You can read the code, or you can believe in magic.
— Old Saying
In the world of software development, the term “magic” is commonly used to refer to code you incorporate into your codebase that you did not write and do not fully understand. It has a negative connotation. Magic is dangerous. It saves you the time of coming up with a solution to a problem someone else has solved, but it can bring about the worst bugs at the worst times in your life. To prevent errors (and to solve them) you generally need a thorough enough understanding of the system that you can predict where and how things could go wrong. Magic is a blindspot.
If I didn’t know how to code, I would likely trust electronic voting machines. Or at least, I did before I knew how to code, even though it appears in retrospect that “technical people” have been warning about the lack of security around voting machines for years. The problems with voting machines are philosophical and practical; abstract and concrete “facts on the ground.”
Much more convincing than any abstract arguments I can make, I think, is a presentation by J. Alex Halderman called Cybersecurity and U.S. Elections at DEF CON 26 in 2018. Halderman is a computer science professor at the University of Michigan, with a resume that includes co-founding Let’s Encrypt.
Halderman began the presentation by demonstrating a hack he personally created for a model of machine that’s still in use (or was as of 2018). The machine was an AccuVote TS-X. It’s a paperless, touchscreen, direct recording machine. He bought it on eBay. It had previously been used by the state of Ohio.
In the demonstration, Halderman first swiped a memory card similar to one that an election officer would use. The card initialized the state of the machine with the parameters of an election. For this demonstration, it was an election between George Washington and Benedict Arnold, starting with 0 votes a piece. He then had 3 volunteers cast votes. Before voting, each volunteer had to insert a voter access card for the machine to accept their vote. The first 2 voted for George Washington. Before the third person voted, Halderman handed him his own “infinite voter card” — a card that looks exactly like the others, but this one was loaded with a malicious script.
The third person voted for Benedict Arnold. At that point, the volunteers had actually voted 2 to 1 for George Washington. Halderman printed the results of the machine, however, and it showed a flipped count of 1 to 2 with Benedict Arnold winning.
Halderman said that the firmware on the hacked machine was not the latest, but that the same version and even older versions “are in widespread use across the US today.” He said that there’s no requirement that an electronic voting machine’s firmware be kept up-to-date. Further, Halderman said that “something like 41 states use election equipment that’s more than 20 years old.” Some of those were designed in the 1980’s, often not getting security updates. Halderman asserted that “the only safe assumption is that all of them have exploitable vulnerabilities.”
Halderman ended his presentation countering common arguments that we don’t need to worry about electronic voting machine security. The arguments were that 1) we have a diversity of technology and decentralized processes 2) the machines aren’t connected to the internet and 3) more than 70% of votes are recorded on a piece of paper.
Diversity, Halderman argued, can actually be a weakness, or is at least ineffective. Those who believe it to be a strength may argue that having different processes and machines makes it difficult for someone to rig an entire national election, because any given vulnerability will be limited in scope. Whereas, if all states and counties had the same machines, a single vulnerability may expose the entire country.
Halderman asserted this argument only clearly applies in cases where an election isn’t close. If an election is close, diversity could instead be an advantage for hackers; the hypothetical hackers need only target the highly contested states with the weakest security. One state or even a single county could have uniquely weak security and jeopardize the legitimacy of the entire election.
The second point — that the voting machines are never connected to the internet — would be an advantage if it were true. Connecting a machine to the internet could allow a virus to spread from machine to machine. Also, just being connected to the internet at all provides an open portal for attackers.
Halderman stated, however, that some machines do make a “brief” connection to the internet to send back results. Others may not technically connect to “the” internet as we know it, but they may connect to each other via an intranet, or a large group may all be programmed by an election management workstation (“EMS”) with propriety software offering a centralized point of attack. An EMS could be run by a contracted voting machine vendor or some other small business. It could connect machines in one county or multiple states. Halderman stated that he’s visited the central location of an EMS before, and described it as “just an office somewhere.”
He displayed the website of a small business in Michigan that’s contracted to provide such services to the state. Their marketing website didn’t use HTTPS and showed personal data from all employees in the company. Halderman offered a hypothetical scenario where a successful phishing attack on one such employee could result in the contamination of all machines handled by that company.
On the third point, that more than 70% of votes are recorded on a piece of paper, Halderman said was “just great.” He asserted that paper was the “physical fail safe” of voting. Unfortunately, he feels, few states “look at the paper”; they rely purely on the totals provided by the machines. Halderman concluded that every vote should be backed by a piece of paper, and any results from a machine should be audited to a high level of statistical certainty.
The primary advantage of paper is its utter lack of magic. People understand how to count paper, how to mark paper, and can better predict how paper ballots and boxes could be manipulated. People don’t generally understand how voting machines work, and would have a harder time predicting how things could go wrong.
While I was at an election results watching party in November 2022, someone said he felt we should just be able to vote online. Another developer and I told him this was a terrible idea, that the machines would constantly be under attack and would likely get hacked. To attempt to frighten him, I told him about how the second you connect a virtual server from Amazon Web Services to the internet, some kind of bot will find it and start trying to hack it. He said that no one was out there trying to commit voter fraud on a scale large enough to actually overturn an election, and he said it seemed like if we can bank online, then surely we can vote online.
But bank fraud does happen. Credit card numbers do get stolen and used. Online checking accounts get hacked. The reason we can bank online is that the banking system can tolerate fraud. Banks are willing to incur the costs of fraud, and they have customers watching their accounts to alert their banks when fraud occurs.
In the book Web Application Security by Andrew Hoffman, Hoffman includes an aside that there is no such thing as “absolute” application security. For machines that connect to the internet, in particular, security is a function of: 1) your threat level and 2) how easy you allow yourself to be to hacked relative to other potential targets. For a federal election: 1) your threat level is state actors and 2) there are no other potential targets.
Threat level matters because we allow for the possibility that powerful entities (such as foreign states) have capabilities that we can’t predict or we otherwise believe to be impossible. The foundation of computer security is cryptography, and commonly used encryption methods rely on math that makes assumptions about the known world, including computing power. As a software developer, when I encrypt a user’s password to store in a database, or create a key that only allows the holder of that key to access a server, I use cryptographic functions that might as well be magic to me. I follow industry standard best practices, but I don’t fully understand how they work. I’m aware that best practices change from time to time, and that every so often there are rumors that a certain government or corporation quietly has a super computer that can break common encryption algorithms. Part of my skepticism of electronic voting machines stems from this widespread, fatalistic attitude towards security in the web development industry — that security is theoretical.
Beyond magic, part of what makes computer security difficult isn’t so different from what makes physical security difficult: the attacker chooses when and how to attack. There are a myriad of ways that things can go wrong, accidental or intentional. It’s up to your imagination, really. I’ve seen engineers far smarter than me just ship code to production that contained subtle logic problems that effectively allowed users to enter any password whatsoever and access the account of a valid username.
And our voting machines do seem to have physical security flaws. At DEF CON 30 in August 2022, one participant at the Voting Machine Village said that, “Basically all machines used in the United States…are designed in a time when cyber war was science fiction. So, there’s no security considerations to mention in any of these designs. So once you get physical access, the game is always over. At the same time, a lot of these machines do have a capability of being attacked remotely or in a wholesale basis.” According to CNET coverage of a DEF CON conference in 2017, one machine used as recently as 2015 had two externally exposed USB ports, allowing an attacker to plug-in a keyboard. One participant at the conference was able to hack into that machine in under 35 minutes.
I am not claiming that voter fraud has occurred in any prior US election. With the heightened publicity on election integrity, I’ve just grown intellectually curious about what security mechanisms are in place. My impression is that the overwhelming consensus amongst independent security experts is that electronic voting machines are generally easy to hack. My own intuition in dealing with application security as a software developer is that you should always be skeptical of the security of a machine; security is a nebulous process. I am supportive of Professor J. Alex Halderman’s idea that we should move away from relying on electronic voting machines, in favor of paper ballots and/or audits of electronic voting machine results via paper ballots.
Here are some more fun, uncontroversial videos on electronic voting machines: