Credit...Photo illustration by Javier Jaén. Source photograph: Getty Images

Feature

The Crisis of Election Security

As the midterms approach, America’s electronic voting systems are more vulnerable than ever. Why isn’t anyone trying to fix them?

It was mid-July 2016 when Neil Jenkins learned that someone had hacked the Illinois Board of Elections. Jenkins was a director in the Office of Cybersecurity and Communications at the Department of Homeland Security, the domestic agency with a congressional mandate to protect “critical infrastructure.” Although election systems were not yet formally designated as such — that wouldn’t happen until January 2017 — it was increasingly clear that the presidential election was becoming a national-security issue. Just a month before, Americans had been confronted with the blockbuster revelation that Russian government actors had hacked the Democratic National Committee’s servers and stolen private email and opposition research against Donald Trump, the Republican presidential candidate.

And now, it emerged, someone was trying to infiltrate the election system itself. The Illinois intruders had quietly breached the network in June and spent weeks conducting reconnaissance. After alighting on the state’s voter-registration database, they downloaded information on hundreds of thousands of voters. Then something went wrong, and the attackers crashed a server, alerting officials to their presence.

It soon became clear that this would not be the last attack. In early August, Jenkins learned of another breach, this one on an Arizona state website, and it appeared to come from one of the same I.P. addresses that had been used to attack Illinois. This time, the intruders installed malware, as if setting the stage for further assault. Then reports from other states began to pour in, saying that the same I.P. addresses appeared to be probing their voter-registration networks. Against that backdrop, the D.N.C. hack was looking less like an isolated incident.

“We started to ask: Are these things related?” Jenkins recalled. “Are they the same actors? Is this some kind of concerted effort?” He and his team realized that if Russian hackers were trying to disrupt the coming elections, D.H.S. needed to quickly get in touch with the state and local officials who ran them. But whom do you call when there are more than 10,000 election jurisdictions in the United States?

Jenkins at first assumed that each state had a chief information officer who oversaw election security — but this turned out to be wrong. A staff member suggested that the Federal Election Commission must be the governing body over elections — but the F.E.C., they quickly realized, was focused on campaign finance, not election systems. Then a colleague did a Google search on election administration and came across the U.S. Election Assistance Commission, the federal body created by Congress in 2002 to serve as a federal liaison with state election officials. “I’m embarrassed to admit I didn’t know that the E.A.C. existed,” Jenkins said. “I would say that I’m not the only person working in the federal government that this was true for. This topic is not something that was really on anybody’s big radar.”

Jenkins planned a call for mid-August for his boss, Secretary of Homeland Security Jeh Johnson, to discuss the problem with members of the E.A.C. and the National Association of Secretaries of State. But Jenkins’s knowledge of election hacking was limited to a conference panel he was on six months earlier about the security of internet voting. Although most American voters cast ballots in person or by mail, 31 states and the District of Columbia offer some form of internet voting to military personnel and citizens living overseas. Jenkins, concerned that Russian hackers might interfere with those ballots, intended to offer election officials a simple plan: “We were going to tell them that internet voting wasn’t safe, and it was a risk factor and you need to not do it.”

But when Jenkins met E.A.C. officials and the executive director of the National Association of Secretaries of State for a brief discussion before the scheduled call, what was supposed to be a half-hour meeting bled into four hours, as he and his staff got a crash course in election administration. Internet voting, they learned, was the least of their concerns; the real problems were the machines used to cast and tally votes and the voter-registration databases the Russians had already shown interest in hacking. The entire system — a Rube Goldberg mix of poorly designed machinery, from websites and databases that registered and tracked voters, to electronic poll books that verified their eligibility, to the various black-box systems that recorded, tallied and reported results — was vulnerable.

