When someone hacks voting machines...
How will we count 100,000,000 paper ballots?
Use scans of the ballots.
Count the scans.
Yes, people can hack voting machines,
by hacking manufacturers of the machines, which
1. Are web-connected
2. Are soft targets
3. Send annual updates before every election, which can infect all the local voting machines
Low Risk: Scan Paper Ballots after Elections, to make Electronic Backup Copies. Then Anyone Can Count Them.
1. Most election machines already create scans. Store these separately from ballots.
2. If there are no scans, or they are hacked too, scan the paper ballots with commercial scanners, independent of election computers.
3. Multiple independent officials can count scanned images, using different software on different computers. They will compare results and resolve discrepancies. They will not all be hacked at once.
5. Legal structure stays the same, where county and city clerks and recorders manage the election and ballots. They can manage scans the day after the election, like seven Florida counties (below).
6. Legal basis of past scanning projects has relied on general state laws which did not mention scanning, as described below.
7. Detailed research paper: "Scanners, Hashes, and Election Security"
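An added illustration of items 1 to 3 above, not code from this page or from any election office: a Python sketch that records SHA-256 hashes of the scan files when they are made, checks a later copy against those hashes, and compares tallies from independent counters. File names, counter names and vote totals are constructed sample data.

```python
import hashlib
from collections import Counter

def manifest(scans):
    """Map each ballot-image name to the SHA-256 digest of its bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in scans.items()}

def verify_copy(reference, scans):
    """Compare a copy of the scans with the manifest recorded at scan time."""
    current = manifest(scans)
    return {
        "missing": sorted(set(reference) - set(current)),
        "extra": sorted(set(current) - set(reference)),
        "altered": sorted(n for n in set(reference) & set(current)
                          if reference[n] != current[n]),
    }

def reconcile(counts):
    """counts maps counter name -> {(precinct, contest, choice): votes}.
    Returns one row per tally line on which the counters disagree."""
    keys = set()
    for tally in counts.values():
        keys.update(tally)
    rows = []
    for key in sorted(keys):
        values = {who: tally.get(key, 0) for who, tally in counts.items()}
        if len(set(values.values())) > 1:
            top, n = Counter(values.values()).most_common(1)[0]
            # A strict majority only says whose count to look at first;
            # the paper ballots for that precinct settle the line.
            if n > len(values) / 2:
                outliers = sorted(w for w, v in values.items() if v != top)
            else:
                outliers = sorted(values)
            rows.append({"line": key, "values": values, "check_first": outliers})
    return rows

# Constructed sample data (not real ballots or results).
ORIGINAL_SCANS = {
    "P01-0001.png": b"constructed image bytes 1",
    "P01-0002.png": b"constructed image bytes 2",
    "P02-0001.png": b"constructed image bytes 3",
}
REFERENCE = manifest(ORIGINAL_SCANS)  # stored apart from the scans themselves

# Copy handed to one counting team: one image changed, one dropped.
TEAM_COPY = {
    "P01-0001.png": b"constructed image bytes 1",
    "P01-0002.png": b"constructed image bytes 2 (modified)",
}

COUNTS = {
    "clerk":     {("P01", "Mayor", "Brown"): 412, ("P01", "Mayor", "Lee"): 390},
    "auditor":   {("P01", "Mayor", "Brown"): 412, ("P01", "Mayor", "Lee"): 390},
    "candidate": {("P01", "Mayor", "Brown"): 412, ("P01", "Mayor", "Lee"): 388},
}

if __name__ == "__main__":
    print(verify_copy(REFERENCE, TEAM_COPY))
    for row in reconcile(COUNTS):
        print(row)
```

The hash check only shows that every counter worked from the same images that were recorded at scan time; it says nothing about whether those images match the paper.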
Election Computers Are High Risk at Manufacturers
1. "Vendors represent an enticing target" ~US Senate Intelligence Committee
3. Loading candidate list for each election
8. Backdoors, see pages 55-61 in Georgia case for paper ballots.
9. Machines are also vulnerable to physical access if delivered to polling places the night before the election.
10. If bad software is installed in advance, any one ballot can tell the bad software what to do: For example a write-in for Alyx Brown can be an instruction to shift votes to or from a real candidate named Brown.
11. Software from Scytl, a Spanish company, delivers ballots to US military and other citizens overseas for 1,400 counties (half). Scytl's software also transfers results between vote-tabulation computers and the internet in 7 states with 44,000,000 registered voters (a fifth). The only software Scytl has shown to the public, for a Swiss vote, was insecure, with a flaw which let insiders or hackers change all the votes. Two outsiders found the flaw, which had not been found by Scytl or the reviewers hired by Scytl and Switzerland.
Paper Ballots after a Week in Storage: What Could Go Wrong? High Risk
· "Election officials should re-examine current practices for securing the chain of custody of all paper ballots" ~US Senate Intelligence Committee
1. Water damage
3. Lock picks
4. Security alarms and cameras are vulnerable computers
5. Single lock so one person can enter
6. Broken seals prevent trust in ballots
8. Precinct summary counts are usually even less secure than ballots
1. Courts prevented complete recounts in 2016 (MI, PA, WI) and 2000 (FL).
3. Public cannot see ballots in most large places; if they could, arguments over interpretation could delay counting
1. Join the discussion list and add your comments.
2. Ask your Election Officials to store scans from election machines in a safe deposit box, which no one goes into until needed.
3. Ask Election Officials to scan ballots from at least some precincts in the next election, to be ready when we need to scan more.
4. See your State's current policies.
Stories of Scanning Ballots
Humboldt County California has scanned ballots since 2008. They use a county scanner, count images with open-source software, and make copies of the images for candidates and the public to count independently. In 2008 the scan found 197 more ballots than the official machines. When they investigated, the scan was right and official machines were wrong. The County Clerk and Recorder "said that adopting open source software made her life easier and much more pleasant. She found that her constituents appreciated her transparency and commitment to democracy."
In California, six other counties scanned ballots in 2011 and five did in 2012 for a pilot study of auditing. Alameda, Madera, Marin, Merced, Monterey, Napa, San Luis Obispo, Santa Cruz, Ventura and Yolo Counties used their own scanners. Stanislaus rented one. The scans sometimes found discrepancies of a vote from official machines. The number of ballots scanned ranged from 1,000 to 124,000. In Orange County they analyzed 294,000 scans created by the official election software.
Seven Florida counties hired a private company, Clear Ballot, to scan all their ballots in 2016 and will again in 2018. The scans sometimes found discrepancies of 1-2 ballots from official machines. (Bay, Broward (Fort Lauderdale), Columbia, Leon (Tallahassee), Nassau, Putnam, and St. Lucie Counties)
Vermont's Secretary of State hired Clear Ballot to scan all races on ballots in six random towns, in 2014, 2016 and 2018 as a check on official counts. The scans found discrepancies of 1-6 ballots in each town. In the past they had hand-counted two state-wide races in four towns.
Maryland's Secretary of State hired Clear Ballot in 2016, not to scan, but to analyze scans created by the state's official election machines. These scans were shipped to Boston on hard drives. This analysis cannot find hacks of the images, but it can find hacks and other errors in the analysis of the images. Errors can be as simple as a scratched lens or dirt on a machine causing the machine to see marks where there are none. They found that the analysis of scans omitted 1,960 Baltimore ballots and 10 Harford ballots, and ignored write-ins where the oval was not marked, though Maryland law counts these. Audits cost $275,000 for the 2016 general (10 cents per ballot) and $704,000 for 2018 primary and general.
This history of finding and fixing small discrepancies deters hackers from these locations, and shows that officials can find and correct bigger mistakes when bugs or hackers strike in the future. The scans let officials issue correct results, and give confidence that future hacks can be deterred, and any problems can be corrected in the same way.
Researchers at the University of California in San Diego in 2010 tested another way to scan: a rack of video cameras filming a sheet feeder which displayed each ballot for 2 seconds. The rack can hold video cameras from multiple organizations for improved trust. They wrote software in two weeks which processed the video images into a single copy of each ballot, read the votes on each ballot, and issued counts.
In 2013 these California researchers reported on software which self-adjusts to varying order and races on different ballots, by reading the title and candidates for each office, even if the candidate names rotate in different order on different ballots. They tested it in the 2011-12 California counties mentioned above, with up to 294,000 ballots. The code is available.
Vulnerable to Hackers
Domain registrars for entire countries in 2018-19, letting hackers spy on and change emails and web results throughout the country. The registrars succumbed to phishing.
Attacks rising in 2018
Amazon, Apple, and almost 30 other companies probably had extra Chinese chips placed on servers 2015-2018, giving backdoor access to the Chinese. Reviewers say backdoors can be hidden better inside chips which are supposed to be there.
Deloitte in 2017
DoD in 2007, Jan and June 2015, 2016, so DoD pays bug bounties. In 2018, GAO staff "were able to take control of [DOD weapons] systems relatively easily and operate largely undetected." Alarms went off so often the operators ignored them.
Mozilla in 2015
General Electric/Safran aircraft engine designs hacked by China 2010-2015
Boeing (jet fighters) in 2008-2014
Nuclear and other companies in 2006-2014
Symantec in 2012
In 2016 all states' election systems were scanned for vulnerabilities by foreigners:
· "We can assume that the majority of states were probably a target... I want to make clear today on the record, it's likely that all 50 states were likely affected... Every organization is scanned a lot, sometimes thousands of times a day. What we were trying to differentiate between: we saw very concerning activity from known suspicious servers in this case... They were targeting to look for vulnerabilities... Probably tried all the states. These are the states we could see they were trying. That's right." ~US Department of Homeland Security Senate hearing at 41 minutes
· They attacked "in alphabetical order by state name... voter registration and election results sites... to identify and exploit SQL database vulnerabilities in webservers and databases. The FBI and DHS... noted that they had no information on how many of those attempts were successful, aside from two instances"
· August 24, 2016, hackers sent phishing emails to seven workers at VR Systems, which provides voter registration systems and election-night reporting. "At least one of the employee accounts was likely compromised." Then on October 27 they used VR Systems credentials to send phishing emails to 122 local election officials. If they opened it, it installed malware which opened a persistent back door into the computer. At least 10 computers were harmed (¶77b). The government has not said and may not know what the hackers did with their back door. Mueller's indictment July 13, 2018 confirms these events (¶73-77) and adds that the hackers targeted more than one election company (¶69).
· Also in 2016 hackers sent emails pretending to be from another election vendor, offering "election-related products and services." The same hackers sent emails to election workers in American Samoa "mimicking a legitimate absentee ballot-related service provider." NSA does not know what they accomplished with any of these attacks.
In August 2017 the biggest manufacturer of voting machines, Election Systems & Software, created a public file on Amazon Web Services with "encrypted versions of passwords for ES&S employee accounts. The encryption was strong enough to keep out a casual hacker but by no means impenetrable... The worst-case scenario is that they could be completely infiltrated right now".
In March 2018 the security site CSO found on the dark web over 100 emails of ES&S workers and smaller numbers at smaller voting machine companies. They also found passwords for the accounts, though the companies said these passwords did not meet their current standards, so would have been changed. Nevertheless with valid emails, attackers can spray password variations until they log in on at least one of the accounts and install malware. Hackers share tips on the dark web.
In July 2018 the FBI told Maryland officials that a local web hosting company they used for voter registration, candidacy, online ballot delivery, and election results had been owned since 2015 (or 2011) by a company financed by Vladimir Potanin, a Russian oligarch close to Putin. The manager is a Russian millionaire, Guerman Aliev, who took an American name, Gerald T. Banks. Maryland's Senate President said the FBI "weren't really anxious for us to come forward" to tell the public (quote is at 6:54 in video). FBI also told state officials in 2017 not to tell the public about foreign intrusion attempts (pages 146-151 of court filing).
Ukraine's 2014 election results were hacked, but officials removed a virus and believe they had correct totals. South Africa's 1994 election was hacked, and officials hand-compiled the counts, as noted at right.
· "Every piece of commercial software... has hundreds if not thousands of vulnerabilities, most of them undiscovered." Over 100,000 software vulnerabilities are publicly known (besides zero-days, which are not public). Many thousands have been found by each big web company, such as Oracle, Google, Microsoft, Cisco, IBM, Adobe, Qualcomm. Over a thousand companies pay bounties for bugs. Election companies are not immune. "The potential for high-tech catastrophe is embedded in the fabric of day-to-day life" Scanning ballots will let us recover.
· What the FBI said about hacking emails applies widely: "we don’t have direct evidence that the server was successfully hacked. We wouldn’t, though, expect to see that evidence from sophisticated adversaries, given the nature of the adversary and given the nature of the system."
· Wired says, "the average time between a malware infection and discovery of the attack is more than 200 days, a gap that has barely narrowed in recent years. 'We can’t operate with the mindset that everything has to be about keeping them out,' says Rich Barger, ThreatConnect’s chief intelligence officer. 'We have to operate knowing that they’re going to get inside sometimes. The question is, how do we limit their effectiveness and conduct secure business operations knowing they’re watching?' Accomplishing that means building networks that are designed to limit a hacker’s ability to maneuver and creating better ways to detect anomalous behavior by allegedly authorized users."
· Why don't these key industries filter all clickable links out of their incoming emails? Convenience? On average 4% of recipients open any particular phishing message, and 22% open at least one per year. At 4%, sending a phishing message to 30 recipients gives a 70% chance that someone will open it. Even at 1%, sending to 120 recipients gives a 70% chance that someone will open it. There is no reliable way to tell phishing emails from legitimate emails. When people think an email looks suspicious, and send it for checking, 90% are "legitimate" (p.5 Phishing 2018), which means most people cannot tell them apart. Sending them for checking simply prevents access to the 90% which are legitimate, since checkers rarely send them back. At a minimum, staff in key industries who click on a test phishing email need all clickable links removed from their future incoming emails.
· Protect, Detect, Respond, Recover. We must strengthen all four steps.
Minnesota hand-counted a Senate race with 2.9 million ballots from Nov. 19 to Dec. 5, 2008 at 120 locations. One precinct lost 133 ballots, which were never found, so that precinct used election day results. Both candidates challenged about 3,300 ballots and argued about including 2,000 absentee ballots. The state supreme court denied an appeal, the final recount overturned the original winner, and Franken was sworn in.
Minnesota also hand-counted the Governor's election in 2010, 2.1 million ballots, from November 29 to December 8, confirming the original winner, while reducing his margin from 8,856 to 8,770.
Washington recounted the Governor's election with 2.9 million ballots in 2004, first by machine then by hand. The machine count confirmed the original winner, but the manual count found 500-700 more ballots and overturned the original winner.
Washington also recounted the Senator and Secretary of State in 2000, by machine, and confirmed the original winners.
Georgia tested hand counts in 2006, and decided they took too much time and space, so they do not require hand counts.
Michigan started a Presidential recount in 2016, partly by hand, and found that 11% of precincts could not be recounted because storage seals were broken or the stored paperwork from precincts did not match the number of stored ballots.
Holland hand-counts 10.6 million single-race ballots in a national election, and had expected to use software to compile the regional and national totals. It decided to compile by hand in March 2017, because they realized their software could be hacked.
North Carolina recounted the Governor's election in 2016, a Supreme Court election in 2014, and Court of Appeals judges in 2006 and 2010, by machine, and confirmed the original winners.
Virginia recounted Attorney General elections in 2013 and 2005, largely by machine, and confirmed the original winners.
Pennsylvania recounted a Superior Court election in 2009, by machine, and confirmed the winner.
Florida recounted the state-wide Presidential race in 2000 by machine, and Gore requested hand-counts in four counties, which were interrupted by court challenges, culminating in the US Supreme Court ruling for Bush on December 12.
WE CAN DETER AND RECOVER FROM THESE AND OTHER ATTACKERS:
FEDERAL OFFICIALS DO NOT STOP ELECTION CRIMES before or during elections. Their policy is to investigate and prosecute after elections. The Justice Department has published Federal Prosecution of Election Offenses in eight editions from 1976 to 2017, under Presidents Ford, Carter, Reagan, Clinton, Bush and Trump. The link compares six of the editions which are online.
However sentencing guidelines are too light to deter major fraud. Election offense levels start at 8 to 14, which give prison terms for a first offender of 0-21 months and a $2,000-$75,000 fine. Sentences can be adjusted up or down depending on circumstances.
LEGAL BASIS FOR PAST SCANNING OF BALLOTS
· Humboldt County CA: News reports said state law let stored ballots be accessed if "officials suspect there might be something wrong with the ballots," and public worries gave officials reason to have that suspicion and quell it. This probably refers to Section 15304, which allows opening ballot containers.
· Other California counties: A 2010 law, AB2023, allowed a pilot study of auditing, which did not mention scanning. The Secretary of State allowed scanning to simplify the audits.
· Vermont: State law 17 V.S.A. § 2493 requires audits to follow §§ 2581-2588, and 2588 allows automatic tabulation of ballots. The Secretary of State does this tabulation by using scanners, and software to count the scans.
· Maryland: Election law 2-102(b)(7) says to "maximize the use of technology in election administration" which the Secretary of State reads as authority to recount ballot images created by election machines.
OTHER BASIC STEPS TO SECURE ELECTIONS:
1. Publicly showing each ballot box starts empty
2. Rapid alternatives when machines fail or jam or staff are absent
3. Machines compatible with local humidity and moisture from wet hands when voters come in from the rain
4. Adequate voting places, equipment, parking and/or public transportation
5. Convoy to take ballot box securely to central counting/scanning station
6. Copies of eligible voter lists, with appeals of errors
7. Notice and chance to testify in decisions on provisional ballots
8. Notice and chance to cure signature defects on mailed ballots
9. Care with indelible ink
11. International observers monitor some elections around the world and occasionally in the US (1999, 2011 and 2017). They can greatly increase trust if they are allowed to arrange for ballot scanning and independent counts of the scans, while respecting local authority over the elections.
12. Enforcement of campaign finance laws
SCANNING ROLLS OF PAPER: Some voting machines, such as iVotronic, print votes on long rolls of paper (82 feet), which a few scanners can handle:
· Fujitsu fi7600 can process up to 200 meters of paper tape without cutting it, and can divide the image into sections of any length up to 220 inches. Normal speed is 100 pages per minute, or 850 inches per minute, so 82 feet in 1.2 minutes, $4,155. More details on the listserv.
· Contex IQ 2490 can pull paper through at 14 inches per second, so 82 feet in 1.2 minutes, $3,895
· HP T830 can process 4.5 inches per second, so 82 feet in 3.6 minutes, $3,245
Save money by rental, if possible, or by re-selling scanner after the election, or by transferring it to an office which would otherwise buy a new one.
Scanning rolls of music for player pianos has addressed some of these same issues.
Maryland spent 10 cents per ballot ($275,000) to analyze scans created by their election machines. They did not use independent scans, which would have added cost.