A man walks into a voting booth in Georgia. This joke begins and ends with the booth itself, which is an antiquated dinosaur called the Diebold AccuVote TS—one variety of touch screen voting machine also known as a direct recording electronic (DRE) voting machine. Georgia still uses that particular AccuVote TS, even though that beast has seen better days.1 Thousands of other AccuVote TS machines outside the great state of Georgia have been scrapped.² The state representatives likely have a certain affinity for their voting machines, even though they have been around since the early 1990s.

On the flip side, perhaps the newer machines are too expensive for them to buy. Of course, these machines are used fervently, but they are only used every few years. Perhaps Georgia believes the machines have more staying power.

The volunteer poll workers have given our hypothetical man a plastic smart card. The man inserts the card into the computer, which is attached with old sealant to the thin, notebook-sized touch screen.

This man is older and not necessarily the most technologically savvy person. He still records his business records in ink in ledgers. However, he knows how to work this voting machine, which performs almost like the ATM at his bank. He patiently scrolls through the list of questions with the multiple-choice answers like he did in grade school. He finally gets to the real issue at hand and selects his candidate for president.

Things may go off without a hitch. The man's picks for office are recorded accurately, electronically in its internal flash memory.

Alternatively, things may not work out exactly according to plan. The man could press the name of his candidate and instead the other candidate's name lights up. This is what happened that same day to his fellow American voters in North Carolina, where Trump lit up for people who pressed Clinton's name, and in Texas, where Clinton lit up for people who pressed Trump's name. His vote flipped.3

The problem could be due to human error. The man's finger may be greasy from a snack he might have been eating that morning, and he may have accidentally tapped the wrong button. It is also quite conceivable that the machine was off. The glue may have softened, causing the misalignment of the screen. The software that connects to the touch screen may have lost its calibration. The hardware could also be failing, losing its long-haul efficiency. It is just as likely that the computer, like a person with Alzheimer's, is losing its efficiency throughout the course of the day, specifically because it has performed so many tasks before sunset. On Election Day, then, the moment the Diebold AccuVote TS was created for, the machine malfunctions.

Alternatively, something more ominous could be happening. The machine could have malfunctioned because the system was rigged or compromised, because somebody deliberately practiced vote flipping.

The most vulnerable aspect of all DRE machines, which are currently being used in four other states (New Jersey, South Carolina, Delaware, and Louisiana), is their lack of strong security systems.⁴

While Russian cyberspace operatives were hacking into our voting system in July 2016, Princeton University professor and White House consultant Edward Felten, one of the VIPs seated in the Old Executive Office Building, did think about all DREs, and specifically about Georgia's endearing dinosaur. In 2005, Felten led a team of Princeton graduate students who dissected the Diebold AccuVote TS, piece by piece. A security analysis found extreme problems in the software that would be used in a real election.⁵ Felten explained multiple technical means through which an ill-intentioned person could install malicious software. It was relatively easy to reprogram the software in the system to incorrectly count votes. “The machines are fundamentally computers inside, that will do what they are programmed to do,” he explained. Since the machines aren't connected to the internet, a person who wanted to reconnoiter a machine would have to physically have access to that machine. However, a software upgrade could be performed in less than sixty seconds.6

Hackers could also create viruses in the electronic memory cards that the voting officials use to program the machine through illegal methods, perhaps bribing an electoral official or just stealing a memory card. If you could get your hands on one of these memory cards (in a particular state or county), you could put malicious software on it. The voting machine virus could then spread virally from memory cards to machines, and from machines to memory cards. You wouldn't have to compromise voting booths in multiple states to wreak havoc.

“We also confirmed earlier reports that the machines stored the votes internally—in the order that they were cast, which meant that someone who could get access to the memory cards or the machines could figure out that, say, the seventeenth person who voted that day voted for particular candidates. In most states there are records of the order in which individual voters vote and it's possible for observers in the polling place to make those records,” Felten said.⁷

Later studies confirmed those results. Other studies showed that different kinds of paperless voting machines had similar vulnerabilities. In “America's Voting Machines at Risk,” an extensive 2015 study done for the Brennan Center for Justice, Lawrence Norden and Christopher Famighetti estimated that forty-three states would be using machines bought over a decade ago and that fourteen states would be using machines that are at least fifteen years old.⁸

OPTICAL SCANNING MACHINES

Many states have moved away from those kinds of machines since then, instead adopting optical scanning machines.⁹ These machines scan the paper ballots cast by voters, but the paper record is kept as a backup. Optical scans can be more secure than paperless DRE scans, according to Felten. They are, however, far from perfect.

