Election security advocates scored a major victory on Thursday as a federal judge issued a 153-page ruling ordering Georgia officials to stop using its outdated electronic voting machines by the end of the year. The judge accepted the state’s argument that it would be too disruptive to switch to paper ballots for municipal elections being held in November 2019. But she refused to extend that logic into 2020, concluding that the state had plenty of time to phase out its outdated touchscreen machines before then.
The state of Georgia was already planning to phase out its ancient touchscreen electronic voting machines in favor of a new system based on ballot-marking machines. Georgia hopes to have the new machines in place in time for a presidential primary election in March 2020. In principle, that switch should address many of the critics’ concerns.
The danger, security advocates said, was that the schedule could slip and Georgia could then fall back on its old, insecure electronic machines in the March primary and possibly in the November 2020 general election as well. The new ruling by Judge Amy Totenberg slams the door shut on that possibility. If Georgia isn’t able to switch to its new high-tech system, it will be required to fall back on a low-tech system of paper ballots rather than continue using the insecure and buggy machines it has used for well over a decade.
Alex Halderman, a University of Michigan computer scientist who served as the plaintiffs’ star witness in the case, hailed the judge’s ruling.
“The court’s ruling recognizes that Georgia’s voting machines are so insecure, they’re unconstitutional,” Halderman said in an email to Ars. “That’s a huge win for election security that will reverberate across other states that have equally vulnerable systems.”
Georgia’s voting technology is deeply flawed
Totenberg’s ruling is 153 pages long because it presents a mountain of evidence that Georgia’s touchscreen voting machines—as well as back-office software the state uses to manage voter registrations, design ballots, and count votes—are outdated and insecure.
Georgia is still using Diebold Accuvote TSX touchscreen machines whose hardware and software date back to around 2005. In 2006 and 2007, security researchers discovered numerous security vulnerabilities in these machines—problems serious enough to cause California to decertify them from use in state elections.
After one 2006 report, Totenberg writes, “Diebold was forced to create a security patch for the vulnerable TSX software.” Yet incredibly, “there is no evidence that Georgia ever implemented the software patch or made any upgrades to protect the integrity of its DRE machines,” Totenberg says.
The security problems found by those early researchers were serious. Not only can someone with physical access to the machine install vote-stealing malware, it’s also possible to deliver such malware using viruses that spread from machine to machine on the memory cards election workers use to load ballot information onto them. Hence, a malicious actor with a few minutes’ access to a single machine could potentially hack dozens or even hundreds of machines.
These concerns seemed somewhat theoretical when they were first raised around 2006. After all, who would want to hack an election? But they’ve been given added urgency after revelations that the Russian government actively probed state election systems—including in Georgia—in 2016.
Not actually air-gapped
Besides hacking voting machines directly, another way someone could compromise an election would be to first hack the office computers of election officials. Officials use these computers to create ballot definition files that are later transferred to voting machines via memory cards. Here too, there’s a risk that malware could ride along with the ballot files and infect machines.
Georgia election officials dismissed these concerns. In 2018 testimony before Judge Totenberg, official Michael Barnes insisted that the computers used to design electronic ballots were air-gapped from the Internet, making it impossible for remote attackers to compromise them. But subsequent testimony made it clear that this was wrong. In reality, Totenberg writes, ballots were designed “on public-facing internet-connected desktop computers of the individual ballot builders, then copied over from the public facing computer onto a ‘lockable’ USB drive for transfer to the ‘air-gapped’ system.”
In court testimony, Halderman pointed out that this setup isn’t actually secure. “Air-gapping” a computer does no good if people are regularly transferring files to it from Internet-connected computers.
It gets worse. In 2016, a Georgia-based security researcher discovered that Kennesaw State University’s Center for Election Systems, which has a contract to help Georgia manage its elections, had a massive cache of sensitive election-related documents—including private voter data and passwords for election systems—publicly available on its website for anyone to download. After being notified of the breach, it took officials months to remove the sensitive information from the website.
