We know every vote counts, but will your vote actually be counted? Or will it be hacked? I’ve spent the last several months reporting on election hacking for my podcast Breach, and I’ve learned a lot: Mostly that vote “hacking” is a much broader problem than people realize. While lots of attention has been paid to the hacking of electronic voting machines themselves, elections can be hacked months before, or months after, voting day. Here’s a look at the entire life cycle of your vote, and all the places it can be hacked along the way.
Step 1: Deciding to vote
The voting process begins when people decide to vote (or, they don’t), and register. The enemies of democracy spend a lot of time trying to convince citizens that their vote doesn’t count, that people shouldn’t even bother going to the polls. Encouraging apathy is actually step one. How does that happen? Through disinformation campaigns—state-sponsored trolling—that are nudged along unwittingly by people who fall for the trick.
“Academics will make the distinction that disinformation is false information that’s knowingly spread,” says Nick Monaco, a D.C.-based researcher and expert in worldwide trolling campaigns. “So there’s an intent to deceive people knowingly. Then they’ll say that misinformation is information that is spread unknowingly that’s false. So maybe you retweet a story that you thought was true, that would be a case of misinformation. But if you create a false story to smear someone that would be disinformation.”
In the podcast, we talk about a fictitious election between myself and Alia Tavakolian, my Breach co-host. Someone spreads a rumor online that I am a puppy killer—very untrue—and I lose crucial campaign time fighting off this attack. Why does it spread so quickly? Bots, using artificial intelligence, talk it up.
“Most news organizations now have incentive (and) choose of their own accord to report on what’s trending online. What if what’s trending online is produced 90% by bots and 10% (by) humans?” Monaco said.
In other words, bots are hacking people’s attitudes. State-sponsored trolling is the hacking of our minds.
“I think that in the first place, if people’s attention is hacked already by a platform, and they’re spending time on this platform, and then they’re receiving messages that might sway their actions… So we already have you in one place, we know where you are, we know what you think about, and we know where you live. Let’s just send you some information that we think would be amenable to what you—what you think, and maybe influence you to act in some way,” Monaco said.
Step 2: Voter registration
Let’s say you press on past digital propaganda and decide you are going to vote. You register. That data has to live somewhere. And it has to remain accurate. If a group wanted to engage in voter suppression, they could hack state registration databases and remove names—or just change addresses in a way that would create election-day chaos.
“(Voter) records are maintained in computer databases, many of which are connected directly or indirectly to the internet, and subject to the same kind of data breaches that affect other kinds of internet systems,” said Matt Blaze, a computer science professor at the University of Pennsylvania, where he’s been working on voting technology for the past fifteen years. “We often don’t find out that we’re not listed on the voter registration database when we should be until we show up at the polls to vote.”
This isn’t a theoretical risk. The U.S. government says that Russians tried to access voter registration databases in at least 21 states, and in two states they were able to succeed to some degree.
Even more ominous: If someone wanted to tip an election, they’d do this only in zip codes that traditionally leaned one way or the other.
“Because with the marketing data these days we can microtarget down to the neighborhood how we know a certain neighborhood’s going to vote,” said Maggie MacAlpine, co-founder of security firm Nordic Innovation Labs. “We’ve had some elections that were decided by less than 1,000 people, and the burden tends to be on the voter to say that you are registered or not. So if just ten people in the right place at the right time come in and say, ‘Well, I should be registered, why aren’t I registered?’ If you can keep that spike under the radar, you can actually change things that way.”
Many jurisdictions use e-poll books at voting locations now, to get the best registration information in the hands of poll workers. They also add another layer of technology to the process that can be hacked.
Step 3: Voting “Day”
U.S. voting machines have been under scrutiny dating back at least to the hanging chads of Bush v. Gore in the 2000 presidential election. In 2002, Congress passed the Help America Vote Act, which gave states money and incentives to abandon old-fashioned voting machines and led to the purchase of electronic machines—generally touch-screens (DREs) or optical scan / scantron machines (like multiple-choice tests). They’ve caused a lot of trouble. There have been years of demonstrations showing the machines are vulnerable to various attacks. Vendors often say these are only theoretical, that the machines themselves are not networked so they aren’t really vulnerable. Many voting experts disagree.
“What people sometimes don’t understand about voting machines is that they’re really not as isolated from each other and from internet-attached systems as they may seem,” said J. Alex Halderman, director at the Michigan Center for Computer Security in Society, and another long-time voting expert.
For starters, the machines must be loaded with candidates—somehow.
“Before every election, virtually every electronic voting machine in the country has to be programmed, and it has to be programmed with the ballot design. That is the candidates, the races, and the rules for counting,” he said. This is usually done with an election management system. “(Hackers) can potentially spread malicious software to every voting machine in the jurisdiction just by having that software essentially hitch a ride with the ballot programming that election officials copy to the machines in the field.”
Harri Hursti was the researcher who first hacked voting machines nearly 15 years ago. His technique actually has a name: “The Hursti Hack.”
“What I found was that the bootloader is looking from the memory card a certain file name. If it finds that name, it will reprogram itself with the contents of that file with no checks, balances whatsoever,” he said. Some of the same machines he hacked 15 years ago are still being used in elections today. “Sometimes I get tired of talking about it… but it took people 15 years to listen.”
This article appeared originally here on BobSullivan.net.
