Election Integrity: Problems with Black Box Voting by Janet Maker
This is the sixth blog in our series examining election integrity
Those who cast the vote decide nothing; those who count the vote decide everything –Attributed to Joseph Stalin
In our previous blog about the 2016 presidential recount we noted that the term black box voting was popularized by Bev Harris, owner of the website and author of the 2004 book by the same name. The book defines black box voting as “Any voting system in which the mechanisms for recording and/or tabulating the vote are hidden from the voter, and/or the mechanism lacks a tangible record of the vote cast.“
Early Electronic Voting
Voting with the aid of computers began in the late 1960s. A rapidly expanding electorate in cities such as Los Angeles required voting equipment that accommodated large masses of voters at an affordable price. One possible answer was the punch card. At the time, punch cards were a common method of computer data entry, and it was easy for programmers to write programs for business computers that could tally the vote. Voters could punch their ballots at local precincts and drop them into ballot boxes and, after the polls closed, the ballot boxes could be collected and taken to a central location where the ballots could be fed into the computer for tallying.
With advances in technology, different methods evolved both for casting votes and for tallying them. For example, mark-sense ballots were often used instead of punch cards, and after the invention of mini-computers, each precinct could have its own vote-tallying machine. The ballots from each precinct would not need to be sent to a central computer; summaries could be sent instead.
There were reports of miscounts from the earliest days. For example, Bev Harris’Black Box Voting (p. 6) documents one election with a proven miscount in 1971. In a Las Vegas race for a seat on the city assembly, Democrat Arthur Espinosa was declared the winner. Republican Hal Smith challenged the results because he noticed that a faulty voting machine had failed to count all the votes. After the votes were recounted, Smith was declared the winner. This sort of thing has happened regularly in many elections over many years, but people tend not to investigate the reasons for the miscounts. Bev Harris says (p. 6),
Vendors have learned that reporters and election workers will believe pretty much anything, as long as it sounds high-tech. They blame incorrect vote counts on “a bad chip” or “a faulty memory card,” but defective chips and bad memory cards have very different symptoms. They don’t function at all, or they spit out nonsensical data.
There seems to be a widespread assumption that both the vendors and the purchasers of voting equipment are behaving in an ethical manner. However, this cannot be assumed. An example of the problems with private ownership of voting equipment is The Shoup Voting Machine Corp, which was involved in bribery of public officials to sell its machines. The following is quoted from Wikipedia:
In July 1971, United States Attorney General John N. Mitchell announced that the Shoup Voting Machine Corp. of Philadelphia, its subsidiary Southern Municipal Sales, Inc., Shoup president Irving H. Myers, company executive vice president Martin V. Schott, several other Shoup employees, and other individuals had been indicted by a Philadelphia grand jury for a total of four indictments for bribery, mail fraud, and conspiracy. According to one indictment, “Shoup officials conspired to sell 200 machines to Hillsborough County”, Florida, for $530,700 using bribery, then bought 180 back as scrap for $5,400. Another indictment charged that Shoup officials then bribed an official of Harris County, Texas, to buy 100 of them. On March 1, 1972, the Sarasota Herald-Tribune reported that Shoup had changed its plea from innocent to no contest and was fined $45,000, while a former salesman had changed his plea to guilty and received a sentence of 181 days. In 1972, C. H. “Sammy” Downs, a former Louisiana state senator serving as his state’s public works director in the administration of Governor John McKeithen, resigned when he was indicted by a federal grand jury for bribery in connection with procuring state business for the Shoup company. The firm was also indicted in the case. In the 1973 trial, the case against Downs, pushed by U.S. Attorney Gerald J. Gallinghouse of New Orleans, resulted in a hung jury.
Although this example does not involve changing the vote tally, we can probably assume that if vendors and public officials will commit one type of fraud for money, they are likely to be willing to commit other types as well.
In 1974, the first Direct Recording Electronic (DRE) voting machine was patented. Known as the Video Voter, it was first used in real elections in 1975, near Chicago, Il. DREs do not use any ballots. Instead, the voters use touch-screen terminals or push-buttons to record their votes. Votes are stored on a memory card, disk, or other device, and election officials can take these devices to a central location for tabulation. More recently, some machines can send the results over the Internet.
