The upcoming U.S. presidential election can be rigged and sabotaged, and we might never even know it happened.
This Election Day, voters in 10 states, or parts of them, will use touch-screen voting machines with no paper backup of an individual's vote; some will have rewritable flash memory. If malware smart enough to rewrite itself is inserted into these machines, votes can be erased or assigned to another candidate with little possibility of figuring out the actual vote.
In precincts where vote tallies raise suspicions, computer scientists will be called in the day after the election to conduct forensics. But even if a hack is suspected, or proven, it would likely be impossible to do anything about it.
If the voting machine firmware doesn't match what the vendor supplied, "it's like you burned all the ballots," said Daniel Lopresti, a professor and chair of the Computer Science and Engineering Department at Lehigh University in Pennsylvania. "We have no way to confirm that we can really trust the output from the machine," he said.
This election in particular has computer scientists and security experts worried. They are concerned that electronic voting machines, voter tabulation and registration systems will be hacked. If an attack causes a backup at a polling place and some voters leave and go home, the vote is reduced. This may be as effective as voting-machine tampering in affecting the outcome. It may also undermine confidence in the results. Pennsylvania is attracting the most concern. It is a swing state and many counties use touch-screen systems that do not use a paper ballot or produce a paper record -- for the voter to inspect -- of the voter's intent.
Lopresti was an expert witness for the plaintiffs in a Pennsylvania case challenging the use of touch-screen voting machines. The lawsuit (Banfield v. Cortes) was filed in 2006 by 24 state residents. It argued that the state's election system does not retain a physical record of votes, and suffers from a "lack of meaningful and appropriate security measures." The plaintiffs wanted a system with paper verification of each vote.
But the response by Pennsylvania was to spend nearly 10 years fighting this lawsuit, even as other states reversed course on touch-screen systems.
In 2007, Maryland, for instance, decided to replace touch-screen terminals. Budget issues delayed rollout until 2014, but when Maryland voters head to the polls in November they'll be filling out paper ballots that are fed into an optical-scanner system.
Pennsylvania argued in court, in part, that the electronic voting records were permanent records. The court agreed.
Lopresti can't explain Pennsylvania's decision to stick with touch-screen systems without paper verification. "They tended to believe that some of us were putting forth doomsday stories," he said, and they trusted the technology.
Pennsylvania officials may have worried nonetheless.
On Feb. 2, 2015, two weeks before the voters lost their final appeal in their case, the state appointed Marian Schneider, one of the attorneys representing the voters in their lawsuit, to the post of secretary for elections and administration with oversight for elections and IT systems.
Michael Churchill, an attorney who also represented the plaintiffs, said there has been no change in Pennsylvania, since the court case, in the use of electronic voting machines without paper backup. "However there is much more attention to security issues," he said, in an email. (State election officials didn't respond by press time to questions about security from Computerworld.) But will this extra attention be enough?
Following the 2011 municipal primary, officials in Venango County, Pa., had concerns about the vote, including a tie in one race. David Eckhardt, a computer science professor at Carnegie Mellon University, is also a Judge of Elections at one polling place, and was asked by the county to examine the iVotronic voting terminals and Unity tabulation software made by Election Systems & Software, Inc.
Eckhardt didn't find positive evidence of tampering, but did find "positive evidence of IT practices which were imprudent enough to theoretically provide a wide enough door for a well-equipped, motivated attacker to have tampered with the election." His report included a recommendation for an "explicit written security protocol governing the practices of Election staff."
"Most county governments are better prepared to safeguard boxes of paper ballots than to safeguard boxes of flash memory," said Eckhardt.
In the absence of voter-verified paper records, getting at the truth of a vote will be difficult.
Cynthia and Ernest Zirkle ran for the Democratic County Committee of Fairfield Township, N.J., in June 2011. It was a very small election, with fewer than 100 votes.
This election used one electronic, touch-screen voting machine with no paper copies of the individual votes. Ms. Zirkle and her husband lost the election. But she knew the results were wrong, because she had a good idea about who had voted for her. Proving it took work.
"There was no verifiable paper trail, or back-up paper to see if the names were reversed," said Ms. Zirkle, in an interview. What she suspected was true: The votes that the Zirkles should have received went to their opponents.