By Lambert Strether of Corrente.
Readers will recall that H.R. 1, the Democrats’ flagship bill for the 116th Congress, gestures in the direction of paper ballots, but in fact allows ballot marking devices that rely on OCRs for the count and emit paper receipts for voters (often called ballots for marketing purposes, falsely, since the actual count is performed in the internals of the device). I am sure I do not need to remind readers that hand-marked paper ballots, hand-counted in public, are the international standard for elections, and that they are used in Canada, the UK, Germany, and many other countries. (The United States, as in so many other ways, is exceptional, or rather aberrational, in that it has managed to commit itself to systems that are both more expensive and much more dysfunctional [MR SUBLIMINAL For whom?] than those used in the rest of the world.) In other words, the Democrats, with HR1, have lent their official support to a horrid industry that enables election fraud, an industry that has acted with intent to corrupt state and local officials to win its contracts. In this post, I’ll define “ballot marking devices” (BMDs), explain generic problems with the architecture of all BMDs, and finally look at the entertaining forms of corruption that preceded the choice of BMDs in Pennsylvania and Georgia.
“Ballot Marking Devices” Defined
Jennifer Cohn at Bradblog explains:
A Ballot Marking Device (“BMD”) is a touchscreen computer that generates a computer-marked paper ballot or printout, which is then tallied on a computerized optical scanner. (Those computer-marked ballots can also, in theory, be counted by hand, but generally are not, as most election officials rely on optical scanners instead.)
[BMDs] introduce a second unnecessary and insecure computer system in the polling place above and beyond already insecure optical scanners, creating twice as many opportunities for electronic programming errors, paper jams, and hacking. For example, some BMD systems have already had problems with:
- Vote flipping (when election integrity advocate and journalist Brad Friedman used such a device in Los Angeles in a 2008 election, the device flipped 4 out of 12 of his selections on the computer-marked paper ballot);
- Inability to display all candidates on one screen (a problem reported by the state of Maryland, which had acquired such systems for all voters, but changed its mind even though the screen problem was eventually fixed); and
- Vendor breach of certification requirements (as occurred with vendor Election Systems & Software, “ES&S”, the nation’s largest voting system vendor).
Meanwhile, two of the most popular BMD’s — the ES&S ExpressVote and the Dominion ImageCast — produce bar-coded (or QR-coded) printouts, which cannot be read by human beings, in lieu of traditional, hand-marked paper ballots.
What could go wrong? Meanwhile — it may help to think of BMDs, and indeed electronic voting machines generally, as a very early version of the Internet of Things — there’s no reason to think that electronic voting machine vendors will fix their software, or have any inclination to do so. Wired:
Many of the machines participants analyzed during the [DefCon security conference’s Voting Village event] run software written in the early 2000s, or even the 1990s. Some vulnerabilities detailed in the report were disclosed years ago and still haven’t been resolved. In particular, one ballot counter made by Election Systems & Software, the Model 650, has a flaw in its update architecture first documented in 2007 that persists. Voting Village participants also found a network vulnerability in the same device—which 26 states and the District of Columbia all currently use. ES&S stopped manufacturing the Model 650 in 2008, and notes that “the base-level security protections on the M650 are not as advanced as the security protections that exist on the voting machines ES&S manufactures today.” The company still sells the decade-old device, though
“We didn’t discover a lot of new vulnerabilities,” says Matt Blaze, a computer science professor at the University of Pennsylvania and one of the organizers of the Voting Village, who has been analyzing voting machine security for more than 10 years. “What we discovered was vulnerabilities that we know about are easy to find, easy to reengineer, and have not been fixed over the course of more than a decade of knowing about them. And to me that is both the unsurprising and terribly disturbing lesson that came out of the Voting Village.”
Many of the weaknesses Voting Village participants found were frustratingly basic, underscoring the need for a reckoning with manufacturers. One device, the “ExpressPoll-5000,” has root password of “password.” The administrator password is “pasta.”
A root password of “password.” This is security somewhat below the security you get with the router you get from Best Buy. And we’re only running elections on it! But what if the software engineering was perfect?
Architectural Problems with Ballot Marking Devices
Software engineering can never be shown to be perfect. As computing science pioneer Edsger Dijkstra famously said: “Program testing can be used to show the presence of bugs, but never to show their absence!” (True for any firm, not just firms that use “password” for the root password!) Since the presence of bugs is one precursor to election fraud via hacking (the other being social engineering), it follows that ballot marking devices create a phishing equilibrium, best summarized as the idea that if fraud is possible in a system, it has already occurred and will occur again. Of course, that’s true for all systems, in general (see North Carolina’s problems with ballot harvesting), but one would think, would one not, that election officials in a functioning democracy would try to level-set the equilibrium to minimize the chances of fraud, not maximize them. No such luck. Politico, on the barcode BMDs both Georgia and Philadelphia are about to purchase, in “State election officials opt for 2020 voting machines vulnerable to hacking”:
The dispute over the ballot-marking devices centers on the fact that they use barcodes, which can be read by scanners but not by humans. Though the paper records also display a voter’s choices in plain text, which the voter can double-check, the barcode is the part that gets tallied.
The danger: Hackers who infiltrate a ballot-marking device could modify the barcode so its vote data differs from what’s in the printed text. If this happened, a voter would have no way of spotting it.
In a landmark report published last year, the National Academies recommended against voting devices that tally barcodes. “Electronic voting systems that do not produce a human-readable paper ballot of record raise security and verifiability concerns,” it said. “Additional research on ballots produced by BMDs will be necessary to understand the effectiveness of such ballots.”
But the issue isn’t simply barcodes; the issue is that wherever software infiltrates the voting “supply chain,” a phishing equilibrium exists. Dolly back from the electronic voting machine proper to the entire digital system that grows up around it. Jenny Cohn in the New York Review of Books:
The memory cards or USB sticks used to transfer the pre-election programming from the election management system to the voting machines, scanners, and ballot-marking devices constitute another potential attack vector. In theory, the person who distributes those cards or USB sticks to the precincts could swap them out for cards containing a vote-flipping program.
Memory cards are also used in the reverse direction—to transfer precinct tallies from the voting machines and scanners to the election management system’s central tabulator, which aggregates those tallies. Problems can occur during this process, too. During the 2000 presidential election between George W. Bush and Al Gore, for example, a Global/Diebold machine in Volusia County, Florida, subtracted 16,000 Gore votes, while adding votes to a third-party candidate. The “Volusia error,” which caused CBS news to call the race prematurely for Bush, was attributed to a faulty memory card, although election logs referenced a second “phantom” card as well.
Holy moley, the integrity of our election system depends on USB sticks. That’s peak phishing equilibrium! I mean, your firm’s IT department has absolutely no problem with you sticking a random USB stick into your PC, right? (“Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code.” ZOMG.) Paper ballots, needless to say, don’t require “pre-election programming,” except possibly in the form of a three-ring binder, for which the phishing equilibrium is very low.
Corruption in States that Chose Ballot Marking Devices
So why on earth would any responsible election official choose BMDs over paper ballots? Well, we don’t have a smoking gun (no prosecutions) but we certainly have situations that give off the stench familiar from other cases of corruption. Entertainingly, the techniques of corruption differ by jurisdiction, which I suppose is a blessing of our wonderful Federal system. First, Pennsylvania.
Granted, Pennsylvania is in a bad way, from the broken HAVA act of 2002 that encouraged electronic voting systems that weren’t verifiable in any way. Associated Press:
Pennsylvania is one of 13 states where some or all voters use machines that store votes electronically without printed ballots or another paper-based backup that allows a voter to double-check how their vote was recorded.
Better than 4 in 5 Pennsylvania voters use electronic voting machines that lack an auditable paper trail, according to election security analysts.
As a result:
Replacing voting machines ahead of 2020’s presidential election has been a priority for [Governor Tom] Wolf, and he is proposing $15 million a year for five years — $75 million total — to help counties pay for machines that leave a voter-marked paper trail, machines viewed as more secure and auditable.
(Of course, “more” “secure and auditable” does not mean “secure and auditable”; see above.)
So, given this vital task, how did the vendor selection process go? From the Delco Times:
Pennsylvania’s elected auditor said Friday that officials in 18 of the state’s 67 counties reported accepting gifts, meals or trips from firms competing to sell or lease new voting machines ahead of the 2020 elections.
Auditor General Eugene DePasquale said accepting the gifts is wrong, even though it’s a legal practice and officials may have taken no action in return.
“Anyone who took them, period, could be swayed by the perks,” he said. Public officials, he said, should not “accept this nonsense.”
The gifts included expense-paid travel to destinations including Las Vegas, tickets to a wine festival and private distillery tour, dinners at high-end restaurants, tickets to an amusement park and an open bar at a conference for elections officials, DePasquale said. A promotional folding chair, doughnuts and candy, were among other gifts.
That’s what you call “the appearance of corruption,” right there. Of course, it’s penny ante stuff, for a penny ante $75 million contract, which I guess might not be penny ante if you were a penny ante firm whose engineers used “password” for the root password.
In Georgia, the vendors didn’t go the perks route; they went the crony route. From the Atlanta Journal-Constitution:
When Gov. Brian Kemp hired an election company’s lobbyist this month, the move raised alarm bells about one company’s influence on Georgia’s upcoming purchase of a new statewide voting system.
Concerns from government accountability advocates only grew days later, when a commission created by Kemp recommended that the state buy the type of voting machines sold by the lobbyist’s company, Election Systems & Software. Several other vendors also offer similar voting machines.
But it gets better. It’s not just one hire; the voting machine vendor infested the entire state government:
The latest moves fueled suspicions that cozy connections between lobbyists, Kemp and other elected officials will lead to ES&S winning a rich contract to sell its computerized voting products to the state government.
Kemp and Georgia election officials have supported ES&S for about 10 years:
- The ES&S lobbyist, former state Rep. Chuck Harper, now serves as Kemp’s deputy chief of staff. Prior to lobbying for ES&S, Harper was a lobbyist for the Georgia Secretary of State’s Office under Kemp from 2012 to 2017.
- Kemp’s new executive counsel, David Dove, was a member of ES&S’ advisory board when he attended a Las Vegas conference hosted by the company in March 2017. Dove served as Kemp’s chief of staff when he was secretary of state.
- Kemp chose ES&S’ voting system for a test run during a Conyers election in November 2017.
ES&S is Georgia’s current election company, responsible for providing technical support and repairs of the state’s 27,000 direct-recording electronic voting machines, which the state originally purchased for $54 million from Diebold Election Systems in 2002.
Everything really is like CalPERS, isn’t it?
See what HR1 enabled? The electronic voting industry shouldn’t even exist. Why does it? And how did it get itself written into HR1?
The problem: in the US in most jurisdictions, you vote on everything down to the county dog-catcher, where most countries you have a non-elected civil service, with elections limited to representative bodies at several scales. This plethora of votes makes counting expensive, complex and thus easily corrupted.
The laudable but naive goal is to increase accountability by civil servants. But it’s practically nonsense — it shifts what can be a semi-transparent civil service process into an opaque political system. How can I vote on a judge, prosecutor or even for the school board in a meaningful way without inside knowledge? It makes the voter feel powerful, but in fact it’s an illusion of power, rather than focusing on policy-level elections at reasonable scales.
The American mental model of democracy is just essentially broken and unworkable. It’s based on the incorrect belief that people can judge the “character” of a large number of individuals that they have no personal contact with, rather than throw in their lot with a party with a historically trackable agenda (problematic, but at least to some extent possible).
This play obviously advantages a small number of insiders who actually know the character of the individuals, and the rest of us are left with impressions from publicity. Thus, the faking of ballots is the least of our problems — even if every last one is properly counted, what are we counting?
I’ve followed and contributed money to nakedcapitalism since 2008.
My company develops and sells election technology. We once sold punch card central count systems.
Thanks Lambert for compiling a number of objections to how technology is used and how it’s grown stale.
My company these days develops and sells voter check-in kiosks that allow the voter to have agency throughout the check-in via a touch screen facing the voter. The poll worker’s duties are reduced to typing information and verifying IDs when required. The kiosk also offers accessibility via the touch screen and other assistive devices. I’ll encourage readers to contact their local and state elections authorities to recommend kiosks for check-in. Else they will be watching poll workers playing with iPads or paper.
Poll workers may be fine people but they don’t often do a good job quoting the law. The kiosk format removes the responsibility to speak as a lawyer.
As background info, the Help America Vote Act has a section on “Uniform and Nondiscriminatory Election Technology and Administration Requirements”. The Rehabilitation Act of 1973 as amended requires access for all including specifically those with disabilities to public information technology. The Voting Rights Act requires secondary language support for languages used by 5% of a population in a precinct or jurisdiction. A kiosk format allows even more language support. A kiosk format allows all the above mandated benefits for citizens to be provided. Paper or single computer check-in does not.
Regarding voting technology – BMD are helpful and can be made sensible by removing the bar code and having the only statements on the ballots be the offices and names of selected candidates and question choices in a font readable by persons and OCR.
Am I missing something other than of course the preliminary results transferred on USB sticks or the like need to be confirmed in a public central count taken at a pace as demanded by the public?
I would like to see auditing and independent testing of said automation. I’d also want to see a mechanism to ensure that the audited and tested version (from prior to the election) is ‘indeed’ the version that is deployed for actual ballot harvesting and counting.
I would feel better if the software were ‘open source’ instead of proprietary. This would make the auditing part easier, and it would provide insights for testing (i.e., just what and how much to test).
Code is law, or rather, code does the electing….rather than the voters.
Just speaking for myself here.
I’m fine for the kiosk being there as a tool for voter information but the vote must be on paper ballots counted by hand in public. Paper ballots can be provided in multiple languages including Braille. I think that covers most of the difficulties.
Here is the thing, any computerized vote system allows for wholesale vote theft. All of them. It can happen at any point of the programming. And it is hard to find an independent, as in not employed by or invested in an election technology company or in a position to want to control the vote outcome who doesn’t consider them to be impossible to secure. While there can still be vote tampering with paper ballots counted by hand in public the logistics make outright election theft vastly more difficult.
Even without a barcode, there is no need for a machine to print out a paper receipt when you can simply mark a ballot yourself and watch it be counted by hand in public.
I’ve participated in a hand recount and it isn’t that hard or costly. What we found is that the machine that performed the original count didn’t count all the votes. While the recount didn’t overturn the result, it did point out the flaws with the machine, and in a democracy everyone deserves to know that their vote was counted, regardless of whether they filled out the circle or put an ‘x’ in it. Human beings can determine a voter’s intent and machines cannot – they can only tell if voters followed directions.
Machines are too costly, easily hackable, and add another means of corruption into the system.
In reading this article, I can see the attraction of computer-based voting. It is the fact that by doing so, you open up whole channels of perks, bribes, cronyism and the like that you would never have with simple paper-based ballots. All that loose money swishing around. All that “walking-around money” given out. The perks and bribes can even be done legally according to this article and as far as the cronyism is concerned, well, you could always say that the whole thing was just a coincidence.
Not mentioned in this article was the fact that these machines age and have to be updated or replaced. It is not a one-off cost in buying these machines. There are ongoing contracts for technical support, maintenance, training and any other number of functions that a computer-based, networked “solution” involves. That is a lot of new rice bowls that. Sooner or later, these same people will say when asked about the next generation of voting will come out with something like “We can build an app for that!” and with that the last remnants of American democracy will be DOA.
Michigan’s voting system has several desirable features:
1) Voters are checked in / registration confirmed by live human beings
2) Paper ballots are marked with ink.
3) Ballots are counted by an optical scanner.
4) Ballots are retained in a secure bin in the optical scanner if needed for a recount.
5) The scanners are simple machines, without complex and opaque software. The scanners are not connected to the internet.
6) Totals are recorded by observed poll workers using paper and ink tally sheets.
7) Note, at no time is the process of voting and counting votes not conducted ON PAPER.
8) Happily, elections in Michigan run smoothly, recounts are rare and are conducted without controversy, personally I have never been in line to vote for more than ten or fifteen minutes – most of the time for a minute or two.
9) Results are usually reported on the 11:00 PM news
Boatwright: We have the same basic system here in NC, which seems to have worked well the last few cycles. Turns out our most serious problem here is political operatives engaging in election fraud around absentee ballots, as happened in NC-9. If the system would just take election fraud more seriously than drunk driving was in the 1970’s, we might be able to clear that up too. Making an object lesson of election officials in Broward County, FL might be a good first step.
Ape: Excellent point. Maybe one strategy would be to hold elections for different levels of government on different (paid time off) days. Another might be to make some offices (like judges) appointed but mandate other issues (like budgets and wars) be subject to a direct vote.
Lyman: Given the kinds of systems used in places like MI and NC, requiring a hand count in public at each polling place would not be onerous. You’d just need more volunteers, which you’d get if election days were made paid days off.
To which they should add:
10) A random selection of polling places has ballots counted by hand to look for any systemic miscounting
In the absence of intentional fraud, optically scanned counting of ballots probably IS more accurate than a manual count. It is certainly quicker and cheaper. But at least a sample of ballots should be double checked to guard against intentional fraud.
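The random hand-count check proposed in the comment above, sketched as an added example (not part of the original post or its comments, and not any jurisdiction's actual procedure): precincts are ranked by a hash of a publicly drawn seed so any observer can reproduce the selection, then hand counts are compared with the machine tallies. The precinct IDs, tallies, seed and function names are all constructed for illustration.

```python
import hashlib

# Constructed sample data: machine-reported tallies per precinct.
MACHINE = {
    "P-01": {"Alice": 310, "Bob": 290},
    "P-02": {"Alice": 150, "Bob": 175},
    "P-03": {"Alice": 200, "Bob": 180},
    "P-04": {"Alice": 95, "Bob": 120},
    "P-05": {"Alice": 410, "Bob": 395},
    "P-06": {"Alice": 60, "Bob": 58},
}
# Constructed hand counts of the paper ballots; P-03 disagrees with its machine.
HAND = {p: dict(t) for p, t in MACHINE.items()}
HAND["P-03"] = {"Alice": 205, "Bob": 175}
# Assumption: the seed is drawn in public AFTER machine tallies are published,
# so nobody can know in advance which precincts will be checked.
SEED = "20-dice-rolls-read-aloud-in-public"


def select_precincts(precinct_ids, seed, k):
    """Pick k precincts reproducibly: rank by SHA-256(seed:id), keep the k lowest."""
    ids = list(precinct_ids)
    if not 0 < k <= len(ids):
        raise ValueError("k must be between 1 and the number of precincts")
    # Hex digests have fixed length, so string order equals numeric order.
    ranked = sorted(
        ids, key=lambda p: hashlib.sha256(f"{seed}:{p}".encode()).hexdigest()
    )
    return ranked[:k]


def compare_counts(machine, hand):
    """Return {candidate: hand - machine} for every candidate whose counts differ."""
    diffs = {}
    for name in sorted(set(machine) | set(hand)):
        delta = hand.get(name, 0) - machine.get(name, 0)
        if delta != 0:
            diffs[name] = delta
    return diffs


def audit(machine_tallies, hand_counts, seed, k):
    """Select k precincts and report every one whose hand count differs."""
    selected = select_precincts(machine_tallies, seed, k)
    findings = {}
    for precinct in selected:
        diff = compare_counts(machine_tallies[precinct], hand_counts[precinct])
        if diff:
            findings[precinct] = diff
    return selected, findings


if __name__ == "__main__":
    chosen, problems = audit(MACHINE, HAND, SEED, 3)
    print("hand-counted precincts:", chosen)
    print("discrepancies (hand minus machine):", problems or "none")
```

A sample of 3 of 6 precincts may or may not include the bad one; the chance of catching a miscount grows with the sample size, which is the trade-off such an audit has to set.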
Brian Kemp is laughably corrupt. All of our civics class homilies about preserving the public trust are lost on him. One may almost find his self-confidence and assertiveness admirable, except that it really comes from a rotten place – the nexus of privilege and gross stupidity. He’s also a phony – he no more drives a truck and carries a shotgun than Bernie Sanders does.
I keep reading BMD as ballots mass destruction.
Lambert Strether, thanks for this article. It’s so nice to have someone call a spade a spade. The pseudo-elections are being done by those BMDs. The voters pretend they’re voting and the TPTB pretends they honor the vote.
For want of a nail a horseshoe was lost….