The problem with the lack of a hard-copy ballot is that there is nothing that can be recounted, so there is no way to verify the reported results. If the 1971 election had used DREs, Espinosa would have remained the winner, and Smith would have had no way to know about the uncounted votes. (Voter verified paper audit trails, or VVPATs, were not used in the U.S. until 2002, and they have their own problems, which we will discuss later.) In the 2016 election, five states — New Jersey, Delaware, Georgia, Louisiana and South Carolina, as well as many jurisdictions in other states —cast votes on DREs with no paper trail.
Many people consider optical-scanned ballots to be safer than DREs because there is a paper ballot that can be recounted or audited, but elections using scanners have been flipped from the beginning. For example, Bev Harris discusses (p. 42) a report from an election official in a California district in 1980. Jimmy Carter beat Ronald Reagan by a large margin in that district, but the scanner reversed the results, giving Carter’s votes to Reagan and vice versa. This came to light because there was an audit in which the ballots were hand counted, but when the election official requested that the state of California do more audits to see whether the same thing was happening in other districts, her request was ignored. Unfortunately, audits are rarely done, and in some states they are illegal, as we saw in our November blog about the recount in Michigan. Where there is no system for proper audits, optical scanners are no safer than DREs.
Problems with voting technology
The two main issues for election integrity have always been (1) accuracy of the computer recording the voter’s choices, the “vote-casting problem” and (2) the accuracy of the computer software that generates election results, the “vote-tallying” problem.
Possibly the first significant alarm raised was in 1969 by two computer scientists in Los Angeles who stated publicly that a vote-tallying program could be rigged by the addition of an undetectable bias routine. Research has consistently revealed the shocking ease of hacking any voting machine’s “black box” technology. A single person with access to a machine can easily and inexpensively manipulate how it functions, in ways such as the following:
- They can add malicious code to the software that will alter vote totals. Hiding functions in software programs is known as putting in “back doors.” Bev Harris has a long list of different, very creative back doors that hackers have installed (Black Box Voting, pp. 43-46).
- They can also tamper with the machine’s hardware. For example, some of the machines require voters to use smartcards to vote. Fraudulent smartcards can record multiple votes or they can be pre-loaded with votes.
- Both regular and absentee ballots are usually counted by optical scanners. The tally can be changed by hacking either the scanner or the central tabulator. The actual ballots are available, but nobody is allowed to count them by hand.
- Election results that are sent over the Internet by computer or cell phone from a precinct to the regional counting center could be vulnerable to a man-in-the-middle attack. This means that the results are routed to an intermediate web site where the man in the middle flips the votes in favor of a certain candidate before forwarding them to the regional counting center. Sending vote results over the Internet violates the chain of custody. Memory cards or disks should instead be placed in locked containers and physically delivered to the counting centers.
- Voter registration and electronic pollbooks are also computerized, and there have been many cases of purging of certain groups of voters from the rolls.
Researchers have proven that elections can be stolen using techniques like these, and they have also recommended ways to prevent the stealing of elections. Protecting our elections is not very difficult. However, there are two reasons why the necessary protections have not been put in place. The first is that voting machines are owned by private companies and have proprietary software. Most will not allow access to the source code, so we have no way to verify that the machines are not rigged. The second problem is that for the most part, election administrators have failed to adopt the recommendations that would make elections safer. There have never been consistent, mandatory security standards governing the operation of computerized voting, so vendors have had a relatively free hand selling their flawed products.
So how many elections have been stolen? First, we need to understand that rigging even a national election is not as huge a task as one might think. You do not need to have hackers working in all 50 states. Because of the Electoral College, you only need to focus on the machines in the swing regions of swing states. In 2016, the states that gave the election to Trump were Michigan, Wisconsin, and Pennsylvania. What happened there is discussed in November’s blog. Another example is the 2004 presidential election, in which Ohio gave the election to Bush; later we will be discussing the strange things that happened there.
