A friend of mine who is a doctor asked my advice, as a software engineer, on how best to safeguard our elections. Which, after all, are pretty much our only hope for escaping from the nightmare we wake up to every morning. She was expecting I would talk about encryption methods, error estimation, statistical sampling, or cybersecurity.
My answer was little old ladies.
(And before you fellow little old ladies become offended, I’m pretty little, a lady, and gettin’ old. Already have grey hair. So don’t get antsy on me.)
It is virtually impossible to hack a heterogeneous system where the ballots are hand counted locally in each precinct, and the totals that are locally hand counted are immediately reported publicly to the web before going through any central hub. And the closer we are to such a system, the better.
What would a would-be hacker do? Send volunteer ballot counters from out of town? Recruit thousands all over the country? But many true volunteers who have been poll watching for decades would be involved too, and would be watching and verifying the local counts. Change the totals? But the local totals would have been made public by local volunteers, and could simply be added up.
We need less computer involvement, not more. The only important computer-related thing is to put the totals immediately on the Net, under control of one or more local volunteers.
I understand that election officials put a huge amount of effort into safeguarding our elections, with multiple poll watchers, investment in software and infrastructure, and I appreciate that. But whatever safeguards are in place, immediate, public reporting at the precinct level is critical. Only local transparency can avoid any possibility of hacking or adjusting numbers in a central location. This also means that mail-in ballots are more subject to hacking, because they are all counted in one place, and subtotals are not public.
Any system that relies on computer code for security is only as secure as the code, the database, and the network are. Multiple remote backups are good, but only if there never was a time that the total was stored in exactly one place and subject to modification. Open source code is good, but unless someone is verifying that exactly that code, with a checksum, is installed on each voting machine, and nothing else, at all the times when voting or totaling is occurring, it's not enough. Statistical sampling helps to detect fraud after the fact, but then it becomes a debate as to whether or not fraud occurred, and what to do about it.
Dr Halderman, professor of Computer Science, made a call for paper ballots in November. He also points out that we really cannot tell if a cyberattack changed the result of the election in November — without actually checking the physical evidence immediately afterwards, we cannot rule it out. The Washington Post ran a detailed analysis of the recounts in Wisconsin and Michigan, which appear not to indicate vote tampering in November, but also some weaknesses in our ability to determine that. Whether or not it did happen, we want to make sure it doesn’t, and that we can tell the difference.
It's unlikely that many precincts will return to actual hand-counting, but the closer we are to that the better. We should at least have hand-counted sampling on election day, to make sure the voting machines are not behaving differently on election day than they were in practice. Machines should be dead simple, just counting dots on actual paper ballots and recording totals, and local humans should have access to the totals, rather than automated reporting to a central server.
The ballots should be immediately available for sampling and counting, and the machines should be able to report subtotals at any point, so they can be compared against the ballots counted up to that point. Ideally the machines should count the ballots in batches of manageable numbers, say a thousand or two each, with a bag of paper ballots corresponding to each batch, and several random batches should be sampled and hand counted at every precinct at every election. And if a batch is bad, the local election staff and volunteers should have the ability to immediately put that machine out of operation, and to raise a public alert without asking anyone for permission.
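One way to carry out the batch audit described above, as an added example that is not part of the original post: the machine reports a subtotal per bag, a publicly seeded random sample of bags is hand counted, the hand counts are compared to the machine, and any mismatch is a pull-the-machine decision. All counts are constructed; the bag names, candidate labels and function names are my own.

```python
import random

# Constructed sample: one precinct, six bags of ~1000 paper ballots, machine subtotal per bag.
MACHINE_BATCHES = {
    "bag-01": {"A": 512, "B": 480, "blank": 8},
    "bag-02": {"A": 498, "B": 495, "blank": 7},
    "bag-03": {"A": 530, "B": 461, "blank": 9},
    "bag-04": {"A": 505, "B": 490, "blank": 5},
    "bag-05": {"A": 488, "B": 507, "blank": 5},
    "bag-06": {"A": 520, "B": 474, "blank": 6},
}

# Constructed hand counts: match the machine except bag-04, where 20 paper ballots for B were credited to A.
HAND_COUNTS = {bag: dict(counts) for bag, counts in MACHINE_BATCHES.items()}
HAND_COUNTS["bag-04"] = {"A": 485, "B": 510, "blank": 5}


def precinct_totals(batches):
    """Add up the per-bag subtotals; this is the figure posted publicly by local volunteers."""
    totals = {}
    for counts in batches.values():
        for choice, n in counts.items():
            totals[choice] = totals.get(choice, 0) + n
    return totals


def select_batches(batch_ids, k, seed):
    """Choose k bags to hand count. The seed must be fixed in public (e.g. dice rolled
    in front of observers) so nobody can steer which bags get checked."""
    return sorted(random.Random(seed).sample(sorted(batch_ids), k))


def audit(machine, hand, sampled):
    """Compare hand counts with machine subtotals for the sampled bags.
    Returns {bag: {choice: hand - machine}} for every disagreement; a
    non-empty result means pull the machine and raise the public alert."""
    discrepancies = {}
    for bag in sampled:
        diff = {c: hand[bag][c] - machine[bag][c]
                for c in machine[bag] if hand[bag][c] != machine[bag][c]}
        if diff:
            discrepancies[bag] = diff
    return discrepancies


def machine_status(machine, hand, sampled):
    """'ok' if every sampled bag matches the paper, otherwise 'pull'."""
    return "pull" if audit(machine, hand, sampled) else "ok"
```

Note that a sample which happens to miss bag-04 reports "ok", which is why the post asks for several random batches at every precinct rather than one.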
We can trust a system that each of us can clearly understand and inspect parts of and that is controlled by people we know — local volunteers and individuals who are members of the community.
Please don’t be snowed by technical sounding assurances. Fight to keep local control of our elections.