After an election marred by hacker intrusions that breached the Democratic National Committee and the email account of one of Hillary Clinton's top staffers, Americans are all too ready to believe that their actual votes have been hacked, too. Now those fears have been stoked by a team of security experts, who argue that voting machine vulnerabilities mean Clinton should demand recounts in key states.
Dig into their argument, however, and it's less alarmist than it might appear. If anything, it's practical. There's no evidence that the outcome of the presidential election was shifted by compromised voting machines. But a statistical audit of electronic voting results in key states as a routine safeguard---not just an emergency measure---would be a surprisingly simple way to ease serious, lingering doubts about America's much-maligned electoral security. "Auditing ought to be a standard part of the election process," says Ron Rivest, a cryptographer and computer science professor at MIT. "It ought to be a routine thing as much as a doctor washing his hands."
On Wednesday, University of Michigan computer security researcher Alex Halderman published a blog post arguing that Wisconsin, Michigan, and Pennsylvania should perform recounts due to risks that the election was hacked. The article followed a far more sensational report from New York Magazine the evening before stating that Halderman and a team of experts tried to persuade Clinton staffers to request that recount, citing a disparity in Clinton votes between counties that used fully electronic versus paper ballot voting. (Halderman disputed the accuracy of some of NY Mag's claims, and at no point said there was hard evidence of an actual hack.)
Some election statisticians and polling analysts quickly dismissed the disparity that alarmed Halderman, arguing that the lack of electronic votes for Clinton compared with paper ones was a misreading of other factors. Election quant Nate Silver immediately called it "probably BS," noting that the disparity disappeared when race and education levels were factored in, suggesting those demographic differences explained Clinton's seemingly disproportionate popularity in paper-ballot counties. MIT political scientist Charles Stewart III backed up Silver's point in an interview with WIRED. "Basically pro-Trump counties for whatever reasons were more likely to be voting on electronic voting machines than counties that ended up being pro-Clinton," he said.
Election security experts still agree with Halderman's underlying argument: that auditing elections would help to settle dangerous, persistent uncertainty in a system potentially plagued by hackers. They're not as taxing as a full recount. And, importantly, they shouldn't solely be deployed as an emergency provision in contested elections, but rather a default part of the process. MIT's Rivest quotes his computer scientist colleague at George Washington University, Poorvi Vora: "Brush your teeth. Eat your spinach. Audit your elections."
While there’s no indication that polling places in the three states Halderman calls out were hacked, it’s well established that electronic voting machines are vulnerable to malware that could corrupt votes. Many US voting machines today scan a paper ballot that the voter fills out by hand, and many electronic systems produce a paper record as well. In fact, Halderman notes, about 70 percent of Americans live in voting districts that leave a paper trail, a record that can be used to check voting machines' digital results. But all too often, no one ever does, he writes. "No state is planning to actually check the paper in a way that would reliably detect that the computer-based outcome was wrong," Halderman says.
In fact, around half of all states already do perform some form of "audit" on their electronic voting results. But strangely, those so-called audits aren't actually designed to stop hackers from installing their candidate of choice as president, says Pamela Smith, the president of the non-partisan group Verified Voting, which focuses on election security.
Smith points out that in Wisconsin, for instance, audit rules require 100 voting places to have their votes checked for errors in any election. But that check is meant to identify reliability problems in the voting machines, not wholesale hacking. Even if widespread errors were found, the audit wouldn't be expanded to a larger sample of the machines. And ultimately the only recourse of the auditors, no matter how many erroneously counted ballots they find, is to suspend future purchases of voting machines from that equipment vendor. "It’s almost as if it’s designed to not find out if there’s anything wrong, or if there is, not do anything about it," Smith says.
Performing a real, statistically valid audit of electronic voting results isn't so hard, says MIT's Rivest. Auditing the entire national election would require checking an estimated half a percent of paper ballots, he and University of Berkeley statistician Philip Stark have found. For states with close margin, like this election's results in Wisconsin or Michigan, the audit would need a bigger random sample, but hardly a full recount. Rivest says that statisticians could perform an audit of just 2.3 percent of the ballots in Wisconsin, 11 percent of the ballots in Michigan, or just .7 percent of the ballots in Pennsylvania and determine if the results were correct with 95% certainty. (If they were found to be incorrect, Rivest notes, the audit would be expanded.)
Of course, Rivest's method assumes that paper ballots exist to be checked in an audit in the first place. In some states, including Pennsylvania, they don't: Much of the Quaker State uses so-called direct record electronic (DRE) voting machines. Those machines have not only been found to be vulnerable in many cases to physical access hacks that can infect them with malware in just seven minutes, but they lack any actual paper ballot filled out by a voter. Auditing them may be possible, but would require more skilled and less certain computer forensics work.
Pennsylvania's lack of a paper ballots likely mean no easy audit can call into question the result of this month's election, even if anyone believed that the election had been effectively hacked. After all, Clinton would have had to win Pennsylvania, and Wisconsin, which went to Trump, as well as Michigan, whose votes are still being counted. But a quick, relatively cheap statistical audit could at the very least confirm Trump's victory, putting to rest an uncertainty that weakens confidence in the federal government no matter who the president is.
While there are still a few days left for Clinton to request recounts---which would require her campaign paying for them---election-watchers like Smith and Rivest say the real lesson of the 2016 election and the hacker doubts surrounding it is that American elections should be both auditable and audited. And not as a special measure when one party asks for it, but whenever the vote comes within a certain statistically chosen margin. That means both replacing bad voting machines that don't have a paper trail, and changing state laws around the country to give automatic election audits real teeth.
"An election should provide accurate results, and it should provide credible results," says Rivest. "We shouldn’t be in the situation we’re in now. We should know that the outcome is the correct one."
Until our election technology can give us that certainty, in other words, it will have failed us---whether it's hacked or not.
Additional reporting by Emma Gray Ellis.