In August 2016, though, there was no time to address systemic problems. Many states would begin early voting in five to six weeks, and the machines themselves had to be programmed and locked down well in advance of Election Day. The Department of Homeland Security had to settle for doing Band-Aid security before the election, and even then only with states that requested help — mostly this involved remote-scanning internet-facing servers for known software vulnerabilities that could be patched, and providing a list of security best practices, like making sure vote-tabulation machines were not connected to the internet. Jenkins said the problems the agency couldn’t address were “troubling” but beyond its control. “You could spend years working on connectivity between voting machines and ballot-creating devices and try to get those things fixed,” he said. “But when you’re trying to do something quickly with a group of people who are resource-constrained as severely as election officials are, you kind of have to focus where you can focus.”

Two years later, as the 2018 elections approach, the American intelligence community is issuing increasingly dire warnings about potential interference from Russia and other countries, but the voting infrastructure remains largely unchanged. D.H.S. has now conducted remote-scanning and on-site assessments of state and county election systems, but these are still largely Band-Aid measures applied to internet-facing servers. They don’t address core vulnerabilities in voting machines or the systems used to program them. And they ignore the fact that many voting machines that elections officials insist are disconnected from the internet — and therefore beyond the reach of hackers — are in fact accessible by way of the modems they use to transmit vote totals on election night. Add to this the fact that states don’t conduct robust postelection audits — a manual comparison of paper ballots to digital tallies is the best method we have to detect when something has gone wrong in an election — and there’s a good chance we simply won’t know if someone has altered the digital votes in the next election.

How did our election system get so vulnerable, and why haven’t officials tried harder to fix it? The answer, ultimately, comes down to politics and money: The voting machines are made by well-connected private companies that wield immense control over their proprietary software, often fighting vigorously in court to prevent anyone from examining it when things go awry. In Ohio in 2004, for example, where John Kerry lost the presidential race following numerous election irregularities, Kerry’s team was denied access to the voting-machine software. “We were told by the court that you were not able to get that algorithm to check it, because it was proprietary information,” Kerry recalled in a recent interview on WNYC’s “Brian Lehrer Show.” He was understandably rueful, arguing how wrong it was that elections are held under “the purview of privately owned machines, where the public doesn’t have the right to know whether the algorithm has been checked or whether they’re hackable or not. And we now know they are hackable.”

The ballot box is the foundation of any democracy. It’s not too grand to say that if there’s a failure in the ballot box, then democracy fails. If the people don’t have confidence in the outcome of an election, then it becomes difficult for them to accept the policies and actions that pour forth from it. And in the United States, it’s safe to say, though few may utter it publicly, that the ballot box has failed many times and is poised to fail again.

There are roughly 350,000 voting machines in use in the country today, all of which fall into one of two categories: optical-scan machines or direct-recording electronic machines. Each of them suffers from significant security problems.

With optical-scan machines, voters fill out paper ballots and feed them into a scanner, which stores a digital image of the ballot and records the votes on a removable memory card. The paper ballot, in theory, provides an audit trail that can be used to verify digital tallies. But not all states perform audits, and many that do simply run the paper ballots through a scanner a second time. Fewer than half the states do manual audits, and they typically examine ballots from randomly chosen precincts in a county, instead of a percentage of ballots from all precincts. If the randomly chosen precincts aren’t ones where hacking occurred or where machines failed to accurately record votes, an audit won’t reveal anything — nor will it always catch problems with early-voting, overseas or absentee ballots, all of which are often scanned in county election offices, not in precincts.

Direct-recording electronic machines, or D.R.E.s, present even more auditing problems. Voters use touch screens or other input devices to make selections on digital-only ballots, and votes are stored electronically. Many D.R.E.s have printers that produce what’s known as a voter-verifiable paper audit trail — a scroll of paper, behind a window, that voters can review before casting their ballots. But the paper trail doesn’t provide the same integrity as full-size ballots and optical-scan machines, because a hacker could conceivably rig the machine to print a voter’s selections correctly on the paper while recording something else on the memory card. About 80 percent of voters today cast ballots either on D.R.E.s that produce a paper trail or on scanned paper ballots. But five states still use paperless D.R.E.s exclusively, and an additional 10 states use paperless D.R.E.s in some jurisdictions.

