America’s electronic voting infrastructure is laughably insecure, but security experts know how to solve the problem. Only the political will is lacking to make it right.
Numerous bills have been introduced in Congress to address the issue, and presidential candidates are releasing their proposals to secure our elections. Do any of them really make U.S. elections more secure?
CSO investigated. Here’s our scorecard of the good, the bad and the ugly.
What makes an election secure?
Securing elections isn’t rocket science. Nor is it–or should it be–a partisan issue. Preventing hackers, foreign or domestic, or even corrupt local election officials from interfering in an election is a solved problem. In 2018, The National Academy of Sciences, Engineering, and Medicine published Securing the Vote: Protecting American Democracy, laying out the overwhelming consensus of security experts for how to make it so we can trust our election results again.
Any proposal that does not include the following three elements to secure our elections does not get a passing grade.
1. Hand-marked paper ballots
All ballots must be marked by hand on paper. Touchscreen–so-called direct-recording electronic (DRE)–voting is not secure and cannot be made secure. Don’t even ask “but what if….” DRE voting machines cannot be trusted because there will always be a way for a malicious adversary to attack the integrity of the voting results.
Hand-marked paper ballots can be counted two ways: using optical scanners or by hand. Either is acceptable, but security experts recommend optical scanners for speed and to avoid human error when counting long, complicated ballot papers.
2. Risk-limiting audits
Optical scanners can be more accurate and less error-prone than human volunteers counting ballots, but optical scanners themselves can be hacked, and so to ensure the integrity of voting results every election should be followed by a risk-limiting audit. That’s just a fancy way of saying “let’s check some of those hand-marked paper ballots after an election to be on the safe side.”
This is why hand-marked paper ballots are so important. Election officials can actually do a recount by hand–something impossible to do with touchscreen electronic voting.
During a risk-limiting audit, election volunteers recount a select percentage of a random sampling of the total ballots to ensure there are no discrepancies. In the event of a landslide, a risk-limiting audit might recount a few percent of total ballots cast, enough to be statistically confident in the result. In the event of a squeaker of an election, a risk-limiting audit might involve a complete recount by hand of all ballots cast.
The only way to be sure a software bug or a hacker hasn’t interfered with an election result is to double-check after every election. Not some of the elections. Not some of the time, but all the time, and doing it the old-fashioned way–by a team of bipartisan volunteers marking a chalkboard.
3. Funding for state and local election officials
Hostile nation-state hackers want to interfere with U.S. election results. This is a fact. The U.S. has thousands of voting jurisdictions, most of them tiny, and few of them have the resources to defend against a foreign power trying to hack their computer systems. Asking Peoria to defend its election systems against Russian or Chinese hackers is like asking the town to defend against a tank invasion by a foreign country.
Worse, many jurisdictions run outdated, insecure operating systems like Windows XP or 2000. Ensuring transparent, secure elections means funding for better equipment, training for staff, and standardizing election procedures to ensure election results that all Americans can trust.
CSO’s election security scorecard
The following are the leading proposals to secure our elections with our analysis of which ones deserve to be taken seriously, and which should be launched via trebuchet into the mouth of an active volcano.
Protecting American Votes and Elections Act (PAVE) of 2019
The best proposal currently circulating on the Hill comes from the tech-savviest person in Congress: Senator Ron Wyden (D-Or). PAVE not only requires paper ballots and risk-limiting audits be used in all federal elections, it budgets half a billion dollars to help states by secure optical scanning machines, and includes a quarter billion extra to help states provide secure ballot-marking devices to voters with disabilities or who aren’t fluent enough in English to vote.
The proposal would ban all voting machines from connecting to the internet in any way and authorizes the U.S. Department of Homeland Security (DHS) to set minimally acceptable standards for all voting infrastructure, including voting machines, registration databases, electronic poll books and election reporting websites.
“The PAVE Act scraps insecure voting machines that are juicy targets for hackers and replaces them with reliable, secure hand-marked paper ballots,” Wyden said. “It gives states the funding they need to defend their election systems and puts the Department of Homeland Security in charge of setting strong security standards for every federal election.”
Secure Elections Act
Bipartisan Senate bill S. 2593, dubbed the Secure Elections Act, was introduced in 2018 by a bipartisan group of senators seeking to secure federal elections nationwide. The original bill called for both hand-marked paper ballots and mandatory risk-limiting audits, as well as additional funding for state and local jurisdictions.
Amendments introduced this spring, however, removed both the legal requirement to use hand-marked paper ballots as well as mandatory risk-limiting audits–essentially gutting the bill. In its current form the Secure Elections Act would be better called the Insecure Elections Act.
Senator Warren’s campaign proposal
Senator and Democratic presidential candidate Elizabeth Warren (D-Ma) has proposed a strategy similar to PAVE as part of her campaign for the Democratic presidential nomination. Full of sound bites like “Our elections should be as secure as Fort Knox. But instead, they’re less secure than your Amazon account,” her proposal is refreshing in that it reflects a candidate listening to actual technical experts.
Senator Warren’s proposal to secure elections follows the National Academy’s recommendations almost to a ‘t’–hand-marked paper ballots, risk-limiting audits and federal funding to secure federal elections are all spelled out in her proposal.
Warren’s proposal goes further than the minimum baseline for security the National Academy calls for and includes ideas like creating a Secure Democracy Administration to replace the dysfunctional Election Assistance Commission (EAC).
Candidate Yang’s blockchain voting proposal
Dear Andrew Yang,
Your blockchain idea is stupid. There. We said it. Blockchain is not the answer to securing our elections and deserves to be laughed out of the room. The idea that a serious presidential candidate like you would even suggest the idea should raise eyebrows about the rest of your policy proposals.
In a misguided attempt to increase voter turnout–an otherwise noble goal–you propose that “Americans should be able to vote via their mobile device, with verification done via blockchain.” There’s a reason the secret ballot is a cornerstone of democracy. How long before people start selling their vote, or abusive partners coerce their significant other into voting for one candidate over the other?
This lack of a secret ballot is a stake in the heart of any “voting by blockchain” proposal. There are three non-negotiable requirements to ensure a secret ballot, software engineer Ben Adida, CEO of Voting Works, wrote in this 2017 analysis: enforced secrecy (no way for a voter to prove how they voted), individual verifiability (voters know their vote was recorded correctly), and global verifiability (all ballots are correctly counted and only eligible voters vote once).
A blockchain is by definition a public, distributed database that anyone can download and inspect. “A distributed database of all cast votes, where everyone sees the same state of the world, would certainly be useful for global verifiability and to some degree for personal verifiability,” Adida writes. “That said, it won’t get us all the way there on those, and it won’t get us anywhere on enforced secrecy.”
Voter turnout is a serious issue that deserves a serious solution–one that does not involve fetishizing the latest fad among Silicon Valley tech bros. You’re a VC. We get it. But you’re barking up the wrong tree.
Online voting, of the blockchain or any other variety, is not secure and cannot be secured. Not now, not ever. Online voting is so stupid even debating it is stupid. Any proposal that involves online or blockchain voting should be laughed out of the room. You might as well use an umbrella to defend yourself against a missile strike. Good luck with that.
Securing America’s voting infrastructure is not rocket science. We know how to do it. Security experts are screaming from the rooftops how to do it. Delivering safe drinking water or natural gas for cooking to people’s homes is not a partisan political issue. We listen to infrastructure experts. It’s time we did the same for securing our elections.