While the paper-based machines are supposed to make the vote more resistant to digital tampering, they also introduce new uncertainty into an election already marked by widespread warnings that Russia is determined to interfere in yet another U.S. presidential race. Many South Carolina voters and precinct workers will be encountering the new machines for the first time — less than four weeks after the Democrats’ bungled Iowa caucus showed the pitfalls of introducing new technology into a high-stakes election.
The technology behind the ballot-printing touchscreen machines has also raised hackles among cyber researchers, election security advocates and the National Academies of Sciences, Engineering and Medicine. They say the machines may be more secure than the totally paperless systems still used in 11 states — but they’re not as safe as paper ballots that voters mark by hand.
Bothered by the barcode
South Carolina lawmakers decided in June to buy a model called ExpressVote from the country’s largest election technology company, Election Systems & Software. Counties in at least seven states — Florida, Indiana, Kansas, New Jersey, Pennsylvania, Tennessee and Texas — have also replaced their paperless machines with the ExpressVote since 2018, according to a POLITICO survey. Delaware bought another model from ES&S, called the ExpressVote XL, and Georgia has purchased similar machines from another manufacturer.
The ExpressVote is a so-called ballot-marking device, and its most prominent feature is a large touchscreen for voters to make selections. But unlike older electronic machines, this one produces a paper record at the end of the process showing which candidates the voter selected.
That slip of paper, which serves as the official ballot, also embeds those votes in a barcode that the state’s tabulators will scan to tally the results on Saturday.
The problem, according to the security experts: The voting machines are still vulnerable to tampering that could cause them to print barcodes that don’t match the voter’s choices — for example, changing “Sanders” to “Biden” or vice versa. Voters, who can’t read barcodes, would be unable to tell that such a change had occurred.
In a close election, a recount could uncover any tampering by verifying the official results against the text on the ballots. But a hacked machine could also change that text as well — and research shows that most voters do not doublecheck printouts from electronic voting machines. One University of Michigan study published in January found that participants missed more than 93 percent of errors on their printed ballots, although verification improved when poll workers prompted the voters to check the ballots’ accuracy.
“Until [ballot-marking devices] are shown to be effectively verifiable during real-world use,” the researchers wrote, “the safest course for security is to prefer hand-marked paper ballots.”
“Everyone should be concerned about voters not verifying their BMD printouts,” said Eddie Perez, the global director of technology development at the OSET Institute, which advocates for open-source election systems.
South Carolina election commission spokesperson Chris Whitmire disagreed that any danger exists, saying the state “works to educate voters on how to use the system.” That training specifically emphasizes the importance of verification, he said.
“South Carolina’s voting system is tested, certified and proven,” Whitmire said.
Ballot-printing voting machines have also provoked controversy in states like Georgia — where the state pushed ahead with spending $150 million on the devices despite voluminous criticism from security experts — and Pennsylvania, where Philadelphia city election commissioners overrode objections from the state auditor general.
Other experts expressed less concern about these relatively new machines, saying the ballot-printing touchscreens are probably not the most promising avenue for hackers looking to disrupt an election.
In terms of possible cyberattacks from nations like Russia, “malware implants on BMDs are much lower on the bang-for-the-buck list” than attacks on other links in the election security chain, said Dan Wallach, a computer science professor at Rice University. Those include the tabulating machines that count the votes, the websites that report them, states’ voter registration databases and the laptops or tablets that precinct workers use to check-in voters at polling places.
“That said,” he added, “the risk that malware somehow finds its way into these machines is a legitimate security threat.”
But Whitmire noted that ExpressVote machines have already had trial runs in South Carolina, where some jurisdictions have used the devices in smaller elections, including an Oct. 1 special election for a state House district and roughly 200 mostly municipal elections on Nov. 5.
“We have not experienced any issues with the operation of the system, and we expect it to continue to perform as designed in all future elections,” he said.
But voting security experts said those tiny test-runs don’t prove much.
“That doesn’t mean that [the machines] work perfectly,” said Jeremy Epstein, vice chairman of the Association for Computing Machinery’s U.S. Technology Policy Committee. “I disagree with those who insist on hand-marked paper, but it would be good to have additional testing to ensure that [BMDs] work correctly under a variety of circumstances.”
Another weak spot: the check-in process
South Carolina’s unusual system for checking in voters poses another potential problem.
While many states buy tablet computers preloaded with check-in software from the same vendor, South Carolina lets counties buy their own off-the-shelf laptops and provides them with its check-in software. (Counties also have backup paper voter lists in case the machines malfunction, something that occurred in some North Carolina polling places during the November 2016 election.)
A now-defunct South Carolina firm called TiBA Solutions created the software around 2006, Whitmire said, and a tech company called NWN Corp. later updated it. Both that company and the state government tested the program before deploying it, Whitmire said. He called it “a tested, tried and proven system.”
To guard against hacking, the state requires counties to disable WiFi, Bluetooth and other network connections on the check-in laptops. Asked if the state oversees whether they comply, Whitmire said, “The laptops are owned and maintained by county election officials.”
That arrangement worried some security experts.
“I cannot say I am happy with the idea that we are trusting the pollbooks to be disabled from connections,” said Duncan Buell, a computer science professor and voting security expert at the University of South Carolina.
Security protocols will be “largely left to chance” without uniform enforcement, said Perez, who added that letting counties buy whatever laptops they wanted created the risk of “inconsistencies in configuration and performance.”
The results are in — but are they right?
Another risk comes from the platform that South Carolina will use to report the results on election night, which is developed and managed by the Spanish technology company Scytl.
Tampering with this system wouldn’t change the results themselves but could delay them and cause confusion — something 2020 already saw when the Democrats’ process for reporting results collapsed in Iowa.
Scytl is also controversial in the election security community because of its advocacy for internet voting, which nearly all experts consider extremely unsafe and unwise. Researchers have identified multiple weaknesses in the online voting platform that Scytl developed for the Swiss government.
“Scytl has exhibited a pattern of overstating the capabilities of its security architecture,” Perez said. “The fact that the company has attempted to position questionable online voting experiments as ‘secure’ … leaves [me] skeptical of Scytl’s security-centric engineering practices.”
But South Carolina has used Scytl’s results-reporting platform since 2008 and has experienced no problems, said Whitmire, who added that “hundreds of jurisdictions” in the U.S. and other countries use it.
Only two people at the state election commission can gain access to the system’s administrative functions, while county employees must log in with two-factor authentication — which provides more security than mere passwords — before they can upload results data to it. The state trains county officials to use the platform before every statewide election.
Fortunately, disruptions in this late stage of the primary wouldn’t be catastrophic, because counties preserve all their paper ballots until the results are certified.
“The good news is that reporting discrepancies can be corrected,” said Wallach. “The bad news is that corrections might take a while and, if it’s a tight race, we could always have more of the same confusion that we saw with the Iowa caucus results.”