However, there are all kinds of elections at all levels of government: municipal, county, state, as well as party primaries like the ones run by the DNC in 2016, and all of them can be rigged.
Although it is probably impossible to prove whether or not rigging was intended, we can document elections with results that range from suspicious to impossible. Bev Harris documents 100 such elections in her book, and says that she could easily have documented hundreds more if she had the space. Her book was published in 2004, and we have evidence that such cases have only increased as the technology has become more sophisticated. Here are some examples from Harris (pp. i-vii):
- September 1986, Dallas, TX: The number of voters changed on different computer printouts but the votes for individual candidates remained the same
- November 1988, Hillsborough, Broward, and Dade counties, FL: There was a large reduction in Senate votes compared to previous elections, but only in counties that used computerized voting.
- November 1990, King County, WA: After the election ended, some votes for Democrats disappeared from the tally, and votes for Republicans mysteriously appeared.
- 1994, New Orleans, LA: Candidate Susan Barnecker videotaped votes for herself being recorded for her opponent. (The video footage can be viewed in the documentary, The Big Fix 2000.
- November 1995, Bergen County, NJ: Computer tallies rose and fell by 8,000 to 9,000 votes for no discernable reason.
- November 1996, Guadalupe County, TX: The machine tallied more votes than the number of ballots cast.
- 1998, Tucson, AZ: 9675 votes went missing and it was discovered that no votes were recorded in 24 precincts.
- November 1999, Norfolk, VA: Machines tallied zero votes, even though votes had been cast.
- November 2000, Davidson County, NC: Computers counted 5000 early voting and absentee ballots twice.
- November 2000, Albuquerque, NM: The machine withheld 60,000 votes from the count
- March 2002, Palm Beach County, FL: Votes for one candidate recorded for another candidate.
- March 2002, Medley, FL: Voting machines gave the town council election to the wrong candidate.
- November 2002, Palm Beach, FL: Votes were tabulated for 644 precincts, but only 643 precincts had voters in them.
- November, 2002, NJ: A reporter observed 104 precincts with votes even though the area only had 102 precincts.
- November 2002, Dallas, TX: When voters pushed Democrat, they recorded as Republican.
- November 2002, SC: More than 21,000 votes were uncounted.
- November 2002, Taos, NM: Computer counted votes under the wrong names.
- November 2002, PA: Voters reported voting Libertarian, but zero votes for the Libertarian candidate were recorded.
- November 2002, FL: When voters tried to vote for Bill McBride for governor, the votes recorded for Jeb Bush.
- November 2002, St. Bernard Parish, LA: With a 34-vote margin between two candidates, the machine ate 35 votes and nobody could access them.
- November 2002, NB: When Democratic candidate Charlie Matulka tried to vote for himself, he discovered that his optical-scan ballot had been already filled out for Republican Chuck Hagel.
- January 2003, Everett, WA: 21.5% of the ballots in 28 precincts were not counted.
U.S Manipulation of foreign elections
The most important thing to keep in mind is that for every error that has been detected, there are no doubt many more that have never come to light. Probably many of the errors were unintentional, but it is likely that others were planned. We know that the United States knew how to manipulate elections because the CIA has been doing it overseas for many years.
After World War II, United States foreign policy was devoted to spreading and supporting what the U.S. called “democracy” but which others called corporate capitalism, throughout the world, often against the will of the people.
In 1975, the United States Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities, also known as the Church Committee, was tasked with investigating abuses by the intelligence agencies (CIA, NSA, FBI, and IRS). During this investigation, the CIA admitted that it was engaged in 5000 “benign” operations in foreign countries. These operations covered a wide range of activities, but they included electronic election rigging. Carnegie Mellon researcher Dov Levin has an historical database that tracks U.S. involvement in meddling with foreign elections over the years. By his count, the U.S. intervened in foreign elections more than 80 times worldwide between 1946 and 2000. This does not count other types of interventions, such as assassinations and coup d’etats.
Election fraud in the U.S.
