With Election Day only weeks away, alarms have sounded about the possibility of hackers tampering with the results. Andrew Appel ’81, the Eugene Higgins Professor of Computer Science, has shown that it is possible to hack into a voting machine in a matter of seconds, armed with just a screwdriver. PAW discusses the security risks and possible solutions with Appel.
Haven’t voter-registration databases been hacked this year?
Yes, in Illinois and Arizona. But it is possible to recover from this sort of hack. If you’re told at the polls you’re not registered and you believe that is a mistake, you can cast a provisional ballot and they can sort it out afterward. Most jurisdictions also check each voter’s name in a printed poll book. Once those poll books are printed, hacks into the voter-registration database are less likely to disrupt the election, although some places use electronic poll books. If those fail, there are more potential problems.
How about tampering with actual voting machines?
Appel on voting under the names of dead people or voting twice: “In the last two decades, in-person voting fraud of that kind just hasn’t been documented, beyond — at most — one attempt per 30 million votes.”
Approximately 40 states vote on paper ballots, which are then counted by an optical-scanning machine. If those machines are hacked, the paper ballots can be recounted by hand. In five or six states and significant parts of several others, though, they use paperless touch-screen voting machines, and those machines can be hacked, as I have demonstrated, and there are no paper ballots to recount.
What should we be doing?
States that have not yet adopted optical-scanning voting machines should do so. After the debacle of the 2000 presidential election, Congress outlawed punch-card ballots. It would be very appropriate to outlaw paperless touch-screen voting machines, as well.
Have states been working to protect the vote this year?
In many places, election administrators have been trying to follow best practices, which include not connecting ballot-programming computers to the internet. Unfortunately, some places say they have been taking precautions but haven’t.
WATCH Andrew Appel ’81’s TEDxPrincetonU Talk, “Internet Voting? Really?”
The Department of Homeland Security has offered to help states and localities with their cybersecurity. That’s helpful, but you can never totally prevent computers from being hacked. The best thing is to use optical-scanning voting machines with paper ballots that can be recounted by hand, if necessary. It is also important to have a transparent process of announcing the results in each precinct, with outside witnesses present who can check the results if there are questions.
Interview conducted and condensed by Mark F. Bernstein ’83
5 Responses
Michael Otten ’63
8 Years AgoLee Varian, BSEE 1963, was...
Lee Varian, BSEE 1963, was an expert on redistricting, otherwise known as gerrymandering. Can we see any follow-up of his work in this area, or more on what happened in 2010+?
Anonymous
8 Years AgoSam Wang, the professor who created...
Thanks, Michael. Sam Wang, the professor who created the Princeton Election Consortium, and recent grad Mark Tengi '16 built an online app to diagnose partisan gerrymandering. You can explore an online demo at gerrymander.princeton.edu/
Michael I. Shamos ’68
8 Years AgoVoting-Machine Security
The Oct. 26 issue featured an interview with Professor Andrew Appel ’81, “Election Hacking 101,” in which Dr. Appel pronounced “paperless touch-screen voting machines” hackable and insecure.
My career has intersected with Dr. Appel’s. We both graduated from Princeton. Professor Appel was a graduate student at Carnegie Mellon while I was a computer science faculty member there, and we were opposing experts in the case of Gusciora v. Christie, brought in N.J. Superior Court in Mercer County to enjoin the use of touch-screen machines in New Jersey. After a bench trial extending over five months, during which Dr. Appel demonstrated his hack to the court, the judge found that the voting machines were not insecure. This decision was upheld by the Appellate Division Sept. 16, 2013, and the case ended.
To be clear, there are no “paperless” touch-screen machines used in New Jersey or anywhere else in the United States. All electronic voting machines are required by law to have the capability of making a “permanent physical record of each vote cast.” They do this by recording votes on a paper roll internal to the voting machine, which permits subsequent audit and recount.
Bruce T. Draine
7 Years AgoVoting-Machine Vulnerability
The Oct. 26 issue contained an interview with Professor Andrew Appel ’81 in which Appel discusses the vulnerability of the touchscreen electronic voting machines used in New Jersey and many other states.
In the Dec. 7 issue, letter writer Michael Shamos ’68 stated that the touchscreen voting machines used in the United States are required to record the count on a paper tape, and that this allows the accuracy of the count to be verified by “subsequent audit and recount.”
Considering Shamos’ extensive experience with voting technology, this statement appears deliberately misleading. On these machines, the paper tape can’t be seen or checked by the voter, and doesn’t print until the polls have closed. If the voting machine software has been “hacked” to bias the count (e.g., by shifting a fraction of the votes from one candidate to the other), a competent hacker would ensure that the final printout to the paper tape agreed with the subverted electronic tally.
In actuality, the touchscreen voting machines used in New Jersey and many other locales have no “paper trail” that could be used for an independent audit to verify the vote. One wonders why our legislators are content with elections conducted using such a vulnerable system. Cui bono?
Armin Rosencranz ’58
7 Years AgoVoting Vulnerability
Published online July 6, 2017
Michael Shamos ’68 (Inbox, Dec. 7) is well known for being one of the few computer scientists who have defended direct recording electronic (DRE) voting machines. Trump’s modest victory – Clinton won the popular vote by 2.8-plus million – seems attributable to the disenfranchisement of low-income and minority citizens, the promulgation of fake news, Russian hacking, and vulnerable DRE voting machines.