Let's Talk Election Security
Are US elections secure?
With the 2024 Elections right around the corner, the topic of election security is at the forefront of the minds of many, especially with some raising the old specter of election fraud in 2020.
Let’s get this out in the open right from the start: THERE. WAS. NO. ELECTION. FRAUD. IN 2020. In a November 2020 joint statement, the members of Election Infrastructure Government Coordinating Council (GCC) Executive Committee and the members of the Election Infrastructure Sector Coordinating Council (SCC) said the following:
The November 3rd election was the most secure in American history. Right now, across the country, election officials are reviewing and double checking the entire election process prior to finalizing the result.
When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary. This is an added benefit for security and resilience. This process allows for the identification and correction of any mistakes or errors. There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.
Let me repeat that: There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.
But these are government officials saying this, some will contend. OF COURSE, they will say that our election system is secure! It’s in their best interest to do so!
You want independent confirmation from a nonpartisan expert? I spoke with my friend Robert J. Hansen, whom many (including me) consider an election expert. Rob is not just a random guy. While a graduate student at the University of Iowa, he was a founding member of A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections (ACCURATE), an NSF-funded voting research group.
From the organization’s website, ACCURATE is a multi-institution voting research center funded by the National Science Foundation (NSF) under the CyberTrust program.
But it’s funded by the government! Yes, it is. But if you’re so far gone that you refuse to trust experts unless they come from an organization that confirms your biases, don’t read any further. Please. Just close your computer and continue screaming into the void.
What I knew already is that many don’t actually know the difference between election fraud and voter fraud.
Were there instances of voter fraud, and do there continue to be? Sure. No system is perfect. Was there enough to sway the election in 2020? Even the Heritage Foundation has not found sufficient evidence of voter fraud swaying the election, unless you really believe that the 2020 election came down to roughly 1500 votes.
But don’t conflate voter fraud and election fraud. There is a difference, says Rob.
There's a lot that happens between the time the voter inputs their ballot and the time election officials declare election results, he confirms. Voter fraud generally means election shenanigans being played out at the point of input. Election fraud is a larger term encompassing not only voter fraud, but also shenanigans at any other point in the process.
And yes, there have been arrests and convictions for voter fraud.
A woman in Iowa in April was sentenced to four months in prison, four months of home confinement, and two years of supervised release for a voter fraud scheme she committed during the Iowa 2020 primary and general elections. According to the Justice Department, a federal jury in November 2023 convicted Kim Phuong Taylor of 26 counts of providing false information in registering and voting, three counts of fraudulent registration, and 23 counts of fraudulent voting. Taylor submitted or caused others to submit dozens of voter registrations, absentee ballot request forms, and absentee ballots containing false information.
The Associated Press did some analysis of their own and found there was not enough voter fraud to sway the election in 2020. They flagged several instances of election fraud.
A Wisconsin man who mistakenly thought he could vote while on parole.
A woman in Arizona suspected of sending in a ballot for her dead mother.
A Pennsylvania man who went twice to the polls, voting once on his own behalf and once for his son.
But widespread fraud? Nope.
BUT THE EVIL MEDIA IS LYING TO US, some will loudly contend. Remember what I said about closing your computer and screaming into the void? Please do.
I asked Rob about CISA’s claim that the 2020 elections were the most secure in our history. Is the statement true?
“Yes. Unequivocally. No hesitation,” he replied.
Practically every voter had a smartphone with a camera. For the rest of the electoral process, election observers were generally welcome to bring their phones. Elections are tightly choreographed and nothing in the process is hidden from the public or improvised on the spot. If a citizen or an observer sees something that's not quite according to plan, they take pictures and go to newspapers or election officials demanding answers. The 2020 election was transparent like nothing else in American history.
States certainly have different legal requirements when it comes to the presence of smartphones at the polling sites. Ballot selfies have become a “thing” during the past 10 years, and some states have outright banned these because of the risk of fraud.
Taking photos of your ballot is illegal in majority of states because of these risks. Taking photos of what you believe is malfeasance is not.
