New "hybrid" voting system can change paper ballot after it's been cast

Paper ballots are safe only if marked by hand, not by machine

Published March 28, 2019 4:00AM (EDT)

 (Getty/Joe Raedle)
(Getty/Joe Raedle)

The original article appears on WhoWhatWhy.org.

WWW-refresh_concept_single

For years, election security experts have assured us that, if properly implemented, paper ballots and routine manual audits can catch electronic vote tally manipulation.

Unfortunately, there is no universal definition of “paper ballot,” which has enabled vendors and their surrogates to characterize machine-marked paper printouts from hackable ballot marking devices (BMDs) as “paper ballots.” Unlike hand-marked paper ballots, voters must print and inspect these machine-marked “paper ballots” to try to detect any fraudulent or erroneous votes that might have been marked by the BMD. The machine-marked ballot is then counted on a separate scanner.

Most independent cybersecurity election experts caution against putting these insecure BMDs between voters and their ballots and instead recommend hand-marked paper ballots as a primary voting system (reserving BMDs only for those who are unable to hand mark their ballots). But vendors and many election officials haven’t listened and are now pushing even more controversial “hybrid” systems that combine both a BMD and a scanner into a single unit. These too are now sold for use as a primary voting system.

Unlike hand-marked paper ballots counted on scanners and regular non-hybrid BMDs,  these new hybrid systems can add fake votes to the machine-marked “paper ballot” afterit’s been cast, experts warn. Any manual audit based on such fraudulent “paper ballots” would falsely approve an illegitimate electronic outcome.

According to experts, the hybrid voting systems with this alarming capability include the ExpressVote hybrid by Election Systems & Software, LLC (ES&S), the ExpressVote XL hybrid by ES&S, and the Image Cast Evolution hybrid by Dominion Voting.

The potential for hybrid systems to add fraudulent votes without detection was identifiedby Professor of Statistics Philip B. Stark of UC Berkeley, an expert in postelection manual audits, in September of last year. At the time, he told TYT Investigates that the ExpressVote hybrid, which Johnson County, Kansas, had purchased a few months before the 2018 gubernatorial primary, could be maliciously programmed or hacked to create an entirely fraudulent machine-marked “paper ballot” because the machine includes an option that allows the voter to “AutoCast” the ballot without first printing and inspecting it.

Moreover, as explained by Stark, the machine does not mark the ballot at all until the voter decides whether to exercise that option, which means that the machine receives advance notice of which ballots are “AutoCast” and thus safe to fraudulently mark.

Another election expert, Computer Science Professor Andrew Appel of Princeton University, subsequently confirmed the existence of this stunning defect and dubbed it “Permission to Cheat.” Appel further reported that the ExpressVote XL and Dominion ImageCast Evolutioninclude the same defect.

Moreover, even if “AutoCast” is disabled so that all voters must print and inspect their ballots before casting them, Appel says these machines could still be programmed or hacked to fraudulently fill in undervotes (races that voters left blank) with no possibility of detection in a manual audit. According to Appel, this is because the machines again route the machine-marked “paper ballots” under the printer head (the part of the machine that marks the ballots) after they’ve been reviewed and cast. This additional defect is called a “Ballot Stuffing” defect and has been confirmed by Professor Richard DeMillo, Georgia Tech’s former Dean of computing and director of its Information Security Center.

These are serious concerns that call to mind the infamous Volkswagen “dieselgate” scandal because, similar to the illegal emissions in dieselgate, fraudulent votes enabled by these defects would be undetectable during the inspection (the manual audit or recount of the “paper ballots”). As explained by Stark, “If a system can tell that it is not being checked, it can be programmed to misbehave only when it is not being checked.”

On March 7, 2019, the co-chair of the New York State Board of Elections became the first election official in the nation to finally acknowledge these significant concerns. He requested that the Election Operations Unit of the State Board re-examine the state’s certification of the Dominion Image Cast Evolution machine.

These “dieselgate” defects, however, are just the latest example of the myriad problems that inevitably arise whenever you place a hackable machine between voters and their ballots. Here are some of the other well-established problems that have caused most independent cybersecurity experts to recommend hand-marked paper ballots (counted on scanners or by hand) as a primary voting system:

  • Most ballot marking devices (BMDs) that are intended for use as a primary voting system put barcodes on the paper printouts, which purport to encapsulate the voters’ selections. Although voters can’t read barcodes, the barcodes are the only portion of the printout counted as their vote.
  • The barcodes can be maliciously programmed to instruct the scanners to flip votes.
  • Although the machine-marked printouts also include human readable text purporting to summarize the voters’ selections, it is up to the voters to catch any erroneous or fraudulent machine-marked selections within that text. A recent study suggests that most voters don’t review the text, even when instructed to do so. Often, voters who do undertake such a review fail to catch inaccuracies.

A manual audit or recount based on corrupted machine-marked printouts would itself be corrupted.

  • Touchscreens lead to frequent user error. (As noted, BMDs and hybrids are touchscreen systems.)
  • Touchscreens enable corrupt officials to generate long lines by limiting the number of machines sent to each precinct.
  • Touchscreens are vulnerable to denial-of-service attacks and power outages that could prevent voters from voting at all.
  • Vendors pushing BMDs have disturbingly cozy relationships with many election officials.
  • Some BMDs test very poorly on the issue of disability access.
  • BMDs and hybrids cost substantially more than hand-marked paper ballots and scanners, which are more secure.

Nevertheless, counties in Pennsylvania, Texas, Kansas (Johnson County), Ohio, Delaware (entire state), New Jersey, and New York have already chosen ExpressVote, ExpressVote XL, or ImageCast Evolution hybrids for 2020. (There may be more; these are just examples.) Some of these decisions followed substantial public opposition, as was the case in Johnson County (the most populous county in Kansas), Delaware, and Philadelphia (the most populous county in Pennsylvania).

As noted, Johnson County deployed ES&S’s ExpressVote hybrids during the 2018 Kansas gubernatorial primary. The county’s election commissioner, Ronnie Metsker, had been appointed by then Secretary of State Kris Kobach, who was running for governor. Metsker insisted on buying these machines despite vociferous opposition from election integrity advocates and independent computer science experts, as well as negative local coverage. The system certification was rushed through the federal Election Assistance Commission (EAC) and signed by EAC commissioner Brian Newby, himself a former Johnson County election commissioner, one month before the election. Kobach had personally recommended Newby to the EAC after Newby left the county amid personal and financial scandal.

The ensuing primary election was a fiasco for Johnson County, beset by long lines, inability of the ExpressVote hybrids to display all candidates at once, confusion on the part of voters and election workers regarding the AutoCast feature, and an eight-hour reporting delay. Although Kobach was deemed to have bested his Republican opponent in the primary, he lost in the general election to Democrat Laura Kelly.

At the time, Johnson County was the first and only county in the nation to deploy ES&S’s ExpressVote hybrids in an election. Additional counties may have them in 2020.

A similarly alarming scenario is playing out in Georgia. There, House Bill 316, which would allow Georgia officials to buy “electronic ballot markers” with “integrated” ballot scanners (i.e., hybrid voting systems) for statewide use, passed both the state House and Senate last week. Concerned Georgia voters and election security experts saw this decision coming for months and fought in vain to try to stop it.

As Georgia lawmakers ignored concerns about security and cost, news about Governor Brian Kemp’s close ties with the vendor continued trickling out, including word that Kemp’s former chief of staff, David Dove, may have been a member of ES&S’s secret advisory board when he promoted ES&S’s ExpressVote system in 2017. ES&S has also donated $30,000 to the Republican State Leadership Committee (RSLC) since 2013. The RSCL houses the Republican Secretary of States Committee, of which both Kemp and Kris Kobach were executives in 2017.

US Senator Ron Wyden (D-OR) immediately lambasted Georgia’s passage of HB 316, emphasizing that Kemp has already chosen ES&S’s top lobbyist, Charles Harper, as his deputy chief of staff and that vendors like ES&S “have been able to hotwire the political system in certain parts of the country” and are “accountable to nobody.”

