Hillary Clinton’s defeat in 2016 was a shock. But was the vote rigged? Suspicious of the result, Green Party presidential candidate Jill Stein has petitioned for hand recounts of ballots in Michigan, Pennsylvania, and Wisconsin. Trump backers, who are vigorously fighting these recounts, discount the challenges as based on conspiracy theories or worse.
But even if there isn’t evidence to support worries about widespread vote-hacking, we should still support Stein’s belated quest for recounts, because it highlights the importance of some kind of review of election results as a best practice in modern electoral politics. Re-examining the balloting is urgent because U.S. voting is rife with vulnerabilities. These problems aren’t the worst aspects of a democratic process wracked by voter suppression. But the security of voting systems should be improved as soon as possible—and the time to start improving it is now, not two months before Election Day 2020. However flawed a vessel this recount is, some review is better than none.
On the surface, voting seems like one of the easiest things in the world to automate. Efficiency-minded bureaucrats adopted voting machines in the 19th century. Next came computerization, which nations around the world embraced. But election administration in the United States is so localized that vote-tallying methods can vary from city to city.
In 2016 elections, vote-counting methods included optical scan paper ballot systems, direct recording electronic systems, ballot marking devices, and even hand-counted paper ballots. The great advantage of paper-based systems is that voters effectively generate an independent record of each ballot cast, in addition to whatever ongoing tally is kept mechanically. Known as voter-verified paper audit trails, these records are essential to guaranteeing that your local voting machine isn’t prone to fraud or error. There are many ways to generate such trails; for instance, a machine may print a paper record of the votes you have cast, underneath a glass screen. Such paper records verify that the digital record of voting has some nondigital analog, which can then be compared against digital records in case they are suspected of being errant or altered.
However, as voting security expert J. Alex Halderman observed in mid-November, no state at that time was “planning to actually check the paper in a way that would reliably detect that the computer-based outcome was wrong.” That is a major problem—what is the use of a paper record if it is never audited? Halderman has been working on this problem for years. (I met him briefly when I was a visiting fellow at Princeton’s Center for Information Technology Policy, and I got to see the voting machine he had hacked to play Pac-Man, in a bid to get authorities to pay attention to voting problems.) Halderman has been in communication with the Clinton campaign and has expressed caution about any theories that the election was hacked. But he does think audits are warranted, thanks to well-documented problems with electronic voting.
Some skeptics might counter, What evidence is there that errors affected the voting? Why should we worry? One reason is simple: Past audits have disclosed irregularities in other elections. More fundamentally, both software bugs and hacks can be extremely subtle. They pose a classic black box problem: It isn’t easy for outsiders to inspect either the code or the data. Naturally, data privacy is critical in U.S. voting; the secret ballot ensures no one can be coerced by others to vote a certain way (though the creeping legalization of “ballot selfies” thanks to First Amendment absolutist judicial rulings may soon erode that privilege). The inaccessibility of computer code inside voting machines is rooted in another, more worrisome, set of laws, protecting trade secrecy. Law professor David S. Levine warned in 2012 that “Trade-secret law makes it impossible to independently verify that” many voting machines are working properly. So our main hope for auditable elections has to be hand recounts of paper records of voting.
Resorting to human vote-counters may seem archaic in an age of same-day Amazon deliveries. But the stakes of a failed shopping delivery are far lower than those of miscast ballots. Moreover, if your Amazon account is hacked, you’ll probably notice when someone orders weird products with your credit card. No voter follows her electronic ballot from the voting booth to its official recordation. That’s why third-party audits are essential.
To be sure, some recount processes can be protracted. No one wants to relive Minnesota’s 2008 senatorial election, when Al Franken and Norm Coleman battled for months over the meaning of cryptic ballots. That debacle helped demonstrate how digital voting tools and old-fashioned paper can complement each other. On one ballot, for instance, a voter both filled in the bubble by Al Franken’s name and hand-wrote “Lizard People” underneath. Officials rejected the ballot, and it’s by no means clear the voter involved wanted that outcome. With a voting machine that also had a paper trail, he could have inspected how the computer system interpreted and counted his ballot—and then potentially raised a concern at his voting place if he did not actually intend a spoiled ballot.
In other words, if officials are going to insist on computerizing elections, they ought to put into place systems that allow voters to verify how their votes look to the faceless, automated systems processing them. Once confronted with a record of how his vote is recorded, it is up to the voter to object.
Recounts like Jill Stein wants can be costly and controversial. But an audit is not necessarily the same as a recount. An auditor might inspect some statistically representative sample of votes and look for discrepancies. If none are found, the audit ends. If some are found, the audit can expand from, say, 1 percent to 10 percent of the votes. The audit can ultimately trigger a full manual recount, but it need not begin with one.
But to have truly reliable audits, we first need to nix the direct-recording electronic voting machines. In the 2016 election, 20 percent of computerized voting systems did not have paper audit trails. Paperless electronic voting machines are dominant in Delaware, Georgia, Louisiana, New Jersey, and South Carolina. And many states have these sorts of unreliable machines deployed in some locations—including Pennsylvania, where bizarre precinct-by-precinct petition rules also undermine the possibility of postvote audits. A Brennan Center report includes numerous examples of hacks and failures (like sudden shutdown) such machines are vulnerable to. Moreover, this does not appear to be a field of rapid technological advance—or at least states and municipalities are not investing in such advances. Election officials are finding it difficult to keep aging machines functional.
Nor would a sudden infusion of cash into voting technology necessarily solve the problem. The modern technical environment of frequent software updates creates its own vulnerabilities. And as the Volkswagen scandal showed, software can be programmed to lie—to render results when tested, which hide its actual effects. As computer scientist and verified voting activist Barbara Simons astutely observes, “It would not be difficult to write voting machine software that would, like the VW software, know when it is being tested, and thus behave correctly during testing but not during an actual election.” Until we develop the perfect, unhackable, super-resilient vote-tallying computer, nothing can replace a properly conducted, hand-count of ballots as a reliable audit of votes cast.
Will we ever get such a voting supercomputer? Don’t hold your breath. The strongest proponents of voter-verified paper audit trails and election audits are computer scientists who have repeatedly documented the fragility of technical systems. If you can’t trust blockchain to be unhackable, all the more reason to suspect the antique direct-recording electronic voting systems many jurisdictions are still using. They are an accident waiting to happen—and a vulnerability ripe for exploitation.
Sadly, not many states have robust audit procedures in place. If we had a modernized voting system, we would not need to depend on electoral outsiders such as Stein to prod the U.S. to do what it should have become routine after the wake-up call of the 2000 presidential election. However inconvenient it might seem to maintain voter-verified paper audit trails and audit some percentage of ballots, the alternative—an illegitimate election—is far worse. Kudos to all those pushing for 2016 recounts, since they are helping to educate voters and policymakers about the proper level of skepticism America’s voting system is due.