News
Computing Profession

Election Security: A Scientific View

Posted
Barbara Simons, former ACM president and board chair of Verified Voting.
Barbara Simons, former ACM president and board chair of Verified Voting.
Former ACM president Barbara Simons received ACM's Policy Award in 2019 for her work on improving reliability of and public confidence in elections.

In 2011, Barbara Simons traveled to Tallinn, the capitol of Estonia, at the invitation of that nation's former prime minister, who hoped Simons could help with the fight against the country's use of Internet voting. A retired IBM researcher and past ACM president, Simons is an internationally recognized expert on voting technology.

In the mid-2000s, Estonia had become one of the first countries to introduce Internet voting in a substantial way in its national elections, a point of pride for this small Baltic nation. Yet by 2011, politicians from the former prime minister's party suspected Internet votes were being rigged; they hoped Simons could confirm their suspicions.

She could not. The votes of many Estonians had been sent over the Internet and stored electronically, with no auditable paper trail to verify voters' intentions. "Maybe the votes were [rigged], maybe they weren't," Simons said. "There's no way to know." The Estonian example, she said, "illustrates a worst case of what could happen, which is that [the voting system] can sow doubt in the results."[1]

Doubt can also be sown without Internet voting, as the most recent U.S. presidential election demonstrated. When then-President Donald Trump repeatedly asserted his election loss was due to massive fraud, many of his supporters believed him. The belief persisted even when the allegations, formalized in scores of lawsuits brought by the Trump campaign, were dismissed by multiple courts for lack of evidence.

The vast majority of votes in the 2020 U.S. Presidential election were cast on paper ballots, making possible the many audits and recounts that were carried out in several states. These procedures uncovered mistakes and glitches, but no evidence of fraud on a scale that could turn the election, and they showed that the election had actually been very secure.

In fact, the 2020 election was more secure than the 2016 contest in which Trump had been elected. One factor in the improvements made in the time between the two elections was the years-long work of Simons and other technologists, who have pressed for appropriate use of technology in voting systems, for paper ballots, and for robust election auditing. 

Paper is a solution, not a problem

Simons has long been active in issues at the intersection of technology and public policy. After serving as ACM Secretary from 1990 to 1992, she founded what the association now calls the U.S. Technology Policy Committee (formerly USACM). Today she chairs the board of directors of the nonpartisan, nonprofit Verified Voting Foundation, which advocates responsible use of technology in elections. In 2019, ACM presented her with its Policy Award for her work on improving reliability of and public confidence in elections.

Simons became interested in voting systems after the 2000 presidential election, which was marred by vote-counting chaos in Florida. The state ran into problems with the card-punch machines used to record votes. The machines sometimes made faulty cuts, leading to ambiguous ballots. In carrying out a recount to check the razor-thin vote margin, Florida election officials struggled to interpret such inadequately punched cards. Finally, the U.S. Supreme Court, in a 5-4 decision, ended the recount and declared George W. Bush, rather than Al Gore, the victor.

This episode led many to believe paper ballots were the problem, and that computers would be the solution. "It's not that paper was an issue, it's that bad technology that uses paper was an issue," Simons said. Nevertheless, the backlash against paper led to widespread adoption of paperless systems called Direct Recording Electronic (DRE) voting machines. 

A DRE displays candidates' names on a screen; after the voter makes a choice, the DRE is supposed to record the vote in its memory. However, "just because you see something on the screen doesn't mean that's what's stored in memory," Simons said, since the software could contain bugs or malware. Early examination of DRE code by independent computer scientists uncovered glaring vulnerabilities, demonstrating that security was often inadequate or nonexistent.

Hacking is also a threat. In a widely viewed video posted on The New York Times website in April 2018, University of Michigan computer scientist J. Alexander Halderman illustrated the vulnerability of a DRE machine produced by the company Diebold. One doesn't even need physical access to a Diebold DRE to hack it; Halderman demonstrated a simple method to hack it remotely. The same type of machine was used for all in-person voting in Georgia from 2002 through 2018.

Efforts by Simons and others led to some DREs being retrofitted with a continuous roll of thermal-printed paper that created a paper record of the votes.  While better than paperless, the retrofits were poorly designed and produced paper that was hard to read, compromising its reliability as a backup. Together with a lack of understanding of why paper was needed, the inadequate readability might explain why some studies found that most voters didn't even bother to check the paper to verify their votes had been recorded correctly.

Newer machines called Ballot Marking Devices, which print the voter's choice onto a paper ballot, also have raised concerns that voters might not take the time to verify their ballots. In addition, some badly engineered Ballot Marking Devices have built-in scanners, an insecure design feature that makes it possible for the printer to modify the ballot without the voter's knowledge. 