There seems to be no one who is both willing and able to stop jurisdictions from putting these insecure BMDs and hybrids between voters and their ballots. The federal Election Assistance Commission (EAC), which is responsible for certifying voting systems, has already certified these machines and does not require or conduct penetration testing, which is the type of testing that would determine if equipment is secure. A recent report also suggests that the EAC has provided misinformation about how voting machines are tested, while downplaying the risk that adversaries could subvert “software and foreign-made parts … to hack U.S. elections “

Thus far, the EAC has not called for paper ballots, much less specified paper ballots marked by hand. Nor has the Department of Homeland Security (DHS), which also acknowledges that it did not forensically analyze voting equipment after the 2016 election.

Nor has the FBI. In September 2016, then FBI Director James Comey told the House Judiciary Committee that it would be “very, very difficult” for someone to hack into the US voting machine system because it’s so “clunky and dispersed” and “those things aren’t connected to the internet.” In reality, however, ES&S and Dominion account for more than 80 percent of US election equipment, creating a centralized avenue of attack for corrupt insiders or hackers.

Moreover, contrary to Comey’s suggestion, all hybrids, BMDs, voting machines, and scanners must receive programming before each election from centralized county or state computers called election management systems that can and do connect to the internet. These election management system computers also include the central tabulators, which aggregate all electronic vote tallies from the precincts. Those tallies are then sent from the central tabulators to online reporting systems with flash drives or USB sticks that, in some jurisdictions, go back and forth between the online system and the central tabulator throughout the night as results are uploaded. This creates yet another central target for hackers to wreak havoc on an election.

Equally alarming: despite initial denials, ES&S admitted last year that it has installed remote access software in election management systems in 300 jurisdictions that it refuses to identify. This news was broken by cybersecurity journalist Kim Zetter, who asked Dominion if it too has sold its systems with remote access software installed. Dominion declined to respond.

And although Dominion recently sent a letter purporting to address the New York Election Board’s concerns about the ImageCast Evolution hybrid, the letter did not deny that the machine routes the machine-marked ballot under the print head after it’s been cast, explain why Dominion designed the machine to do that, or explain why that should not be considered a design defect. Instead, it attempted to distract from these concerns by discussing the undisputed importance of disability access and referencing unspecified “physical and procedural processes” that supposedly “exist to ensure the integrity of the election.”

On the bright side, the House Oversight and Reform Committee, which has subpoena power, recently announced that it has opened an investigation into voting machine irregularities during the 2018 midterm election in Georgia. As part of that investigation, the committee has requested communications involving ES&S, which is Georgia’s current vendor and the anticipated beneficiary of HB 316, the controversial voting system bill that just passed the Georgia legislature and that would enable the state to buy BMDs or hybrids. But when Rolling Stone asked Representative Jamie Raskin (D-MD) if the investigation would extend to the controversy over new voting equipment, Raskin was noncommittal, stating only that he’s “been interested in this problem of the election vendors and vulnerable technology for a long time.”

Election security advocates are now circulating a petition specifically asking the House Oversight Committee to investigate Georgia’s decision to ignore election security concerns in its selection of new voting equipment for 2020. They are encouraging voters from other states to sign as well, as multiple jurisdictions seem to be engaged in similarly alarming decision-making.

In the meantime, as we barrel toward 2020, Congress has allocated $380 million in federal taxpayer money for states to buy new voting equipment, but included “no strings” as to what type of equipment to buy, opening the door to both BMDs and hybrids.

And although both Ron Wyden’s Protecting American Votes and Elections (PAVE) Act and Representative John Sarbanes’s For the People Act (HR 1)  would require that jurisdictions at least give voters the option to mark their ballots by hand, the bills do not specify whether jurisdictions must provide this option at the polls or if they can instead satisfy the requirement by allowing all voters to vote by mail (which has its own significant chain-of-custody issues). Moreover, not a single Republican has endorsed either bill.

Meanwhile, election experts charge, the American public remains largely in the dark as to what it would take to secure our elections — hand-marked paper ballots — and the reality that certain new equipment purchases are making things worse.


By Jennifer Cohn

MORE FROM Jennifer Cohn