Jessie G Taft
DL Seminar | The Right to Vote Securely
Updated: May 11, 2022
Individual reflections by Zoe Tan and Clare Dobbin.
By Zoe Tan
In the Digital Life Research (DLI) Seminar on February 24th, the speaker Sunoo Park talked about the security of election technology in the US. American elections rely on outdated and vulnerable technologies. Sunoo pointed out that the vulnerabilities are surprisingly basic and that basic security practices are not being followed. For example, some of the machines do not have passwords for administrative functions like reprogramming the machine or resetting the vote counter. Others have passwords that can easily be Googled because they appear in user manuals that are publicly available online. With all these problems, and with research that has been taking place over decades, what has been done to fix these security vulnerabilities? When faced with vulnerability reports, election technology vendors have reacted in a number of ways, including ignoring them and leaving them unaddressed in machines that have been used in many states for over a decade. In some cases, they falsely claimed that the vulnerabilities were not actually significant, or falsely claimed to have fixed the vulnerabilities when researchers later found that they had not done anything about them. Generally speaking, these vulnerabilities have been known for a long time; however, remarkably little has happened to change the situation.
Sunoo also talked about the history of the election system and how we ended up in a situation where there is all this insecure equipment and nothing can be done to address it. As a federal intervention, the Help America Vote Act (HAVA) was passed to reform different aspects of election administration. However, Congress didn’t appropriate a sufficient amount of funds, and HAVA itself didn't set precise or binding technical standards for election equipment, which limited how much the federal government has been able to administer. Meanwhile, the President delayed appointing EAC commissioners for months past the deadline stated in HAVA, so the EAC couldn’t issue technical guidance before states contracted to replace their equipment. This led to a massive deployment of faulty, flawed, and expensive equipment, which has led to security and integrity crises for which there are no clear-cut legal remedies.
To think about what we can do about it, as a scholar and researcher, Sunoo’s recent research has been looking at how technology can help enhance election security and also how technology can harm election security. Sunoo introduced a simplified version of election security: 1) Casting: Every eligible voter must have a meaningful opportunity to cast exactly one vote for the outcome of their true preference; 2) Counting: The reported election outcome must accurately reflect the votes cast by eligible voters; 3) Checking: In case the previous two requirements are not met, the system must clearly and reliably indicate its failure to the electorate. To further expand on these three requirements, Sunoo proposed several key areas to be addressed in election security legislation, including mandating durable voter-verifiable evidence of cast votes, opening election technology, and opening testing and audits. For durable voter-verifiable evidence, voters should be able to directly verify the authoritative record of their vote, which means that the version that will be used for counting and auditing should be durable, that is, likely to persist unchanged during and after the election. In terms of the second issue, Sunoo illustrated that today, election technology is highly proprietary, and there is barely any information on how much these machines are sold. This is bad for security and it also fails to provide credible public assurance that the system works and errors are caught. Furthermore, the third part of the legislation is that being open to scrutiny is necessary but not sufficient because we want to make sure that people actually check it. Therefore, additional requirements should include routine system-wide security audits, with the results and procedures made public. Meanwhile, post-election audits, which provide statistical confirmation of the correctness of election outcomes, should be required as a routine thing as well.
Such legislation is extremely important to people who do not trust the election system. For example, due to President Trump's continuous claims of election fraud, many American voters increasingly lacked confidence and were suspicious about mail-in voting. With the legislation that Sunoo suggested, their previous doubts can be easily dissipated. In terms of the larger landscape of digital life, such legislation is important as well because people would have a legal guarantee that their choices are accurately reflected in the outcome.
Finally, Sunoo ended the talk by emphasizing that making technical security enhancements will not fix the misinformation problem; however, not making technical security enhancements will worsen the misinformation problem and leave our elections hackable.
By Clare Dobbin
In her talk “The Right to Vote Securely,” Sunoo Park discusses the election technology currently in use throughout the USA. American elections rely on outdated and vulnerable technology; the EVEREST Report stated in 2007 that American voting equipment “uniformly fail[s] to adequately address important threats against election data and processes.” This is due to the fact that security researchers (as of 2019) were able to hack election devices in a variety of ways (e.g. changing vote tallies or changing what is displayed to voters).
With basic vulnerabilities ingrained in our voting technologies, attackers are able to easily reprogram machines to their will. Park describes the state of vulnerabilities as “equivalent of not having passwords.” These machines are so insecure that researchers were able to access key information simply by plugging in a USB keyboard.
It turns out that it is not common practice for election officials to do security reviews. Even with widespread media coverage, flashier election news (see: Can Trump decide when to stop counting votes?) steals most of the attention. As a result, “remarkably little” has been done to change existing vulnerabilities.
How could this have happened? As Park explains, the USA’s complicated election history is a major factor. With a problematic beginning (in the first 50 years, only select white men could vote – publicly, shouted at the courthouse – to receive alcohol if they chose the “right” candidate), the election landscape has changed dramatically. However, insecurities have plagued election results throughout. In 2000, problems with the Bush v. Gore election led to election reform such as the “Help America Vote Act” of 2002 and the creation of the Election Assistance Commission. However, with insufficient funds from Congress and no precise technical standards for election equipment, the outcome was described by Douglas W. Jones and Barbara Simons as “a massive deployment of faulty, flawed, and expensive equipment [which] has led to security and integrity crises for which there are no clear-cut legal remedies.”
Park proposes solutions from two perspectives: technical and legal. She asks the question “how can technology help enhance election security?” while keeping in mind how this same technology might harm it. On the legal side, an issue remains that the insecurity of the election system is not technically illegal. The US Constitution does not state a right to vote; it only implies it. The right to vote securely is a greater beast. Lawsuits have been called, but the claims are proven unsubstantiated. However, Park explains there are three ways this technology might qualify as unconstitutional: if it is considered a burden on the right to vote (Anderson 1982 and Burdick 1991), if voters are subjected to “arbitrary and disparate treatment” (Bush v. Gore 2000), and if the relative weight of certain voters’ ballots is diminished by the state.
So, Park asks “how should law promote secure elections?” – and simplifies it into three categories:
Casting: every eligible voter – and nobody else – must have a meaningful opportunity to cast exactly one vote for the outcome of their true preference.
Counting: the reported election outcome must accurately reflect the votes cast by eligible voters.
Checking: In the case the previous two requirements are not met, the system must clearly and reliably indicate its failure to the electorate.
These three Cs can be synthesized into Confidentiality, Integrity, and Availability.
The simplest way to guarantee these criteria is through a paper-based system with transparency measures. With a literal paper trail, counts can be easily checked and guaranteed. Furthermore, an attack against a constantly-supervised paper ballot system is nearly impossible at scale.
A paper-based system also guarantees voter-verifiability – voters can easily check the authoritative record of their vote, and this record is in a tried-and-true durable format. This could also be guaranteed through machine-marked ballots where the authoritative record is checked before casting.
With the current state of highly proprietary election technology, security is weak and credible public assurance that the system works (and errors are caught) is not provided. Park proposes that new legislation should “require transparency of design, code, manufacture, supply chains, chain-of-custody records, audit logs, and other internal state, inputs, or outputs that are reasonably necessary to verify the correct functioning of election technology.”
However, opening up the technology to widespread scrutiny is just the start. Park explains that to ensure quality elections, there must be routine security audits, research into security weaknesses, post-election audits, and empirical usability, accessibility, and security studies on election technologies. Critically, those who conduct research must be legally protected - something that is not currently guaranteed. Through these suggestions, Park’s research guides a way towards secure elections in the USA.