Roughly 130 million Americans voted in national, state, and local elections in 2016. Last year, numerous articles were also written about the security of the voting system, many citing claims that the Russian government had hacked the presidential election. Green Party candidate Jill Stein even asked for recounts in Michigan, Wisconsin, and Pennsylvania, following suspicions that states’ voting systems were compromised. Despite controversial reports, a central question remains: Are American voting systems secure? If not, what can we do about it?
Research recently conducted by Princeton University faculty and alumni attempts to answer these questions by shedding new light on the way elections are conducted and what can be done to increase security.
Two Princeton faculty members have identified key shortcomings in election technology. In 2006, Professor Ed Felten showed that uploading malicious software onto voting machines could alter vote counts with little risk of detection. Two years later, Professor Andrew Appel ’81 famously hacked a New Jersey voting machine, successfully changing 20% of votes to the opposing candidate.
Felten explained that the primary issue with today’s voting machines is that there is no way to verify whether or not they have been tampered with.
“It’s best for a voting machine to keep an electronic record of each vote, as well as a paper record that the voter saw,” Felten said. Currently, machines do not keep voter-verified paper records. There is no way for officials to spot-check that the electronic vote count is correct, or for Americans to know that their vote was properly recorded.
Carnegie Mellon Professor Michael Shamos ’68 disagreed with Felten. An official examiner of voting machines in Pennsylvania and Texas, Shamos thinks it would be difficult to implement a paper trail of votes while still preserving the ballot’s secrecy. “Ballots aren’t secret if I record every person’s vote on a piece of paper in sequential order,” he said. “If I want to know how the first person voted, I can just go and look at the first record on the list.”
The hackability of voting machines is another major issue. “We have demonstrated through our research that the cartridges used in voting machines can carry viruses,” Felten said. The machines themselves are not connected to the Internet, but they are programmed by voting officials who may inadvertently compromise their security. In New Jersey and Pennsylvania, for example, a centralized system programs cartridges that are then loaded into the voting machines.
If the programming location for cartridges is compromised, then vote-stealing viruses could infect all the voting machines that use those cartridges. Additionally, when the cartridges are re-inserted into a computer to count votes, a virus could spread onto the computer and infect it. This could lead to a distortion of previously loaded voting results from uninfected machines.
In the early 2000s, an anonymous source approached Felten and his then-PhD student, University of Michigan Professor J. Alex Halderman ’03, *09, offering to provide them with a working voting machine so that they could determine its security risks. After dismantling and reverse engineering it, Halderman discovered how easily the machine could be subverted to steal votes. He showed that malware could spread as a virus from the central election-management system. To make matters worse, only a small group of companies programs cartridges. An attack on just one company could affect votes across America.
However, Shamos noted that in Pennsylvania, prior to an election, officials check for viruses by loading cartridges into all the machines before the election and then selecting about 20 random machines to conduct sample votes. If the sample votes cast match the final output of the machines, officials can certify that the machines are trustworthy.
“If there is any malware on the machines that operates during the election [in Pennsylvania], we will know, because the total count will not correspond to what the predetermined total should be,” Shamos said.
In order to make current systems more secure, Shamos suggested changing the procedures of conducting elections, rather than voting technology. Machine security should be enhanced, but use of a physical medium, like paper, should be avoided. He reasoned that while a paper ballot may easily be tampered with, it is much harder to hack a computer.
“People assume that once they mark a paper ballot, that ballot will be preserved unaltered…[but] there is no mechanism for achieving this,” Shamos stated. He also noted that since elections are administered at state and county levels, it is easy for paper ballots to “go missing” or to be “accidentally” discarded.
“There is no standard chain of custody to make sure that the paper ballots that were cast are not augmented,” he said. Finally, he suggested that the model of random spot-checks done in Pennsylvania be extended to all states and localities.
Halderman, who helped orchestrate the 2016 presidential election recount, disagreed. He explained that two properties are required for an election to be trustworthy.
“We want high integrity, that is, the results of the election aren’t easy to change due to foul play,” he said. “We also want to have a strongly secret ballot, which is what protects you and everyone else from being coerced into voting a certain way.”
For elections to be secure, he suggested that all votes be recorded on paper. After the election, enough of the paper should be spot-checked in order to ensure that the results of the computers can be certified with high confidence.
“None of this is very high tech or expensive,” Halderman said. “Existing technology can do this and provide a strong defense for high-profile elections.”
He concluded that progress is slowly being made. About 70% of the votes cast in 2016 were recorded on a physical medium, but few states spot-check the paper to validate the electronic results.
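As an added illustration (not part of the article, and not Halderman's own code), here is the standard way to decide how much paper to spot-check: a ballot-polling risk-limiting audit in the BRAVO style (Lindeman, Stark and Yates, 2012). The sample size is not fixed up front; the audit keeps drawing random paper ballots until the sample gives enough evidence to certify the machine result at a stated risk limit, and a sample that never gets there escalates to a full hand count. The candidate names, vote counts and the 5% risk limit are constructed.

```python
# Added example (not from the article): a ballot-polling risk-limiting audit in
# the style of BRAVO (Lindeman, Stark & Yates, 2012). Paper ballots are drawn at
# random and the audit stops once the sample gives strong evidence that the
# reported winner really won; otherwise it escalates to a full hand count.
import math
import random

def bravo_update(t, ballot, winner, loser, winner_share):
    """One Wald SPRT step: multiply the running statistic by the likelihood ratio
    of this ballot under 'reported share is right' vs 'the race is actually tied'."""
    if ballot == winner:
        return t * 2.0 * winner_share
    if ballot == loser:
        return t * 2.0 * (1.0 - winner_share)
    return t  # undervote or third candidate: no evidence either way

def run_audit(sampled_ballots, reported, winner, loser, risk_limit=0.05):
    """Walk the random sample in order; certify once T >= 1/risk_limit.
    reported: the machines' counts, e.g. {'A': 600, 'B': 400} (constructed)."""
    share = reported[winner] / (reported[winner] + reported[loser])
    if share <= 0.5:
        raise ValueError("reported winner must have a majority of the two-way vote")
    threshold = 1.0 / risk_limit
    t = 1.0
    for n, ballot in enumerate(sampled_ballots, start=1):
        t = bravo_update(t, ballot, winner, loser, share)
        if t >= threshold:
            return {"certified": True, "ballots_examined": n, "statistic": t}
    # Sample exhausted without reaching the threshold: a full hand count is needed.
    return {"certified": False, "ballots_examined": len(sampled_ballots), "statistic": t}

def min_ballots_if_all_for_winner(share, risk_limit=0.05):
    """Best case: every sampled ballot is for the winner. Closer races need far more."""
    return math.ceil(math.log(1.0 / risk_limit) / math.log(2.0 * share))

if __name__ == "__main__":
    # Constructed paper pile that matches the machines' reported 60/40 result.
    paper = ["A"] * 600 + ["B"] * 400
    random.Random(2017).shuffle(paper)          # the random draw order
    print(run_audit(paper, {"A": 600, "B": 400}, "A", "B"))
    # Constructed pile where the paper disagrees with the machines (B really won).
    paper = ["A"] * 400 + ["B"] * 600
    random.Random(2017).shuffle(paper)
    print(run_audit(paper, {"A": 600, "B": 400}, "A", "B"))
    print(min_ballots_if_all_for_winner(0.6), min_ballots_if_all_for_winner(0.51))
```

The second run shows the failure mode the article's experts care about: when the paper contradicts the machines, the statistic drifts downward and the audit cannot certify, so the paper record decides the outcome.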
One potential solution is to use physical paper ballots that people can fill out by hand, and then electronically scan the ballots into a computer. Lehigh University Professor Dan Lopresti ’87 has done research to develop new image analysis algorithms that process paper ballots. In order for the voting to be kept anonymous, the paper ballots cannot have voters’ names on them, and computers should not keep track of the order in which the ballots were scanned.
“At the end of the day, if a controversy arises, we can always go back to the original paper ballot and interpret it as the voter originally intended,” Lopresti said.
THE FUTURE: ONLINE VOTING?
The advent of the smartphone has led many people to question why governments have not yet moved voting systems online completely.
“Today, it’s not feasible to do it in a way that’s really secure,” Felten explained. “It’s difficult to prevent malicious software from getting inside computers, and it’s difficult to detect when [malware] is there.”
All the problems that exist with current electronic voting machines, such as hackability and lack of a paper trail, hold true for online voting systems too. Lopresti noted that over the past few years, large companies and government agencies have been hacked despite the existence of strong security systems. Like Felten, he said that currently, there is no way to guarantee the security of an online ballot.
“There are always flaws that can be exploited by an attacker,” Lopresti said. “It’s more important that we get elections right than that we make them convenient.”
Additionally, there is not yet a way to maintain a secret ballot while voting online. Felten explained that unless people were willing to give up the secret ballot, there is no feasible method at this time to conduct online elections.
Halderman explained an additional problem: Officials would have to check that each individual’s device is secure enough to vote on while ensuring that their Internet connections are not being hacked or monitored. “We are a long, long way from being able to secure any of that well enough to safeguard elections to the level we’ve come to expect,” he concluded.