Saturday, September 29, 2018

Who's Counting Our Paper Ballots?


Guest Contributor - Paul Burke

Places like Georgia which do not have paper ballots are not democracies. They are letting themselves be run by hackers, not voters. Hackers can choose the "elected" officials, undetectably.

However states with paper ballots have a false sense of security. Like paperless states, they report results from election machines, but they don't test whether machines were hacked, and they rarely tally the paper. Paper ballots protect us only if we have practical ways to tally them. Assurances that no one has found a hack ring hollow when people rarely look.

Computer hacking of elections goes back at least 24 years to the election which put Nelson Mandela in office. That was hand-counted, but the computer summation of thousands of hand tallies was hacked and had to be redone independently. In the US, hand-counting 100 million ballots will be a nightmare if a widespread hack is noticed and changes winners all over the country. Hand-counting is slow and costs $1 to $7 per ballot, depending on the design and number of contests on the ballot.

There is a more practical approach: scan paper ballots, check that scans are accurate, and tally the ballot images on several independent computers, so no one can hack them all.

Election machines can be hacked even when they stay offline. They can be hacked at the manufacturer, when the manufacturer sends annual updates to local machines, when machines wait unguarded in precincts the night before the election, and when results are copied out electronically for posting on the web. VR Systems, which handles web posting in a lot of places, was hacked in 2016. Maryland's election web host is majority owned by a Russian; many other vendors may be owned by adversaries. And the FBI said, "there are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese." Hacking is often invisible, and the only way to check it is to count again, independently.

About 29 states spot-check election tallies (states.votewell.net). Seventeen of these only check a few contests, so hackers can change other contests. The last 12 states check all contests, but if they find problems, only five expand to 100% tallies and revise the outcome (AK, MD, NY, VT, WV). Alaska excludes small precincts, so that is where hackers can strike. Maryland and most of New York check by using a single machine different from the one originally used, which is not enough to prevent hacking. Vermont checks six towns, so can miss hacking elsewhere, and depends on a single machine. West Virginia hand-counts 3% of precincts, which gives a 97% chance of missing a hack in one precinct, worse if someone can leave that precinct out of the hat when the random sample is drawn. All states can start using scans to do better, cheaply.

Humboldt County, CA, found an error of 197 ballots in 2008. All 197 were in a batch of mail-in ballots counted three days before election day. They were included in preliminary counts on election night and again three weeks later. Then a bug in the official software omitted this batch. Humboldt re-scans and re-tallies all ballots, so they found the 197 ballots, and staff tracked down the discrepancy. The problem was a bug, not a hack, but the independent checking will work just as well for a hack. Humboldt has independently scanned and tallied every election since then.

Seven Florida counties and Vermont's Secretary of State hire Clear Ballot, a Boston company, to scan and tally all contests independently. Maryland hires Clear Ballot to tally all contests independently, using images created by official election machines. Colorado's Secretary of State independently re-tallies one contest per ballot using records from the election machines, spot-checked against paper ballots. These four states have not found significant problems, but they are ready with their alternate scans and tallies when official tallies are hacked. So far so good.

If every state tallied ballots independently like these four, and checked all contests, we would be much safer. A good project for programmers and computer courses is to adapt open source tallying programs to process local ballots. Open source programs are available from TEVS (Transparent Electronic Voting System), and FreeAndFair.org. As a country we can solve this.

Other steps are needed too. Computers at Clear Ballot or Colorado's Secretary of State can be hacked. So the files of ballot images should be available to multiple officials to tally independently. Then no one can hack them all. Digital signatures, or hash values, will ensure reliable scans and copies. Storing some digital copies offsite, such as in a safe deposit box, will foil break-ins, fire, flood, and insider risks.

When we tally ballot images, we need to find out if the images were scanned accurately. California's Secretary of State had a contractor who changed ballot images in a test, so we know it can be done. Officials need to check samples of ballots, as Colorado does. If samples of ballots match the ballot images, we can use the images. If samples show problems, we need to bring unhacked high speed scanners into election offices, scan the ballots accurately, and use independent software to tally these scans. Again, samples can test the accuracy of the new scans. This is still much faster and cheaper than hand-counting thousands or millions of paper ballots.

News reports on elections need to say how ballots were tallied and checked. Unchecked results should be suspected, not respected.

In coming elections, all jurisdictions need to scan some precincts with office scanners, tally them with independent software, and compare scans to paper ballots as a quality control measure. Scanning is cheaper than hand-counting. Scanning will deter hacks, find mistakes, and give every jurisdiction practical experience, so they can expand when they need to. Ask your elected officials to start the process.

Paul Burke (admin@Votewell.net) analyzes election security in the August Journal of Physical Security.

No comments: