Ballad Of The Magical Ballot Fairies
Election security is a thankless task, even on a good day. There’s a joke among election officials that the two most important laws during election season are Murphy’s Law (if something can go wrong, it will) and The Law of Unintended Consequences. This is something that election administrators and pollworkers are conditioned to take in stride. Folks who aren’t in the polling place trenches and focus more on election security tend to be a bit taken aback by our “Damn the Torpedoes” attitude and wonder how we can seem so cavalier about matters of security. It’s not that we aren’t concerned. As a matter of fact, most of us wake up screaming from nightmares about botnets of zombie ballot on demand printers and malicious nation-state actors trying to breach voter registration databases. The difference between the two factions is that security professionals have the relative luxury of being open about worst case scenarios. Election administrators decidedly…do not. They have to strike a delicate balance between taking security concerns with the appropriate level of seriousness, getting the logistics of an election done by a very tight deadline, and staying optimistic so they don’t strike terror into the hearts of the voters they swear to protect.
Sometimes neither side has the most realistic expectations. No matter how much we communicate, there is always going to be a gap because we don’t always understand how each group must order their priorities. And what seems realistic to one group is like expecting the other group to believe in magical ballot fairies. Many debates center around the age old battle of electronic voting vs. paper voting, because….
You Can’t Hack Paper!!
Fair enough. Performing a SQL injection on a paper ballot is rather unlikely. However, paper ballots can be overvoted, marked with glitter pen, have the barcode cut out, coffee stained, ripped, torn, bent at the corner ever so slightly, water damaged, incinerated, eaten by pets or wayward toddlers, delivered to the wrong address, stolen out of the mailbox, wrinkled by humidity, misplaced under a table, scanned twice accidentally, assigned to the wrong precinct, or fail to arrive at the election office by the deadline.
And this is the most secure voting system we’ve got, folks.
I have no issue with paper ballots. I’ve personally never voted on anything BUT an optical scan paper ballot, and I’ve voted in every election since the 2000 primary. Florida is a paper ballot state, and has been one since 2007. Optical scan paper ballots are a nice, efficient way to vote. I just get amused when very intelligent and educated folks go “Well, if we did all vote by mail elections and only do paper ballots, all our election security problems would be solved!”
I like to ask them where they think their ballot came from.
Repeat after me folks : THERE ARE NO MAGICAL BALLOT FAIRIES.
Sadly, magical ballot fairies that wave a magic wand and POOF! Your ballot is perfectly designed, laid out, printed straight with the proper readable ink with the correct candidates in the correct order with instructions on how to vote your ballot in clear, easy to understand language DO NOT EXIST. The magical ballot fairies WILL NOT personally fly your ballot to you, glittering wings aflutter.
Vote By Mail is fantastic. It makes voting so much easier for all parties involved. However, switching to all Vote By Mail isn’t a magical process where all security issues disappear with the wave of a magic wand and a splash of pixie dust. Mass scale ballot production is cheaper and more efficient for election departments, they outsource the printing process to dedicated election printers in an industrial setting and instead of having to distribute hundreds of precinct level ballot scanners, they use gigantic high speed central count tabulation scanners that can process 20,000 ballots per hour, cost as much as the median home price in Polk County and are the size of a 1987 Cadillac Fleetwood.
Ballot design is done on a computer. Automated software tools are used to determine placement of every last oval that will need to be filled in. Every millimeter of spacing is checked by human and machine. It can take up to two dozen separate computer databases to design a paper ballot. Then that file needs to be transported to the company that prints the ballots, and every single marking on that ballot must be proofed, and then approved. Then the ballot envelopes for vote by mail and overseas ballots must be created (on a computer) and printed as well. Once those are printed and returned to the election office, ballots must be sent to the ever expanding list of voters in the registration database who request one, usually online or by email . The Post Office then uses their computers and determines what the bulk rate election mail postage is, and ballots get mailed out in batches-using a computerized sorter to group and seal those batches into groups of 100. What machine do you suppose tracks your ballot’s journey? Or verifies your signature on the back of the ballot envelope? Or ensures that your ballot counts as cast?
Congratulations! We’ve just traded maddening Enterprise IT problems for a brand new and equally vexing set of ICS/SCADA problems. Industrial grade printing presses, high capacity ballot scanners that can handle 20,000 ballots an hour, postal grade mail sorters, and robotic automation in election warehouses are all variations of industrial control systems, and are full of unexpected attack surfaces.
Imagine a worm infecting a ballot printing press that shifts the bar code printed on a ballot, making it undetectable to the ballot scanner. Or ordering the candidates the wrong way on the ballot. Or printing incorrect addresses. Or a high speed scanner overheating to the point of incineration, melting the cartridges that hold the thermal ink. Or just eating every 15th ballot, making tabulation a nightmare.
Fortunately, the industrial machines have far more tightly controlled physical access than the traditional Enterprise IT systems do. But they still require inspection and testing periodically to avoid serious problems that stem from being controlled by an Internet-facing supervisory component.
“But Genya”, you say, “They’re air gapped!”
So were the Iranian centrifuges that got hit by Stuxnet.
You aren’t going to be able to avoid technology in elections. So stop worrying and learn to love (and secure) the Election Management Systems.
There will never be a perfect system. Election officials will be making tradeoffs between the devils they know and the devils they don’t know until we decide democracy was a better idea in theory than reality and we let our robot overlords pick our leaders. Wait…then someone’s going to be alleging that they got hacked too.