Election security experts will be carefully watching the Democratic primaries and caucuses in 14 states and one U.S. territory on Super Tuesday for signs of irregularities which may prevent accurate and timely reporting of voting results. Of particular interest will be Los Angeles County, where election officials are debuting brand-new custom voting machines to improve how residents vote.
Los Angeles County officials spent US $300 million over the past 10 years to make it easier and more convenient for people to vote—by expanding voting schedules, redesigning ballots, and building 31,000 new ballot-marking machines. As the nation’s largest county in terms of the number of residents, the geographic area that it covers, and the number of languages that must be supported, county officials decided to commission a brand-new system built from scratch instead of trying to customize existing systems to meet their requirements.
The county’s Voting Solutions for All People 2.0 system (VSAP), built by voting technology company Smartmatic, is coming online at a time when voting systems around the country are under heightened scrutiny in light of concerns over election interference. Amid concerns about ballot-stuffing or undercounting votes are worries that votes would not be recorded correctly if voting machines have been tampered with, or if attackers can manipulate totals by intercepting data sent from a polling station to central offices to be tabulated. There are other issues, too, including the fact that websites used by election officials to provide information such as how to register, where to vote, and to post the voting results, could be modified with inaccurate information. Many of these sites are running on machines with outdated operating systems and software.
These are valid grounds for concern. Technical snafus and communications breakdowns delayed the reporting of results of the Iowa Democratic caucus in February, and the confusion over who actually won has direct impact on how voters view the integrity of the election process.
The new ballot-marking machines in LA County will record a person’s voting choices in a way that can be properly counted and audited, says Juan Gilbert, professor for computer and information science in the University of Florida. “Without paper ballots, you don’t have confidence and interpretation of the voters’ intent and meaning to auditors,” Gilbert says. The VSAP meets that requirement.
On LA’s voting machines, a touchscreen shows the ballot. Once the voter has finished making their selections, the machine prints out the ballot. The voter’s individual ballot is never saved on the voting machine itself. There is a physical copy of the ballot that the voter can verify for accuracy before it’s collected and stored in the ballot box. These marking machines are not connected to any networks and the machines are programmed with the ballot before they arrive to the polling stations.
The machines that contain the poll books, with information about registered voters, are on the network, but they are separate from the ballot marking machines.
“There’s never an opportunity for a malicious actor to remotely access any part of the machine that would be able to connect a voter to their individual selection on the ballot,” says Maurice Turner, the deputy director of the internet architecture project at the Center for Democracy and Technology, who has been involved with the VSAP design as a member of the technical advisory committee.
California’s Secretary of State Alex Padilla certified the machines in time for them to be used for the primary, provided “some essential modifications” are made. As part of the testing process, independent testing firms hired by the Secretary of State had turned up some security vulnerabilities, such as the fact that the machines had open USB ports that could be used by attackers to tamper with the system, or that testers could access and modify event logs on the machines. Too many people had security privileges to make changes on the system, according to the report. Testers were also able to access the physical ballot boxes.
The county was also instructed to address paper jams and misfeeds, which was happening nearly five times more than is allowed by the state standards, and all ballot boxes had to have tamper-evident seals on the seams between voting machine printers and ballot boxes to make it easy to tell if someone had gotten inside the boxes without authorization. The county was also required to tighten password security, and add USB port covers at workstations with tamper-evident seals. The machines didn’t have full-disk encryption, but Padilla gave the county six months to come up with a plan on how to update the machines.
“LA County has definitely gone through the appropriate security measures to ensure that the process is as secure and accountable as possible,” says Turner, noting he was satisfied with the mitigations that have been put into place. The next step would be to get the software released as open source so that researchers could test for any potential vulnerabilities and developers could contribute refinements so that other municipalities could adopt the system.
The primary issue with a ballot marking device is whether or not voters review the printout to verify it is correct. However, that isn’t something that needs more technology, Gilbert says. Having someone standing at the polling station reminding voters to review the paper is enough.
While the bulk of the voters in Los Angeles County will use these machines on 3 March as part of Super Tuesday, the machines have actually been operational since 22 February, when early voting started there. There have been no reports of major issues yet, although there were scattered reports of voters arriving early in the morning and finding the machines weren’t powered on.
For Dan Wallach, a professor in the systems group at Rice University’s Department of Computer Science, more was at stake than just whether the votes were being captured correctly. Plenty of things could go wrong on election day, such as printers jamming, touchscreens not responding properly, and power fluctuations because the machines require too much electricity.
“Forget that it is a voting system. It is a computerized system that has a lot of moving parts,” says Wallach. “It can fail because the hardware failed. It can fail because the software wasn’t correct.”
And as Wallach noted, it’s not necessary to manipulate actual votes in order to target an election. In denial-of-service attacks, for example, hackers inundate online systems with so much traffic, they freeze or shut down. Similarly, if voting machines can’t be used due to some kind of attack, they couldn’t capture any votes. It could take days or weeks to figure out whether such an incident was caused by a hacker or by a routine bug.
“If there are no IT issues [on election day], it [the voting system] will be considered a massive success,” says Wallach.
One question that remains unanswered is how future certification will be handled. Voting systems are designed to undergo full certification testing once every few years, but LA designed the VSAP machines to be updated more frequently. The state-level certification process needs to be able to account for something that could require a major change in the system without going through the entire array of tests every single time, Turner says. But that’s a problem to solve down the road.
“On Tuesday night, if the focus is on the candidates themselves, on figuring out who won and who lost rather than the mechanics of the voting lines or machines malfunctioning? That would be considered a win,” Turner says.
This story was updated on 3 March 2020.