Daily Kos Staff
Wednesday January 08, 2020 · 3:30 PM EST
A ballot-marking device.
A study by a seven-member team at the University of Michigan has concluded that a new voting machine that will be used for the first time this year doesn’t have enough protection against hackers. These machines—known as ballot marking devices (BMDs)—will be used by at least 18% of the nation’s districts. This is the first major independent review of such machines.
Warning Signage. One of the interventions the researchers tested was to place a sign above the scanner that instructed voters to verify their ballots. They concluded that the signage was not an effective intervention.
The machines let voters choose their favored candidates in a computer kiosk. The computer prints out ballots for voters’ review before they put them in a scanner for tabulation. Thus, the voter gets a chance to make sure the machine correctly recorded their choices. Sounds good, right? An improvement over totally paperless machines. But the study team notes:
However, the security of BMDs depends on how reliably voters notice and correct any adversarially induced errors on their printed ballots. In order to measure voters’ error detection abilities, we conducted a large study [of 241 people] in a realistic polling place setting using real voting machines that we modified to introduce an error into each printout. Without intervention, only 40% of participants reviewed their printed ballots at all, and only 6.6% told a pollworker something was wrong. […] Based on these findings, we make several evidence-based recommendations to help better defend BMD-based elections.
Joseph Marks at The Washington Post reports:
“The implication of our study is that it’s extremely unsafe [to use BMDs], especially in close elections,” Alex Halderman, a University of Michigan computer science professor and one of seven authors of the study, said in an interview. […]
“There’s been a lot of discussion in the election security community about whether BMD verification works as a defense against hacking, but nobody really had any hard numbers,” Halderman told me. “Now, for the first time, we have an experimental data point and, unfortunately, the results confirm some of our worst fears.”
Marks notes that plaintiffs are suing to keep some Pennsylvania counties from using ExpressVote XL machines, BMDs built by designed by Election Systems & Software. Last November, one of those voting machines failed and chose the wrong winner in a county judge race. The researchers created a roster of recommendations to help election officials use BMDs more safely. But Halderman said that these voting districts should switch to hand-marked paper ballots if they can.
The team scrutinized its 241 subjects as they mock-voted on the BMDs. Each ballot included at least one vote for a candidate the person did not choose. Since so few of the voters reviewed their ballots, if hackers just changed a relative handful of votes, it could mean a shift of 1% or 2% in the outcome—enough to generate bogus results in a close election. Nothing the study team tried to get voters to review their ballots for errors worked “to the point that BMDs can be used safely in close or small elections.”
Marks points out that while Congress has appropriated nearly a billion dollars since 2016 for voter security, $425 million of it in the most recent budget agreement, none of that money arrives with cybersecurity requirements attached.
In May last year, Democratic Sen. Ron Wyden of Oregon introduced S. 1472, requiring that hand-marked ballots be the default for voters. It would also provide $250 million to develop secure BMDs for people who have disabilities that make it difficult or impossible for them to use hand-marked paper ballots.
The study team’s recommendations in brief, each of which is elaborated on in the study, are:
- Design polling places for verification […]
- Incorporate post-voting verbal instructions […]
- Encourage personalized slate voting […]
- Help voters correct errors, and carefully track problems […]
- Prepare contingency plans: What to do in the event that BMDs are known or suspected to be misbehaving is a more difficult question. If an elevated number of voters have a problem with a single machine, it should be taken out of service, provided there are other BMDs available for use (especially for voters with disabilities, who may have no alternative). If widespread problem reports occur—particularly problems focused on a tightly contested race or significantly exceeding the rate reported in past elections—officials could consider taking most BMDs out of service and encouraging all remaining voters who can to use hand-marked ballots. This raises logistical challenges: Polling place would need to have enough ballots available for hand-marking, or the ability to print ballots on demand, and votes already cast on the BMDs would be suspect. […]
- Educate voters about BMD operations and risks […]
- Consider the needs of voters with disabilities […]
- Require risk-limiting audits: Even perfectly verified paper ballots are of little use for security if they are not rigorously audited to confirm the results of computer-based tabulation. Fortunately, risk-limiting audits (RLAs) are gaining momentum in the United States. Colorado, Nevada, and Rhode Island mandate statewide RLAs, and states including Michigan, Virginia, Georgia, and Pennsylvania are considering implementing them soon.
Leave a Reply