack.
Travis County’s search for a new voting system was sparked by a drawn-out legal battle with a coalition of voters led by the Austin chapter of the NAACP and members of the computer security research community. In 2006, a group of Texas voters sued Travis County for making people vote electronically without a backup paper trail, saying it wasn’t secure and didn’t provide a reliable method for recounts. The Texas Supreme Court ultimately sided against the activists in 2011 saying the activists couldn’t provide evidence that voters had been demonstrably harmed by the paperless voting machines.
But it turns out that DeBeauvoir was as frustrated as the voters. The computer security community kept coming to her with new discoveries about how hackers could hijack the vote. DeBeauvoir felt that taxpayers and her office of administrators were being forced to shoulder all the responsibility for the technological failures of the voting machine manufacturers.
"I was doing my honest best to respond to it, only to be met with yet another risk," DeBeauvoir told me by phone. "I was upset, I was irritated. I was angry at all of them, for allowing the criticisms to go unanswered, and for allowing the public to think that all of these hacks might really happen. Here I was, exhausting all my efforts trying to deal with these risks one by one by one, and I was getting no help from either the community that was pointing out the risks, nor the community that was building the voting systems."
So she partnered with the critics. The result was a detailed specification for a new voting system called STAR-Vote (STAR is short for “Secure, Transparent, Auditable, and Reliable”). The new system will “allow elections administrators to prove to anyone–be they a computer scientist, a losing candidate, or a no-nonsense, non-techy grandmother–that every ballot is accurately counted,” said DeBeauvoir.
The proposed voting system uses an encryption scheme known as homomorphic encryption, which is designed to enable reliable recounts. Under this system, elections administrators will be able to publish anonymized, encrypted voting records online, so that third parties, such as activists and news organizations, can tally and verify election results for themselves.
There are detailed, technical write-ups about how it works, but the simple version is that when a person votes, his or her selections are encrypted and then stored encrypted. "No one will be able to see how one individual voted," explains security technologist Garrett Robinson. Homomorphic encryption, which lets you "compute with data you cannot read," allows the counting of votes to be done while they're still encrypted to produce a sum that can then be decrypted to give the county the overall results. We could say goodbye to concerns about ballots being thrown out or tampered with.
IBM researcher Craig Gentry, one of homomorphic encryption’s creators, compares it to running a jewelry manufacturing shop with untrusted jewelry makers in which the owner of the store provides the jewelry makers with the valuable raw materials, such as gold and diamonds in a locked box, and then has the makers create jewelry by sticking their hands into the box with gloves and manufacturing their creations without ever seeing them.
The design of the voting system is technologically complex but the voting experience wouldn’t feel or look very different for voters as they go through the process, notes Josh Benaloh, a senior cryptographer at Microsoft, who worked on the proposal with DeBeauvoir and other cryptologists and user experience design experts.
Voters would still make their choices on a touchscreen showing their ballot. They’d get a chance to review their choices on screen. After finishing, they’d print out their ballot and deposit it or scan it into the ballot box, in the same way that voters do today with optical scanning voting machines. After that, they’d be given a receipt with their unique cryptographic code identifying their vote. All voters would just be unique numbers to county officials, not identified by name.
“Yes, there's mathematics in the background, but there still will be paper ballots that can be counted,” Benaloh said. “The cryptographic stuff can be thought of as extra assurance to provide voters and the public extra confidence in election results.”
This is especially important in close elections where disputes over the accuracy and methodology of recounts sometimes result in endless litigation and distrust over the legitimacy of election results.
The proposed system includes a paper-ballot auditing process as backup, but third parties would also be able to check the encrypted list of cast votes for themselves. Travis County plans on publishing certain aspects of the voting system’s code online so that tech-savvy people could use it to build an app to validate election results.
DeBeauvoir’s office is budgeting $4 million for a pilot project for next year (a million of which still has to be approved by the county commissioners’ court). She envisions the county controlling the rights to the software, and a commercial company like IBM coming in to provide services and tech support. Other jurisdictions would be free to use the software for their own voting systems.
The problem with the homomorphic encryption scheme is that it’s a relatively new idea, can be expensive and can slow down the speed at which software operates. The sectors that have started to use it, such as the financial and healthcare industries, have money to burn.
“Homomorphic encryption is a pretty incredible technology,” says Patrick Townsend, CEO of the security company Townsend Security in Olympia, Washington. “The problem is that the security of it is unknown. It hasn’t had the time to be properly vetted by the cryptographic community.”
Another big question mark over Travis County’s project is who will vet and build the system, and ensure it’s secure. One interesting contender, who’s been tracking Travis County’s efforts closely, is security researcher and software engineer Joe Kiniry.
Kiniry has been part of what over the years has developed into a movement to create more trustworthy and reliable elections. He’s conducted demonstrations over the years for various European leaders, showing them why voting through the Internet is insecure and vulnerable to hacking—once even conducting a denial-of-service attack on a prototype Internet voting system that legislative officials in the Netherlands were demonstrating for high-level ministers.
Kiniry was an academic who worked on software engineering and security in Europe for 12 years. He left academia in early 2014 to join the computer security company Galois in Portland, Oregon. Galois specializes in building open-source, secure software for government clients, including the Department of Defense, Scotland Yard and the National Security Agency. Earlier this year, Kiniry launched a spinoff startup for Galois called Free and Fair that aims to provide secure voting system software.
There’s a reason there aren’t a plethora of voting machine companies in the United States. Local governments, in an effort to protect taxpayers from fly-by-night fraudsters, often have onerous rules that preclude them from buying services from unproven startups. And the security certification for new products in this area is expensive and currently being rehashed at the federal level. Juan Gilbert, an engineering professor at the University of Florida, for example, told me that he and his students created an open source voting system called Prime II several years ago, but he hasn’t had the $500,000 to million dollars needed to have it certified.
But given the new federal focus on election security, Kiniry’s start-up looks like it has a chance. This April, Rep. Hank Johnson, D-Ga., introduced a bill that would provide local governments $125 million for new machines and create a program that would enable states to apply for grants to develop their own open source voting systems as in Travis County and Los Angeles (which is also building its own election system.)
All of this work bodes well, but only for the long term. This work will not materialize in time for voters during this election cycle: Most of the projects on revamping voting machines won’t come to fruition until 2020 or 2018 at the earliest. Given that, and given the predictions for a close election in some states, it may be time to brace for a long night come November 7, with conspiracy theories galore.
Sarah Lai Stirland is a freelance journalist in the San Francisco Bay Area. Send feedback and thoughts to firstname.lastname@example.org.