The voting-machine industry — an estimated $300-million-a-year business — has long been as troubling as the machines it makes, known for its secrecy, close political ties (overwhelmingly to the Republican Party) and a revolving door between vendors and election offices. More than a dozen companies currently sell voting equipment, but a majority of machines used today come from just four — Diebold Election Systems, Election Systems & Software (ES&S), Hart InterCivic and Sequoia Voting Systems. Diebold (later renamed Premier) and Sequoia are now out of business. Diebold’s machines and customer contracts were sold to ES&S and a Canadian company called Dominion, and Dominion also acquired Sequoia. This means that more than 80 percent of the machines in use today are under the purview of three companies — Dominion, ES&S and Hart InterCivic.

Many of the products they make have documented vulnerabilities and can be subverted in multiple ways. Hackers can access voting machines via the cellular modems used to transmit unofficial results at the end of an election, or subvert back-end election-management systems — used to program the voting machines and tally votes — and spread malicious code to voting machines through them. Attackers could design their code to bypass pre-election testing and kick in only at the end of an election or under specific conditions — say, when a certain candidate appears to be losing — and erase itself afterward to avoid detection. And they could make it produce election results with wide margins to avoid triggering automatic manual recounts in states that require them when results are close.

Hackers could also target voting-machine vendors and use this trusted channel to distribute their code. Last year a security researcher stumbled across an unsecured ES&S server that left passwords exposed for its employee accounts. Although the passwords were encrypted, a nation-state with sufficient resources would most likely be able to crack them, the researcher noted. Since ES&S creates ballot-definition files before each election for some customers — the critical programming files that tell machines how to apportion votes based on a voter’s screen touch or marks on a paper ballot — a malicious actor able to get into ES&S’s network could conceivably corrupt these files so machines misinterpret a vote for Donald Trump, say, as one for his opponent, or vice versa.

Did anything like that happen in 2016? The Department of Homeland Security, the intelligence community and election officials have all insisted that there is no evidence that Russian hackers altered votes in 2016. But the truth is that no one has really looked for evidence. Intelligence assessments are based on signals intelligence — spying on Russian communications and computers for chatter or activity indicating that they altered votes — not on a forensic examination of voting machines and election networks. “We should always be careful to point out that there hasn’t been any evidence that votes were changed in any election in this way, and that’s a true fact,” said Matt Blaze, a computer-science professor at the University of Pennsylvania and a voting-machine-security expert. “It’s just less comforting than it might sound at first glance, because we haven’t looked very hard.” Even if experts were to look, it’s not clear what they would find, he added. “It’s possible to do a pretty good job of erasing all the forensic evidence.”

Image
Credit...Photo illustration by Javier Jaén. Source photograph: Getty Images

And targeting voting machines is just one way to subvert elections. A hacker (or inside operator) could target voters themselves by deleting their names from the voter roll and electronic poll book — the device used at polling places to verify a voter’s eligibility. Or change their precinct assignments to send them to the wrong location, creating chaos and frustration that causes them to leave without voting. Bad actors could also undermine election results by altering tallies as they are transmitted to county offices on election night or posted to public websites. Although these are unofficial results, any discrepancy between these and official tallies compiled days after an election would sow distrust in the outcome, particularly if the winner of a race changes.

The stakes are high when it comes to election security, and the concerns about Russian hackers are warranted. But the focus on Russia, or any would-be election manipulators, ignores the underlying issue — the myriad vulnerabilities that riddle the system and the ill-considered decisions that got us here. The mad history of election security in the United States is a history of how misguided politicians and naïve election officials allowed an unregulated industry to seize control of America’s democratic infrastructure.

[Read about Amendment 4, the ballot that could enfranchise more people at once than any single initiative since women’s suffrage, but could also change the Florida electorate.]

The ballot box is in the distressed state it is in today because of an overreaction — or rather a wrong reaction — to a previous systemic electoral breakdown: the presidential-election fiasco in Florida in 2000. Everyone remembers the dangling chads that led to a landmark Supreme Court decision and a nation divided over who won. But another election mishap occurred that night that got less attention, despite the fact that it played a significant role in pushing the presidential race into the hands of the justices. This one involved a memory card in Volusia County.

