Improving Election Integrity

Paper ballots help make voting more secure. But paper ballots marked by machines are superior to ones marked by hand.

In the wake of this week’s Iowa caucuses app debacle, the spotlight has been placed on voting and technology—again. Since 2000, when the outcome of the presidential race hung on “hanging chads” and other artifacts of Florida’s ballots, public attention has repeatedly returned to the shortcomings of our elections and their supporting technologies. Now, with presidential primary season here and a general election less than nine months away, the Iowa mess offers us an occasion to revisit this important issue.

In 2018, the National Academies of Sciences, Engineering, and Medicine published a consensus report on the integrity of election technology. Securing the Vote: Protecting American Democracy was the result of a two-year study conducted by specialists in elections administration and policy, cybersecurity, accessibility, and law. I was a member of this committee. In our work, we reviewed extensive background materials and held five meetings in which invited experts discussed voter registration, voting accessibility, voting technologies and market impediments to technological innovation, cybersecurity, post-election audits, and the education and training of election workers.

Securing the Vote makes several recommendations to improve voting in the United States. First, the report recommends that elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine, using a ballot-marking device (BMD); they may be counted by hand or by machine, using an optical scanner. Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots. Voting machines that do not provide the capacity for independent auditing—for example, machines that do not produce a voter-verifiable paper audit trail—should be immediately removed from service. Since there is, as of today, no way to secure a digital ballot, any election that is paperless is not secure. Therefore, internet voting—specifically, the digital return of ballots—should not be used at this time.

With these recommendations in mind, I would like to address concerns that have been raised in a handful of scholarly papers and studies examining ballot-marking devices.

In a paper posted last year, Princeton University computer scientist Andrew W. Appel—also a member of the committee that produced Securing the Vote—and colleagues wrote:

There is no action that a voter can take to demonstrate to election officials that a BMD altered their expressed votes, and thus no way voters can help deter, detect, contain, and correct computer hacking in elections. That is, not only is it inappropriate to rely on voters to check whether BMDs alter expressed votes, it doesn’t work.

More recently, the University of Michigan’s Matthew Bernhard, J. Alex Halderman, and colleagues have also reported findings that voters tend not to verify the ballots produced by a BMD. Therefore, the machine could flip votes—printing something other than what the voter selected—and most voters would never notice. This could change the outcome of the election and no one would know. For their paper, Bernhard et al. conducted a study (a mock election, with a sample size of 241) using a BMD system that flipped one of the selections on each participant’s printed ballot. The researchers found that, “without intervention,” only 40% of the study participants reviewed their ballots at all, and just 7.8% were able to correctly identify the error afterward in an exit survey. Only 6.6% of the participants actually “told a poll worker something was wrong.”

Another recent paper, by Rice University psychologist Michael Byrne, reports on a small-scale observation study of the new voting system developed by Los Angeles County. In a mock election conducted last September to test the county’s Voting Solutions for All People (VSAP) system, 41 out of 81 “voters” (51%) “verified their paper ballot prior to casting it.” The 41 individuals who verified their ballots took, on average, “2 minutes and 10 seconds longer to vote than voters who did not”—indicating that their review of their ballots “was not merely cursory.”

Findings such as these have led some observers to suggest that all voting should be conducted using hand-marked paper ballots and that BMDs should be used only by people with disabilities. Appel and his coauthors state this explicitly: “To reduce the risk that computers undetectably alter election results by printing erroneous votes on the official paper audit trail, the use of BMDs should be limited to voters who require assistive technology to vote independently.”

I believe this would result in a more vulnerable election environment.

Let me begin with the fact that paper ballots have issues as well. Hand-marked paper ballots, unlike ballots produced by BMDs, are susceptible to overvoting and undervoting hacks. The undervote hack occurs when a voter decides not to make a selection in a contest—in other words, the voter leaves the contest blank. This is a natural response when a voter doesn’t want to vote for any candidate in a particular contest. An insider could then make a selection on that ballot. This could take as little as two to five seconds and is impossible to detect if the insider is not caught in the act.

