ALLENTOWN, Pa. — Jill Stein’s bid to recount votes in Pennsylvania was in trouble even before a federal judge shot it down Dec. 12. That’s because the Green Party candidate’s effort stood almost no chance of detecting potential fraud or error in the vote — there was basically nothing to recount.
Pennsylvania is one of 11 states where the majority of voters use antiquated machines that store votes electronically, without printed ballots or other paper-based backups that could be used to double-check the balloting. There’s almost no way to know if they’ve accurately recorded individual votes — or if anyone tampered with the count.
More than 80 percent of Pennsylvanians who voted Nov. 8 cast their ballots on such machines, according to VotePA, a nonprofit seeking their replacement. A recount would, in the words of VotePA’s Marybeth Kuznik, a veteran election judge, essentially amount to this: “You go to the computer and you say, ‘OK, computer, you counted this a week-and-a-half ago. Were you right the first time?’”
These paperless digital voting machines, used by roughly 1 in 5 U.S. voters last month, present one of the most glaring dangers to the security of the rickety, underfunded U.S. election system. Like many electronic voting machines, they are vulnerable to hacking. But other machines typically leave a paper trail that could be manually checked. The paperless digital machines open the door to potential election rigging that might not ever be detected.
What’s more, their prevalence magnifies other risks in the election system, such as the possibility that hackers might compromise the computers that tally votes, by making failures or attacks harder to catch. And like other voting machines adopted since the 2000 election, the paperless systems are nearing the end of their useful life — yet there is no comprehensive plan to replace them.
“If I were going to hack this election, I would go for the paperless machines because they are so hard to check,” said Barbara Simons, a former IBM researcher and co-author of “Broken Ballots,” a history of the unlearned lessons of flawed U.S. voting technology.
FRAUD AND THE U.S. VOTING SYSTEM
Although Stein premised her recount effort on the need to ensure that the 2016 election wasn’t tainted by hacking or fraud, there’s no evidence of either so far — a fact federal judge Paul Diamond cited prominently in his decision halting the Pennsylvania recount. “Suspicion of a ‘hacked’ Pennsylvania election borders on the irrational,” the judge wrote in his opinion.
Stein also pursued recounts in Wisconsin and Michigan, to little avail. Those states use more reliable paper-based voting technologies. (The Electoral College certified Republican Donald Trump’s presidential victory last week.)
But a cadre of computer scientists from major universities backed Stein’s recounts to underscore the vulnerability of U.S. elections. These researchers have been successfully hacking e-voting machines for more than a decade in tests commissioned by New York, California, Ohio and other states.
Stein and her witnesses said their fraud concerns were justified given U.S. charges that Russia meddled in the 2016 presidential campaign. Emails of top Democrats were hacked and leaked in what U.S. intelligence officials called Russian subterfuge against Democrat Hillary Clinton. Over the summer, hackers also tried to breach the voter registration databases of Arizona and Illinois using Russian-based servers, U.S. officials said. Election networks in at least 20 states were probed for vulnerabilities.
“It’s a target-rich environment,” said Rice University computer scientist Dan Wallach. Researchers would like to see the U.S. move entirely to computer-scannable paper ballots, since paper can’t be hacked. Many advanced democracies require paper ballots, including Germany, Britain, Japan and Singapore.
Green Party lawyers seeking the Pennsylvania recount called the state’s election system “a national disgrace” in a federal lawsuit, noting that many states outlaw paperless voting. They asked a judge to order a forensic examination of a sampling of the electronic machines, saying that’s the only way to know for sure that votes weren’t altered.
That would involve examination of all of the systems involved in the election — voting-machine computer chips and memory cards that store operating software and ballots, the computers that program the ballots, and even the machine vendors’ source code — to detect any “bugs, holes or back doors” a hacker could have exploited, said Daniel Lopresti, chairman of the Lehigh University computer-science department.
But forensic analyses aren’t foolproof, especially if hackers were good at covering their tracks. “What you’re hoping for is some evidence that was left, some degree of clumsiness or carelessness, a belief by the individual that we won’t dig quite that deep,” Lopresti said.
PENNSYLVANIA: A PERFECT TARGET
The U.S. voting system — a loosely regulated, locally managed patchwork of more than 3,000 jurisdictions overseen by the states — employs more than two dozen types of machinery from 15 manufacturers. Elections officials across the nation say they take great care to secure their machines from tampering. They are locked away when not in use and sealed to prevent tampering.
All that makes national elections very difficult to steal without getting caught. “It would take a ‘large conspiracy’ to hack the results of a presidential election,” said Kay Stimson, speaking for the National Association of Secretaries of State.
But difficult is not impossible. Wallach and his colleagues believe a crafty team of pros could strike surgically, focusing on select counties in a few battleground states where “a small nudge might be decisive,” he said.
As a battleground state with paperless voting machines, Pennsylvania is a perfect candidate. In affidavits for the recount, computer scientist J. Alex Halderman of the University of Michigan laid out how attackers could conduct a successful hack:
• Probe election offices well in advance to determine how to break into computers.