Deborah Tannenbaum had a front-row seat for what occurred that night. A Democratic Party field director in Florida, she refreshed her web browser frequently as returns came in from around the county. At 10 p.m., Al Gore was ahead in Volusia, with 83,000 votes to George W. Bush’s 62,000. Things were going well for Gore across the state, and exit polls projected a six-point lead for him. But then something changed. “I had stepped out, and one of the assistants came, and he’s just like, ‘I need you to come here and verify the numbers,’ ” Tannenbaum recalled. When she looked at the county’s website, Gore’s total had dropped 16,000 votes. Tannenbaum called the county election office, alarmed. “I don’t know what’s going on down there, but you can’t take away votes!” she said.

The mysterious drop would later be traced to Precinct 216, a community center in DeLand, where Gore’s total was showing negative 16,022 votes. It wasn’t the only mathematical absurdity in the tally. A Socialist Workers Party candidate named James Harris had 9,888 votes. But the DeLand precinct had only 585 registered voters, and only 219 of them cast ballots at the center that day.

Unfortunately for Gore, reporters were focused on overall state returns and didn’t notice the funny numbers. At 7:52 p.m., Voter News Service — a consortium of media outlets reporting election results — projected Gore the Florida winner based on exit polls. But when the Volusia County numbers changed at 10 p.m., and Brevard County subsequently posted results inadvertently missing 4,000 votes for Gore, Bush shot into the lead; news outlets retracted their call for Gore and called the state for Bush. Gore was on his way to make a concession speech at 3 a.m. when he learned the numbers were wrong.

Volusia officials blamed the mishap on a faulty memory card. The county used optical-scan machines made by Global Election Systems (a Canadian company later acquired by Diebold and renamed Diebold Election Systems), which the county had used since 1996. When the election ended, poll workers were supposed to transmit results to the county election office via modem; but the transmission failed, so a worker drove the memory card in, where officials inserted it directly into the election-management system to tally results. Logs for that computer, however, showed two memory cards for Precinct 216 inserted, an hour apart. The vote totals went haywire after the second card was loaded.

Beyond the mystery of the two cards, there was another problem with this explanation. A faulty memory card should produce an onscreen error message or cause a computer to lock up, not alter votes in one race while leaving others untouched. And what kind of faulty card deleted votes only for Gore, while adding votes to other candidates?

Ultimately, the phantom card was forgotten in the battle that ensued over dangling chads in other counties. Gore’s team requested manual recounts in four counties, including Volusia, but a Supreme Court ruling on Dec. 12 halted them, though not before Volusia completed its recount. The manual tally of optical-scan ballots in Precinct 216 gave Gore 193 votes, Bush 22 and Harris 0. Bush won Florida, and by extension the presidency, by just 537 votes.

To this day, questions about the Volusia card remain unanswered. Internal emails from Global Election Systems later leaked to Bev Harris, an election-integrity activist, show that the manufacturer itself remained unsure about what happened. When a Volusia County elections worker named Lana Hires requested an explanation from Global, the response was vague. Talbot Iredale, a Global developer, responded that a corrupt memory card remained “the most likely explanation for the problem but since I know nothing about the ‘second’ memory card I have no ability to confirm the probability of this.” He then suggested a more ominous explanation. “There is always the possibility that the ‘second memory card’ or ‘second upload’ came from an unauthorized source.” To which a Global colleague replied: “Heh. Second shooter theory. All we need now is a grassy knoll.”

The memory card in Volusia vividly demonstrated the kind of problems that could occur if states expanded their use of electronic voting machines without proper safeguards. But even as security experts showed how malicious insiders and outsiders could subvert the machines, the warnings went ignored.

A month after the Supreme Court decision, Representative Steny Hoyer, a Maryland Democrat, met with Representative Bob Ney, an Ohio Republican and his colleague on the House Administration Committee, to talk about election reform. Hoyer wanted to make sure that what happened with Florida’s punch cards didn’t happen again. So, unmindful of the lessons of Volusia County, they decided to draft a bill that would push states to get rid of punch-card systems as well as lever voting machines, a century-old mechanical technology still being used in some states, and replace them with new electronic voting systems. But beyond setting parameters to protect civil rights and prevent disenfranchisement, the federal government couldn’t tell states how to run elections.

So Hoyer and Ney devised a workaround: money. Their bill, the Help America Vote Act, or HAVA, offered states $3.9 billion to help administer federal elections and buy new voting equipment. But the money came with a few conditions: States couldn’t spend it on punch-card or lever machines, and if they wanted to use HAVA funds to replace these systems, they had to do so in time for the 2004 presidential elections (or by 2006 if they sought an extension). They also had to offer at least one accessible voting machine at each polling place so that disabled voters could cast ballots without assistance. And they had to consolidate county voter-registration files into a single statewide database to prevent voters from registering in multiple counties. HAVA also created a new agency — the U.S. Election Assistance Commission — to administer the funds to states and to serve as a clearinghouse for election best practices.

Computers had been used in elections ever since the 1960s, when punch cards and computerized card readers and tabulators were introduced. And experts had been warning for just as long about the danger of placing too much trust in them. A 1969 front-page article in The Los Angeles Times described a “war games” exercise to determine if Los Angeles County’s new computerized punch-card readers and tabulators could be rigged without detection. Three computer scientists on the offensive team faced off against three computer scientists on defense. “In each test, the offensive team won,” the paper reported; the team’s “highly sophisticated techniques” were neither detected nor prevented. The importance of paper ballots to back up and verify digital vote tallies was also underscored by numerous election mishaps over the years. In Rock Island County, Ill., in 1984, for every one vote cast for a particular candidate, a computer tabulator gave him two; it also failed to count “no” votes on a referendum. In Moline, Ill., in 1985, a punch-card reader elected the wrong candidate for City Council by failing to properly count some votes; a recount flipped the race.

Hoyer insists that the subject of security and paper trails didn’t come up when lawmakers were developing HAVA. But Rebecca Mercuri disputes this. A computer scientist at Bryn Mawr at the time, she told the House science committee — in a hearing that was meant to inform the lawmakers writing HAVA — that “any programmer can write code that displays one thing on the screen, records something else and prints out something else as an entirely different result. I have freshmen, by the way, who can do this. There is no known way to ensure that this is not happening inside of a voting system.”

The experts also recognized even then that voting machines wouldn’t be secure if there weren’t adequate standards for testing and certifying them. Douglas W. Jones, a computer-science professor at the University of Iowa and the chairman of a board that tested and approved machines used in his state, testified to the science committee that the voting machines available to replace punch-card and lever machines weren’t secure, largely because the standards didn’t require them to be. The standards were created in the 1980s, when security was a nascent field and touch-screen D.R.E.s didn’t exist. He advised lawmakers against issuing large-scale funding for new machines until better standards and machines were available.

But few in Congress took the critics seriously. Although lawmakers did include a provision in HAVA mandating the creation of new standards — with the aim that machines bought with HAVA funds would meet them — the purchasing deadlines they included in the bill forced states to buy their machines before the new standards could be completed in 2005 (they took effect in 2007). In October 2002, the bill passed with broad bipartisan support, and the clock began ticking down to the November 2004 deadline to replace punch-card machines.

And with that, the gold rush was on, as a small group of vendors with little security expertise began lining up to win billions of dollars of federal money. Most of that money ended up going to buy D.R.E.s. In 2000, just 9 percent of American voting precincts were using D.R.E.s. After HAVA passed, the proportion ballooned to 67 percent. The basic technology was not new; the first direct-recording electronic voting machines went on sale in 1974, and touch-screen versions were introduced in the mid-90s. But before HAVA, election officials who wanted electronic machines generally chose optical-scan systems. Each machine was more expensive, but you needed fewer per polling place, because voters could fill out the ballots in simple booths and then quickly scan them.

The new D.R.E. machines did offer real advantages. With direct recording, counties no longer had to print hundreds of thousands of paper ballots or store them for 22 months after a federal election, as federal law required. And the machines could be adapted to voter needs, by displaying digital ballots in multiple languages and font sizes. They also satisfied the accessibility requirement in HAVA, offering Braille keyboards, audio instruction and other aids for physically impaired voters.

Under HAVA, states had to purchase only one accessible machine per precinct and could provide optical-scan systems for other voters. But some counties bought D.R.E.s exclusively, swayed in part by the National Federation of the Blind, which insisted that HAVA, in calling for “uniform and nondiscriminatory election technology,” required states to provide identical equipment for all voters. This interpretation benefited vendors, of course, who were more than happy to sell counties their most expensive systems.

In November 2002, just days after Bush signed HAVA into law, Georgia underwent the nation’s first major test of D.R.E.s. The state had signed a $54 million contract with Diebold to use its paperless D.R.E.s exclusively statewide. As the November midterm elections approached, the company scrambled to get the machines in place for one of the closest races for governor that Georgia had seen — between Gov. Roy Barnes, a Democrat, and his Republican challenger, Sonny Perdue. Perdue won with just 51 percent of votes in a major upset. It was the first time in more than 130 years that a Republican became governor of Georgia. This wasn’t the only upset. Senator Max Cleland, a popular Democrat, went into Election Day leading his Republican opponent, Saxby Chambliss, by three points; he lost by seven.

What happened next highlighted everything that was wrong with electronic voting machines and their vendors. Rob Behler, a contractor who worked in the Georgia warehouse where Diebold prepared its D.R.E.s for the election, came forward to reveal that many of the machines experienced frequent crashes or other persistent malfunctions. Diebold had given workers at least three software patches to fix the problems, he said, but the patches were not examined by the independent lab responsible for testing voting machines or by Georgia officials. Brit Williams, a retired academic overseeing the rollout for the state, denied to me at the time that Diebold installed any uncertified patches, but acknowledged that it did install one patch that a test lab took a “quick look” at.

The Georgia patches underscored a disturbing reality — no one really knew what companies were programming into their black boxes, in part because the lab testing reports were confidential. Election activists and computer-security experts did get occasional glances inside the boxes, though, and what they saw wasn’t reassuring. Months after the Georgia election, Bev Harris, the election-integrity activist, discovered the FTP server that Diebold used to distribute software patches for its machines in Georgia. The server had been left unsecured, and Harris found about 40,000 files on it, including source code for Diebold’s D.R.E.s. She gave the code to computer scientists at Johns Hopkins University, who found several security problems with it, including an encryption key hard-coded in the software, a violation of basic security practices. The key was used to encrypt vote records and audit logs — the most critical data on a voting system — and was the same key for every Diebold system. Anyone who accessed the source code on Diebold’s unsecured server could find the key in the code.

Over the next several years, reports commissioned by officials in California, Maryland and Ohio found more problems with Diebold machines and similar issues with machines from other manufacturers. Problems with voting machines in elections were also making headlines. In 2002 in North Carolina, for example, D.R.E.s made by ES&S failed to record 436 entire ballots during early voting in Wake County, a failure the company attributed to a software bug. Two years later, in Jacksonville, N.C., a D.R.E. made by UniLect lost more than 4,500 ballots when its memory became full and stopped recording; it continued to let voters cast ballots, however, instead of locking up. The incidents that made headlines were disturbing enough, but the real concerns were the ones that weren’t being caught.

The problems with voting machines did not go entirely unnoticed on Capitol Hill. In May 2003, Representative Rush Holt, a New Jersey Democrat, introduced an amendment to HAVA that would require all voting machines to produce a voter-verifiable paper trail and to mandate random manual audits. It was an opportunity for lawmakers like Hoyer, who missed the security issues with D.R.E.s the first time, to make up for the oversight. But still they resisted. Hoyer told me, “I didn’t think Rush was correct” about paper trails. Hoyer and other lawmakers believed that the new voting systems were “in fact reliable and secure and user-friendly. Now I think in retrospect we were obviously wrong, because our premise was the machines were not subject to being hacked. And now we know.”

