A hackable election: 5 things you need to know about e-voting machines

E-voting machines without paper trails are still used in several U.S. states, leading to fears that a 'determined adversary' could hack this year's election

desi accuvote

Electronic voting macines are just one of the products we're surrounded by that have had serious vulnerabilities.

Credit: Joe Beone via Wikipedia, Creative Commons, CC-BY-2.5

As the U.S. heads toward an especially contentious national election in November, 15 states are still clinging to outdated electronic voting machines that don't support paper printouts used to audit their internal vote counts.

E-voting machines without attached printers are still being used in a handful of presidential swing states, leading some voting security advocates to worry about the potential of a hacked election.

Some makers of e-voting machines, often called direct-recording electronic machines or DREs, are now focusing on other sorts of voting technology, including optical scanners. They seem reluctant to talk about DREs; three major DRE vendors didn't respond to questions about security.

Here are five things to know about DREs:

1. DREs without paper-trail backups are still used in several states

Five states, New Jersey, Delaware, South Carolina, Georgia, and Lousiana, continue to use DREs without paper-trail printouts statewide, according to election security advocate Verified Voting.

Another 10 states use DREs without paper trails in some voting locations. Among those states: potential presidential swing states Pennsylvania, Virginia, and Florida, as well as Texas, Indiana, and Tennessee.

Fourteen states use DREs combined with a paper-trail backup, either statewide or in some jurisdictions.

2. Some experts worry about a hacked election

While a hacked election may be unlikely, it's not impossible, said Joe Kiniry, a long-time election security researcher. Researchers have found many security holes in DREs, and many states don't conduct comprehensive election audits, said Kiniry, now CEO and chief scientist at Free and Fair, an open-source election technology vendor.

"I would say that a determined adversary, with the standard skill that people like me have, would be able to hack an election nationally," he said. "With enough money and resources, I don't think that's actually a technical challenge."

Voting results are "ripe for manipulation," Kiniry added. 

Hacking an election would be more of a social and political challenge than a technical one, he said. "You'd have a medium-sized conspiracy in order to achieve such a goal."

While most states have auditable voting systems, only about half the states conduct post-election audits, added Pamela Smith, president of Verified Voting.

"That leaves a lot of gaps for confirming that election outcomes were correct," she said. "In such a contentious election year, well, let's just say it's never a good thing to be unable to demonstrate to the public's satisfaction that votes were counted correctly, whether in a small contest or large."

3. The use of DREs without paper trails is in decline

Twenty-three states used DREs without paper trails in the 2008 U.S. election, and 17 used them in 2012, compared to 15 states this year, according to information from the U.S. Election Assistance Commission and Verified Voting.

Many states embraced e-voting machines after the disputed 2000 U.S. election, when so-called hanging chads on paper punch ballots in Florida helped to determine the results of the presidential race.

But many DRE models didn't offer a way for election officials to double-check the electronic results. Several fair election advocates called for printers to be installed as a way to audit, and several states listened.

Other states abandoned DREs for electronic scanning technology after several studies found glaring security holes in many DREs and some states reported glitches during the 2004 and 2008 elections. 

4. Several issues have driven the decline in DRE use

Many states wanted both reliability and the ability to audit electronic voting results, said Verified Voting's Smith.

"Ballots counted by scanners give you added reliability, in that if the scanner breaks down, voters can still continue to vote -- marking their ballots to be stored in a locked receptacle at the polling place and counted later when the scanner is working again," she said. "If you have a DRE polling place, if the DREs break down, voting comes to a halt -- unless you have emergency paper ballots for voters to mark."

In addition, some DREs proved expensive to maintain and replace, Smith said. Some DREs had "shorter lifespans that some other earlier kinds of equipment," she added. "Lever machines lasted for decades; punch-cards, too. So the purchasing cycle became shorter."

States received a 2002 funding boost for election equipment from the federal government, but the money dried up. "Jurisdictions found themselves, about a decade-plus on, realizing their systems were wearing out and may need replacement," Smith said.

5. States can take simple and inexpensive steps to improve security

Even though Kiniry's company sells voting technology, he tells states they can improve security with better election audits. Many states are "extremely resistant" to recounts, he said.

States can embrace statistics-based risk-limiting audits and parallel testing audits, which use excess voting machines to test results on Election Day. Both audits are inexpensive; risk-limiting audits are "literally something you can learn to do, without being a statistician, in a day, and you can perform the recount in an afternoon," Kiniry said.

States can also hire hackers, even "an intern from a computer science department," to probe their voting systems and "think like a bad guy," Kiniry said. White hat hackers can help states "protect against accidental or malicious behavior."

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Related:
Download the CIO October 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.