The overvote hack occurs when the voter makes a selection but an insider makes an additional selection, causing an overvote, which would lead to a nullified contest on the ballot. Like the undervote hack, this is undetectable unless the insider is caught in the act.

These hacks require very little expertise, no technology, and very little time. However, these hacks are not possible with BMDs.

Also, hand-marking can result in stray marks on the ballots—marks that may not be correctly read by the optical scanner. The voter’s intent should not be ambiguous and should not require auditors to interpret. These stray or ambiguous marks also make the overall election-auditing process more difficult, since interpreting them requires additional time from the auditors. And keep in mind that auditing teams are bipartisan by design—which can lead to ballots being debated to favor a particular candidate. Audits are the ultimate safeguard in our elections; they should not be ambiguous. When all else fails, an entire recount should be done and the results should be clear. If this is not possible, our election system is broken.

The ballot summary produced by a BMD doesn’t have this ambiguity: there are no stray marks, and auditing and recounts are much simpler.

Also, the recommendation that the use of BMDs be limited to people who require assistive technologies could create an easier target for adversaries. Because the number of voters using BMDs would be lower and those voters’ ability to review their ballots would be limited (e.g., a blind voter cannot see the printout and so can only verify the accuracy of the ballot with assistance), this recommendation would make it more difficult to detect a hacked BMD system. And the number of voters with disabilities is still large enough to determine the outcome of close elections. Disability law experts Lisa Schur and Douglas Kruse of Rutgers University estimated that 16 million people with disabilities reported voting in the November 2016 election. The margin of victory in that year’s presidential election was much smaller; just a combined 77,000 votes in Michigan, Wisconsin, and Pennsylvania made the difference in the Electoral College. Simply having hacked BMDs flip the votes of people with disabilities could change the outcome of elections. However, if more people are using BMDs, the vote-flipping has a greater chance of being identified.

So how should we protect our elections?

First, we can allow voters to use hand-marked paper ballots—but we should not mandate it for all voters without disabilities. In fact, hand-marked paper ballots should constitute no more than half the total. When a diverse group of voters—including voters with disabilities—are using the BMD, this will increase the chances of detecting any issues that could suggest the BMD was hacked (such as the BMD flipping votes), thereby increasing overall election security. Using both hand-marked paper ballots and a BMD system will also force any adversaries seeking to interfere in the election to implement more advanced attacks that target all voters, not just those with disabilities. Furthermore, on the hand-marked paper ballots, a final option should be included for “None of the Above.” If “None of the Above” is an option, voters can affirmatively select this option and eliminate the undervote hack.

In their paper, Bernhard and his coauthors report that the voters in their mock election were more likely to verify their ballots when poll workers issued instructions after the ballots printed. The authors offered several recommendations to increase rates of verification:

1) Design polling places for verification

2) Incorporate post-voting verbal instructions

3) Encourage personalized slate voting

4) Help voters correct errors, and carefully track problems

5) Prepare contingency plans

6) Educate voters about BMD operations and risks

7) Consider the needs of voters with disabilities

8) Require risk-limiting audits

These are excellent recommendations that should be implemented wherever possible for 2020 and used until further research has been done to improve voter verification of printed ballots from BMDs. My own suggested tweaks: I would place the poll workers between the BMD and optical scanners/ballot box. These poll workers should constantly remind voters to verify that their ballot selections are correct. I would also add that parallel testing methods should be considered as well—specifically, isolating a voting machine on Election Day and having election administration officials use the machine to print ballots for verification. Some research would be required to determine the exact protocol for testing and verification; however, it is an option that should be considered and further researched. I would also recommend that all source code be made available on read-only media for review as well. And all elections should incorporate risk-limiting audits.

Congress and state and local election authorities should move quickly on these recommendations, and those in the National Academies report. A bill now awaiting action in the House of Representatives, the Election Technology Research Act, would implement some of these recommendations, monitor their rollout, and support more research. The sooner these changes get made, the better.