Securing our Elections
Privacy Plus+
Privacy, Technology and Perspective
Securing our elections. This week, we return to the topic of election security, and governmental entities who contract without appropriate due diligence and contract negotiations.
Vice has reported that voting machines made by the top voting machine company in this country, Election Systems & Software (“ESS”), have been left exposed online despite ESS’s denials, and to the ultimate effect of potentially allowing a hacker to alter official election results. A link to the article in Vice follows: https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials.
Hacking election machinery may not be nearly as hard to do as we might suppose – or as hard as it jolly-well ought to be.
The Guardian reports that at the Defcon hackers conference last year, a collection of children were given basic hacking instructions and then were turned loose on the voting machinery of a number of states. It took an eleven-year old girl all of ten minutes to hack the first voting machine and change the election results. Every one of the states’ machines followed. On average, the kids took about fifteen minutes to crack each machine. A link to the article in The Guardian follows: https://www.theguardian.com/technology/2018/aug/22/us-elections-hacking-voting-machines-def-con. And now, this weekend, politicians have descended on this year’s Defcon, seeking “white hat” hackers’ help in up-securing machinery and processes. The following article describes how lawmakers are now interfacing with Defcon’s “Voting Village”: https://www.cnet.com/news/lawmakers-turn-to-hackers-at-def-con-to-get-election-security/.
We have little patience or excuse for governments that contract for voting machines without first having undertaken painstaking due diligence and detailed contracting. We have previously written on this subject, describing how Chicago and Detroit fell short in their due diligence obligations when they purchased facial recognition systems from DataWorks Plus, in part, because they apparently did not notice that their vendor did not have a privacy policy posted on its website (facial recognition technologies clearly present privacy concerns, so not having a private policy should just as clearly be a big red-flag). For more on this, please refer to our post linked here: https://www.hoschmorris.com/news-hm/privacy-plus-may-25-2019. Last week, we also noted, but did not name a voting machine vendor with no privacy policy. Well, now we are naming Dominion Voting Systems (to whom the State of Georgia awarded a contract valued at over $100M). At your own risk, you can take a look at Dominion’s website here: https://www.dominionvoting.com/. And Travis County, Texas, which encompasses the capitol city of Austin, appears to have a disconnect between what it has contracted for and how its vendor describes the product. (For more on Travis County’s contracting problems, take another look at the article in Vice referenced above).
How secure is your own local election machinery? According to Verified Voting (“VV”), a nonprofit organization that tracks voting machine use across the country, our own Dallas County, Texas contracts with ESS for its voting machines. The following link directs to VV’s web tool, which allows you to see precisely which ESS voting machine models Dallas County is using, and also to query which vendors are servicing other jurisdictions: https://www.verifiedvoting.org/verifier/.
If democracy-threatening weaknesses in American voting machinery are apparent to eleven-year olds, they have not escaped the attention of our nation’s adversaries, either.
Former special counsel Robert Mueller’s report confirmed that in the 2016 election Russians targeted at least one private vendor that provided election software, stating, “[i]n August 2016, GRU officers targeted employees of [REDACTED], a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network.” See Mueller Report at 51 (a link to the full Mueller report appears in our Privacy Plus+ post, dated August 3, 2019, and linked as follows: https://www.hoschmorris.com/news-hm/privacy-plus-august-3-2019).
If we can’t rely on our election results, then we can’t rely on our democratic process. Therefore the first requirement of voting machines is that they produce an accurate count of voters’ decisions. Everything else – speed in reporting vote counts, ease of use, even cost – is a distant second. Governments at every level should realize that. Painstaking due diligence, careful contracting, and the best cybersecurity this country’s best minds can produce, are all required.
Otherwise, paper ballots may actually be the answer.
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.