Are We Making Elections Less Secure Just to Save Time?

Something strange happens on election night. With polls closing, American supporters of both parties briefly, intensely align as one: We all want to know who’s going to win, and we don’t want to wait one more minute. The ravenous national appetite for an immediate victor, pumped up by frenzied cable news coverage and now Twitter, means delivering hyper-updated results and projections before any official tally is available. But the technologies that help ferry lightning-quick results out of polling places and onto CNN are also some of the riskiest, experts say.

It’s been almost two years since Russian military hackers attempted to hijack computers used by both local election officials and VR Systems, an e-voting company that helps make Election Day possible in several key swing states. Since then, reports detailing the potent duo of inherent technical risk and abject negligence have made election security a national topic. In November, millions of Americans will vote again — but despite hundreds of millions of dollars in federal aid poured into beefing up the security of your local polling station, tension between experts, corporations, and the status quo over what secure even means is leaving key questions unanswered: Should every single vote be recorded on paper, so there’s a physical trail to follow? Should every election be audited after the fact, as both a deterrent and check against fraud? And, in an age where basically everything else is online, should election equipment be allowed anywhere near the internet?

The commonsense answer to this last question — that sounds like a terrible idea — belies its complexity. On the one hand, the public now receives regular, uniform warnings from the intelligence community, Congress, and other entities privy to sensitive data: Bad actors abroad have and will continue to try to use computers to penetrate or disrupt our increasingly computerized vote. Just this past March, the Senate Intelligence Committee recommended that “[a]t a minimum, any machine purchased going forward should have a voter-verified paper trail and no WiFi capability.” Given that a hacker on the other side of the planet will have trouble connecting to a box in Virginia that’s not connected to anything at all, it stands to reason that walling off these sensitive systems from the rest of the world will make them safer.

Tammy Patrick, a former Arizona election officer and current senior adviser at the Democracy Fund, which, like The Intercept, is funded by eBay founder Pierre Omidyar, said that although she isn’t aware of a jurisdiction that “connects their voting equipment using Wi-Fi,” other wireless technologies are sometimes built in. Additionally, computers only one degree removed from the digital ballot boxes themselves will often connect to the internet, Patrick explained. “What does happen more frequently is that the vote storage unit may be removed [from the voting machine] and used to modem in results,” she said. Some election workers send vote tallies from tablets using Wi-Fi, while in other jurisdictions, poll workers come to centralized locations that have either hard-wired or wireless internet access. You can think of it as a sort of malware cross contamination, whereby a computer kept segregated from the internet is vulnerable nonetheless because of the internet-connected computers it comes into contact with. It’s the same basic concept that U.S. and Israeli hackers used to attack Iranian centrifuge computers that were technically walled off from the net.

Despite all these warnings, experts worry that wireless features — which could save a skilled hacker or other meddler the trouble of having to get physically close to the systems in question — are being pushed hard for reasons that just aren’t good enough, at a time when many other security issues remain unresolved. “At the local level, it is a serious struggle to get the basics right,” security researcher and cryptographer Kenneth White told The Intercept. “When we add in, for example, cellular or Wi-Fi connectivity to the actual voting equipment, it only makes security that much more difficult and the risk of compromise so much greater.”

According to one former federal election official who spoke to The Intercept on the condition of anonymity because he was not permitted to speak to the press, many states already employ wireless connections in one form or another and are loath to give them up now, even in the name of making the vote harder to hack. “Election officials do understand that it’s a security issue,” this person told The Intercept, “but this capability is already embedded into their election process and they rely upon it. Making that sort of logistical change to their process – during an election year – is arduous. This is especially true for results transmission on election night.”

Some voting machines allow preliminary results to be beamed to a county office using the same kind of modem found in smartphones, rather than being physically carried from each polling station. This means early results can be shared instantly — but it also means that the data is only as secure as the cellular company carrying it. Such connections, which not only transmit data but also receive it, provide yet another potential weak point that hackers could use to pry into a machine and compromise it. Wi-Fi skeptics like George Washington University computer science professor Poorvi Vora have argued that such vulnerabilities must be eliminated. “We have to reduce all opportunities for interference. Our systems are only as secure as their weakest links,” Vora wrote earlier this year on an election security email list maintained by NIST, the National Institute for Standards and Technology.

Modern voting systems — the equipment used to set up a ballot, cast votes, tabulate those votes, report them, and audit the entire process — are essentially just extremely specialized computers that, like your home laptop, run software, store inputs, and send outputs. As with any computer, it’s possible that some clever person can trick the machine into doing something it’s not supposed to, whether for a personal thrill or to serve a more sinister agenda.

