LEIPZIG, Germany―Just days before heading to Australia for his wedding, University of Michigan computer science professor and electronic voting-machine security expert J. Alex Halderman shipped an AccuVote electronic voting machine via FedEx to Germany, then flew here, to the 35th annual Chaos Communication Congress, to update the gathered hackers on the state of election security in the United States.

The voting machine has been held up in German customs for more than a week. But Halderman’s message has arrived intact: Election security is getting better but is still in dire straits.

“On the whole, 2018 was, well, eerily quiet,” Halderman said. But he also noted that the U.S. Senate Intelligence Committee report on the 2016 election hacking by Russia found that the Russian hackers were in a position in several states to alter or destroy voter registration data—and didn’t.



READ MORE ON ELECTION SECURITY


The hackers could have caused “massive chaos” during the past two U.S. elections, Halderman said, but chose not to act.

“It was quiet, not because we had adequately protected our election systems, but because our adversaries chose not to pull the trigger,” he said. “They’re waiting for the bigger prize in 2020, when we’re likely to once again have a close and divisive presidential contest.”

Halderman’s concerns have been echoed by many others, from the former director of elections for Denver, who helped implement the states’ vote-by-mail system, to California’s secretary of state, to cybersecurity experts and innovators. But with the federal government partly shut down over funding for a southern border wall, as Democrats prepare to gain power in the House of Representatives, signs aren’t good that the nation’s political leaders will be able to quickly come together on election security.

After Halderman’s presentation to several hundred of the hackers here, he sat down with The Parallax to discuss what he thinks needs to be done—and what could actually be accomplished in today’s political climate. What follows is an edited transcript of our conversation.

Q: Is Colorado’s vote-by-mail system a model the rest of the United States, and even other countries, should emulate?

Colorado is a model for a strongly protected voting process because it was the pioneering state to implement risk-limiting audits statewide. Adapting risk-limiting audits to other states is the next hurdle. Some states have very different equipment or requirements than Colorado does. But there is a diverse set of methods of carrying out a risk-limiting audit that can be implemented in states with differing requirements.

What are the different risk-limiting audit models?

They’re all designed to achieve the same result, in terms of integrity. The process is a bit different. The main styles of risk-limiting audits are called polling and comparison.

In a comparison risk-limiting audit, you have to start with a set of ballots, and a set of computer records with what is allegedly on each individual ballot. So let’s say ballot 17 is a vote for the Democrat, and ballot 157 is a vote for the Republican. If you have that kind of record, you can sample by asking about ballot 17, comparing it on paper to the electronic record, and you get a certain amount of information back.

“The experience almost everywhere risk-limiting audits have been piloted is that election officials love them, that they end up being much easier than people believe before they’ve become more familiar with the techniques, and that they align very well with election officials’ desire to instill voter confidence.”

A lot of states, though, don’t have an electronic record that says specifically what’s on ballot 17. All they have is an electronic record of the total count—in this stack of ballots, there are 500 votes for the Republican and 499 for the Democrat. If you’re doing precinct optical scan, for example, the scanner is just scanning each ballot, totalling them up, and dropping those ballots into a ballot box where, for privacy reasons, they’re supposed to get jumbled up.

When you have that type of system, you can’t directly use comparison auditing. You have to use a different style of auditing, called polling auditing. In polling auditing, you just pick random ballots, and don’t ask about the specific content, and you just add them up. It’s like doing an exit poll of voters, except instead of asking voters, you’re looking at a random sample of ballots.

Then you ask, “Is it close enough to the electronic result?” in a very well-defined sense of “close enough.”

That sounds a lot easier. Is it?

It’s easier, but it turns out that in close elections, you have to look at a lot more ballots if you’re doing polling than if you’re doing comparison auditing.  

What do you mean by “a lot more ballots”? How many more are we talking about?

Maybe 10 times as many for a very close margin, though that’s a bit misleading because it’s just mathematical curve that has a different shape. It depends where on the curve. It could be 10 percent more or 10 times as many. It could be drastically more.

Do you have a preference as to which risk-limiting audit states adopt?