Now, can we do better? Rob says, sure! Especially because laws differ from state to state, and federal courts have given conflicting guidance on exactly what parts of the election process can be photographed. Is it a First Amendment issue? Is it not? If the Supreme Court could address this and establish a nationwide uniform rule, Rob says, that would help.
What is a Secure Election?
I was looking for an objective definition from an independent expert, which Rob was thankfully able to provide. The National Science Foundation's first electronic voting group declared it their mission to help guarantee “correct, usable, reliable and transparent elections.” So what Rob and colleagues focused on is “robust mechanisms to help achieve these four essential properties even in adverse conditions.” Rob defines a “secure election” by the standard of these four hallmarks. If an election system delivers them, “even in the presence of human error, equipment failures, and/or illegal interference, you can pretty honestly say you're running a secure election.”
OK, if you’re discounting this objective definition because GOVERNMENT, remember what I said earlier.
Note that Rob doesn’t define election security by demanding a perfect record. Yes, technical and human errors will happen. Yes, voter fraud does happen, but it’s relatively rare in a country of 300 million people.
So how can elections be swayed and voting methods abused?
I turned back to Rob for an example. Can mail-in ballots be abused, especially to such a degree that they would sway an election?
Well, the Post Office does have a police force of its own, and they’re watching mail-in ballot efforts pretty closely. For those who are screaming about why in the world would the USPS need cops… this is one reason.
BUT ARMED COPS! BUT POST OFFICE! Nope! Close that laptop. Step away.
There are legitimate reasons to use mail-in voting, Rob confirms.
Imagine a polling precinct being run at a long-term health facility, like a hospice or nursing home. Some residents are mobile enough to get to the voting booth, but others aren't. The pollworkers appoint a doctor to go to these invalids, collect their ballots, and bring them to the precinct. Most people think this is reasonable: doctors already enjoy a position of trust in society, they can be sworn into service as adjuncts to the pollworkers, and if they play games with the ballots there's a great risk of detection and utter hell to pay.
Well, mail-in ballots are just like that except we're now trusting the United States Postal Service instead of a doctor.
I would submit, based on nothing but my own experience, that people trust the Post Office a lot less than they trust doctors. But nonetheless, the monitoring of these ballots is pretty intense.
MIT in late 2021 published a deep dive into the rejection of absentee ballots in the 2020 election. The research found that absentee/mail-ballot rejection rates dropped significantly in 2020 compared with 2016, dropping the most in states that had previously erected high barriers to the use of mail ballots. I don’t see this as a negative thing. This suggests that mail-in ballots were clearing a higher barrier, so rejection is becoming relatively rare because they’re actually doing things right. The absentee and mail-in ballots are conforming to more stringent standards.
Another policy that attracted attention in 2020 was pre-processing, according to MIT. Mail-in ballot preprocessing is the practice of preparing absentee ballots for counting, by means of verifying them according to the state’s laws and sometimes opening ballots to ready them for tabulation.
Longer preprocessing times before Election Day give officials more time to contact voters and correct defects, such as missing signatures, that might render a ballot invalid. However, there is little, if any, evidence that preprocessing time influenced rejection rates.
Yes, they open the ballots.
BUT CORRUPT GOVERNMENT OFFICIALS!
Nope. Step away from the computer, please.
Foreign Influence
So what about those indictments that exposed Russian influence campaigns two weeks ago? Can efforts by foreign intelligence sway the political climate and elections in a country?
Rob says yes, and I absolutely agree. I’ve had responses to my last article that engaged in a lot of handwavium, shrugging off “private recipients” of Russian money and engaging in whataboutism, claiming that governments are corrupt because they take funds from these sources.
I would submit that these “private” individuals, who have vast audiences of millions of people are much more likely to effectively sway public opinion for pay than governments - especially in today’s political ecosystem when so many get their “news” from memes, TikTok, and YouTube.
To be fair, we’ve also engaged in influence campaigns abroad, and they’re been effective. Rob reminds us that democracy took a few years to reassert itself in Europe after World War II and that in 1946, Czechoslovakia elected a Communist government that quickly lost the confidence of the people. So rather than lose the 1948 election, the Soviet Union staged a coup d'etat to ensure Communist rule for decades.