Most methods of beefing up a computer’s security are accompanied by minor drawbacks: Putting a password on your phone means having to unlock it; anti-virus software on your computer will eat up some of its memory; and encrypting your email with PGP requires a small seminar on the fundamentals of cryptography. Securing the vote is a tradeoff like any other, and the wireless debate exposes a perennial tension: The easier we make it to run an election, the easier we may make it to meddle in that election.

Additionally, so much of the voting process, from registering voters to counting their ballots, now occurs digitally and across a patchwork of computers that rendering all these computers unable to talk to one another looks increasingly impractical. It’s also the case that many people involved in both the private-sector manufacturing and public-sector administration of elections want wireless connectivity for the same reasons you want it on your iPhone and laptop: It makes life a lot easier. Imagine you’re relying on wireless connections to administer an important vote, where delays and snags on Election Day could make your district the subject of humiliating headlines and local scorn.

“We don’t need to look far to see examples of what happens when a jurisdiction doesn’t report quickly,” Tammy Patrick cautioned. “When there are delays in reporting, it can jeopardize the reputation of the election official, their office, and call into question the legitimacy of the election itself — even when the delays are clearly documented and understood.” The former federal election official agreed, saying that the push for early results push is potentially perilous:

“In my opinion our nation is overly concerned with obtaining the results on election night. Election administrators will have already been putting in extreme overtime heading up to a larger general election. And now they must stay and continue to work after a 12-15 hour day to tabulate the results. These conditions can create an environment where corners are sometimes cut and mistakes made – although administrators work hard to prevent that from happening”

Disagreements over wireless electoral gear can get ugly. On the obscure email list run by NIST, where a diverse crowd of academics, private-sector executives, and voting officials are trying to hammer out voluntary election security guidelines, the wireless question is at an impasse.

In the exchange with Vora earlier this year, an executive at Votem, a company that sells smartphone voting software, scoffed at the demand for a blanket ban on election-related wireless as “lazy,” taking particular issue with “the idea that any of us in this discussion can possibly know enough about the future to say with certainty X technology should be banned or not.” (In a Votem blog post published a month earlier, the executive, David Wallick, wrote that the company’s “greatest challenge” was “pushing the envelope” with regard to technologies that make the public uncomfortable.)

Piling on, Bernie Hirsch, an executive at e-voting firm MicroVote, suggested that just like Wi-Fi, e-voting paper trails could be “hacked” by some malicious mailman — so why should one be forbidden while the other was left alone? Duncan Buell, a professor of computer science at the University of South Carolina, wasn’t amused, calling Hirsch’s response “at least hugely facetious and at worst a genuine troll.”

“Ballot corruption in a paper system involves complicit human actors on-site dealing with physical objects,” Buell noted. “As is well-known to all of us, corruption/disruption of electronic systems (ballot or otherwise) can be done without detection by almost anyone from almost anywhere on the planet.”

It’s not just vendors, loath to ban a feature today that they might be able to market tomorrow, who are pushing for wireless despite emphatic warnings against it. Running an election is an enormous, thankless undertaking, and being able to transmit data through the air means fewer steps required in person. On a recent conference call between NIST email list members, an election administrator in Texas argued that permitting wireless connections to their machines meant that they could turn them on remotely en route to the warehouse where they’re stored, saving everyone time spent standing around and waiting for computers to boot up, according call participants.

Although it’s possible to “harden” a wireless connection against an attacker for applications like this, doing so “is not child’s play and is the kind of thing that can be easily misconfigured,” cautioned Joseph Lorenzo Hall, chief technologist with the Center for Democracy & Technology and a scholar of voting insecurity. As with any kind of computer security, there are many, many opportunities for someone to quietly screw up. “There are stronger wireless protocols that could be used,” added cryptographer Kenneth White, “but they are considerably more difficult to administer and maintain.” Even the best security precautions on paper can be undone instantly by a single error, what White refers to as the “church basement volunteer problem.”

The desire to effortlessly beam unofficial election results “is definitely a real pressure” in the debate over wireless, agrees Hall. “Both voters and the press feel that there should be an almost immediate answer, when in fact the real answer takes 15 to 30 days in many places.” Patrick concurs, adding that “the pressure comes from all sides — media, candidates, parties, voters,” and that “no one is immune from wanting instant gratification, and perhaps catharsis.”

To White and many of his peers, there’s one simple takeaway: Get rid of as many of those screw-up opportunities as possible. “Do we want to assure the integrity of our votes or not? If we do, and we want it at scale, then paper-verifiable, electronic voting systems [are] our best path forward,” White said. “The less complex and connected we can make those systems, the more faith we can have that every citizen’s vote cast is recorded.”