Campaign 2016

Secure the Vote Today

By Nicholas Weaver
Monday, August 8, 2016, 12:42 PM

As Dan Wallach (a Computer Science professor at Rice and a world-recognized expert on voting systems) eloquently put it, election security is a national security issue. The computer security field has intensely studied the problem of conducting elections for more than a decade. From the very beginning of this effort, the computer experts have almost universally agreed: we can’t secure purely electronic voting systems. It may be surprising to outsiders, but computer scientists believe in paper ballots, either directly marked by the voter or created by a machine and placed in the ballot box.

Voting systems need to convince rational losers that they lost fairly. In order to do that, it is critical to both limit fraud and have the result be easily explained. It is impossible to prevent all fraud but we must ensure that the cost of fraud scales with the size: it should take 100 times more effort to change 100 votes compared with the effort associated with changing one vote. Any voting system in which fraud is constant—that is, in which changing 100 votes takes the same effort as changing one—must be viewed as critically flawed.

Thus, the security community views electronic voting machines, usually called Direct Recording Electronic (DRE) voting machines, which do not print a paper record of the voter’s vote (Voter Verifiable Paper Audit Trail or VVPAT) as fatally flawed. Anyone with physical access to a voting machine can sabotage that machine, and this sabotage can affect all votes cast with that machine (or simply turn it into a Pac-Man machine). Others have proposed building worms or viruses that can spread through all voting machines in a district. Some (now thankfully decertified) DRE systems were even worse, enabling anyone within half a mile to modify all votes.

At the same time, it is critical to ensure that the voting process is explainable. It is almost a sport among academics to develop computer-only voting schemes where, thanks to cryptographic magic, a voter can verify that her vote was correctly counted. Yet such schemes invariably fail the “parent test.” I can’t understand them myself without considerable effort, so there is no hope for me to explain them to my mom and dad. Such systems may work for a board election of the International Association for Cryptologic Research, but they can’t work for a regular election.

As a consequence, this perhaps surprising conclusion is effectively universal amongst computer security practitioners: the voter must either directly mark a paper ballot or the voting machine must clearly print out a record of the vote, which the voter then puts in the ballot box. Unless a DRE machine has such a Voter Verifiable Paper Audit Trail, we must assume it can be compromised. Worse, as Dan Wallach explains, a DRE without VVPAT system can be compromised without actually being compromised: if someone, including a simply unhinged candidate, gives the losers a credible reason to believe the result is fraudulent, the voting system has failed whether it has failed in a technical sense or not.

Where I differ from Wallach is in short-term recommendations. This nation is faced with Donald Trump, an apparently unhinged and irrational candidate who is already claiming the election is rigged against him. To make matters worse, Roger Stone, a Trump confidant, is already predicting at least a rhetorical “bloodbath” if the election is “stolen” from Trump. Although Trump and his most diehard followers may not qualify as “rational” losers, it’s still critical that the election be seen as fair to as many as possible.

Thus, while there is still time, election officials in swing states should take immediate action. It is clearly not feasible for those states which still use DRE machines without VVPAT to switch the entire ballot to paper. Yet they could use paper for just the presidential vote. So all the rest of the races can use the existing (dangerously insecure) systems, but at least the presidential election would have protection against (nonexistent) mass tampering.

I’m not so naive as to believe such a change would convince everybody. After all, implicitly racist (and explicitly class-based) voter ID laws are legally predicated solely on preventing voter impersonation fraud, a type of fraud that is not only expensive to conduct but almost never happens. Yet whenever someone brings up the topic of voter fraud, it seems inevitable that somebody mentions the need for voter ID requirements. But enabling recounts with paper ballots in critical swing states might prove a decisive factor in limiting unrest should Trump lose and he or his followers follow through on their threats to claim back a “stolen” election.

There is time to prevent such a crisis now.