Nearby, Italy was having its own first parliamentary elections since the war, Rob reminds us, and the United States believed the Soviets were seeking to subvert Italian democracy by influence campaigns to get a Communist government elected, followed by a "friendly invasion" to "preserve the people's choice," basically repeating the Czechoslovakian playbook in Italy. With some help from the CIA, the Italian centrist Christian Democrats won that election with 48 percent of the vote. And the CIA was tossing bags of money at Italian politicians, writing thousands of letters, making short-wave radio broadcasts, and published numerous books and articles, warning Italians about the perils of a communist victory.
These days, influence campaigns are easier to spread, and disinformation is easier to conceal in what RAND calls the “firehose of falsehood.” In my last article, I discussed Russian tactics, and Russian disinformation strategies in their own words. Fact is, they’re cheaper and easier than conventional warfare. Purchase some doppelganger domain names, pay a few million to what Rob describes as “the current crop of mouthpieces” to spread and support Russia’s message, and watch the disinformation propagate!
Audiences today trust influencers more than they do governments, which is why Russia is so focused on coopting social media platforms and online content to spread the Kremlin’s message.
A Fine Line
OFAC and the State Department yesterday designated three entities and two individuals for malign activities abroad.
According to new information, much of which originates from employees of Russian state-funded RT (formerly “Russia Today”), we now know that RT moved beyond being simply a media outlet and has been an entity with cyber capabilities. It is also engaged in information operations, covert influence, and military procurement. These operations are targeting countries around the world, including in Europe, Africa, and North and South America.
Well, that’s great, but we don’t want to be a country known to silence free expression. We are not Russia, after all, that imprisons and murders journalists to ensure that truth about its government and about its atrocities in a country they maliciously invaded two years ago doesn’t get out. Therefore, State specifically noted that we are not taking action against these entities and individuals for the content of their reporting, or even the disinformation they create and spread, but rather for their covert influence activities.
Therefore, Treasury issued a General License to ensure that these sanctions targets may continue to engage in “journalism and media operations” not prohibited by U.S. sanctions.
Is there a fine line between free speech and malign activities? Yes.
And according to Rob, thanks to our First Amendment, propaganda campaigns are quick, easy, and effective. Vladimir Putin is a sanctioned individual, so media outlets cannot outright sell him political ads, so those selling these ads must perform due diligence and know your customer research to ensure they’re not transacting with a sanctioned individual or a proxy.
But any other (not sanctioned) person can anonymously purchase airtime or screentime because the First Amendment protects your right to post an anonymous criticism of your city government on a lamppost, or your right to wear a Guy Fawkes mask at a protest. Generally speaking, anonymous speech is still free speech!
That said, deceptive attribution—whether in cases of plagiarism or defamation—is not protected under the First Amendment. So as Rob says, if you pay a couple of YouTube schmucks $100,000 to parrot your words and pretend those words are theirs, that's propaganda, not journalism and not free speech. This is the equivalent of using proxies to evade sanctions.
Online Voting
Let me touch on online voting. Rob, as an elections expert, asserts that no, online voting cannot be made secure.
Vint Cerf is one of the grandfathers of the internet, a nerd of truly legendary status. You may have heard of something called TCP/IP, the protocol that literally makes the internet possible? Thank Vint. Email? Vint. The international board of internet standards called ICANN? Vint. Turing Award, the Nobel of computing? Vint. The Marconi Prize? Vint. Who hooked up the International Space Station to the internet? Vint. He's the Buckaroo Banzai of computing.
Years ago he estimated that roughly one in four home PCs was compromised with malware and may as well belong to someone else. Most of these victims didn't even know it: the malware authors are happy to let you use your PC normally so long as while you're asleep they get to use it to pump out Viagra spam or participate in cryptocurrency mining.
My suspicion is that today the number is probably slightly worse.
You can't have secure online voting when a quarter or more of the terminals used to cast votes are under the control of a Chechen organized crime syndicate. You just can't. It's absurd to even have the conversation.
Online banking is quite different because every single transaction is logged and documented. Patterns such as your usual banking hours, your location, your transaction amounts, and everything else can help your financial institution establish a pattern of normal behavior and identify suspicious transactions.
