Earlier this year, US intelligence agencies blamed the Russian government for leaking emails stolen from senior Democrats in an attempt to influence the US election. We also know that someone — likely the Russian government — tried to hack voting infrastructure in Ukraine to change the outcome of the election there.
So could the Russian government have used its hacking capabilities to directly modify the results of the 2016 election in the United States? It’s a serious possibility — serious enough that US election officials should be on their guard against it. But under current law, election officials in most states don’t perform even basic checks to make sure that the results have not been modified by malware.
In a Wednesday post, computer scientist Alex Halderman, a leading expert on the security of voting systems, argues that this needs to change. (Halderman’s post follows a widely circulated New York magazine article that Halderman says incorrectly described his views.) The first step, he argues, is for the Clinton campaign to request recounts in key swing states.
“Were this year’s deviations from pre-election polls the results of a cyberattack? Probably not,” Halderman writes. “I believe the most likely explanation is that the polls were systematically wrong, rather than that the election was hacked.” But he argues that a recount is the best way to make sure.
Traditionally, recounts have been viewed as an extreme step that should be taken only in the event of a razor-thin result like we saw in Florida in 2000. But in today’s era of hackable voting systems, these checks need to become routine. It’s the only way to ensure that foreign governments or other malicious parties can’t tamper with the results of US elections.
Elections are hackable even in states that use paper ballots
In the wake of the messy 2000 election, Congress provided states with billions of dollars to improve their voting systems. Many states “upgraded” to touchscreen voting machines that stored voting results electronically. That proved to be a huge mistake. In 2006, Halderman was part of a team of Princeton researchers that showed how easy it is to hack these machines and make them produce inaccurate results.
Over the past decade, election officials in many states have heeded these warnings and switched to using paper optical-scan ballots. However, this doesn’t totally foreclose the possibility of election hacking, because the machine that counts the votes is still a computer that could be hacked.
These vote-counting computers are not online, so they can’t be hacked directly from the internet. However, as Halderman explains, “shortly before each election, poll workers copy the ballot design from a regular desktop computer in a government office, and use removable media (like the memory card from a digital camera) to load the ballot onto each machine. That initial computer is almost certainly not well secured, and if an attacker infects it, vote-stealing malware can hitch a ride to every voting machine in the area.”
The good thing about optical-scan voting machines is that a human being can double-check the machine’s work. If a vote-counting machine is systematically shifting votes from one candidate to another, a manual recount of randomly selected ballots should detect the discrepancy. But this only works if someone actually performs the check. And under current election law in most states, that doesn’t happen.
America’s recount laws are outdated
Most states allow candidates to request a recount in the event of a close election. If the result is very close, the state will often cover the costs of the recount. Otherwise, the candidate has to pay for the costs of the recount. In Wisconsin, for example, a candidate must pay for the recount if the margin of victory was larger than 0.5 percent.
In the pre-computer era, this rule made a lot of sense. Back then, the main concern was about humans making honest mistakes or old-fashioned voting machines malfunctioning. These kinds of errors could only alter the result of an election by a small margin. So it only made sense to do a recount if the result was very close to start with.
But things look different if you’re worried about someone deliberately manipulating an election result. Malware can change 3 percent of votes as easily as 0.3 percent of votes. So a comfortable margin of victory doesn’t tell us much about whether the election was hacked.
So in a world of computerized voting systems, it’s a good precaution to automatically do manual checks of the electronic counts. And fortunately, modern statistical techniques allow election officials to verify the results of an election at a much lower cost than it would take to perform a full-blown statewide manual recount.
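The statistical techniques mentioned above include ballot-polling audits, which hand-check a random sample of paper ballots until the evidence for the reported winner is strong enough. The following is an added illustration, not taken from the article or from Halderman's post: it runs a sequential likelihood-ratio test in the style of the BRAVO ballot-polling audit on a constructed two-candidate contest. The ballot counts, the 5 percent risk limit, the seed and all function names are assumptions.

```python
import random

def ballot_polling_audit(paper_ballots, reported_winner, reported_share,
                         risk_limit=0.05, seed=2016):
    """Sequential ballot-polling audit of a two-candidate contest.

    Draws paper ballots at random (with replacement) and updates a
    likelihood ratio comparing "the reported share is right" against
    "the contest was really a tie". Returns (confirmed, ballots_examined).
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported winner must hold more than half the votes")
    # Fixed seed keeps this example repeatable; a real audit would derive
    # its seed from a public random draw made after the results are posted.
    rng = random.Random(seed)
    ratio = 1.0
    max_draws = len(paper_ballots)  # past this point a full hand count is cheaper
    for drawn in range(1, max_draws + 1):
        ballot = rng.choice(paper_ballots)
        if ballot == reported_winner:
            ratio *= reported_share / 0.5
        else:
            ratio *= (1.0 - reported_share) / 0.5
        if ratio >= 1.0 / risk_limit:
            return True, drawn      # strong evidence the reported winner won
    return False, max_draws         # never confirmed: escalate to a full recount

# Constructed paper trail: 100,000 ballots, B truly wins 51.5% to 48.5%.
PAPER = ["B"] * 51_500 + ["A"] * 48_500

def honest_scan():
    # The scanner reports what is on paper: B wins with 51.5%.
    return ballot_polling_audit(PAPER, "B", 0.515)

def tampered_scan():
    # Constructed tampering: 3% of all votes moved from B to A,
    # so the scanner reports A winning with 51.5%.
    return ballot_polling_audit(PAPER, "A", 0.515)

if __name__ == "__main__":
    for name, scenario in (("honest", honest_scan), ("tampered", tampered_scan)):
        confirmed, examined = scenario()
        print(f"{name}: confirmed={confirmed}, ballots examined={examined}")
```

With this constructed tally, the honest result is confirmed after hand-checking only part of the ballots, while the tampered result never reaches the confirmation threshold and falls through to a full hand count.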
Asking for a recount would enhance public confidence in the election
The key swing states of Wisconsin and Michigan predominantly use paper ballots, so their results can easily be checked. Pennsylvania uses a mix of paper ballots and electronic voting machines. So verifying its results will be harder, but at least the paper ballots can be checked.
The deadlines for the Clinton campaign to request recounts in these states are coming up within the next week.
But that doesn’t mean it will request a recount. In fact, there are two big reasons for the Clinton campaign not to.
One is money. Today’s cumbersome recounts can cost millions of dollars to perform, and the Clinton campaign might have to pay those costs. However, this doesn’t seem like a very big obstacle. There are millions of disappointed Democrats out there who are worried about tampered election results. Some fundraising emails to Clinton’s existing base of contributors could raise the necessary funds.
The second and more serious objection is that frivolous recount requests could compromise public faith in the election results. Throughout the campaign, Hillary Clinton stressed the importance of accepting the results of the election. Skeptics worry that if Clinton were to request recounts without any tangible evidence that the original count was wrong, it could legitimize conspiracy theories and ultimately undermine confidence in the election result — and the democratic process more generally.
But in the era of hackable voting systems, that gets things precisely backward.
Foreign governments tampering with US voting machines is a real threat. And if someone carried out a sophisticated attack on America’s voting systems, there might not be any obvious signs other than the changed outcome. So if no one manually checks to verify that the electronic results were accurate, it’s totally rational for the public to doubt the integrity of the results.
The solution is to make recounts (or equally reliable but much more affordable statistical audits) a routine part of the vote-counting process. If election officials audit the results of every election, then the decision to audit a particular election won’t give credence to conspiracy theorists, and it will bolster rather than undermine public confidence.
Making audits a routine part of the election process would have another big benefit too: It would deter foreign governments from trying to steal election results in the first place. Our current procedures create a significant chance that a hacked election would go undetected — which is a huge temptation for someone to try it. Under a system of routine audits, in contrast, hacked results would almost certainly be found, which means a foreign government probably wouldn’t bother. By requesting a recount this year, Clinton would help to set a precedent that integrity checks should be a routine part of the election process.
Swing states could change their laws by 2020 so that audits happen automatically, without the losing candidate having to request them. But until that happens, it’s better to be safe than sorry.