Photo by Andrew Harrer/Bloomberg via Getty Images
A major effort to bar independent research into the efficacy and security of American voting equipment is underway right now.
By Jamila Benkato / 09.17.2018
Every vote in the United States — for city council, state representative, or president — is cast using materials and equipment manufactured by third party vendors. There are vendors large and small, but the American election equipment industry is dominated by three vendors: ES&S, Hart, and Dominion. These vendors manufacture the machines that approximately 92% of eligible voters use on election day — and they wield extraordinary power with significant implications for our democracy. Because of this, itās critical that elected officials and advocates pay attention to the role vendors play in the security and transparency of American election systems.
Perhaps most concerning are vendor efforts to keep secret the technology upon which American elections rely while at the same time feteing state and local election officials with expensive trips and meals. Vendors have actively and increasingly pushed back on efforts to study and analyze the equipment that forms the basic foundation of our democratic processes.
One way they do this is by opposing independent research by computer and election security experts, such as academics. Vendors have asserted that licensing agreements between vendors and counties prohibit outside testing of county-owned machines. In at least one instance, a vendor has suggested that ānon-compliant analysisā — that is, it appears, analysis not approved by the vendor — would infringe the vendorās intellectual property.
This year, DefConās Voting Machine Hacking Village (āVoting Villageā) — a high-profile hacking event focused on examining the cybersecurity vulnerabilities of voting equipment — received communication organizers took as legal threats from ES&S, the countryās largest voting machine manufacturer. The communication seemed designed to intimidate Voting Villageās organizers from conducting and publicizing the results of their analysis of ES&S and other manufacturersā machines. Perhaps this was inevitable after Voting Villageās 2017 report, which detailed numerous exploitable weaknesses in an array of equipment from various prominent manufacturers. After this yearās event, a bipartisan group of U.S. Senators asked ES&S to explain itself, and urged it to support independent research efforts. ES&S responded by suggesting that independent security research jeopardizes election integrity, and āmakes hacking elections easier.ā Fortunately, the Senators, all members of the Senate Intelligence Committee,Ā roundly rejected this brush-off — but it does not bode well for researcher-vendor relations moving into the 2018 primary and 2020 national election seasons.
Perhaps the most notable effort to bar independent research into the efficacy and security of American voting equipment is happening right now. The Digital Millennium Copyright Act, 17 U.S.C. Ā§ 1201, protects the technological measures used by copyright owners from unauthorized access to or use of their works. It does this, in part, by prohibiting the circumvention of those measures and the trafficking in devices primarily intended to circumvent those measures. The statute contains a number of statutory exemptionsāfor example, applicable to schools and librariesāand also allows for rulemaking procedures whereby narrow, temporary exemptions may be adopted by the Librarian of Congress. This latter kind of exemption must be reexamined every three years, and review of those exemptions is happening right now. One exemption, Proposed Class 10, allows for security research into computer programs including voting machines. This fairly limited exemption is how DefCon and academic researchers can legally investigate, āwhite hatā hack, and analyze machines used by Americans on election day. This year, the U.S. Copyright Office (the part of the Library of Congress charged with this endeavor) is considering whether to remove certain limitations on research conducted under this category. The countryās three largest election systems vendors oppose this move and are asking the Copyright Office not to approve the proposed exemption.
Pointing to last yearās Voting Village, ES&S, Hart, and Dominion suggest that the Copyright Office might be āmisled . . . into thinking that democracy depends on unbridled hacking of election software,ā when ā[t]o the contrary, if the Office were to approve of hacking election software in the manner proposed, the integrity of elections could be threatened.ā They also worry — among other concerns — that some research may be for the purpose of voter suppression rather than aimed at improving system security, and that such research would hurt voter confidence and chill voter turnout.
Prominent computer and election experts have pushed back. āTo the extent security flaws currently exist in non-exempt software, they will continue to persistāand be less likely to be fixedāif security researchers are unable to examine them,ā Professor Ed Felten and Alex Halderman wrote in a comment supporting the renewal of the exemption and elimination of existing research limitations. āSecurity researchers perform their work specifically to assess potential security risks and assist in mitigating them [when] necessary.ā Moreover, they point out that while narrowing or eliminating the research exemption would deter good-faith independent researchers, it would certainly not deter malicious actors looking to exploit system weaknesses.
Another group of security researchers has pushed back even harder, arguing that the vendorsā comment not only misrepresents the record before the Copyright Office, but the state of election security in the United States. Far from being acceptably secure, Professor Matt Blaze and his colleagues argue that U.S. voting systems are subject to hundreds of known vulnerabilities, including vulnerabilities not successfully identified or addressed by vendors. Legal compliance checks such as those required by state certification systems will never compensate for technical vulnerabilities, they say.
Most surprising to the security community, the Department of Justice Computer Crimes and Intellectual Property Section supports the security researchersā position that Proposed Class 10, with previous limitations eliminated, should be approved.
Independent analysis of voting systems is critical to national security. Indeed, independent studies of various systems has revealed significant flaws with machines and systems used by jurisdictions across the country. Computer and election security experts rely on this exemption to legally conduct research on the machines that Americans use on Election Day.
Vendor efforts at protecting the black box of their election tech is not limited to executive advocacy — vendors also rely on intellectual property-based arguments to participate in, and sometimes hinder, election challenges that implicate the coding and functioning of their machines. In at least one case, a vendorās intellectual property argument resulted in a court-ordered expert analysis of a voting system, where the results could not be made public. This was after the vendor unsuccessfully sought to impose an extravagant bond on plaintiffs to ensure machine source code was not made public. In another case concerning an election challenge in Florida, āthe litigation ultimately was utterly inconclusive as to the reason for the 18,000 electronic undervotes because discovery targeting the defective voting system was thwarted when the voting machinesā manufacturer successfully invoked the trade-secret privilege to block any investigation of the machines or their software by the litigants.ā
Legislators have started to take notice, including by seeking answers about vendorsā security measures (answers that were not adequately forthcoming). But apart from some academic deep dives into the issue, the role of vendors in the basic functioning of American democracy has been under-examined. As the Penn Wharton Public Policy Initiative has pointed out, we have a highly concentrated market with a fairly captive customer base — and no meaningful regulation. Congress should maintain the pressure on vendors, and consider how best to ensure that vendors are active partners in ensuring American elections are secure, accurate, and transparent.
Originally published by Take Care under the terms of a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license.