From the Community | It’s time for a frank conversation about election security

On Election Day tomorrow, millions of people will vote using equipment that has been shown to be insecure.

This is the consensus of election-security experts across the United States. Many jurisdictions — including the key swing state of Georgia — use machines that suffer from serious vulnerabilities that have gone unpatched. These flaws could potentially be exploited to change election outcomes or compromise voter privacy, posing a grave risk to the security of U.S. elections.   

I have been involved with elections for as long as I can remember. Growing up, I would knock on doors and hand out flyers for my causes of choice. Once I turned 16, I began to volunteer as a poll worker in my local elections, joining a diverse group of individuals — mostly retirees, but sometimes students or professionals — whose hard work remains so essential to the continued vitality of our democracy. I witnessed firsthand the precision and care that my peers placed into following the meticulously laid-out procedures meant to prevent election tampering.

The scientific method teaches us, however, that the best way to make sense of the world is to subject it to scrutiny. I started asking myself questions about every procedure I witnessed: Sure, we checked that the machines counted the right number of ballots, but how do we know that they counted them correctly? What good are the chain-of-custody procedures for the paper ballots if no one will ever look at them again?

In college, I studied computer security, and encountered a world of academic literature that attempted to answer precisely these questions. I learned that researchers who study the security of elections are consistently skeptical of electronic voting machines. These experts recommend that, rather than asking the public to trust electronic counts on faith, elections should be engineered to prove that they’ve arrived at the correct outcome. 

States can accomplish this by using hand-marked paper ballots that are thoroughly audited after the election. This approach means that if tabulating machines give the wrong result — whether due to an attack or a simple software glitch — officials can catch the mistake and consequently recover the correct outcome from the physical ballots in their possession.

The good news is that in 38 states, the majority of voters cast their votes on hand-marked paper ballots. But only four of these states employ a risk-limiting audit — a rigorous procedure designed to give confidence that no outcome-changing error occurred. Risk-limiting audits are engineered both for mathematical rigor and for cost-effectiveness. It would only cost a few 10s of millions per year to adopt routine risk-limiting audits in every federal election nationwide; compare this to the nearly $16 billion spent on the 2024 election cycle. This is low-hanging fruit that would dramatically change U.S. elections for the better.

How can we get these and other improvements adopted? For starters, we can subject our election systems to real scrutiny, and have frank conversations about the risks we uncover.

In other fields, technology companies commonly incentivize researchers to test their systems’ security so that any flaws found can be disclosed and patched before someone else exploits them. Election equipment vendors, by contrast, often rely on “security through obscurity”: the idea that if no one can get their hands on a machine to try and find its flaws, the flaws may as well not exist. This is a very dangerous game. It means that when untrusted parties do obtain access to machines — as has repeatedly happened in recent years — any benefits from having kept the counting software secret go out the window. Malicious actors who do end up obtaining access to these machines can investigate them to learn their flaws, while defenders are limited to what they can learn with purely public data.

We also need to have accurate, sober conversations about real election security threats. In our current political environment, where elections have been the subject of a never-ending stream of baseless conspiracy theories, it can be tempting to circle the wagons and refuse to acknowledge real flaws that are uncovered. But if responsible people fail to talk about the real flaws in our election systems, we cede that ground to conspiracy theorists who are far less concerned about being constructive or accurate. 

The consequences can be serious. When my research lab discovered a serious privacy flaw in Dominion’s precinct-based tabulators a few months before the 2022 election, it received virtually no coverage outside of conspiracy-theorist circles. This meant that — even though we disclosed the vulnerability to the Election Assistance Commission (EAC), the Cybersecurity and Infrastructure Security Agency (CISA), Dominion, election directors of every affected state and ultimately the public — several jurisdictions never received word and continued to publish vulnerable data. 

This included the City of San Francisco, which has since begun an investigation into why they were never informed of the flaw by their partner entities. The city’s draft letters to CISA, EAC, the California Secretary of State and Dominion itself demanding answers concerning their silence are worth reading in full, but I would like to highlight some of the questions they posed to the manufacturer who sold them vulnerable machines:

Why did your October 7, 2022 notification to our Department of Elections not provide information about the privacy flaw or acknowledge that it existed?

Why have you not yet sent a more detailed advisory, now that the vulnerability is public and a fix is undergoing certification?

Can our Department expect to find out the next time a vulnerability is reported to you that affects us?

Indeed, why didn’t Dominion (or one of several state and federal governmental entities) provide accurate information to affected jurisdictions like San Francisco? Perhaps they feared that accurate discussions of security risks would harm public trust in the voting process. But it matters both that our elections are trusted and trustworthy. They are the bedrock of our democracy and the source of its legitimacy. If evidence-based critiques are enough to shake voters’ confidence, then that confidence is unearned in the first place. We should demand more from our system of government, and an honest discussion is the best place to start. 

Braden L. Crimmins J.D. ’26 is a Knight-Hennessy scholar and editor-in-chief of the Stanford Technology Law Review. He is also a computer science Ph.D. student in Professor J. Alex Halderman’s lab at the University of Michigan and is co-founder of BallotIQ, a startup designed to accelerate government adoption of secure election technology. His recent publications include “DVSorder: Ballot Randomization Flaws Threaten Voter Privacy” and “Improving the Security of United States Elections with Robust Optimization.”

The post From the Community | It’s time for a frank conversation about election security appeared first on The Stanford Daily.