As a result, it was not surprising that former CIA-director George H.W. Bush was suspected of having used techniques honed overseas to manipulate some U.S. elections for his own benefit. The Manchester (New Hampshire) Union-Leader, in covering the 1980 Republican Caucus in Iowa, is quoted as saying that the Bush campaign “has all the smell of a CIA covert operation….Strange aspects of the Iowa operation [include] a long, slow count and then the computers broke down at a very convenient point, with Bush having a 6% bulge over Reagan.” Bush ended up winning the primary. The breakdown of tabulating equipment that occurred in Iowa has become a common feature in suspicious elections.
In 1987 the Shouptronic ELECTronic Voting Machine was patented (yes, the same Shoup). It was one of the first DREs to achieve widespread use and was almost immediately implicated in the very controversial 1988 New Hampshire Republican primary pitting George H.W. Bush against Bob Dole. Polling on election day showed Bush losing by 8 points, but when the votes were tallied, Bush had won by 9 points. Mainstream statisticians have called this 17-point turnaround a “virtual statistical impossibility.”
We know that the United States has manipulated elections in foreign countries, and experts do not dispute the fact that elections can also be stolen in the U.S. But how can we know whether elections in the U.S. have actually been stolen? To understand that, we have to consider who would have the motivation and the ability to steal elections, and then we have to look for evidence that they actually did steal them.
So far as motivation is concerned, I can’t think of anything on earth that has the potential for greater material rewards than winning American elections. The winners have the power to reward or punish whoever they wish anywhere on the planet, to have worldwide fame, to spread their ideology, and to make unimaginable amounts of money. The American president has long been considered the most powerful person on earth.
What about morality? Considering that we are talking about politicians who regularly serve the interests of their campaign fund donors instead of the constituents who “elected” them, we are probably dealing with a very low bar. The same is true of the owners of the voting technology, as we shall see.
HAVA and the explosion of electronic voting equipment
In 2000 the world was presented with the embarrassing spectacle of hanging chads and butterfly ballots in Florida. This created a gold rush for vendors and lobbyists, who took advantage of the Florida fiasco to persuade legislators to enact a sweeping election reform bill. A bipartisan congress passed the Help America Vote Act (HAVA) in 2002. The goals of HAVA were (1) to replace punch card and lever-based voting systems; (2) to create the Election Assistance Commission to help with the administration of federal elections; and (3) to establish minimum standards for election administration. States would receive federal funding if they submitted a plan describing how the money would be used for the adoption of new voting systems. States were allowed to make their own decisions about the specifics, but all states and localities were required to upgrade their voting machines, registration processes, and poll worker training.
HAVA requires that all voting systems be auditable and produce a permanent paper record that can be counted by hand as an official record for any recount. However, states received federal money without following this requirement. In 2016 we still had states using non-auditable DREs. According to Ballotpedia, paperless machines are used in Pennsylvania, Florida, Georgia, Indiana, Kentucky, Tennessee, Texas, and Virginia. Virginia and Florida are reportedly phasing them out. Florida’s DREs raised red flags in several elections, including a close 2006 congressional race in which Democrats charged that as many as 16,000 votes went missing.
In the United States, 27 states require VVPATS for all DREs used in public elections. Another 18 states don’t require them but still use them in some elections. However, it’s important to understand that DREs with voter verified paper trails (VVPATs) are not really safer.
The first reason is that VVPATs don’t make elections secure is that nobody will ever look at the paper trail unless the margin of victory is within the recount margin. Hackers are smart enough to make sure that doesn’t happen.
Second, the hacker can flip votes both in the computer memory and in the printed audit trail without getting caught. Let’s say Smith and Brown are tied in the polls. Smith supporters decide to hack the DREs so they flip 5% of Brown’s votes to Smith. If the real results were an exact tie, the hack would give Smith 52.5% of the votes, which is well outside of the recount margin.
If they want to make sure the hack cannot be discovered even if the election is recounted, the hackers can allow the VVPAT to show the hack. That is, voters who voted for Brown will see Smith if they look at the VVPAT. If 1,000 voters intended to vote for Smith and 1,000 for Brown, all 1,000 Smith voters and 950 of Brown’s voters—97% of all voters–won’t see anything wrong, because their votes will be recorded correctly.