Many voters reported problems with the machines
Meanwhile, dozens of ordinary Georgia voters told the court that they had experienced problems with Georgia’s touchscreen machines. Totenberg describes one voter’s experience:
Teri Adams described that when she voted at the Bleckley County Courthouse and selected candidate Stacey Abrams for governor on the DRE screen, she noticed that her designated selection was listed as Brian Kemp on the review screen. She tried to vote for Abrams a second time, but the review screen again showed Kemp as her chosen candidate. Ms. Adams cast her ballot on the third try when her selection in the governor’s race remained Abrams. Adams reported her problems on “machine number 2” to the poll workers whose only response was “did it take your vote?”
Adams was hardly an isolated case. A number of voters reported that it took two or three tries to ensure that a voting machine was choosing their preferred candidate.
Is this evidence that hackers were tampering with the election? Probably not. It seems more likely that Georgia’s touchscreen machines are just old and poorly designed. Someone who hacked the machines in order to steal the election wouldn’t have any reason to alarm voters by showing the stolen vote on the screen—they could show the voter’s correct choice on the screen while recording a different result in the electronic record.
But the fact that so many voters have reported problems with the machines is a problem in its own right. A mis-recorded vote is a problem regardless of whether it was the result of hacking, malfunctioning equipment or just a badly designed user interface. And there’s now ample evidence that touchscreen machines are a less effective way to record voters’ choices than a traditional paper ballot.
Georgia must stop using its machines after 2019
Judge Totenberg had all of these problems in mind as she was deciding what to do with the lawsuit. She was convinced by the plaintiffs’ argument that Georgia’s current election system was fatally flawed and needed to be overhauled—and that a hand-marked paper ballot was the gold standard for secure and reliable voting.
At the same time, she took seriously warnings from the state of Georgia that an abrupt shift to paper ballots could cause more disruption than it was worth. The issue was complicated by the fact that Georgia’s legislature recently passed legislation directing that the state develop a new election system based on ballot-marking devices—electronic voting machines that print out a paper ballot the voter can examine.
Georgia has signed a contract with a vendor for these new machines and plans to start testing them in a few cities in this November’s elections. The state aims to start rolling the new system out statewide in time for next March’s presidential primary. Under that timeline, the state would stop using its current, insecure machines before the end of the year.
The problem, critics point out, is that the state may not be able to roll out the new system in time for next March’s election. Experts testified that Georgia has set an unusually aggressive timeline for standing up a completely new election system, and this creates a risk that the schedule could slip. In that case, Georgia’s most likely fallback would be to continue using its existing touchscreen machines for the spring primary election—and possibly even the November 2020 general election.
So Judge Totenberg decided to split the difference. She denied the plaintiffs’ request to force Georgia to begin using paper ballots in the November 2019 election. She accepted the state’s argument that it would be a waste of resources to set up a paper-based system that will only be used in a single election—and that such an order could distract from efforts to develop the new system for 2020.
However, she also ordered the state not to use its old touchscreen machines as a fallback for elections in 2020. If the new ballot-marking devices aren’t ready by March, the state will be required to use hand-marked paper ballots instead.
People are finally listening to computer scientists
The order is an important ruling for voters in Georgia, who won’t have to worry about outdated equipment failing to accurately record their vote in 2020. But the ruling is also an important milestone in the broader debate over voting machine security. Judge Totenberg’s ruling is a strong endorsement of the consensus of computer security experts about the dangers of computer-based voting. Princeton computer scientist Andrew Appel put it well in a report quoted by Totenberg:
All digital information—such as ballot definitions, voter choice records, vote tallies, or voter registration lists—is subject to malicious alteration; there is no technical mechanism currently available that can ensure that a computer application—such as one used to record or count votes—will produce accurate results; testing alone cannot ensure that systems have not been compromised; and any computer system used for elections—such as a voting machine or e-pollbook—can be rendered inoperable.
As a result of these arguments, most computer scientists favor voting via a hand-marked paper ballot. They believe that computerized optical scanners are a reasonable way to speed up the vote-counting process provided that a state also provides for routine post-election audits that hand count a random sample of ballots to verify the accuracy of the machine count.
Federal legislation to strengthen election security has been blocked by Senate Majority Leader Mitch McConnell. But that doesn’t preclude changes at the state level, with the courts spurring states along in the most egregious cases. Totenberg’s clear and thorough ruling will give opponents of electronic voting machines a bit of extra momentum as they race to decommission as many electronic voting machines as possible before the November 2020 presidential election.
https://arstechnica.com/?p=1552423