• After identifying battleground states, infect voting machines in targeted counties with malware that would shift a small percentage of the vote to a desired candidate.
• After silently altering electronic tallies, erase digital tracks to leave no trace.
Just because the machines aren’t on the internet doesn’t mean they can’t be hacked. Election workers could be duped or bribed into installing malware that sat dormant until Election Day. Locks could be picked to gain access to the machines, seals compromised with razor blades and acetone.
Studies by Halderman, Wallach and others proved years ago that it’s possible to infect voting machines in an entire precinct via the compact flash cards used to load electronic ballots.
An infected machine “could do anything you can imagine,” said Wallach. “It could flip votes from one candidate to another. It could delete votes. It could cast write-in votes for Mickey Mouse for president.”
HACKING THE COUNT
Vote-tallying systems, typically at the county level, are also tempting targets. They tend to be little more than PCs running a database.
Tabulation databases at the county level, which collect results from individual precincts, are supposed to be “airgapped,” or disconnected from the internet at all times — though experts say they sometimes get connected anyway. They’re considered insecure for other reasons; many have USB ports where malware could be introduced.
Vulnerabilities notwithstanding, there are no known cases of U.S. tallying systems being hacked. But it is not uncommon for candidates who have lost elections involving electronic voting to challenge results, claiming irregularities they blame on fraud, or human or mechanical errors.
Shelby County, Tennessee, home to Memphis, has seen a flood of lawsuits related to alleged tabulation errors, the most recent stemming from a 2015 court clerk race. “Nearly every election cycle in the county in recent memory has been plagued by a myriad of errors and complaints of wrongdoing,” Tennessee Secretary of State Tre Hargett wrote in a 2012 letter to the state comptroller recently obtained by The Associated Press.
OLD AND GETTING OLDER
Most voting machines in the U.S. are at or near the end of their expected lifespans. Forty-three states use machines more than a decade old. Most run on vintage operating systems such as Windows 2000 that pre-date the iPhone and are no longer updated with security patches. Old, stockpiled machines get cannibalized; when they can’t supply parts, officials scrounge on eBay.
On Nov. 8, election officials across the U.S. handled numerous complaints of aging touchscreens losing calibration and casting votes for the wrong candidate. Such “vote flipping” tends to get exaggerated attention on social media and has become so familiar it’s been enshrined in a TV episode of “The Simpsons.”
But while many experts agree the U.S. voting system needs an upgrade, no one wants to pay to fix it.
From the private-sector perspective, it’s a tiny market. University of Iowa computer scientist Douglas Jones estimates that voting-equipment makers pull in total annual revenues of less than $200 million — roughly what Google generates in a day. The biggest player, ES&S, is private and has just 450 full-time employees. (Researchers worry that smaller companies like these are also much more vulnerable to hacking by sophisticated state actors.)
The sector boomed after the 2000 Florida recount debacle, when punch-card technology was discredited by hanging chads and a poor “butterfly” ballot design. Congress appropriated $4 billion for election upgrades, and the states raced to replace punch cards and lever machines with digital technology.
But when that money ran out, so did many states’ ability to address security concerns they’d overlooked in their initial rush. Four in 5 U.S. election officials polled by New York University’s Brennan Center last year said they are desperate to replace equipment but lack the cash.
Voters in poorer areas suffer disproportionately, the center found. The Stein campaign complained in a letter Friday to Attorney General Loretta Lynch that minority communities are also particularly vulnerable. Among irregularities it cited were 87 ballot-scanning machines that suffered malfunctions in Detroit on Election Day.
Data collected by Brennan Center researchers suggests the poor are more apt to encounter failing machines. Six Minnesota counties buying new machines had household median incomes more than $20,000 higher than jurisdictions not making purchases, the center found.
In Virginia, wealthier counties near Washington have upgraded to more trustworthy technology while lower-income counties in the state’s southwest have not been able to afford it, said Edgardo Cortes, the state elections commissioner.
“The federal money is not there and in most instances state money is not being made available, either,” said Cortes. “So the entire cost is falling to local governments.”
Just as Congress delivered a death blow to punch cards, it should also outlaw paperless touchscreen voting machines and pay for their replacement, said Andrew Appel, a Princeton University computer scientist.
But even counties that can afford better voting tech face problems.
The clerk of Travis County, Texas, Dana DeBeauvoir, has been trying for a decade to build a bulletproof electronic voting system , because even the scanners that count paper ballots can be hacked. (Of course, such hacking could be detected and remedied by recounting paper ballots manually.)
The Travis County system would have a paper trail and use encryption systems to let voters confirm online that their vote counted and wasn’t subject to tampering. For transparency, DeBeauvoir wants to use open source software that anyone can examine, not the proprietary code the industry uses.
None of the major vendors has shown interest, she says. “I don’t think it fits their profit model.”