2020 and the black-box ballot box

One of the scarier notions in the world today is the prospect of American voting machines being compromised at scale: voters thrown off rolls, votes disregarded, vote tallies edited, entire elections hacked.

That’s why the nation’s lawmakers and civil servants flocked (relatively speaking) to Def Con in Las Vegas this week, where hackers at its Voting Village do their best to prove the potential vulnerabilities — including, in some cases, remote command and control — of voting systems.

There are several ways to help secure voting. One, thankfully, is already in place; the decentralization of systems such that every state and county maintains its own, providing a bewildering panoply of varying targets, rather than a single tantalizing point of failure. A second, as security guru Bruce Schneier points out, is to eschew electronic voting machines altogether and stick with good old-fashioned paper ballots.

But paper ballots don’t help much if you use machines to tabulate them and those machines are compromised — so it’s especially worrying if those are, in engineering parlance, black boxes, i.e. machines which provide visibility only of their inputs and their outputs, not their inner workings.

A solution to this black-box problem is to either tabulate by hand, or instantiate a separate audit process after each election. That means independently sampling and hand-counting a small fraction of the votes, ensuring that the audit result is statistically in line with the overall tally — and if it isn’t, increasing the sample size, up to and including a full recount.

The election threat model is broader than you might think. Researchers can, for instance, transform ballot images so that votes move imperceptibly. Which is one of many reasons why paper ballots are so critical. I have some good news there: as Politico’s excellent voting machine interactive shows, most U.S. states have and/or are moving to paper ballots (and most of the remainder were/are going to mostly vote for the party apparently opposed to democracy anyway.)

The audit situation, though, is … more complicated. Only 25 states require any audits of federal elections, for instance, and only some of those audits have teeth. Witness Verified Voting’s superb interactive explainers of post election audits and state audit laws.

I don’t want to minimize the significance of secure voting machines and the Voting Village hackers’ work. It’s as important as everyone says. But as any security expert will tell you, defense in depth is often even more important than the strength of any individual layer.

Secure machines, which generate individual paper ballots, to be hand-tabulated and/or audited — that’s the kind of defense in depth we want, and personally I’m a little concerned that the final moat, the audit, doesn’t get the attention it deserves. To quote, of all people, a Republican president: “Trust, but verify.”