Ballad Of The Magical Ballot Fairies
Election security is a thankless task, even on a good day. There’s a joke among election officials that the two most important laws during election season are Murphy’s Law (if something can go wrong, it will) and the Law of Unintended Consequences. This is something that election administrators and pollworkers are conditioned to take in stride. Folks who aren’t in the polling-place trenches and focus more on election security tend to be a bit taken aback by our “Damn the Torpedoes” attitude and wonder how we can seem so cavalier about matters of security. It’s not that we aren’t concerned. As a matter of fact, most of us wake up screaming from nightmares about botnets of zombie ballot-on-demand printers and malicious nation-state actors trying to breach voter registration databases. The difference between the two factions is that security professionals have the relative luxury of being open about worst-case scenarios. Election administrators decidedly…do not. They have to strike a delicate balance between taking security concerns with the appropriate level of seriousness, getting the logistics of an election done by a very tight deadline, and staying optimistic so they don’t strike terror into the hearts of the voters they swear to protect.
Sometimes neither side has the most realistic expectations. No matter how much we communicate, there is always going to be a gap, because we don’t always understand how each group must order its priorities, and what seems realistic to one group sounds to the other like being asked to believe in magical ballot fairies. Many debates center on the age-old battle of electronic voting vs. paper voting, because….
You Can’t Hack Paper!!
Fair enough. Performing a SQL injection on a paper ballot is rather unlikely. However, paper ballots can be overvoted, marked with glitter pen, have the barcode cut out, be coffee-stained, ripped, torn, bent at the corner ever so slightly, water-damaged, incinerated, eaten by pets or wayward toddlers, delivered to the wrong address, stolen out of the mailbox, wrinkled by humidity, misplaced under a table, scanned twice accidentally, assigned to the wrong precinct, or fail to arrive at the election office by the deadline.
And this is the most secure voting system we’ve got, folks.
I have no issue with paper ballots. I’ve personally never voted on anything BUT an optical scan paper ballot, and I’ve voted in every election since the 2000 primary. Florida is a paper ballot state, and has been one since 2007. Optical scan paper ballots are a nice, efficient way to vote. I just get amused when very intelligent and educated folks go “Well, if we did all vote-by-mail elections and only used paper ballots, all our election security problems would be solved!”
I like to ask them where they think their ballot came from.
Repeat after me folks : THERE ARE NO MAGICAL BALLOT FAIRIES.
Sadly, magical ballot fairies that wave a magic wand and POOF! Your ballot is perfectly designed, laid out, printed straight with the proper readable ink with the correct candidates in the correct order with instructions on how to vote your ballot in clear, easy to understand language DO NOT EXIST. The magical ballot fairies WILL NOT personally fly your ballot to you, glittering wings aflutter.
Vote By Mail is fantastic. It makes voting so much easier for all parties involved. However, switching to all Vote By Mail isn’t a magical process where all security issues disappear with the wave of a magic wand and a splash of pixie dust. Mass-scale ballot production is cheaper and more efficient for election departments: they outsource the printing to dedicated election printers in an industrial setting, and instead of having to distribute hundreds of precinct-level ballot scanners, they use gigantic high-speed central-count tabulation scanners that can process 20,000 ballots per hour, cost as much as the median home price in Polk County, and are the size of a 1987 Cadillac Fleetwood.
Ballot design is done on a computer. Automated software tools are used to determine the placement of every last oval that will need to be filled in. Every millimeter of spacing is checked by human and machine. It can take up to two dozen separate computer databases to design a paper ballot. Then that file needs to be transported to the company that prints the ballots, and every single marking on that ballot must be proofed, and then approved. Then the ballot envelopes for vote-by-mail and overseas ballots must be created (on a computer) and printed as well. Once those are printed and returned to the election office, ballots must be sent to the ever-expanding list of voters in the registration database who request one, usually online or by email. The Post Office then uses its computers to determine the bulk-rate election mail postage, and ballots get mailed out in batches, using a computerized sorter to group and seal those batches into groups of 100. What machine do you suppose tracks your ballot’s journey? Or verifies your signature on the back of the ballot envelope? Or ensures that your ballot counts as cast?
Congratulations! We’ve just traded maddening Enterprise IT problems for a brand new and equally vexing set of ICS/SCADA problems. Industrial-grade printing presses, high-capacity ballot scanners that can handle 20,000 ballots an hour, postal-grade mail sorters, and robotic automation in election warehouses are all variations on industrial control systems, and they are full of unexpected attack surfaces.
Imagine a worm infecting a ballot printing press that shifts the bar code printed on a ballot, making it undetectable to the ballot scanner. Or ordering the candidates the wrong way on the ballot. Or printing incorrect addresses. Or a high-speed scanner overheating to the point of incineration, melting the cartridges that hold the thermal ink. Or just eating every 15th ballot, making tabulation a nightmare.
Fortunately, physical access to these industrial machines is far more tightly controlled than it is for the typical Enterprise IT system. But they still need periodic inspection and testing, because the serious problems come in from the supervisory side: the component that feeds them ballot files, settings and firmware is, more often than anyone likes to admit, Internet-facing, and the ballot file itself has to travel from the election office to the printer on something.
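Most of the failures listed above (a press or scanner eating every 15th ballot, an envelope scanned twice, a batch assigned to the wrong precinct) are detectable at the reconciliation step, if someone actually compares what the sorter said it mailed with what the central-count scanner says it saw. The following is an added example of that check and is not code from the original post or from any election vendor’s system. It assumes a hypothetical batch manifest (mail batches of 100 envelope IDs, as the sorter is described producing) and a hypothetical scanner log with one “timestamp, scanner, envelope ID” line per scan; all of the data in it is constructed.

```python
"""Batch reconciliation of vote-by-mail envelopes against central-count scanner logs.

Added example; not code from the original post or any election vendor's system.
Assumes a hypothetical manifest (batches of 100 envelope IDs) and a hypothetical
scanner log with one "<timestamp> <scanner> <envelope id>" line per scan.
All data below is constructed for the example.
"""
from collections import Counter
from typing import Dict, List, Optional


def make_manifest(batch_id: str, first: int, count: int = 100) -> Dict[str, List[str]]:
    """Constructed manifest: one batch of `count` consecutive envelope IDs."""
    return {batch_id: [f"E{n:04d}" for n in range(first, first + count)]}


def constructed_scanner_log() -> str:
    """Constructed log for batch B001 showing three failure modes from the post:
    every 15th envelope never scanned, E0007 fed through twice, and E0203
    (an envelope belonging to some other batch) mixed in."""
    lines, t = [], 0
    for n in range(1, 101):
        if n % 15 == 0:
            continue  # the "eats every 15th ballot" failure
        lines.append(f"2018-11-06T19:{t // 60:02d}:{t % 60:02d} CC-1 E{n:04d}")
        t += 1
        if n == 7:  # the "scanned twice accidentally" failure
            lines.append(f"2018-11-06T19:{t // 60:02d}:{t % 60:02d} CC-1 E0007")
            t += 1
    lines.append(f"2018-11-06T19:{t // 60:02d}:{t % 60:02d} CC-1 E0203")
    return "\n".join(lines)


def parse_scanner_log(text: str) -> List[str]:
    """Envelope IDs in scan order; malformed lines are skipped rather than fatal."""
    ids = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ids.append(parts[2])
    return ids


def reconcile(manifest: Dict[str, List[str]], scanned: List[str]) -> Dict[str, object]:
    """Compare what the sorter said it sent with what the scanner says it saw."""
    # envelope id -> (batch, 1-based position within the batch)
    expected = {eid: (batch, pos)
                for batch, ids in manifest.items()
                for pos, eid in enumerate(ids, start=1)}
    counts = Counter(scanned)
    missing = [eid for eid in expected if counts[eid] == 0]
    return {
        "missing": missing,
        "missing_positions": [expected[eid][1] for eid in missing],
        "duplicates": sorted(eid for eid, c in counts.items() if c > 1 and eid in expected),
        "unexpected": sorted(eid for eid in counts if eid not in expected),
    }


def periodic_stride(positions: List[int]) -> Optional[int]:
    """Return k if the missing positions are exactly k, 2k, 3k, ...: a fixed stride
    points at a mechanical or firmware fault rather than random mail loss.
    Needs at least three points before it will claim a pattern."""
    if len(positions) < 3:
        return None
    pos = sorted(positions)
    gaps = {b - a for a, b in zip(pos, pos[1:])}
    return pos[0] if len(gaps) == 1 and gaps == {pos[0]} else None


def run_check() -> Dict[str, object]:
    """Run the reconciliation over the constructed batch and log."""
    result = reconcile(make_manifest("B001", 1, 100),
                       parse_scanner_log(constructed_scanner_log()))
    result["stride"] = periodic_stride(result["missing_positions"])
    return result


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

The point of the stride check is triage: six envelopes missing at random is a postal problem, six missing at positions 15, 30, 45, 60, 75 and 90 is a machine problem and the batch should be re-fed before anyone starts chasing the mail carrier.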
“But Genya”, you say, “They’re air gapped!”
So were the Iranian centrifuges that got hit by Stuxnet. The gap was crossed on removable media and contractor laptops, which is exactly how ballot files, firmware updates and maintenance tools reach our “air-gapped” machines.
You aren’t going to be able to avoid technology in elections. So stop worrying and learn to love (and secure) the Election Management Systems.
There will never be a perfect system. Election officials will be making tradeoffs between the devils they know and the devils they don’t know until we decide democracy was a better idea in theory than reality and we let our robot overlords pick our leaders. Wait…then someone’s going to be alleging that they got hacked too.

nice…

Very good post. No one ever wants to talk about the tradeoffs in election mechanisms.
(And you guys on Twitter should follow Genya. I’ve followed her for years and she’s awesome.)

Now take all of that, and apply the broad concepts to security in all domains.
I miss the big, green, curtained machines with toggles and big, noisy levers that NYers used to vote on. They worked — at least until some of them got very old and nobody was making replacements — couldn’t be hacked, and were easy to understand. If I had the money, I’d buy the rights to them, sell the idea of reviving them, and manufacture them again.

We had these when I was a lad in Iowa. There were regular stories about unintentional mal-adjustments and undercounts. There were occasional stories about intentional mal-adjustments (hacking). Even when new, they failed basic statistical tests — vote totals ending in “9”, “99”, and “999” were much more common than they should have been. No audit trail whatsoever.
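The statistical test the comment above alludes to is a last-digit test: when precinct totals are large, their last digit carries no information and should be spread evenly over 0 through 9, so an excess of totals ending in 9 shows up as a large chi-square statistic. The following is an added example of that test, not code from the original post or from the commenter. It assumes totals of at least 100 (below that the last digit is not uniform and is excluded), uses 16.919 as the 5% critical value of chi-square with 9 degrees of freedom, and runs over constructed precinct totals.

```python
"""Last-digit uniformity test for reported vote totals.

Added example, not code from the original post or its commenters. A surplus of
one last digit (the "too many 9s" pattern) inflates the chi-square statistic.
Assumes totals of at least `min_total` (smaller counts do not have a uniform
last digit) and the 5% critical value for 9 degrees of freedom. The totals
below are constructed.
"""
from typing import List

CRITICAL_5PCT_DF9 = 16.919  # chi-square critical value, 9 degrees of freedom, p = 0.05


def constructed_totals(digit_counts: List[int]) -> List[int]:
    """Build precinct totals whose last digits occur with the given counts
    (index d = how many totals end in digit d). Constructed data."""
    totals = []
    for digit, count in enumerate(digit_counts):
        totals.extend(200 + 10 * k + digit for k in range(count))
    return totals


def last_digit_counts(totals: List[int], min_total: int = 100) -> List[int]:
    """Histogram of last digits over totals >= min_total. Small precincts are
    excluded because the last digit of a small count is not uniform."""
    counts = [0] * 10
    for t in totals:
        if t >= min_total:
            counts[t % 10] += 1
    return counts


def chi_square_last_digit(totals: List[int]) -> float:
    """Chi-square statistic against a uniform last-digit distribution."""
    counts = last_digit_counts(totals)
    n = sum(counts)
    if n == 0:
        return 0.0
    expected = n / 10
    return sum((c - expected) ** 2 / expected for c in counts)


def suspicious(totals: List[int], threshold: float = CRITICAL_5PCT_DF9) -> bool:
    """True when the last digits deviate from uniform at the 5% level.
    A hit is a reason to pull the machines or paper for audit, not proof of fraud."""
    return chi_square_last_digit(totals) > threshold


# Constructed data: 100 totals each. CLEAN has every last digit 10 times;
# SKEWED has 28 totals ending in 9 and 8 for each other digit.
CLEAN = constructed_totals([10] * 10)
SKEWED = constructed_totals([8] * 9 + [28])

if __name__ == "__main__":
    for name, totals in (("clean", CLEAN), ("skewed", SKEWED)):
        print(f"{name}: chi2={chi_square_last_digit(totals):.1f} suspicious={suspicious(totals)}")
```

Note that the test says nothing about which candidate benefited, and it only has power with enough precincts; a county with twelve precincts will rarely clear the threshold even when something is wrong.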
The very first time I voted, in 1992, I voted on one of those. It was the last time I’ve ever seen one in use.
Great post.
I’m a big fan of the scanned paper ballots; it’s what we use in the county in which I’m pollworker. We’ve never had any problems with the print job on the paper ballots in any precinct I’ve been in. It’s also faster than voting machines, because the small number of voting machines create a much more significant bottleneck than even that caused by only having a single scanner. The only time we almost had a problem with paper ballots is when we almost ran out of GOP ballots in the 2016 Prez dual primary, due to underestimating how many Dem -> GOP crossover voters there would be (normally the ratio for those that chose Dem ballot over the GOP one is 4 or 5 to 1, that day was 2-1. Though also people weren’t feeling the bern yet at that point)
There’s also another check that I think is generally underappreciated – when precincts call in their instant results right after the polls close. Anyone with the history of how a precinct did should have a good feel of whether these early numbers pass the smell test. Then, they can also go back and see that the official results are close enough to what the prelims were, and keep a watch out for shenanigans.
This all makes me grateful for the simplicity of Canadian elections – I’ve voted in every provincial and federal for the last 22 years, and the only technological problem that could have stopped me would be if the lead in the pencil was broken. And I suspect there are pencil sharpeners on hand at polling places.
But at these elections, we’re only answering one question – whom do we prefer for our single representative at the relevant level of government. I understand US elections often have a dozen or more questions to answer, since election authorities take advantage of everyone’s presence at the polls to cram municipal election questions onto the same ballot, as well as a lot of states allowing ballot initiatives.

@dragonfrog
It’s similar in New Zealand, we have only two boxes to tick so our ballots are ink on paper and hand counted.

Nice piece. I live in a vote-by-mail state. I have noticed that neither the people who tell me that there must be huge amounts of fraud going on, we’re just not smart enough to find it, and the ones who simply declare security victory, are interested in actually understanding the large (and growing) set of audits that are run on the process.
Imagine a worm infecting a ballot printing press that shifts the bar code printed on a ballot, making it undetectable to the ballot scanner. Or ordering the candidates the wrong way on the ballot. Or printing incorrect addresses. Or a high speed scanner overheating to the point of incineration, melting the cartridges that hold the thermal ink. Or just eating every 15th ballot, making tabulation a nightmare.
Yes, but every single one of those things is trivially detectable. And they do not alter the vote in any particular way as much as they are a denial-of-service attack against the voting process as a whole.
And DRE elections are as much, possibly _more_, vulnerable to public disruptions anyway, as far as I can see. The inability to easily move the vote to another room or deal with power outages, for example, presents some obvious problems. DDoS attacks against the internet-facing sites. Physically damaging the voting machines.
I’m pretty certain that introducing a large, required electronic device into a process isn’t going to result in _less_ places the process can be disrupted. In fact, voting machines are often, by themselves, disruptive of the process because they tend to _slow it down_…as Kolohe pointed out above, they often end up being the bottleneck!
Saying ‘There are a lot of unseen issues with making sure elections work smoothly.’ is not really any sort of argument in the ‘electronic voting vs. paper voting’ debate.
Unless the point is just ‘We cannot switch instantly to paper, the system is more complicated to set up than you think.’. Which I think is where a bit of context is needed for what _I_ think this article is written in response to, although it weirdly doesn’t mention it:
People in Georgia are currently pushing a lawsuit demanding that Georgia stop using insecure DRE systems. And it looks like they’re going to win. And the important thing is: The plaintiffs also tried to get an injunction against the state using the current machines for the 2018 election, except the state whined it couldn’t set up a new system for 2018 that quickly, and so the judge didn’t grant that.
Now, I don’t know if this is actually where the article is coming from. That’s happening in Georgia, the writer is in Florida.(1) But if that’s where it is coming from…election officials shouldn’t be annoyed at security experts for trying to force changes through. Security experts have been screaming and yelling about these machines for almost two decades. Hell, the state legislature had a bill to change this all last session, which would have given plenty of time to change things…and failed to pass it.
Sometimes the people who’ve been screaming about how unsafe a building is, for years, give up trying to convince the people in charge, and just call the fire marshal. This will result in major hassles. Don’t blame the people who called the fire marshal. Blame the people in charge who were repeatedly presented with evidence of the problems but failed to do anything.
1) People in states who do not have to worry about DRE machines undetectably changing their votes sound like men dismissing the physical safety concerns of women. ‘What do you mean, the parking lot isn’t safe? Sure, I’d never be attacked walking to my car, I’m a man…but I think you’re worried about nothing!’/’What do you mean, your vote could be trivially altered in the computer with a line of code? Sure, I live in a state where election observers, including me if I want to, sit and watch the ballot box I put my paper ballot in until the ballots are all dumped out and votes counted…but I think you’re worried about nothing!’
I don’t think the OP was trying to make an argument one way or another, but rather just saying that there is no perfect voting system that cannot be ‘hacked’ or otherwise compromised in some fashion or another. And that the security of such systems, regardless of what they are, involves balancing security and access. If someone is telling you they’ve got the perfect system (best security, best access), they are probably trying to sell you something, or they haven’t thought the problem out fully.
Just like in every other domain where security is a going concern.
I don’t think the OP was trying to make an argument one way or another, but rather just saying that there is no perfect voting system that cannot be ‘hacked’ or otherwise compromised in some fashion or another.
There is a large difference between things being disrupted to the level they clearly are broken, and things being completely subverted but appearing normal.
In a general sense, literally, no security is perfect. There’s not a bank people can’t break into with enough explosives, or a person that cannot be kidnapped with enough firepower, or a website that cannot be taken offline if enough bandwidth is available to attack it.
Security is not making sure those things can’t happen. Not at that level. It’s making sure those attacks are very very noticeable.
I would much prefer the attacks on the voting system end up causing some places not to be able to vote, or causing machines to misread printed ballots (which would obviously be caught with spot testing), things everyone knows about and can see and has to deal with, than to have secret attacks that secretly alter votes.
And that the security of such systems, regardless of what they are, involves balancing security and access.
In physical security, yes, but elections don’t really have physical security during them. People just…walk in. There is a slight level of physical security to part of the process in that you have to be a registered voter to interact with the machines or ballot boxes or whatever, but…that’s easy enough.
Unless by ‘access’ you mean ‘ease of voting’, but not only are there obvious ways to do that besides DRE, electronic voting machines aren’t particularly good at that anyway. They solve some problems, but introduce others. For the most obvious one, they require people to stand in line longer. And require people with bad gross motor skills to push computer screens. (And, yes, people can be bad at that and still able to write.) They can even cause problems because they often are set up as to require people to stand instead of sit down.
Even the _exact people_ that electronic voting systems are supposed to help with, blind voters, often run into problems because workers often don’t really know how to get the audio system working and headphones located for the sole blind person that comes into their precinct. And meanwhile, in this example, there are two elderly people who had to leave because the line was too long thanks to the voting machine bottleneck and they can’t stand that long, and two other people who didn’t really understand the machine instructions (One a non-native speaker, the other has a reading disability.) and never confirmed their ballot.
It is pretty unclear if computers actually made the system better, numerically speaking.
If someone is telling you they’ve got the perfect system (best security, best access), they are probably trying to sell you something, or they haven’t thought the problem out fully.
Yeah. Like the people who sold everyone DRE voting machines two decades ago, replacing a paper-based system that had slowly been almost perfected over hundreds of years to near untamperability with one that…literally anyone could tamper with. (Including, for the suspicious among us, the sellers.)
I like paper ballots for one reason only: if you want to add an additional 10,000 votes, you need a team of people to do it. Like, even in theory, you’d need multiple people.
If you want to introduce a worm that hacks an election, you only need one person (it might help to have more, but, in theory, you’d only need the one).
The issue is not whether there is one perfect election method. Hey, the perfect is the enemy of the good and the tradeoffs for one are going to be weighed more heavily in this part of town and the tradeoffs for the other are going to be weighed more heavily in that part of town and who can say which is better?
But *I* like paper ballots because if you’re going to swing an election, it requires a team of people and it requires them to collude with each other and that introduces a hell of a lot more risk than would be introduced with a single guy with a single thumbstick with access to a particular USB port.
Is it foolproof? Of course not. But my argument is not that we should do this because it is foolproof.
Awesome.
I own a small business (just me) that does graphics designed specialty marketing. Every time I go to press I have nightmares that there is going to be something, something that I miss in proofs. Fortunately, I have the option of pulling my product if that happens, granted at a significant cost to me. That is not an option for you guys and I am very impressed.

This was a really interesting post. As someone who has never voted in a US election, only in a relatively simple Canadian one, I continue to be fascinated by the intricacies of the system.

I’m not worried about election security because our Kentucky Secretary of State gave our raw voter database (which even candidates can’t access) to a bunch of hackers in Finland who drink vodka with Russian generals. One of the SOS’s primary campaign donors sits on the board of the Finnish hacking company, so it’s all good.

If there was one way I could wave a magic wand and change the national debate about DRE-versus-paper, it would be to get everyone to stop thinking paper solves all the problems. Switching (whether from paper to DRE or vice-versa) means you need to change how you think about risks, exposures, mitigations, and so on — not that everything’s fixed. A great number of national pundits miss this.

XKCD had a great take regarding the maturity of software engineering in election systems vs. other engineering disciplines. (also, read the alt-text)
https://xkcd.com/2030/

The wearing of gloves is very important.