Election 2020 (Part II): 3 Security Questions Electronic Voting Systems Providers Need To Answer
We need to have confidence in our electoral processes.
Some things just need to be said: the year 2020 has been (and continues to be) one of the most challenging years of our lifetime — it is a gift that just keeps on giving. Forgive the sardonic take, but it has been one heckuva year to say the least –- and as of the time of this writing, the presidential election continues to drag on due to serious allegations of voter fraud by the Trump campaign amid claims of fraud and growing statistical evidence of anomalies in the voting tallies in many battleground states. Whether or not you agree with the election challenges presented to date, it is hard to miss the significant claims of potential fraud and vote manipulation being made that involve electronic voting (“e-voting”) systems used in the U.S. This situation is leaving many voters with questions over the security and accuracy of these systems, while receiving few answers in the process.
Face it: Most of us casting our votes using e-voting systems do not know where these votes go once we press the “cast your vote” button. To help provide some context, it is worth generally understanding the election process (care of Britannica):
To understand electronic voting, it is convenient to consider four basic steps in an election process: ballot composition, in which voters make choices; ballot casting, in which voters submit their ballots; ballot recording, in which a system records the submitted ballots; and tabulation, in which votes are counted. Ballot casting, recording, and tabulation are routinely done with computers even in voting systems that are not, strictly speaking, electronic. Electronic voting in the strict sense is a system where the first step, ballot composition (or choosing), is done with the aid of a computer.
Is The Future Of Law Distributed? Lessons From The Tech Adoption Curve
Most e-voting systems in the U.S. use some type of specially designed machine to either directly record the vote (a direct recording electronic, or DRE machine) or optically scan a paper ballot, or both. Since DRE machines handle composition, casting, and recording of votes and place that data in memory on the device, the recording of this vote (and how it is handled and later tabulated) is invisible to the voter. As a result, there is lingering controversy over the security and integrity of recorded votes using e-voting systems.
This leads to some legitimate questions about e-voting systems that the vendors should address with more than platitudes to assuage fears of both voters, elections officials and candidates. Here are three of them:
Is your e-voting system subjected to regular third-party penetration testing and vulnerability analysis? In my research I have seen a lot of marketing material claiming their systems “meet or exceed” relevant “industry standards,” but that doesn’t cut it. Being tested and certified by the U.S. Election Assistance Commission (EAC) in accordance with federal Voluntary Voting Systems Guidance (VVSG) is great … but not enough. Vendors of e-voting systems have trusted, highly qualified “white-hat” hackers … I mean, contractors … regularly “hammer” their systems to uncover potentially hidden vulnerabilities so that the systems can be hardened against attack and intrusion both locally and in transmission of data. If a vendor already does so, then they have an immediate market advantage. After hearing about alleged Russian interference in the 2016 election for the entirety of President Trump’s first term, and now allegations of Dominion Voting Systems being compromised by Chinese and Iranian rogue actors in the latest election challenge in Michigan, this is not only recommended, but simple common sense.
Does your e-voting system use an immutable audit trail? From what I have been able to gather, most jurisdictions either use a DRE machine or optical scanner technology to tabulate votes into a file for incorporation into a centralized database. The problem is that this data can ostensibly be manipulated or changed (either through malicious software intrusion or otherwise). This should not be possible under any circumstances. Using current technology (such as blockchain), voting records can be recorded in an immutable ledger that can be used for not only securing the record but audit purposes as well. They are not only cryptographically protected, but they are permanent entries in the blockchain and cannot be changed by design. This immutability fosters security and authentic auditability. For example, if any votes are “dumped” into such a system in the wee hours of election night, it becomes an easier task to cross-reference the votes tallied to actual vote records to determine irregularities and whether any of the electronic votes are not authentic. It’s definitely not perfect, but it is better.
Sponsored
Legal AI: 3 Steps Law Firms Should Take Now
Generative AI In Legal Work — What’s Fact And What’s Fiction?
How Transactional Lawyers Can Better Serve (And Maintain) Their Clients
How Transactional Lawyers Can Better Serve (And Maintain) Their Clients
Do you escrow your e-voting system source code? I realize this is a delicate topic — as an IP lawyer I have negotiated many source code escrow agreements and provisions and understand the issues on both sides of the fence. The problem here is that the very nature of e-voting systems demands accountability and a certain level of transparency. As I wrote in my prior article, states should negotiate source code escrow provisions that include allegations of improper operation of the software as a triggering event so as to authorize the release of source code to a mutually agreed forensic programmer to perform necessary auditing under strict confidentiality restrictions. To the extent potential software shenanigans have been alleged and enough evidence presented to draw the software into question, such a forensic review can address the allegations while protecting the source code from improper disclosure. Securing the value of the vendors’ IP is critical, but so are our votes.
Don’t misunderstand me: e-voting systems cannot prevent all fraud — these systems merely collect, record, and tabulate input data, so bad actors in the chain of custody will always be a problem. Although no system will ever be perfectly secure, there is no reason e-voting systems can’t be more secure by design. We need to have confidence in our electoral processes, and allegations of vote fraud and vote manipulation by the very systems collecting, recording, and tabulating our votes cannot be casually dismissed — they must be taken seriously. For the sake of our electoral system, I remain optimistic that answers to these and other legitimate questions will be forthcoming. Then again, it’s still 2020….
Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.
Sponsored
The Business Case For AI At Your Law Firm
