Ed Felten has hacked into many, many voting machines over the years, because he wants Americans to know that the technologies we use to record votes can be dangerously porous. A professor of computer science and public affairs at Princeton University and the director of the Center for Information Technology Policy, he served as the deputy chief technology officer of the United States under President Barack Obama and now studies issues of government transparency and cybersecurity, with a special focus on voting and election security. In a recent interview for Slate’s technology podcast If Then, Felten described the problems that have plagued voting machines for years, why much of the technology has remained outdated, and what he’s worried about in 2018.
April Glaser: You first started hacking into voting machines in the late ’90s at Princeton, if I’m correct. What were those machines and what flaws did you see then? Are we still seeing the same problems today?
Ed Felten: We see a lot of the same problems today that we’ve seen in the past, and mostly because the machines have not been upgraded in many places. What we found back then was really two things. First of all, there were fundamental vulnerabilities because of the use of paperless computer systems in voting. That’s a risky thing to do in itself. Then on top of that, the systems that were actually out there in the field were not very well secured.
In some places in the U.S., there are new machines in use that are more secure, but in a lot of places, including my own home state of New Jersey, we’re still using the same old equipment as we have for a long time.
Glaser: You saw some of these voting machines were actually for sale on eBay back then, right? Is that still the case?
It still is, yeah. When a state or county switches machines or they take some out of service, they typically will sell them for surplus. So you can buy them on eBay and other places. That’s how we got a lot of the early machines that we study.
Glaser: I remember reading back in 2008 that one of the voting machine manufacturers actually threatened to take legal action against you for studying and testing the security of these machines. Has your research led to a hardening of these voting machine technologies?
I think the long-term impact of the research that my team and others have done has been more to get states and counties to switch to more secure systems. But that happens very slowly. We still have something like 30 percent of U.S. voters are voting on systems that are suspect by design.
Will Oremus: Before we get into the problems with the current machines, I wanted to ask what’s maybe a really basic question. But what does it look like to hack a voting machine? Is it a person standing there at the ballot box in front of the machine and doing stuff to it? Is it that they’re tapping in somehow remotely? When you hack them, what does it look like, and what might it look like if this were to actually happen in an election?
When we study a machine, we first kind of take it apart in our lab to understand everything about it. Then we try to figure out how someone might be able to modify the machine or the results. That typically involves just changing the software on the machine. Literally just installing a software upgrade or update that wasn’t authorized by the manufacturer that causes the machine to do something else. So usually it involves either having hands on the machine, physically hands on somewhere. It might be in the warehouse where the machine is kept, or it might also involve, if the machine has some kind of networking or wireless capability, breaking into it that way.
Glaser: Have we seen instances of hacked voting machines? I know that there’s been problems with the technology having bugs or not working right. But have we seen instances of hacking?
We don’t have confirmed cases in the U.S. of hacking that affected elections. As you said, we’ve seen quite a few examples of errors or things that shouldn’t have happened happening, but we haven’t seen those sorts of errors. But then again, part of the problem is that it would be hard to tell because the vulnerable machines don’t keep the kind of records you would need to keep in order to be sure that there wasn’t a problem.
Oremus: I was going to ask, is it just that we don’t know and it probably has happened, or are there actual barriers that have prevented this from happening? If it hasn’t happened, what’s the obstacle that has kept it from happening, you think?
I think the factor that has kept it from happening is that the people who have the capability of doing it have not chosen to manipulate an election. We knew in 2016, we’ve known before that there are people who have the capabilities to mess with voting machines, but they just haven’t so far. We can count ourselves lucky, but we shouldn’t stay in this position where we have to rely on the bad guys choosing not to act.
Glaser: Yeah, that’s quite unsettling. We know earlier this month, Texas officials charged that early votes intended to go to Beto O’Rourke instead went to Ted Cruz, and the voting machines, which are the eSlate machines made by Hart Intercivic, had switched the votes. I remember reading that those voting machines were running on something like 2007 software. Is this something that voters should really worry about? That is such ancient software.
There are a lot of voting machines, electronic voting machines, that run old software. That’s true in Texas. That’s true in Georgia. It’s true in New Jersey and a bunch of other places. Typically, these machines don’t have their software updated very often, and that has something to do with cost and maintenance issues, and also that software updates, in some cases, need to be certified through a slow and expensive process, which pushes people away from actually doing that. So all the more reason not to have to rely on this software being correct.
Oremus: What was the issue in Texas? I couldn’t get full clarity on that. Do you have a good understanding, do you think, of the vote-flipping or vote-switching bug?
As I understand it, it’s a usability problem, a user interface problem. This particular voting machine has a strange interface where there’s a sort of wheel that the voter can turn, and then a button to press to record their choice. Apparently if users go faster than the machine anticipates, you can get unexpected results. This kind of points to another issue that folks have had with electronic voting machines, which is often there are usability problems that cause more voters to leave the voting booth not having cast the vote they thought they did than we really want.
Oremus: That’s the argument, of course, for the paper trail, right?
A paper trail helps. Really for electronic voting, a paper trail is the most important safeguard because it creates another record of the vote, which the voter saw. The thing about paper is that it’s less surprising in how it behaves than computers can be. You kinda know that if you take a pencil or pen and make a mark on a piece of paper and put that paper in a box, and then you come back later and look at the paper again, it will still have the same marks on it. That’s not necessarily the case with a computer, right? If a computer records some information and then you come back later, it might have changed. That’s just the nature of how computers work. So, paper trail is the most important safeguard we need against all of these sorts of problems, whether it be malice, or error, or usability. Paper trail helps with all of those.
Oremus: My state, Delaware, just recently approved new voter machines that do have a paper trail. But should we be thinking about going all the way back to just pure paper? The whole push toward voting machines really gained momentum after Bush v. Gore with the hanging chads in Florida. Paper obviously has its own problems. What’s the optimal solution, do you think, at this point?
From my standpoint, I think the best system is one that keeps both paper and electronic records. You have a paper record, which the voter saw and verified, and you also have an electronic record. The benefit of having both is that each one has its pros and cons from the standpoint of reliability or security, but if you keep them both and then check them for consistency against each other, then you’re in the best position to detect a problem if there is one. A good example of a system like that is an optical scan system where the voter marks a paper ballot and then the voter feeds that into a scanner in the polling place, and the scanner keeps an electronic record. So best practice No. 1 in the polling place is to have a voter-verified paper record, along with an electronic record. And then best practice No. 2 is to actually compare them by a statistical audit after the election.
Glaser: Are there federal standards that voting machine companies have to adhere to in any way? Because it seems like they should work already, that they shouldn’t be switching votes or have these usability issues.
There are federal standards, and most of the states have voluntarily adopted the federal standards. But those standards are old and they’re not very comprehensive. Some of the machines may have been certified against the standard that existed when the machine was new, and so those could be standards that are quite old and might not have much of anything about security or usability in them. Back in the day, the standards were really written thinking about the old-fashioned, big metal lever machines. The federal government and the whole policy process is still kind of catching up in terms of standards.
Glaser: You worked at the White House under the Obama administration. I’m curious, why wasn’t there more progress on this issue then, or when will we see progress on this issue? I know it was only in January 2017 that election systems were designated as critical infrastructure like the electrical grid is, that they would get federal protections.
One of the core challenges here is that elections are really run by the states and counties as opposed to being run or managed in a centralized way. The federal government can set standards, but at the end of the day, it’s your county clerk, probably, who is the most important person for the operation of voting in the place where you vote. Because it’s so decentralized, and because these things are run by officials who often don’t have a lot of technology expertise available to them, it’s very difficult to get coordinated action across the whole country. So what we’ve seen over the past, say, 15 years as the security of voting machines has come into focus as an issue is slow progress as more and more states and counties adopt more secure practices. But it’s going be quite a while, probably, before we move forward. There have been efforts to pass federal legislation in this space. There’s a bill called the Secure Elections Act, which is now pending. But things tend to move slowly.