Our secret ballot in the United States makes it impossible to associate actions, such as “transfer my retirement savings to the Caymans" or "I am voting for this raving lunatic for President," with actors (i.e. bank customers, voters) and outcomes such as $200,000 going to a criminal syndicate or a raving lunatic gets elected, according to Rob.
Associating actions with actors and outcomes is the bread and butter of sanctions compliance, but it's utterly anathema to voting. If you can do it, your secret ballot isn't secret enough.
The next natural discussion is the blockchain, which Rob wants to nuke from orbit, just to make sure (KIDDING! Maybe.)
In 2019 I was in a geek bar in Denver, where I found myself cornered by a blockchain enthusiast who was eager to tell me how blockchain could transform voting. I sighed, ordered a triple Scotch, and told him once the Scotch was done, I'd tell him why he was wrong. Until then, explain it to me like I'm a normal voter interested in improving things.
I proceeded to sip whiskey while he regaled me with tales of trapdoors and one-way functions, Merkle trees and how to chain them, distributed voting on which history was authoritative, and more. I finally got fed up, shotgunned the rest, and told him to stop.
“You lost in your very first sentence,” I told him. “You were supposed to explain it to me like I'm a normal voter interested in improving things. Normal voters have about a sixth-grade command of math and you're sitting there talking about crap that normally isn't even covered in the undergraduate computer science curriculum. You want to replace our current clunky system—but one which I can explain any part of to a sixth-grader—with something new that's only understood by a technological priesthood that you just happen to be part of. No deal. Stay out of my field.”
When the system is so complicated that the only option the voter has is to just trust it and hope it works out, it’s a bad idea! This is where those of you whom I instructed to step away from your computers can return and insist that if a system is too hard for you to comprehend, you’re not going to trust it.
Securing our Elections
So how can we make the most secure election system in history even more so? Will voter ID laws help? Depends on the law and how it’s implemented, what kind of ID is legitimate, and whether it can be equitably imposed on residents. In a real example, Rob says, a state may declare a nonexpired federally issued photo ID as sufficient for voting. Federal judges enjoy their position for life: as such, their federally-issued credentials don't have expiration dates. Should a federal judge's credentials pass muster? There are a lot of edge cases like that.
Standardizing rules across the country could be helpful. I’ve heard of very few instances where voter ID laws have prevented someone from casting their ballot, but it does happen. The Brennan Center claims that voter ID laws disproportionately impact the Black community, reducing turnout, and press reports support this assessment. In North Carolina, a court struck down the state’s voter ID laws on the basis of discrimination.
The American public broadly supports voter ID laws, according to Gallup polling in 2022. Gallup found that nearly eight in 10 Americans favor requiring photo identification to vote. A UMass poll in January 2022 found that 67 percent of voters favor requiring voter ID at polling stations, including 93 percent of Republicans, 50 percent of Democrats, 63 percent of Independents, and 60 percent of African American voters. It could help.
So let’s talk about the red flags. Interestingly, Rob says that sanctions compliance and election security use some of the same tools! That perked my ears up, being a sanctions compliance geek.
One of my favorites is Benford's law, which in effect says "human beings have a hard time picking natural-looking numbers." Armed with the right kind of Benford test (we tend to use the Benford second digit variant) we can very quickly see if the vote tallies pass our sniff test. If the numbers look like a human tweaked them, a human probably did.
Frank Benford in the 1930 documented the leading digits of all sorts of data and confirmed that 1 was the most common number. So invoices that fail the Benford’s law of digit frequency distribution can raise a red flag for fraud. The law can also be used to track indicators for faulty economic reporting, as well as possible fraudulent AML/CFT results.
Software delivery manager, Sami Belhadj, last year used Benford’s Law to examine US elections between 2000 and 2016, using details by county.
I modeled Benford's law in my favorite data analysis and visualization tool... Power BI! By taking the 1st digit of each value contained in the "candidatevotes" column of my dataset (shared above), I get the following results:
Benford's Law has been perfectly respected in every election since 2000. Therefore, there has probably been no fraud in the last 5 American elections, at least... according to this law!