Despite these problems, improvements to voting security have been steady and substantial. Currently about 70% of votes in U.S. elections are cast on hand-marked paper ballots.[2] "The good news is that in 2020, the vast majority of the country was voting on paper ballots finally," Simons said.

Risk-Limiting Audits

The counting of paper ballots is usually carried out by scanners. Just as with DREs, scanners could have software bugs or malware, so there has to be a way to verify them.

A manual recount of a randomly selected portion of the paper ballots can serve as a check, but how many do you need to recount? Almost a decade ago, University of California, Berkeley statistician Philip Stark developed a method called a Risk-Limiting Audit (RLA), which can help detect when a declared outcome is wrong. 

While there are several types of RLAs, all of them depend on randomly sampling and manually tabulating voter verified ballots until there is sufficiently strong evidence that the declared outcome is correct. If such evidence is not found, the RLA will lead to a full manual count that will determine the correct outcome.

Presidential Elections

The 2016 presidential race was unlike any other in modern times. Donald Trump was a norm-shattering candidate whose ultimate victory strongly contradicted polling in swing states and astounded many in both parties. It was a tight race in which his opponent, Hillary Clinton, won the popular vote, while he won the Electoral College, assuring his victory. A tight race, a controversial outcome: exactly the conditions under which verifying the vote can bolster trust and acceptance.

Simons, Halderman, and several other voting technology experts initiated an effort to conduct recounts in certain states crucial to the election outcome. As a New Republic article put it, these experts "were scientists, and they thought like scientists: they wanted to review the ballots to gather evidence and test a hypothesis." 

Obstacles, practical and political, soon emerged. One was the archaic recount laws in some states (many of which remain on the books). Another was the lukewarm reaction of the Clinton campaign, which saw little point in a recount because the scientists were not predicting a change in the election's outcome.

"The idea in 2016 was to validate the results because they were so controversial," Simons said. No one was claiming the election had been rigged or stolen.  "What people were saying was, 'it's controversial, it's close…  it would be better if the results were validated.'  And that didn't really happen." 

In the end, Wisconsin conducted a statewide recount, while an attempt at a recount in Michigan was stopped by a court after the Trump campaign objected. In Pennsylvania, where the race was tight, over 80% of the state's votes had been cast on paperless machines; the low percentage of paper ballots would have compromised the reliability of a recount, had one been carried out. A Pennsylvania recount also was blocked by a court.

By the time of the 2020 presidential election, many improvements had been made. Paperless DREs, which Simons said "should be illegal," were far less common than in 2016.  All of the contested states used paper ballots in 2020, including Georgia, which wound up carrying out three counts. Several states and localities had come to understand the value of RLAs, and some had even began requiring them.

Nevertheless, voting equipment manufacturers came in for withering attacks by Trump's legal team, who alleged the machines had been rigged to change votes. In January of this year, the two companies that produce the machines sought billions of dollars in damages through defamation lawsuits against those publicly denigrating their equipment. Simons' view: "While these systems have vulnerabilities, there is no evidence that any of them was rigged to change the 2020 election results."

Overall, she said, "There just is no evidence that there were any significant, successful attacks on the election." In November 2020, about 60 technology and computing experts with decades of experience in voting systems signed an open letter that flatly stated, "To our collective knowledge, no credible evidence has been put forth that supports a conclusion that the 2020 election outcome in any state has been altered through technical compromise."  Simons and Halderman were among the signatories, along with ACM A.M. Turing Award recipient Ronald Rivest, and several ACM Fellows.

The trustworthiness of the 2020 election is encouraging, but much work remains to be done. "It would be nice if one of the outcomes of all of the misinformation around the election, all the concerns and all the fears, could be channeled into doing the right thing: getting paper ballots—primarily hand-marked ballots—everywhere, requiring strong custody of those ballots, and implementing RLAs throughout the country," Simons said. "And states and localities should be provided with the money they need to hold secure elections.

"This isn't a Republicans versus Democrats thing. We are citizens. We are patriots. And we all care about making our elections secure."

 

Allyn Jackson is a journalist specializing in science and mathematics, who is based in Germany.

 

[1] In "Internet Voting in the U.S.", Communications of the ACM, October 2012, Barbara Simons and Douglas W. Jones present the case against Internet voting.

2 The Verifier, accessible on the website of the Verified Voting Foundation, is an interactive U.S. map illustrating which type of voting system was used at the state and county levels for the years from 2006 to 2020.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More