Can Your Vote Be Hacked?

Bruce Maples

In our first article on election security, we tried to learn what steps are taken to keep the state’s voter registration data secure. Unfortunately, we were unable to get much information from the Secretary of State’s office beyond “trust us – it’s safe.”

It was a different story with the local election staff in Jefferson County. We talked multiple times with the bipartisan leadership of the staff, making sure we understood what steps are taken to keep the actual process of voting as secure as possible. In addition, after some initial “who are you and why are you asking” responses from ES&S, the voting machine manufacturer (which was understandable), they responded to our questions about the machines in some detail.

Some Background

The idea for this series of stories on election security started when we noticed that the Jefferson County Board of Elections was getting all new voting machines, and was having an open house to show them off. With all the discussion around the 2016 election and the possibility of Russian hacking, we thought the arrival of new voting machines would be a good time to look into election security.

Jefferson County uses a combination of paper ballots and scanning machines as their voting system: the voter marks a paper ballot, then that ballot is scanned by the voting machine and the marks of the voter are tabulated. As we will discuss further in our Analysis and Recommendations article on Thursday, this is one of the more trustworthy ways to do elections.

Even so, you are still trusting a machine to count your votes, and you are trusting the software in that machine to be free of bugs (either accidental or intentional), and you are trusting the people who program and handle those machines to be trustworthy themselves. That’s why we delved so deeply into how this work is done.

The Election Boards

In Kentucky, the election infrastructure is led by the Secretary of State and the state Board of Elections. As noted on their site:

The State Board of Elections consists of the Secretary of State Alison Lundergan Grimes, who serves as Chair and the chief election official, and six members appointed by the Governor from lists supplied by the two political parties in the Commonwealth.

Further down in the election infrastructure, each county has their own local election board that is bipartisan, and is appointed by the state Board of Elections. The state board also trains the local election board, to make sure each board member understands and follows federal and state election laws.

As explained on the Secretary of State’s web site:

The County Board of Elections has four members: the County Clerk serves as chair, the County Sheriff, and two members appointed by the State Board of Elections.  The State Board of Elections appoints from lists submitted by each county political party executive committee, one Democratic member and one Republican member, to the County Board of Elections. The county board of elections, at the direction and under the supervision of the State Board of Elections, shall administer election laws and supervise registration and purgation of voters within the county.

Here is a list of the current board of elections members for each county across the state.

The New Voting Machines

The new voting machines that Jefferson County will be rolling out are model DS200s from Election Systems & Software (ES&S). This particular voting machine is certified by the bipartisan Election Assistance Commission, and has a number of features to make it both more secure and easier to use:

  • The ballot setup for each machine is installed via duplicate USB flash drives, only one of which is accessible to the officials at the precinct.
  • The USB openings and the paper ballot containers are sealed with numbered security seals.
  • The machine not only reads the submitted ballot, it also takes a picture of the ballot as it is being scanned.
  • The machine informs the voter if the voter has overvoted (marked too many choices in a given race), rather than accepting and counting the overvotes.
  • The machine can be purchased with wifi capability – but Jefferson County chose not to even have the card installed.

After doing some research on the DS200, we sent questions to ES&S about some issues that had arisen in the past with the machine. Their responses are included toward the end of this article.

How Jefferson County Does Voting

As we mentioned earlier, every county has a bipartisan election board. In addition, Jefferson County has an election staff that is also bipartisan. As you read through the processes below, remember that all the steps are carried out by that bipartisan staff.

Ballot Preparation

  • Paper ballots are laid out according to the order of races (federal, state, local, and so on), then by order within each race as drawn by lot.
  • Once paper ballots are laid out for each precinct, each ballot is programmed for the DS200 machines in that precinct by a bipartisan committee, using the ES&S Electionware software, and transferred to a USB drive for testing.
  • A test deck of paper ballots is run to check the programming for that precinct. Every combination of possible votes is tested, including write-ins. The USB drive is then reprogrammed to erase the vote counts from the test deck.
  • That programming is then transferred to two USB flash drives for each voting machine.

Voting Machine Preparation

  • The USB drives are then taken to the warehouse where the voting machines are stored, and installed in each machine by bipartisan staff. (Note that having the warehouse staff be bipartisan is not required by statute; Jefferson County does it as an additional check against tampering.)
  • Once the drives are installed in the voting machines, each machine is tested using another set of test deck ballots, then a totals tape is run for those ballots, to ensure the machine is functioning properly. This test for logic and accuracy is mandated by state law (31 KAR 2:020).
  • At that point, each machine is sealed using numbered seals, and the number of the seal recorded on both a master list and on the Ballot Accountability Envelope that accompanies the machine to the precinct. Both the access to the USB drives and to the ballot storage bins are sealed.
  • The sealed voting machines are delivered to each voting location a few days before the election and stored.
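
The test-deck check described in the two lists above (run a deck with known votes, then compare the totals tape against what the deck should produce) can be sketched in code. This is an added example, not part of the original article and not ES&S or Jefferson County software; the contest names, the tape layout, and the padding ballots are assumptions. It goes one step beyond the text by giving every choice in a contest a different expected total, a common test-deck design practice, so that programming which credits one candidate's marks to another shows up as a mismatch.

```python
from collections import Counter
from itertools import product

WRITE_IN, BLANK = "<write-in>", "<blank>"   # blank = undervote, which is permitted
# Constructed sample ballot; contest and candidate names are hypothetical.
CONTESTS = {"Mayor": ["Adams", "Baker"], "Clerk": ["Cruz", "Diaz", "Evans"]}

def build_test_deck(contests):
    """Every combination of choices, plus padding ballots for distinct totals."""
    names = list(contests)
    options = {n: contests[n] + [WRITE_IN, BLANK] for n in names}
    deck = [dict(zip(names, combo)) for combo in product(*options.values())]
    # Padding: the i-th choice in a contest gets i extra ballots (others blank),
    # so no two choices in that contest share an expected total.
    for name in names:
        for i, choice in enumerate(options[name]):
            deck += [{n: (choice if n == name else BLANK) for n in names}] * i
    return deck

def expected_totals(deck):
    """Reference tally: what the totals tape should report for this deck."""
    return Counter((c, choice) for ballot in deck for c, choice in ballot.items())

def mismatches(expected, tape):
    """{(contest, choice): (expected, reported)} for every line that disagrees."""
    keys = set(expected) | set(tape)
    return {k: (expected.get(k, 0), tape.get(k, 0))
            for k in sorted(keys) if expected.get(k, 0) != tape.get(k, 0)}

def swapped_tape(expected, contest, a, b):
    """Constructed faulty tape: programming credits a's marks to b and vice versa."""
    tape = dict(expected)
    tape[(contest, a)], tape[(contest, b)] = expected[(contest, b)], expected[(contest, a)]
    return tape

if __name__ == "__main__":
    deck = build_test_deck(CONTESTS)
    want = expected_totals(deck)
    print(len(deck), "test ballots")
    print("clean tape:", mismatches(want, dict(want)))
    print("swapped tape:", mismatches(want, swapped_tape(want, "Mayor", "Adams", "Baker")))
```

Without the padding ballots, every candidate in a contest would receive the same number of test votes, and a tape from a machine with two candidates swapped would match the expected totals exactly.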

Voting

  • On the day of the election, the voting officials for that precinct set up the voting machines, then run a “zero tape” to make sure that the machine is starting its counting for all races at zero.
  • Voters proceed to mark a paper ballot to vote, then insert the ballot into the scanning machine. If the voter has overvoted—voted for more than one candidate in a given race—the machine informs the voter that they overvoted, and on which race. The ballot is documented as a spoiled ballot, and the voter is given a second ballot to vote on. Voters are only allowed three ballots by law. Note that even though overvoting is not allowed, undervoting is permitted.
  • Once the election is over, the election officials run two totals tapes out of the scanning machine. One is placed on the door of the voting location, publicly displaying the votes recorded at that location. The other is taken, along with one of the USB drives, to a central location.
  • The ballots, and the other USB drive, remain sealed inside the machine, which is shut down and stored at the voting location. The next morning, the bipartisan election staff begins picking up the machines at 6 AM and transporting them to the warehouse. The ballots stay locked and sealed in each machine, in the warehouse, for 30 days.

Questions About the Voting Process

We submitted these questions to the Jefferson County election staff. Here are their answers.

  • Would it be possible for someone to swap out the USB drive in the machine in order to install a hacked one? Theoretically, it would be possible. However, there are substantial barriers:
    • The paired USB drives are programmed by a bipartisan staff, transported to the warehouse by a bipartisan staff, and installed in each machine by a bipartisan staff. The access door is then sealed with a numbered seal.
    • The warehouse is guarded 24×7 by a bipartisan staff.
    • At the precinct, only one of the two USB drives is accessible. If a different drive were installed, the person doing the swapping would have to have another seal with the same number as the original. And the machine would not function, because the two USB drives would not match.
  • What happens if a voting machine fails during the election?
    • Election officials are trained on fixing basic issues, and on how to keep the voting going while working to get the scanning machine back in operation.
    • The Board of Elections maintains a hotline on election day that is manned by election machine technicians. If the technician cannot solve the problem over the phone, then a bipartisan technician team is dispatched to the precinct to fix the machine.
    • If the technicians cannot repair the machine, then the ballots cast to that point are taken out of the machine and run through a different machine. (The paper ballots are the “source of truth,” in other words.)

Questions About the DS200

We submitted a series of questions to ES&S about some past issues with the DS200. Here are their responses, verbatim.

ForwardKY: There were some problems found in earlier versions of the DS200, documented here. What has been done to address the issues listed below?

  • Unresponsive touch screens caused by memory overruns due to error logging when a USB device is not present.
  • Failure to log all normal and abnormal voting system events.
  • Skewing of the ballot resulting in a negative effect on system accuracy.

ES&S response: “The items you reference above (pulled from a third-party site) appear to be referencing an earlier version of the software, which exhibited some of these issues during testing in one jurisdiction. We continuously update and enhance our software, so the version of software noted above was updated long ago, and these reported items have been addressed. In fact, the version of software used by Jefferson County is an entirely different election management platform than what is noted above from the third-party site.”

ForwardKY: What has been done about the overvoting problem identified in the Virgin Islands?

ES&S response: “The Virgin Islands had a unique straight party requirement not used by any State in the U.S. At the time of their election, the DS200 did not accommodate this particular type of straight party voting. The DS200 did not malfunction in any way – it simply was not designed to accommodate the form of voting that the USVI was using at that time. The USVI has since changed their statutes.”

ForwardKY: What has been done about the machine-generated overvoting caused by overheating, noted here and here? 

ES&S response: “The NY issue stemmed from a problem reported on a single unit in 2010. The State and ES&S both determined that the issue reported on this single unit was attributed to the unit needing to be cleaned and calibrated.”

ForwardKY: What does ES&S consider to be an “acceptable” rate of ballots rejected due to overvoting in a normal election? (Asking this question because one election security consortium stated that the DS200 had higher rates of accepted overvoted ballots than other machines.)

ES&S response: “The DS200 did not have a higher number of rejected ballots than other systems. It is up to each state or jurisdiction to determine how they wish to handle over and undervote notifications. The DS200 notifies the voter if their ballot is overvoted and allows the voter an opportunity to correct their ballot. If the voter wishes to cast the ballot with overvotes, then the jurisdiction can allow the voter to have that discretion. This is not a failing or issue with the unit – it is a voter and jurisdiction’s choice.”

Wrapping Up

First of all, we want to give a big Thank You to Stephanie Campbell and James Young, the bipartisan directors of the Jefferson County election staff. As you can see, we went way into the weeds on the process, just to be sure we understood all the nooks and crannies where hacking could theoretically take place, and what was done to prevent it. They were patient with our questions, and as determined as we were to get it right. Thanks to you both!

Secondly, we were struck by the overall level of professionalism and processes involved in our local elections. While every human endeavor can be improved, the processes and approaches laid out above match the seriousness of the task. That in itself is reassuring.

At this point, we have looked at voter registration data and at the act of voting. But, we still have to do the third leg of our three-legged stool: we have to count the votes! A look at that process is coming tomorrow (Wednesday). Then on Thursday, we’ll conclude with our Analysis and Recommendations. Thanks for reading!

–30–


Bruce Maples has been involved in politics and activism since 2004, when he became active in the Kerry Kentucky movement. (Read the rest of his bio on the Bruce Maples Bio page in the bottom nav bar.)