Strategies and techniques to ensure IDs are valid used by financial institutions can also be used to ensure. FinCEN recently published a notice about a noted increase in the use of counterfeit US passport cards by illicit actors. The notice included technical, financial, and behavioral red flags, such as:
The photo on the presented U.S passport card has a white, blurry border; a dark gray square surrounding the photo; or is in color. Legitimate U.S. passport cards are laser engraved, which produces a clear and crisp grayscale portrait image.
The card bearer’s date of birth and other areas of text are flat and do not feel raised when touched. Legitimate U.S. passport cards have tactile text on certain areas of the card and should feel textured.
A customer presenting a U.S. passport card as identification may not know or be able to reference personal identifiers, including date of birth or social security number.
Can election workers be trained to identify suspicious behavior or spot possibly fraudulent ID?
What about behavioral indicators? Does the voter appear to be taking direction from someone on the phone and cannot speak a lick of English?
These behaviors might be construed as suspicious.
Nutty Claims
But there are also claims that are so absurd, that anyone who believes them needs to have their head examined.
What I didn’t mention is that I consider Rob to also be a legal expert. No, he’s not a lawyer, but let’s just say, he knows more than most.
In a recent debate Donald Trump claimed the 2020 election had never been reviewed in court, that every lawsuit was dismissed for lack of standing. Nonsense. Countless lawsuits were heard and Trump was victorious in maybe three hypertechnical cases involving local laws. Otherwise his lawsuits were sometimes dismissed for standing but more often went to trial, where the abuse of legal process genuinely shocked me.
For instance, in one lawsuit a Trump-associated attorney submitted into evidence “expert” testimony saying Joe Biden received more than 100% of the votes in Edison County. There is no Edison County. Nowhere in the United States is there an Edison County. It flat doesn't exist.
I had a hard time believing that there’s not a single Edison County in the United States, but that’s correct. There’s an Edison Township in New Jersey, but it’s located in Middlesex County.
Another one was “2000 Mules” an alleged “documentary” by right-wing nutjob Dinesh D’Souza, who claimed that the film was definitive proof of the Democrats conspiring to steal the 2020 Election. Except that it wasn’t, and the film was dropped by its distributor, Salem Media, and an apology was issued specifically to Mark Andrews, a voter from Georgia falsely depicted illegally voting in the movie, when in fact, he was legally dropping off ballots for members of his family.
This movie was especially bad, Rob told me. “I stopped watching it when they tried to superimpose a set of cellphone geolocation pings on a city map of Atlanta. Except their city map of Atlanta was, in reality, a left-to-right flipped map of Moscow.”
Conclusion
Look, I’m not going to claim our elections are perfect. They’re run by human beings, and human beings are not perfect. Neither is technology. But everything I’ve read, and every objective, nonpartisan expert with whom I’ve spoken says the same thing: There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.
So stop stressing, and go vote. Take advantage of early voting, if you can. Your election district will almost certainly offer it. Figure out when your early voting window starts, find a day that fits your schedule, and go down to leisurely cast a paper ballot for the candidate of your choice, says Rob. “No matter how you vote, you're going to be okay and your choice will be counted.”
Umm. No.
There is no evidence because things were designed to make it very hard to find evidence. I wrote this a year and a bit ago - https://accordingtohoyt.com/2023/06/23/dominion-voting-machines-insecure-by-design-by-francis-turner/ . To the best of my knowledge this has been an ongoing problem for a quarter century. Voting machines are black boxes and the storage, programming and deployment of them to polling stations leaves numerous opportunities for people to interfere with them. Have they done so? I don't know and (as I wrote in the link) it seems like design choices are made that make such interference harder to detect than it ought to be.
I also pay attention to the Defcon/blackhat voting machine hacking challenges and the way that the US continues to use voting methods (e.g. postal votes) that other nations, such as the UK, experimented with and stopped because the fraud was too high. BTW the problem with postal voting is not that the votes are fraudulent per se it is that someone can force other people to vote the way they want them to. The votes counted will be correct, the choices made by some of the voters will not be genuine but have been coerced.
US voting is a lot less secure than it need be