DETROIT, MICHIGAN

In Detroit in 2016, when more than eighty of the optical scanners that registered and counted votes, which were marked on paper, malfunctioned—in many cases the scanners jammed—there were ballot inconsistencies in 59 percent of the precincts.10 More than 2.1 million votes were recounted before the recount was halted. A Detroit official noted that this kind of chaos happens every election year with their machines.

The recount was spearheaded by Jill Stein, a Green Party candidate running for president, but then the recount was stopped after a judge said Stein's request was invalid.¹¹ Her petition filed in Pennsylvania noted that the mixed bag of optical scan and electronic machines in the state could be vulnerable to hacking, and requested a complete forensic analysis of the machines. Her petition was rejected on several grounds, including there being no evidence that Pennsylvania's voting system was compromised.¹²

DURHAM, NORTH CAROLINA

The monster was raging in the machine here as well, wreaking havoc on Election Day. A technical glitch in the “electronic poll books” caused volunteer poll workers to scramble to look up and confirm voters’ names.¹³ In some areas, they had a paper copy backup system in place, but in others there weren't any records. Delays of several hours caused people to leave without voting. Some voters’ names had somehow disappeared from the system altogether. Other people were informed that they'd already voted when they hadn't. The Voter Protection Hotline rang off the hook. Various counties petitioned for emergency measures. Voting was extended an extra hour, until 8:30 p.m., for residents in two counties, and also extended an extra hour for residents of six additional counties.

Although officials contended that the glitch was a fluky technological mishap, researchers found that the problem may have originated at VR Systems, Inc., the vendor that supplied digital software to manage voting registrations. US law enforcement later determined that its Florida headquarters were hacked by people believed to be Russian-government-based operatives. During the last week of October, the hackers used a VR Systems’ address to send 122 emails to state and local officials across the country whose attachments contained malware, which was reportedly a ruse to mine for enough information to cause disaster, according to an NSA report.14

Trump ended up winning North Carolina. It was a swing state that was expected to favor Hillary Clinton. Durham County, in particular, was largely Democratic. The county has more than 38 percent African American voters, three-quarters of whom had voted for the reelection of Barack Obama.¹⁵ Twenty other counties in North Carolina used VR Systems, Inc.¹⁶

THE MONSTER IN THE MACHINE: THE HANGING-CHAD INCIDENT

This is certainly not the first time our election system has been called into question. And it is not the first time election chaos has been blamed on the monster in the machine.¹⁷ The outcome of the most contentious presidential election in United States, the race between George W. Bush and Al Gore in 2000, hinged on thousands of votes cast on the now defunct Votamic-style punch-card ballots (Votamics were last used in the 2014 general election in Idaho).¹⁸ Voters use a stylus to punch holes in a card for each candidate chosen. The punch goes through the backing to remove a chunk of chad. The hole that is left counts as the vote. In the Florida election, 1.9 million ballots were considered “spoiled votes,” which means essentially that the punched holes were indecipherable.¹⁹ These were called “hanging chads,” in which some corners of the punched marks still attached to the page and “fat chads,” or “pregnant chads,” where all the corners were attached but a faint indentation seemed to have been made.²⁰ The punch cards were counted by optical machines.

According to a report by the US Civil Rights Commission, more than half of these spoiled ballots were used by African Americans, who were largely expected to vote Democrat in that election.²¹ Many of the more antiquated machines were in predominantly African American voting precincts, such as those in Gadsden County, which had in equal measures the highest number of black voters and the highest rejected vote rates. An African American voter was ten times as likely as a Caucasian voter to have a rejected vote. African American voters were less likely than voters in more affluent, predominantly Caucasian counties to receive a replacement ballot if they used the punch cards incorrectly.22

Approximately 6,600 votes lost in Palm Beach County were attributed to the butterfly ballot in use there, which opened like the wings of a butterfly and had candidates’ names on two sides and punch holes in the middle.²³ (How was this ballot supposed to work, ideally?) Many voters, especially elderly people, claimed they were confused by the way names were listed on the ballot and could well have voted for the wrong candidate.

The pregnant chads, hanging chads, and butterfly ballot mishaps were discovered during an extensive, painstaking recount.²⁴ The Florida recount occurred following a media super blunder, in which national networks mistakenly called Gore the winner in the state before everyone had a chance to vote. Later, the media reversed their call and gave it to Bush, only to then change their minds again and deem the election “too close to call.” The election margin was tight, with Bush leading by just 537 of the 5.8 million votes cast. After thirty-six days of deliberation, Gore ultimately conceded the race to Bush.²⁵

There were a multitude of lawsuits against the state, alleging discriminatory practices and overt racism during the election. For example, there was a massive removal of predominately African American voters from the rolls due to a list of nearly sixty thousand suspected felons that was sent to election supervisors prior to the election, which was riddled with mistakes.²⁶ Following a legal battle between the NAACP and an organization called Database Technologies, the latter reran names on the “purge list” and found that approximately twelve thousand voters who were not felons weren't allowed to vote because they were on the original list sent to the elections office.²⁷

Many claimed that the discrepancies were caused by a scheme Florida's former governor, Jeb Bush (George's brother), created to eliminate from the voting rolls those who were projected to vote Democrat and for Al Gore. This included mostly African American and Hispanic voters who were Democrats.

Three days of hearings were conducted by the US Commission on Civil Rights, during which Floridians gave testimony about some of their problems in voting, including being turned away because they were on the purge list, being blocked from remote polling locations, and because they had difficulties with antiquated voting equipment. The commission concluded that there were significant violations of the Voting Rights Act of 1965—which prevents the Fifteenth Amendment's tenets against voting discrimination, including discrimination on the basis of race.28

The report does not find that the highest officials of the state conspired to disenfranchise voters. Moreover, even if it was foreseeable that certain actions by officials led to voter disenfranchisement, this alone does not mean that intentional discrimination occurred. Instead, the report concludes that officials ignored the mounting evidence of rising voter registration rates in communities. The state's highest officials responsible for ensuring efficiency, uniformity, and fairness in the election failed to fulfill their responsibilities and were subsequently unwilling to take responsibility.²⁹

The hearings also determined African American voters were targeted on purge lists; for example, in Miami-Dade, Florida's largest county, black people represented only 20 percent of the population, but represented more than 65 percent of the names on the purge list.³⁰

Florida did institute legislation to address problems with the 2000 presidential election.

The Commission publicly applauded this development as soon as it occurred, and even before the details of the legislative package were finalized. The Commission reiterates that Florida and its leaders deserve credit for the new election law.

However, the same leadership that effectively ensured passage of the recent legislation was missing in the years and months leading up to the November 2000 election. If the same level of leadership had been present, the Commission's investigation reveals that most of the problems during the past election would have been prevented, and the dire consequences documented in this report could have been avoided.31

The maelstrom eventually led to the establishment of the Help America Vote Act (HAVA) of 2002 by Congress, introducing revolutionary changes to voting systems and voting access—and introducing minimum standards for states’ election administration. It requires states to implement several procedures that were previously unrequired, like upgrading equipment, creating protections for statewide voter registration databases, and instituting measures to deal with administrative complaints. It also established the Election Assistance Commission to help states comply with HAVA and to give them funding to do so.³²

While it can be difficult to determine whether glitches in the machine or nefarious humans are the ghosts behind state elections that do not seem to go off according to plan, it seems that in these times it is as important to first shore up the machines as it is to uncover accountability. It seems a no-brainer that states complying with HAVA and that have been part of our country's history would set the bar high for their equipment. To find out why this isn't happening across the board, as well as to learn some of the long-term dangers of keeping our systems outmoded and unchecked in the future, I spoke with Edward Felten.³³

I asked him first about the AccuVote TS, and why Georgia officials hadn't acknowledged how risky those machines are.³⁴

Felten: I think there [are] several factors. One is that they are hearing from some people, including the vendors selling the machines, that there are some people who claim that those risks are overstated. I think that's number one.

Number two is that to change [systems] would cost money. It would be inconvenient. There would be some risk of the change not going smoothly. So, people would prefer not to change. I know in New Jersey the dollar cost of changing the voting machines has been one of the factors that held back a switch to more secure technologies. And the other thing that happens is, in some of these cases, there are public officials who have staked some of their reputations on the idea that these machines are secure enough to use. It can become difficult for them to back down from that position.

Pegues: Is the secretary of state in Georgia one of those guys?

Felten: I don't want to speculate about that particular case. But this is a phenomenon that we've seen in other states, and sometimes in other places. Sometimes changes to the technology become easier when people rotate out of certain positions. Change is sometimes slow in government processes. I think that there's been ample time for Georgia and other states to make changes, and that they should have long ago. We'll see if they're actually going to move forward now. I do think that the threat is higher now than it was back in 2005 [when Felten and his Princeton team first learned of the voting machine vulnerabilities]. I think that's one of the reasons why we may see a renewed push for better technologies now.

Felten believes that the lack of better technologies put us in a vulnerable place for attack by outside entities such as Russian hackers.

Pegues: One of your former colleagues, Alex Halderman, said that he has no doubt that Russian intelligence operatives have the capability to change votes.

Felten: I agree that it's within the technical capability of the Russian intelligence service or other foreign intelligence services to do that, at least on some of the systems that are used. On the DREs, if a couple of graduate students in my lab were able to do what they did, an intelligence service that has more people, more resources, and many less scruples would be able to do a lot more.

However, Felten doesn't believe voting booths were tampered with in the 2016 elections.

Pegues: All right, so when you hear US intelligence officials testifying on Capitol Hill saying that essentially as far as we can tell, no votes were tampered with, I have sources who are telling me that they struggled over what to say about that, how to word their responses when they were asked about that. I'm wondering, do you have confidence in that assessment?

Felten: I do, yes.

Pegues: Why?

Felten: For a couple of reasons. And I need to speak a little bit carefully here, because I was a government official during this time. I need to be careful that I'm not revealing something I shouldn't. But what I would say, generally, is that to understand what a foreign intelligence service might be doing, you might understand…by seeing the effects of what they're doing.

You might understand it because you have other intelligence sources that help you understand what they're planning, what orders have been given, and so on. In other words, there are other sources of information about what Russian intelligence services are trying to do and [actually] doing beyond just looking at voting machines.

I think when you take into account the sources of information that the US intelligence community had, the assessment that there was not a Russian attack on the Election Day voting process itself is justified.

Pegues: So, based on what happened with 2016 and the information that is still really coming out about election systems and databases being penetrated, what is your prognosis for the system, or your assessment of the system that we have in place and whether it can stand up to Russian intrusions?

Felten: There are two ways to look at that question. One, what is the likelihood that they could cause trouble or that they could cause parts of the system to fail? I think it's very difficult to prevent a very highly resourced and capable organization like a nation-state-level adversary from causing technical trouble within a system.

The next question to ask is, can we create a system that is resilient enough to deal with that possibility should it happen so that we know what happened, that we have the ability to figure out what the voters actually did, and make sure that people can have confidence in the results of the election, even if there is technical mischief? And in order to do that it requires having safeguards in place and cross-checking different kinds of results against each other, and so on.

So that means having a paper record of each vote that the voters [made], taking care with the chain of custody on those paper records, and then doing postelection audits to make sure that those paper records are consistent with the electronic record. All of these things are part of building a system that is resilient so that if someone does monkey with voting machines, we'll be able to detect it and correct it.

Pegues: Does the state of Georgia have that kind of system in place, as far as you know?

Felten: Georgia does not have a voter-verified paper record. Their voting systems are not secure enough that if some very capable actor were to target a Georgia-based election, it might be impossible to figure out. It might be impossible to know what the voters were really trying to do on that Election Day.

Pegues: What about New Jersey?

Felten: New Jersey has similar problems. Its systems are somewhat older, and in some ways more difficult to tamper with. But still, New Jersey doesn't have the safeguards that it ought to have.

Pegues: If you were still in the White House, and you were looking ahead to the 2018 and 2020 elections, what would you be doing now? What would you be trying to convince secretaries of state or election officials in states across this country to do?