The troublesome 2004 presidential election in Ohio, in which Kerry was denied access to the voting software, provided a strong case for why paper and audits were necessary. A lot of Ohio counties still used punch cards, but some had adopted D.R.E.s and optical-scan systems. For one precinct of Franklin County, which used D.R.E.s made by a company called Danaher Control, the election-management system tallied 4,258 votes for Bush, though only 638 voters cast ballots. When officials pulled votes stored in the D.R.E., Bush’s total was 365. In Mahoning County, voters using 25 D.R.E.s made by ES&S found that when they touched the screens to vote for John Kerry, the machines interpreted it as a vote for Bush, not an uncommon problem when touch screens are poorly calibrated. “Undervoting” — when a ballot shows no vote in a particular race — was also exceptionally high in the state. Democratic precincts across Ohio had 75 percent more undervotes than predominantly Republican ones. In two precincts in Montgomery County that used punch-card machines, the computer tabulators indicated that 6,000 ballots had no vote for president — an undervote rate of 25 percent, while 2 percent is normal. A congressional inquiry found “numerous serious election irregularities” in Ohio but ultimately couldn’t conclude whether fraud had occurred.

The incidents in Ohio demonstrated that American elections still had integrity problems, but there was little constituency for change. In 2005, Holt introduced a variation of his 2003 reform bill, and once again it quickly died, in part because voting-machine vendors launched a formidable lobbying effort to quash the requirement of paper trails. Some state election officials joined the effort, arguing that adding printers to D.R.E.s would create problems for elderly poll workers if the printers jammed or ran out of paper. The American Association of People With Disabilities was also remarkably effective in lobbying against paper trails, arguing that they discriminated against blind voters, even though the same audio that assisted blind voters to mark their digital ballot could read the paper trail to them. The association persuaded the League of Women Voters and the American Civil Liberties Union, two politically powerful groups, to oppose paper trails as well.

A second major undervote incident with D.R.E.s in 2006 also failed to move Congress. In Sarasota, Fla., more than 18,000 ballots cast on D.R.E.s made by ES&S showed no vote in the race for the 13th Congressional District. Kathy Dent, the supervisor of elections, insisted that voters either didn’t see that particular contest or intended to leave it blank. But documents I obtained through a public-records request showed that poll workers in 19 precincts called her office on Election Day and during the primary months before it to pass along voter complaints about the machines. Many reported that when they tried to vote for Christine Jennings, a Democrat, the screen failed to register their touch. Jennings lost by fewer than 400 votes. The incident led Florida — the state whose punch-card fiasco prompted the nationwide switch to paperless D.R.E.s — to mandate the use of voter-marked paper ballots. But when Holt reintroduced his bill in Congress in 2007 and 2009 to do the same, he still couldn’t get any interest.

Despite this proliferation of voting-machine problems, the industry was expanding its reach and control, even as it was concentrating power into fewer hands. By 2010, ES&S was so big — it had bought Diebold’s election division and controlled more than 70 percent of the market — that the Justice Department filed an antitrust suit and required it to sell off some of its assets. Many election officials, baffled by the new technology and unable to hire dedicated I.T. staff, purchased complete suites of election services from vendors, services that in some cases included programming ballot-definition files for voting machines and assisting with tabulation. It became common to see voting-machine employees or their local contractors in election offices before, during and after elections, and in some cases even working in election offices full time. ES&S, for instance, even installed remote-access software and modems on election-management systems to gain remote access to them from its Nebraska headquarters to troubleshoot when things went wrong. And when things did go wrong with machines, it was often the vendor who investigated and supplied the explanation that was fed to the news media and the public.