Of the 50 voters whose votes were flipped, research on voter behavior has shown that at least 33 (two-thirds, probably more) won’t even look at the VVPAT. They will vote for Brown and see a vote for Brown on the monitor, but the vote will be counted for Smith inside the computer and printed for Smith on the paper trail. Voters won’t notice.
Of the 16.7 voters who do look at the paper trail and notice the error, most will think it’s their own mistake. Many of them won’t bother change the vote because they don’t want to spend the time it would take to figure out what they did wrong or how to correct it. Of the few who take the time to change their vote, even fewer will report the issue to a poll worker, and this tiny number will likely be spread over many precincts.
The few poll workers who are notified about the problem are unlikely to bother to make a note of the problem on the inspector’s report, which is the only way to document the issue. And even if the problem is noted, it will not be widespread enough to warrant a forensic analysis of the voting machine software. Hackers know they are safe from detection. Voters need to understand that the VVPAT does not protect their vote
Caltech/MIT Voting Technology Project
During the time that the ballot battles in the 2000 presidential election were being fought in Florida, the presidents of the California Institute of Technology and the Massachusetts Institute of Technology decided to weigh in with some solid science. They assembled a team of computer scientists, human factors engineers, mechanical engineers, and social scientists; and they obtained funding from the Carnegie Corporation of New York and the James L. Knight Foundation. Researchers collected data nationwide and met with leading election officials, researchers, and industry representatives. Since its inception in 2000, members of the Voting Technology Project (VPT) have studied all aspects of the election process, both in the United States and abroad. VTP faculty, research affiliates, and students have written many working papers, published scores of academic articles and books, and worked on a great array of specific projects. All of this research and policymaking activity seeks to develop better voting technologies, to improve election administration, and to deepen scientific research in these areas. Today, members of the VTP are active in:
- Developing better voting systems standards and testing practices
- Studying and developing novel and improved post-election auditing procedures
- Assessing and evaluating the voting experience in federal elections
- Examining ways to make the process of voter registration more secure and more accessible
- Evaluating methods of voter authentication, and their effects on the election process
- Improving voting technologies
The VTP has also developed a toolkit for election management based on the expertise of election administrators, business managers, and social science researchers that can help election administrators plan and conduct elections.
In short, the best minds in election science have made recommendations for best practices. We know what we should do, and we even know how to do it. The thing that is lacking is political will. The VPT made a number of recommendations after the Florida debacle, concerning voting equipment; registration; polling places; absentee and early voting; ballot security; and cost and public financing of elections.
Concerning ballot security, the VPT identified two main problems. One type of security problem involves manipulation of voters. The most important safeguards are the secret ballot and voter registration. For ballots to be secret, voters cannot receive a receipt that tells how they voted.
The second type of security problem involves tampering with the mechanisms for recording and counting votes. Votes can be stolen or destroyed. For example, it is easy to jam a voting machine so the counter in the back does not register the votes cast for a particular candidate. Votes could also be added to the count. These problems do not involve the individual who casts the ballot, but someone else, such as a poll worker, an election officer, or a manufacturer.
It is very easy to tamper with a DRE. For example, a programmer could add malicious code so that every fiftieth vote for a Republican candidate is changed to a vote for the corresponding Democratic candidate. This would only occur when the machine is in “real” mode as opposed to “test” mode, so the fraud could never be discovered during testing. The electronic audit trail made by the DRE machine is also affected, so “recounts” never discover anything amiss. DREs have the following serious security risks:
- We are losing openness. DREs are completely closed, so we cannot observe the count.
- We are losing the ability for people to be involved. The equipment does it all: votes, records votes, counts votes, and produces final tallies. We lose the advantage of having many eyes on the count.
- The separation of privilege is lost. One machine that does it all risks vesting too much control over the system in the vendor’s hands or in the hands of any hacker who can get inside a monolithic system.
