Andrew Appel, the Eugene Higgins Professor of Computer Science, served as a member of the National Academies' Committee on the Future of Voting, which released a major report Sept. 6.
The following is reprinted from the Freedom to Tinker blog at Princeton’s Center for Information Technology Policy.
In this November’s election, could a computer hacker, foreign or domestic, alter votes (in the voting machine) or prevent people from voting (by altering voter registrations)? What should we do to protect ourselves?
The National Academies of Sciences, Engineering, and Medicine have released a report, Securing the Vote: Protecting American Democracy, about the cybervulnerabilities in U.S. election systems and how to defend them. The committee was chaired by the presidents of Indiana University and Columbia University, and the members included five computer scientists, a mathematician, two social scientists, a law professor, and three state and local election administrators. I served on this committee, and I am confident that the report presents the clear consensus of the scientific community, as represented not only by the members of the committee but also by the 14 external reviewers (election officials, computer scientists, and experts on elections) who were part of the National Academies’ process.
The 124-page report, available for free download, lays out the scientific basis for our conclusions and our 55 recommendations. We studied primarily the voting process; we did not address voter-ID laws, gerrymandering, social-media disinformation or campaign financing.
There is no national election system in the U.S.; each state or county runs its own elections. But in the 21st century, state and local election administrators face new kinds of threats. In the 19th and 20th centuries elections did not face the threat of vote manipulation (and voter-registration tampering) from highly sophisticated adversaries anywhere in the world. Most state and local election administrators know they must improve their cybersecurity and adopt best practices, and the federal government can (and should) offer assistance. But it’s impossible to completely prevent all attacks; we must be able to run elections even if the computers might be hacked; we must be able to detect and correct errors in the computer tabulation.
Therefore, our key recommendations [numbered according to their position in the report] are:
4.11. Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner). Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots. Voting machines that do not provide the capacity for independent auditing (e.g., machines that do not produce a voter-verifiable paper audit trail) should be removed from service as soon as possible.
In our report, we explain why: Voting machines can never be completely hack-proof, but with paper ballots we can — if we have to — count the votes independent of possibly hacked computers.
4.12. Every effort should be made to use human-readable paper ballots in the 2018 federal election. All local, state and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election.
5.8. States should mandate risk-limiting audits prior to the certification of election results. With current technology, this requires the use of paper ballots. States and local jurisdictions should implement risk-limiting audits within a decade. They should begin with pilot programs and work toward full implementation. Risk-limiting audits should be conducted for all federal and state election contests, and for local contests where feasible.
In our report, we explain why: Examining a random sample of the paper ballots, and comparing with the results claimed by the computers, can assure with high confidence that the computers haven’t been hacked to produce an incorrect outcome, or else can provide clear evidence that a full recount is needed. The sample needed is small when the reported margin is wide and grows as the margin narrows; the audit keeps drawing ballots until the evidence reaches the pre-set risk limit, and if it never does, it escalates to a full hand count of the paper.
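To make the sampling logic concrete, here is an added example (not code from the report or from the blog post) of a ballot-polling risk-limiting audit in the BRAVO style: ballots are drawn at random, and a likelihood ratio for the reported winner against each reported loser is updated per ballot until every ratio exceeds 1/risk-limit (confirm) or the draw budget runs out (full hand count). The ballot lists, reported totals, and the seed are constructed for illustration; in a real audit the seed comes from a public dice roll and each drawn ballot is physically retrieved using the ballot manifest discussed later in the post. The "hacked" case is the scenario the post describes: the tabulator reports a win for A while the paper shows B won, so no sample ever confirms it.

```python
"""Ballot-polling risk-limiting audit (BRAVO-style sequential test).

Constructed example: the ballots, reported totals and seed below are made up
for illustration. A real audit seeds the random draws from a public dice roll
and retrieves each sampled paper ballot from storage via the ballot manifest.
"""
import random
from collections import Counter


def bravo_audit(reported, ballots, risk_limit=0.05, seed=0, max_draws=None):
    """Audit a single-winner plurality contest by sampling paper ballots.

    reported:   {candidate: vote count} as announced by the tabulator
    ballots:    the actual marks on the paper ballots, one entry per ballot;
                a mark matching no reported candidate is a blank or write-in
    risk_limit: maximum chance the audit confirms a wrong reported outcome
    Returns a dict with the decision, ballots examined and test statistics.
    """
    if max_draws is None:
        max_draws = len(ballots)
    winner = max(reported, key=reported.get)
    losers = [c for c in reported if c != winner]
    # Reported share of the winner among ballots for each (winner, loser) pair.
    share = {}
    for loser in losers:
        wv, lv = reported[winner], reported[loser]
        if wv <= lv:
            raise ValueError(f"reported result is not a win for {winner} over {loser}")
        share[loser] = wv / (wv + lv)
    threshold = 1.0 / risk_limit
    stat = {loser: 1.0 for loser in losers}  # likelihood ratio per pair
    rng = random.Random(seed)                  # constructed seed, not a dice roll
    drawn = 0
    while drawn < max_draws:
        mark = ballots[rng.randrange(len(ballots))]  # draw with replacement
        drawn += 1
        if mark == winner:
            for loser in losers:
                stat[loser] *= 2 * share[loser]
        elif mark in stat:
            stat[mark] *= 2 * (1 - share[mark])
        # Any other mark (blank, write-in) leaves every statistic unchanged.
        if all(t >= threshold for t in stat.values()):
            return {"decision": "confirmed", "ballots_examined": drawn, "statistic": stat}
    # Evidence never reached the risk limit: count every paper ballot by hand.
    return {"decision": "full_hand_count", "ballots_examined": drawn, "statistic": stat}


def hand_count(ballots):
    """The fallback: a full tally of the paper, independent of the tabulator."""
    return Counter(ballots)


def make_ballots(counts, seed=1):
    """Build a shuffled list of ballot marks from per-candidate counts (constructed data)."""
    marks = [c for c, n in counts.items() for _ in range(n)]
    random.Random(seed).shuffle(marks)
    return marks


# Case 1: the tabulator told the truth; 300 ballots are blank in this contest.
HONEST_PAPER = make_ballots({"A": 6000, "B": 4000, "": 300})
HONEST_REPORTED = {"A": 6000, "B": 4000}

# Case 2: the tabulator was hacked to flip the outcome. The paper shows B won
# 60/40, but the reported totals claim A won 55/45.
HACKED_PAPER = make_ballots({"A": 4000, "B": 6000})
HACKED_REPORTED = {"A": 5500, "B": 4500}


def run_cases(seed=20180906, max_draws=2000):
    """Audit both constructed elections with the same seed and draw budget."""
    return {
        "honest": bravo_audit(HONEST_REPORTED, HONEST_PAPER, 0.05, seed, max_draws),
        "hacked": bravo_audit(HACKED_REPORTED, HACKED_PAPER, 0.05, seed, max_draws),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result["decision"], "after", result["ballots_examined"], "ballots")
    print("hand count of hacked paper:", hand_count(HACKED_PAPER))
```

For a 60/40 reported margin the honest audit typically stops after a few hundred ballots, a tiny fraction of the 10,300 cast; the hacked audit exhausts its draw budget because the winner's likelihood ratio drifts toward zero, and the hand count then shows B as the actual winner. Drawing with replacement is what BRAVO assumes; drawing without replacement, as a real audit does, is slightly more conservative. Multi-winner contests and batch-comparison audits need the extra bookkeeping the post alludes to (tracking batches of ballots), which this example does not cover.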
5.11. At the present time, the internet (or any network connected to the internet) should not be used for the return of marked ballots. Further, internet voting should not be used in the future until and unless very robust guarantees of security and verifiability are developed and in place, as no known technology guarantees the secrecy, security and verifiability of a marked ballot transmitted over the internet.
4.1. Election administrators should routinely assess the integrity of voter registration databases and the integrity of voter registration databases connected to other applications. They should develop plans that detail security procedures for assessing voter registration database integrity and put in place systems that detect efforts to probe, tamper with or interfere with voter registration systems. States should require election administrators to report any detected compromises or vulnerabilities in voter registration systems to the U.S. Department of Homeland Security, the U.S. Election Assistance Commission and state officials.
Many of these recommendations are not controversial, in most states. Almost all the states use paper ballots, counted by machine; the few remaining states that use paperless touchscreens are taking steps to move to paper ballots; the states have not adopted internet voting (except for scattered ill-advised experiments); and many, many election administrators nationwide are professionals who are working hard to come up to speed on cybersecurity.
But many election administrators are not sure about risk-limiting audits (RLAs). They ask, “Can’t we just audit the digital ballot images that the machines provide?” No, that won’t work: If the machine is hacked to lie about the vote totals, it can just as easily be hacked to provide fake digital pictures of the ballots themselves. The good news is that well-designed risk-limiting audits, added to well-designed administrative processes for keeping track of batches of ballots, can be efficient and practical. But it will take some time and effort to get things going: the design of those processes, the design of the audits themselves, training of staff, and state legislation where necessary. And it can’t be a one-size-fits-all design: Different states vote in different ways, and the risk-limiting audit must be designed to fit the state’s election systems and methods. That’s why we recommend pilots of RLAs as soon as possible, but a 10-year period for full adoption.
Many other findings and recommendations are in the report itself. For example, Congress should fully fund the Election Assistance Commission to perform its mission and authorize the EAC to set standards for voter-registration systems and e-pollbooks (not just voting machines); the president should nominate and Congress should confirm EAC commissioners.
But the real bottom line is: There are specific things we can do, at the state level and at the national level; and we must do these things to secure our elections so that we are confident that they reflect the will of the voters.