The companies also expanded their reach into other parts of the elections process. Some states built their HAVA-mandated voter-registration databases in-house, but some outsourced this to Diebold and ES&S, the companies that made their voting machines, as well as to other firms. And once these centralized databases were in place, the vendors saw an opportunity for another revenue stream: They persuaded states to replace paper poll books — the lists poll workers use to verify that voters are registered — with electronic poll books that could sync with the statewide databases. The software on these devices didn’t have to undergo testing and certification the way voting machines do, and there were inevitable problems — in 2006 in Denver, Sequoia electronic poll books crashed extensively, creating long lines for an estimated 20,000 people who left without voting. In 2008 in Georgia, Diebold electronic poll books caused delays lasting more than two hours.

Over the years, as election officials became more comfortable with their voting equipment, many jurisdictions who gave control to vendors gradually took it back, but there are still districts where vendors and contractors are involved in every phase of elections, from writing the software that registers voters and determines their eligibility to cast ballots, to programming machines and counting the votes. And it’s not clear to what degree, if any, they’re subject to oversight.

Sixteen years ago, lawmakers led Americans to believe that they had solved the problems of Florida in 2000. But the 2016 election made it clear that the problems simply shifted from one technology to another. Once again, lawmakers are proposing fixes that they say will help address the current state of elections, and once again, those proposals fall short.

Legislators have introduced several bills that propose to bolster security, in part by mandating paper trails and manual audits. But only one of them, the Secure Elections Act, has advanced, and in the process it has been significantly watered down. In August, Republican lawmakers weakened the bill by allowing officials performing audits to rely on the digital images of paper ballots stored in optical-scan machines — images that can be manipulated by hackers and others, security experts say.

This year, Congress appropriated $380 million to states to pay for security upgrades and replace some of the machines that were bought with HAVA funds more than a decade ago, in the belief that this will make elections more secure. But the new machines have the same problems as the ones they will replace — all machines on the market today were tested and certified to the standards HAVA put into effect in 2007, and technology has evolved considerably in the last decade. The Election Assistance Commission and its technical-guidelines committee are completing new standards, but it will be at least another two years before any machines will be tested and certified to them.

Even those standards will almost certainly be inadequate. They will, for instance, most likely continue to exempt commercial off-the-shelf components from testing. (If a vendor uses the Windows operating system or a commercial modem in its machines and asserts that it hasn’t altered them, the labs don’t look at those components.) And they probably won’t require labs to do “penetration testing” to see if they can hack voting systems — one of the most effective ways to measure the security of a system. “These companies have seized a central role in our democracy,” said Senator Ron Wyden, an Oregon Democrat who is one of a small group of lawmakers who have shown a willingness to demand more transparency from the vendors. “But rather than recognizing that cybersecurity needs to be their top priority, they treat it as a public-relations problem that can be dismissed with spin.”

The valuable work of testing system security has been taken up voluntarily by security researchers like the Finnish computer programmer Harri Hursti, J. Alex Halderman of the University of Michigan and the participants at the recent Def Con Voting Machine Hacking Village. But the researchers face hostility and sometimes even legal threats from vendors, who want to prevent them from finding and exposing problems with the machines. Before the Def Con event this year, which received unprecedented support and interest from election officials, ES&S and other vendors sent comments to the United States Copyright Office expressing opposition to a proposed exemption to the Digital Millennium Copyright Act that would expand the rights of researchers to reverse-engineer election software.

Even now, when the country is desperate to prevent Russian hackers from interfering with future elections, the company is more focused on asserting proprietary control over its systems than on working with communities of researchers who want to secure them. In addition to the comments it sent the Copyright Office, it also sent a vaguely threatening letter to its own customers, warning them against helping researchers by providing them with voting-machine software to examine. In that letter, ES&S reminded election officials of an essential fact: The American people don’t own the software that now sits at the heart of their democracy; they just lease it.

A correction was made on 
Oct. 1, 2018

An earlier version of this article referred imprecisely to an area in Ohio where 638 voters cast ballots in the presidential election of 2004. It was in one precinct in Franklin County, not the county as a whole.

How we handle corrections

Kim Zetter has covered cybersecurity for more than a decade. She is the author of “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.”

A version of this article appears in print on  , Page 39 of the Sunday Magazine with the headline: The Crisis of Election Security. Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT