Hacking Democracy
It seems like not a single day goes by that there isn’t a major news story about worries of election interference, voting machines, & how our country is going to protect election infrastructure.
Over the last few months report after report has come out from a wide range of governmental and non-governmental organizations with recommendations on how states can improve their election security. The recurring theme from these reports is simple. Use paper ballots and perform robust statistically based post-election audits. Is our state meeting these recommendations? It turns out, we have some work to do.
Does Washington require all ballots to be returned on paper?
As a vote by mail state, you might think all of our votes are submitted on paper, but where we aren’t meeting the paper ballot standard is with email return of ballots.
Washington allows service and overseas voters to return their ballot via email attachment or fax, and there is no requirement that they additionally mail in their paper ballot. Washington also allows all voters, even those residing in state, to return their ballot via email attachment. Without a doubt, Washington has the most lenient email ballot return laws in the country.
In the November 2016 election, over 17,000 ballots were returned via email or fax statewide. Once a marked ballot is uploaded onto a voter’s computer, it is no longer a paper ballot. It is a digital file. And digital files can be manipulated in a number of different ways.
What are some of the security concerns with returning a ballot by email?
Email is an insecure method of transmitting a marked ballot across the Internet. Email is not encrypted therefore ballots can be intercepted, deleted, and modified in transit by a number of different mechanisms without either the voter or the election official knowing. In addition, when election officials download ballot file attachments, the attachments can carry malware into an election network.
Can machines that are not tied into the internet be vulnerable to malware?
It is a common misconception that voting machines (including ballot scanners) operate in complete isolation from the Internet. Machines require software programs in order to operate, and typically software is written on computers that are connected to the Internet. When software programs or updates are installed on the voting machines via removable media, this can be one mechanism for malicious actors to gain entry into a voting or tabulation system.
How can audits help secure our elections?
In depth reports detailing election vulnerabilities have described Washington’s past post-election audits laws as “unsatisfactory”. Post-election audits provide a means for election officials to detect fraud, tampering, and errors. During the 2018 legislative session a bill was passed, sponsored by Representative Zack Hudgins of the 11th LD, giving county auditors the option to perform post-election risk-limiting audits. Risk-limiting audits are resoundingly recommended by numerous national election integrity organizations, including the LWV.
What are risk-limiting audits?
Risk-limiting audits are a statistically based post-election audit that limits the risk of election officials certifying an incorrect election outcome. Compared to other audit methods, risk-limiting audits have been found to be efficient, and cost-effective. The number of ballots audited depends on the margin of a race. Ballots are randomly chosen and manually compared to either the cast vote record or to batch tabulation totals until there is strong evidence that the election outcome is correct. Risk-limiting audits are currently the gold standard of ensuring that election outcomes are accurate with high confidence
How can we protect our elections?
With the current state of technology, paper ballots and robust post-audits are recommended by cybersecurity and election security experts in order to safeguard our elections. Paper ballots, either marked by hand or with an assistive device, provide a means for voters to verify their vote. And the paper gives election officials a record of every vote cast. Statistically based manual post-election audits, such as risk-limiting audits, provide a means for detecting and correcting any errors or incorrect election outcomes. Both are needed in order to protect and recover from election interference.
Would you like to help?
Being able to have confidence in election outcomes is a cornerstone of democracy. Contact Kirstin Mueller to learn more about how to get involved.
Hacking Democracy Event Summary
On Thursday March 29th, the LWV of Seattle King County and LWV of Washington teamed up with the UW CIAC (Center for Information Assurance and Cybersecurity) to host a forum on Election Security. The evening included an overview of cybersecurity concerns surrounding voting systems, and a panel discussion with election security questions specific to Washington State
Thank you to everyone who attended the forum, and to all those whose time and contributions made this event a success. The forum was recorded, so you can view it here!
The following day, Kathy Sakahara, the LWVWA Elections Chair and Kirstin Mueller, the LWVWA Election Security Chair, met with state policymakers and cybersecurity experts to discuss election security in Washington. A lot of great topics were covered, and Kirstin demonstrated how easily an email ballot attachment can be intercepted and manipulated without detection by the voter or an election official. Based on the response, we are enthusiastic about continuing to work with legislators and others to advocate for best practices in this area.