November 23, 2016 | By Jacob Hoffman-Andrews

E-Voting Machines Need Paper Audits to be Trustworthy

ballot box

Election security experts concerned about voting machines are calling for an audit of ballots in the three states where the presidential election was very close: Michigan, Wisconsin and Pennsylvania. We agree. This is an important election safety measure and should happen in all elections, not just those that have a razor-thin margin.

Voting machines, especially those that have digital components, are intrinsically susceptible to being hacked. The main protection against hacking is for voting machines to provide an auditable paper trail.

However, if that paper trail is never audited, it's useless.

EFF worked hard, alongside many others, to ensure that paper trails were available in many places across the nation. While there are still places without them, we have made great strides. Yet this election was a forceful reminder of how vulnerable all computer systems are. 

We not only need elections to be auditable, we need them to be audited.

We should use this opportunity to set a precedent of auditing electronic voting results to strengthen confidence—not only in this election, but in future ones.

There is precedent for hackers attempting to influence elections by tampering with voting infrastructure: Ukraine's 2014 election came under attack from pro-Russian hackers, and this spring Bloomberg reported on how a team of hackers targeted elections throughout Latin America. There was also plenty of hacking related to the 2016 US election, with two separate major dumps of political emails and several reports of attempted attacks on election systems. These attacks tell us that hacking groups, some of whom may be nation states, were particularly interested in affecting this election's outcome.

Of course, there is good reason to believe US voting machines are vulnerable; for years, EFF along with hundreds of security experts nationwide and even worldwide sounded the alarm about the risk posed by insecure voting machines. EFF handled many cases arising from problems with the machines.  In 2004, California decertified many voting machines due to serious security flaws.

Most e-voting machines are not connected to the Internet, but disconnection isn't a sufficient defense against hacking. Malware can be engineered to cross a so-called air gap by riding on removable storage media like thumb drives and SD cards. The Stuxnet worm is a remarkable example of this in action. It was designed to infect internet-connected workstations and then copy itself over whenever a thumb drive was plugged into those workstations. Once an infected thumb drive was plugged into an air-gapped system, the worm would install itself and begin its work. The voting machines used in America are updated using removable storage that is at some point plugged into a regular computer in a government office. Hackers need only compromise that computer, and they can use that toehold to copy a Stuxnet-like worm onto all removable storage that comes into contact with it and matches a certain profile. Once plugged into a voting machine, that worm could alter the machine's software to subtly change the vote. A particularly well-written worm would automatically reverse those changes after the election to cover its tracks.

There's a defense against the possibility of hacked voting machines: good, old-fashioned paper. Thanks to tireless advocacy by EFF and other voting security experts, many e-voting machines record a paper copy of all votes. But, like a seat belt, these paper records only work if you use them. Currently, U.S. states need far more buckling up.

That could change. Candidates can petition for a recount. The deadlines for such a petition are coming up fast: Friday in Wisconsin, Monday in Pennsylvania, and Wednesday in Michigan. It's especially worth auditing the vote in these states, because they had some of the closest margins in the presidential election and therefore are the most interesting targets for hackers looking to swing the election.

Counting the paper ballots isn't just good for increasing voter confidence in this year's election, it's good electoral hygiene and a basic safety measure. We hope that audits this year can serve as a guiding example for states to improve their election systems for future years: by replacing paperless voting machines with optical scan systems and adopting inexpensive risk-limiting audits as a routine matter.

With concerns about election hacking higher than ever, this is a turning point in securing our election systems. We ask the Clinton campaign: call for for recounts in Wisconsin, Pennsylvania, and Michigan. Even if you think an election-changing result is unlikely, it is a vital step on the road to securing our democracy.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Agreements that change how the Internet works should be made transparently, with input from users. https://www.eff.org/deeplinks...

Feb 22 @ 4:17pm

Virginia Supreme Court should protect drivers from license plate surveillance. https://www.eff.org/deeplinks...

Feb 22 @ 3:55pm

Sen. Wyden stands up for travelers, quizzing the Dept of Homeland Security about border searches of digital devices. https://www.eff.org/deeplinks...

Feb 22 @ 2:54pm
JavaScript license information