- Many DREs lack redundancy and true auditability. To audit a voting machine, one needs a redundant recording of what the voter intended. There is the initial recording that the electronic machine made, but there must also be a separate recording against which the machine recording is tested–an audit trail. The problem for many DREs is that their audit trails are simply another recording of what the machine recorded. The true standard of auditability is that the audit trail is produced by the voter and not by some intermediary machine. It is the only way to guard against a fraud scheme in which the code occasionally drops votes. It also protects against machines that accidentally lose votes, say because of a power surge.
- We are losing public control over voting equipment. DREs are so complex machines that administrators cannot inspect inside the devices.
All these problems are solvable. The principles of openness, many eyes, separation of privilege, redundancy, and public control must guide the design of electronic equipment.
Recommendations: Move away from complex monolithic machines. Extreme simplicity is recommended. The critical device is the vote-recorder. When the vote is recorded, the voter loses control over the vote, and this is when tampering can occur.
- Make source code for all vote recording and vote counting processes open source. Source code for the user interface can be proprietary, so that vendors can develop their products. There are many protocols for open source. A national commission of experts from outside the voting industry, including other industries such as banking and Internet security, should determine the appropriate protocol for open source in the voting equipment industry.
- Make recording software openly auditable in the same mode that is used to conduct the counts. “Test” modes should be eliminated. Counting and recording devices should be “modeless.” The test mode feature creates a way to cover a hack. To be truly open, interested parties should be allowed to inspect the software the way it is formatted for Election Day. All interested parties (candidates, party organization, etc.) should be satisfied that votes will be counted properly.
- Adapt equipment so that voters can create a record of the vote that they can examine directly, and that can be used to audit equipment and elections. This might require some sort of simple paper recording that the voter can check and submit separately.
- Audits of votes and equipment should be performed routinely, even without a recount.
- Design equipment that logs all events (votes, maintenance, etc.) that occur on the machine.
- Train election officials in the interior workings of their voting equipment.
- Delay Internet voting until suitable criteria for security are put into place.
In view of the evidence of tampering with optical scanners, many election experts now recommend that all elections that use optical scanners should be followed by a risk-limiting audit counted by hand. Risk-limiting audits are efficient. Formulae endorsed by the American Statistical Association determine the size of the samples needed. That means that it’s usually not necessary to do a recount; depending on the margin of victory in the election, you can often obtain a high degree of confidence about the election using a very small sample. You would be able to verify the election results and announce the winner very quickly. Hand-counted risk-limiting audits of optically-scanned ballots would have prevented all the problems noted in the 2016 recounts.
The VTP made its results available before the 2004 election, which was the first time electronic voting was used nation-wide. However, instead of acting on the recommendations, the United States went ahead and had another debacle, which we will discuss in a future blog.
Diebold security breach
In 2003, Bev Harris, author of Black Box Voting: Ballot Tampering in the 21st Century, discovered that Diebold, one of the primary manufacturers of DREs, had left the 40,000 files that comprised its Global Election Management System (GEMS) completely exposed on a website that was accessible to the public. Harris downloaded the files and programmers all over the world began examining the code. They found that it could be easily hacked either on-site or remotely, without leaving any trace that vote rigging had occurred. Reports were issued by researchers from Johns Hopkins, Princeton, Rice, and Stanford Universities, the Brennan Center for Justice, and the Government Accountability Office. In 2005, the nonpartisan Commission on Federal Election Reform, chaired by Jimmy Carter and James Baker, stated that the greatest threats to secure voting are insiders with direct access to the machines: “There is no reason to trust insiders in the election industry any more than in other industries.”
In 2011, a team at the U.S. Department of Energy’s Argonne National Laboratory hacked into one of Diebold’s old Accuvote-TSX DREs. They reported that anyone with $26 in parts and an eighth-grade science education would be able to manipulate the outcome of an election. The team leader, Roger Johnson, wrote “This is a national security issue.” Yet the Accuvote-TSX, now manufactured by ES&S, was used in 20 states in the 2012 election.
So far we have established that U.S. elections can be rigged, both because of flaws in the privatized black-box voting equipment and because the government has failed to establish and enforce uniform voting standards that would insure fair elections.
Next month’s blog will focus on the vendors of the voting equipment and their strong ties to the political and religious right wing.