Felten: First of all, to move away from DRE voting machines and to do two things with respect to the Election Day process. One is to use a voting system that has a voter-verified paper record of the vote, a voter-verified paper ballot. Then, second, risk-limiting audits after the elections. [Paper audits are] a way of comparing those paper ballots against the electronic record to make sure that they're consistent.

Pegues: How many states do that currently?

Felten: It's complicated. That's a complicated question, more complicated than it should be, maybe because there are different types of randomized audits that can be done postelection. And some of them are better from a standpoint of being statistically sound.

The majority of states either don't do these postelection audits, or do ones that should be improved. That I can say. I don't want to try from memory to remember which states do this in the best way. I think it would be great to see some kind of national norm that states could agree to about what a sufficient risk-limiting audit looks like. And there are statisticians and other experts who have worked out the technical details of this. But getting states to adopt those procedures would be very helpful.

Pegues: What do you think the Russians were trying to do? I've heard that it was to cause confusion, maybe suppress the vote in some places, maybe alter data.

Felten: Without guessing about what the Russians were trying to do, I can talk about the possible things that an adversary might try to do. I would break those into two categories. The first would be to try to actually modify the result of an election, which means somehow tampering with the casting or tallying of votes in a way that is not detected.

The second thing you would worry about is attempts to disrupt the election or to undermine its legitimacy. That could include things like causing systems to not work on Election Day so that voters show up at the polls and they're not able to vote. That could include things like scrambling the voter registration databases, so when voters show up on Election Day they are told they're not on the rolls.

It could involve things like tampering with machines in ways that are detected in order to cast doubt on the outcome. All these sorts of things might either disrupt or undermine confidence in the election, and that's another scenario that one would need to worry about.

Pegues: That happened in North Carolina.

Felten: You're referring to the electronic poll books in Durham?

Pegues: Yes. US law enforcement believes Russian hackers targeted VR Election Systems, which provided voting systems to North Carolina and also most of Florida. In North Carolina, you had people showing up at the polls amid confusion about whether they could vote.

Felten: In every big national election there are some technical problems, which frustrate people in some places. The question about North Carolina in this instance is [whether] this is an example of that, or is it something that's sort of deeper and more problematic?

And I don't know whether that's the case or not, based on the public evidence I've seen. But it is a question to be asking. Also, we should be clear that the worst case, one that we would lose sleep over, would be much worse than that. It might be voting systems failing to work across a whole state. Really large-scale dislocation or disruption.

Pegues: Are the Russians, in your view, capable of something like that at this point?

Felten: As a technical matter, yes. Our nation-state adversaries are capable of those sorts of things now. Again, we need to be buttoning down the details of our systems to make sure they're as resilient as possible so that people can have confidence that we are able to detect and unwind any kind of attack that happens.

Heading into the 2018 midterm elections, confidence was lacking in the election systems across the country. Even lawmakers in Georgia were introducing legislation to change the sixteen-year-old touch screen voting machines across the state with a paper-based system. The state's twenty-seven thousand machines did not have a paper backup and had proven vulnerable to hackers.35 Lawmakers estimated that it would cost about $25–$35 million to buy the new equipment and that it wouldn't be in place in time for the 2018 midterm elections. Other states were considering similar upgrades, but the clock was already ticking down to the next major election and the pressure was on state and federal officials to secure systems across the country.

In 2018, about seven months before the November elections, Department of Homeland Security (DHS) officials convened a meeting of state and local election members from across the country. On the weekend's agenda was a onetime-only classified briefing for the state and local officials who hadn't yet gotten security clearances. The DHS was trying to bridge the gap between what they knew about the Russian intrusions in 2016 and what state election officials knew. But it was almost as if the two sides lived in very different worlds from each other. An election official in the meeting told me several people in the room were alarmed when a federal official used an antiquated phrase to describe the voting process. The source told me the DHS official said that “the next time people go pull the levers to cast their votes….” What the federal official didn't seem to know was that the statement had pulled back the curtain on the depth of what the DHS and US intelligence and law enforcement agencies did not know about how elections really work. The election official who relayed the account of the meeting to me was frustrated by the comment and insisted, “We don't pull levers anymore!” Fifteen months after the Russian government worked to disrupt the US presidential election, federal officials tasked with stopping the next influence campaign still had a lot to learn.