Glaser: The voting machine industry, I’m reading, is like a $300 million a year industry. And according to some fantastic reporting from Kim Zetter in the New York Times Magazine, there’s this revolving door between voting machine vendors and election officials. I’m curious if one of the reasons why we’re not seeing updates on the local level is that there may be a corruption issue.
I don’t know if there is clear corruption, but there is a tight community of people who are involved in election administration, whether on the vendor side or the election official side. I think the concerns about the cybersecurity of elections have been pretty slow to percolate into that community. This is not unusual to the voting machine space. You see a lot of different industries and sectors that are slow to catch on to how serious the security problems they face could be. Often it takes someone in a sector getting burned before the sector really wakes up and starts to take cybersecurity more seriously. We certainly don’t want to be in a situation where someone in the voting space or election space has to get burned before we take this more seriously.
Oremus: I know one thing that election security experts have been concerned about for a long time is that the software in these systems is proprietary, so you have these different private companies making the voting machines, building the software. And when researchers say, Hey, can we see your software and make sure it’s safe, make sure it doesn’t have bugs in it?, they say, No, you can’t see it. Is that still a problem today and has there been any progress in getting them to open that up or moving toward a more open-source approach?
There have been some efforts to make open-source voting software, but the major vendors are still operating in a closed-source way. This really comes down to what are the contracts that states and counties sign when they buy systems, because the degree of freedom that they have to inspect or reverse-engineer or analyze the systems depends on what’s in the contracts. Sometimes there are terms in there that say thou shall not examine or do security analysis on a system. That’s obviously, in my view, not something that a public official should be signing for a technology like this. There are other situations where officials insist on having more ability to inspect. Many of the most usable studies of voting machine security have come about because of officials who put their foot down and insisted on more freedom to have the machines tested.
Oremus: Yeah, it seems like maybe one dimension of this is a problem with technological literacy on the part of the representatives at the state and local levels who maybe don’t have the information needed to evaluate these systems as they’re making these decisions on behalf of the public.
It’s true there’s not a great deal of information that officials have about how the machines work or about the security. Certainly a lot of decisions have been made in the past that officials might regret now. But, budgets being tight, it’s not easy to admit error and spend another pile of money on new systems. The good news in this area is that I think it’s now pretty clear that the goal should not be to have systems that need to be bulletproof in terms of their security. The goal instead should be to have an overall system that is resilient so that if something goes wrong with the software, if it behaves strangely, that you have something to fall back on, you have a paper ballot, you have an audit or recount capability so that whatever goes wrong, you’ll be able to recover and at the end of the process, voters will be able to have confidence that you got the result right in the end.
Glaser: What’s your biggest concern for the 2018 election? What are you worried about this time around?
Well, it’s the same worry that we’ve had in past election cycles, unfortunately. It’s partly what happens if somebody tries to manipulate the systems and change the result of the election. But, as in 2016, there’s probably greater concern about the possibility that someone will try to undermine confidence in the election to try to undermine the legitimacy of the process by trying to cast doubt on the result. That could mean just trying to cause chaos in some way and then trying to spread rumors about misbehavior or spread conspiracy theories.
The worst outcome that I think that I feared in 2016, and the thing that is the biggest concern in this cycle, is that at the end of Election Day we genuinely won’t know who the voters wanted to put in charge, because we don’t have really a road map for dealing with that kind of uncertainty. The whole point of an election or the way we should think about election processes and security is that the goal is to produce convincing evidence as to what the voters wanted to do. If we’re in a situation where we don’t have convincing evidence pointing in either direction, and yet it’s the end of Election Day—and there really are not do-overs in American elections—then we’re in a difficult situation. I think that’s the thing that I would worry about the most.