If states are able to, they should adopt comparison audits because they’re going to be more efficient to carry out. If their equipment doesn’t allow them to, or their style of voting doesn’t allow for comparison audits, then polling audits also can reach a very high risk limit, with very high confidence. But polling audits may require more work in close elections.

When the elections aren’t close, both audit types are both super-efficient. When they are close—like with a fraction of a percent margin—you’re going to have to do more work, in either case. But it’s quickly going to get to the point where you might as well do a full hand recount, if you’re relying on polling audits.

What lessons can the rest of the world learn from the electronic voting machine struggles in the United States?

One lesson is that use of technology in elections creates new risks. That doesn’t mean that we shouldn’t use technology anywhere [in elections], but we’ve got to be smart about where we’re using it, and careful about how it’s designed.

Around the world, there’s a diversity of different systems of voting, of course. Different countries may have some of the kinds of safety features we’re looking for in the United States, in particular making sure that every vote is on paper. But for countries that already have a paper-based system, now the American experience in 2016 is an important reminder of why that system is valuable.

There may have been pressure in the past to try to modernize and adopt something fully electronic. A lot of European countries in the last decade started using electronic systems, and some of them got rid of them. In Germany, there’s the constitutional prohibition on electronic voting, which is a helpful protection against any incentive to move too quickly ahead.

Another big lesson is about voting online. There are many countries doing experiments with online voting: Estonia, Switzerland, Australia, to name a few. What happened in 2016, and the continued cybersecurity concerns in the United States, just underscores why it would be a horrible idea to place greater reliance on Internet-attached voting systems in the current threat environment. We just do not know how to build Internet-voting systems that are going to be secure against nation-state adversaries.

What’s being done to secure voter registration systems from attack?

The $380 million Congress appropriated in the spring of this year was a big help for that. Many states had taken some of that money to bring in security experts to audit their online voter registration systems, or replace their voter registration systems as Michigan is doing. The Department of Homeland Security also offers some security assessment and security-scanning services that are for registration systems, and a large number of states have taken advantage of that assistance.

In registration systems, we’ve probably made the most significant progress since 2016, beyond just increasing the security posture and training and awareness of state election authorities. But again, one of the major lessons of my talk was that we risk fighting the last war by focusing too much on registration systems when the actual polling place infrastructure in both casting and counting remains in much of the country badly outdated and vulnerable. That is the next major target that we have to get moving more quickly in order to secure.

We’ve got 22 months before the next presidential election. What are you hopeful will actually change before then?

I’m particularly hopeful that many of the states that don’t have paper trails yet are going to. The problem is that it will be many but not all. Whether they buy new equipment is a further question. But I do have some level of optimism because the message is getting through to election officials that without a paper trail, you’re badly at risk.

I’m less optimistic about widespread adoption of any meaningful audits of that paper. While I think we will see a handful of other states implement risk-limiting audits by 2020, it’s going to be far from universal. That would be a place where Congressional action would be a huge benefit in order to have a strong incentive requirement that states do the necessary work to figure out how to implement risk-limiting audits themselves.

The experience almost everywhere risk-limiting audits have been piloted is that election officials love them, that they end up being much easier than people believe before they’ve become more familiar with the techniques, and that they align very well with election officials’ desire to instill voter confidence.

But the obstacle continues to be that there are many voting jurisdictions—more than 13,000 local jurisdictions running elections—so without national leadership, or many more states tooling up to design and implement risk-limiting audits, it could be a very long time before that protection is in place.

Hackers and cybersecurity researchers have played an important role in sounding the alarm about the risks of electronic voting machines, at least as early as 2007, and it seems like they’re finally being heard. Is there a role for them to step in once again and raise awareness about risk-limiting audits, even though there may not be a direct, technical, or technological risk?

I should hope so, yes. It’s because of not only computer science research, but also many years of advocacy and public engagement that has taken place in the broader security and hacking community that we see such broad public recognition now that electronic voting is risky. Auditing is the next battle.

Explaining to election officials, to voters, why ideas like statistical sampling as a quality control measure can go a long way. But the people should demand evidence that election results are right. They should demand that accuracy is a function of the system. Helping people understand that it’s something they even can demand presents an opportunity for the hacking community to become more civically engaged.

Anything else?

I hope that my voting machine arrives before the end of the conference.