Thursday, March 23, 2017

On March 9, 2017 Professor Jones presented at an Iowa City Foreign Relations Council's luncheon.

You may read the text below or watch or listen to the video "after the break."


The Election of 2016: Was it hacked?

Douglas W. Jones
March 9, 2017
delivered to the Iowa City Foreign Relations Council

First, I want to talk about the campaign rhetoric over the past year.

"The system is rigged." Both Bernie Sanders and Donald Trump were talking about a rigged political system.

From the start of his campaign in April 2015, Sanders emphasized over and over how our political and economic systems are rigged in favor of the wealthy, and by May of 2016, he was more pointed, saying that the Democratic party’s delegate selection process was rigged by the party’s system of superdelegates.

At the same time, Trump was making similar statements.  In April 2016, speaking in Albany, he said “I’m hundreds of delegates ahead but the system, folks, is rigged. It’s a rigged, disgusting, dirty system.”  Initially, he was talking about the Republican party’s delegate selection system.  In mid March, he even warned CNN that “I think you would have riots,” if he does not get the nomination.

In one sense, both of these outsider candidates had a point.  The Democratic and Republican parties have created delegate selection processes that favor the party establishment.  This is very natural in party politics, and it is not all bad:  A party without an establishment could become a political machine that flies left and right at random as the winds of politics shift.

As the two parties finished their nomination process, giving us a race between Hillary Clinton and Donald Trump, Trump’s rhetoric shifted.  He continued talking about a rigged system, but now, his focus was on the general election.  In early August, Trump told the Washington Post that “If the election is rigged, I would not be surprised.”  He based this on the overturning of Voter ID requirements that several states had tried to impose.  Addressing other audiences, he stated outright that “the election is going to be rigged.”

In October, Trump focused on the millions of dead people still on the voter rolls.  This theme continued even after the election, when Trump blamed his loss in the popular vote on over 3 million “illegals” who had voted in the election.

There is a very strong sense in which our national presidential election system is rigged, and that is written into the constitution.  The Electoral College biases the presidential election in favor of smaller states.  A voter in Wyoming has more than twice the clout in the presidential election than a voter in California because Wyoming's one congressional district gets 3 electoral votes while California's 53 districts get 55 electoral votes.  Trump was not complaining about this.

Trump’s concern with our voter registration system has a basis in fact.  In general, our voter registration lists are very poorly maintained.  When people move across state lines, they frequently fail to cancel their old voter registration when they obtain a new one.  When people die, their voter registration records frequently live on.  Drivers’ license offices are now required to offer voter registration materials when they issue a license, and this has resulted in the occasional non-citizen ending up inadvertently registered to vote.

The vast majority of errors in our voter registration system do not translate into illegal votes.  By and large, the dead do not vote, and the vast majority of those who are registered in more than one state not only don’t vote twice but don’t even know that they are still registered at their old residence.  Our voter records in Iowa are typically bad, as anyone who volunteers to make phone calls for a political campaign will learn very quickly.  That does not, however, translate into fraud.

When Iowa Secretary of State Matt Schultz investigated voter fraud in Iowa between 2012 and 2014, at a cost of ¼ million dollars, he found very little.  Granting him the most generous definition of voter fraud, the rate he found was under one vote in 10,000, and of those illegal votes, many were cast in error, for example by convicted felons whose voting rights had been restored and where that restoration had then been revoked.

It is noteworthy that the vast majority of voters that Schultz found to have cast questionable ballots had proper ID.  We routinely issue drivers’ licenses to non-citizens and convicted felons.  Trump's initial complaints about the overturning of voter ID laws leading to massive voter fraud are not justified by any studies I have seen of illegal voting.  Under these circumstances, proposals for voter ID requirements are far more likely to bar legitimate voters from voting than they are to prevent fraud.

Trump’s rhetoric echoes a pattern that has continued since the election of 2000.  When someone raises questions about election integrity, the answer from those whose election was questioned has frequently been this:  Yes, we are also concerned about voter fraud.  Note the deft pivot from election integrity to voter fraud.  Election integrity is a property of the system as a whole, with huge administrative components.  Voter fraud, on the other hand, is a criminal matter that justifies police action against individual voters.

Trump's election fraud rhetoric may have been largely intended to motivate his supporters.  By baiting them with the threat posed by an army of illegal voters intent on supporting his opposition, he could drive them to work harder.  There is a big downside risk to this, though, and that is that he could drive them to work harder by engaging in their own counterfraud.  A robust democracy requires the consent of the electorate to abide by the rules and accept the results of the election.  Widespread belief in a rigged system leads to a cynical and even contemptuous attitude toward the rules.  If you believe that “they are cheating”, then by gum, you have a license to cheat just as much.

So how do we defend the system?  When I wrote my book Broken Ballots, I made a point of looking not just at the technology of today’s elections, but how we came to vote using machinery in the first place.  In the United States, the transition from hand-counted paper ballots and voice voting began after the Civil War, sparked by large scale revelations of the extent of election fraud.  The first generation of practical voting machines were developed in response to this, and it was defense against fraud that drove the initial acceptance of voting machines, starting in the 1880s.  By the 1920s, most urban areas were using voting machines, although in Chicago and Louisiana, it took until the 1950s for machines to be adopted.

The election fraud that drew so much attention in the 19th century was not the retail “voter fraud” to which Trump has referred so loudly, it was on a wholesale scale, the work of corrupt political machines, both urban and rural.  Much of this involved ballot box stuffing or other forms of corruption at the polling places.  Boss Tweed's political machine in New York, Tammany Hall, was in the headlines, and when Federal Marshals took over administration of federal elections in Harrison County, Texas, they found that about 1/3 more ballots were counted in the state and local races than in the federal races, despite observers who agreed that every voter had voted both a federal and a state-and-local ballot.  This was clear evidence that the state-and-local ballot box was stuffed.

Voting machines were successful in the United States for two reasons.  First, hand counting a US general election ballot with large numbers of races and issues on the ballot is hard enough that, even if honest, clerical errors are common.  Few other countries in the world construct ballots as complex as those we vote on routinely.  Second, most of the corruption we faced was carried out at the precinct level by election  officials.  Numerous cases were uncovered where precinct officials announced totals without bothering to count the ballots, and at one precinct, a New York Times reporter observed a Tammany Hall official eating ballots of which he disapproved during the count.

Voting machines were seen by the good government movement as a tool in the battle against election fraud because they transfer much of the responsibility for the conduct of the election from precinct election officials to the technicians in the county building.  Of course, this means that they also transfer the potential for fraud from the precinct to the technicians, but this was not immediately obvious in the late 19th and early 20th centuries.   With the advent of electronic voting in the late 20th century, much of the responsibility and potential for fraud have been transferred onward from the county building to the technicians working for the voting system vendors.

When faced with the transition to voting machines, political machines took time to adapt. In many cases, the political machines found it easier to shift their focus from precinct-level fraud to voter registration than it was to corrupt the machines.  Literacy tests, laws barring non-citizens from voting, and a variety of other measures became popular as voting machines were put in place.  Of course, some polling place fraud still persists, as was proven by the corrupt Clay County, Kentucky political machine that was broken up in 2009.  None of their precinct-level manipulations were prevented by use of modern electronic voting machines.

How do we defend against corrupt voting machine technicians?  The possibility that the voting machine technicians might be corrupt occurred to several 19th century voting system developers.   Jacob H. Myers, generally recognized as the inventor of the first successful mechanical voting machine, proposed a machine where voters would vote by inserting tokens in slots in the face of the machine.  The machine counted the tokens as the voter left the voting booth, but it also stored them in a separate pot for each candidate.  At the close of the polls, the contents of the pot could be checked against the count for each candidate if there was any suspicion that the counters were wrong.

Joseph Gray, another 19th century inventor, proposed a mechanical voting machine where voting punched a paper "ticket" as it incremented a mechanical "register" inside the machine.  This was the first voting machine equipped with a voter-verifiable paper trail.  It never caught on, but Gray stated his purpose clearly:  "In this manner, we have a mechanical check for the tickets, while the ticket is also a check on the register."

These 19th century proposals were forgotten.  People at the time saw mechanical voting machines as inherently unbiased and mechanically incorruptible.  Those who worried about corruption of the mechanism were few and far between.

One of the greatest election reformers of the mid 20th century, UC Berkeley professor Joseph Harris, invented the Votomatic punched card voting machine as a reaction to the lack of a voter-verified paper trail on the mechanical voting machines of the mid 20th century.  Harris's Votomatic was incredibly cheaper than the mechanical machines it replaced, and the ballots could be counted by computer.  In the 1970s, I voted on a Votomatic in Illinois, and at the time, I thought it was an incredible step forward, moving from 19th century mechanism into the computer age.

The problems with dangling chad that would later doom the Votomatic were serious but largely unrecognized until the election of 2000.  The legacy of Harris's work lives on, however.  When Harris proposed legislation in California to allow use of his new machines, he also proposed that, after every election, precincts representing one percent of the voters be selected at random for an audit that included a hand recount of the ballots.  This would defend against any corruption of the computer programs or punched-card tabulators used to count the ballots.

California enacted Harris's proposal into law in 1965, and ever since, that state has been conducting routine election audits.  They do this immediately after the first count is announced, before the final certification, regardless of whether there are any recount requests, and naturally, in the event an audit discovers significant discrepancies, the candidates are entitled to request a full recount.  If you talk to California election officials, they say that auditing is not a major burden, that it builds public confidence, and that it means that, in the event of a request for a full recount, they have a large crew of election workers who know how to conduct a hand count because they do it routinely.

Election auditing remained essentially unknown in much of the United States until the controversy surrounding Election 2000.  Since then, many states have brought election auditing into practice.  Most of the states doing so have followed California's example by requiring random selection of precincts for audit until the number of ballots involved exceeds a set percentage of the votes cast.  Some states have changed the numbers, so, for example, Minnesota requires 5 percent, New York requires 3 percent.  The web site has state-by-state details.

Currently, Iowa does not conduct post-election audits.  The election reform bill under consideration right now in Des Moines is large, with provisions for voter ID, signature verification, electronic pollbooks and auditing.  The auditing provisions are quite odd. The bill would require an audit in February after the November general election, and it forbids the audit from changing the election results in the event any discrepancy is found.  Under this proposal, an audit cannot trigger a recount or any other corrective action.  While I agree that any auditing is better than none, I wonder where this rather timid auditing proposal came from.

It is fair to ask, could an audit detect the millions of illegal ballots that Trump said were cast last November?  Philip Stark, the UC Berkeley statistician who invented risk limiting election audits, has noted that "If the number of illegal voters in CA is more than 500 thousand (among those who voted in this election), there's a 99.8% chance that a random sample of 140 voters from CA would find at least one."

Michel Chevallier, then the head of elections in Geneva, Switzerland told me that they actually do something like the audits that Stark suggests.  For over a decade, Geneva voters have been allowed the choice of voting at the polls, voting by mail, or voting by Internet.  Given the wild-west character of internet security today, I'm not in favor of Internet voting, but the Geneva system has an interesting feature.  The credentials needed for postal and Internet voting in Geneva could possibly be stolen or traded.  To prevent this, the election office conducts a simple survey after each election.  They talk to randomly selected people whose credentials were used in that election, asking just one question:  "Did you vote in person, by mail, or by Internet?"  The election office knows how each ballot was received, and if the voter indeed voted that ballot, they should remember how they did it.  If a voter's credentials were bought or stolen, however, they would not know how they were used.

Election auditing can only accomplish very small results with paperless voting systems, either the mechanical monsters we used here in Iowa before the 1980s or the direct-recording electronic machines, many of which use touch screens, that were briefly the rage 15 years ago and are still widely used in some states.  With hand-marked paper ballots such as we have used in Iowa starting in the 1980s, correctly done auditing can eliminate essentially all of the questions we might have about the integrity of the voting system.  As David Dill at Stanford University once said, we could vote on machines “made by the Devil himself” and still run fair elections.

There are useful audits that can be conducted on paperless machines.  All of these machines maintain a variety of internal records, recording when the polls open, when the polls close, when the machine is enabled for one voter to vote, when the voter pushes the cast-ballot button, and things like that.  Real failures in election administration have been diagnosed from these event logs.  Duncan Buell at the University of South Carolina has been a leader in working in this area, and earlier, Martha Mahoney at the University of Miami did pioneering work on event-log analysis.

The most interesting auditing model that has been proposed to date is Philip Stark’s risk limiting audit.  In such an audit, the number of ballots selected for recounting depends on the margin of the election and the degree of assurance you want that all was honest.  If the election was won by a wide margin, you only need to check a few ballots to assure yourself that the election result was honest.  The smaller the margin, the more ballots you need to check.  Stark's formulas begin with the margin in the election, the number of ballots cast and the confidence level you want in the outcome, and tell you how many ballots to count.  While the detailed formulas are messy, there are approximations that are pretty intuitive.  To assure yourself that an election with a 10 percent margin was honest, recounting just 10 randomly selected ballots gives some assurance (but not much), while if the margin is 1 percent, you need to recount 100 ballots to get the same limited assurance, and if the margin is 0.1 percent, you should count 1000 ballots.  Colorado and several other states have begun experimenting with risk-limiting audits.
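The sampling arithmetic behind the 10/100/1000 rule of thumb and behind the 140-voter quote earlier, as an added example that is not part of the talk and is not Stark's actual formulas.  It assumes a simplified model: a wrong outcome produced by vote switching needs at least half the margin's worth of ballots altered, and an auditor who pulls an altered ballot recognises it.  All function names are hypothetical.

```python
import math

def miss_probability(total, altered, sample):
    """Exact chance that a simple random sample, drawn without replacement,
    contains none of the `altered` ballots (hypergeometric, zero hits)."""
    if sample > total - altered:
        return 0.0  # more draws than clean ballots: at least one hit is certain
    p = 1.0
    for i in range(sample):
        # probability that draw i is clean, given all earlier draws were clean
        p *= (total - altered - i) / (total - i)
    return p

def detection_chance(total, altered, sample):
    """Chance that the sample contains at least one altered ballot."""
    return 1.0 - miss_probability(total, altered, sample)

def sample_size_for_risk(bad_fraction, risk):
    """Smallest n with (1 - bad_fraction)**n <= risk.  This treats draws as
    independent, which slightly overstates n for sampling without replacement."""
    return math.ceil(math.log(risk) / math.log(1.0 - bad_fraction))

def implied_fraction(sample, confidence):
    """Solve 1 - (1 - f)**sample = confidence for f: the share of the
    population that must be 'bad' for the sample to hit one that often."""
    return 1.0 - (1.0 - confidence) ** (1.0 / sample)

def rule_of_thumb_table(total=1_000_000, margins=(0.10, 0.01, 0.001)):
    """For each margin: the talk's sample size (1/margin), the detection
    chance it buys in this model, and the sample needed for a 5% miss risk."""
    rows = []
    for m in margins:
        n = round(1 / m)                  # the talk's approximation
        altered = round(total * m / 2)    # assumption: each switch moves the margin by 2
        rows.append((m, n,
                     detection_chance(total, altered, n),
                     sample_size_for_risk(m / 2, 0.05)))
    return rows

if __name__ == "__main__":
    print("margin  ballots  detect   ballots for 95% detection")
    for m, n, detect, n95 in rule_of_thumb_table():
        print(f"{m:6.1%}  {n:7d}  {detect:6.1%}  {n95:7d}")
    # The quoted claim: 140 sampled voters, 99.8% chance of at least one hit.
    f = implied_fraction(140, 0.998)
    print(f"share needed for the 140-voter claim: {f:.2%}")
    print(f"500,000 voters are that share of about {500_000 / f:,.0f}")
```

In this model the 1/margin sample gives roughly the same modest detection chance at every margin, which is the "same limited assurance" of the talk; a stated risk limit multiplies the sample by a constant factor but keeps the 1/margin scaling.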

Unfortunately, in last fall’s battleground states of Wisconsin, Michigan and Pennsylvania, there were no provisions for routine auditing.  What these states have is laws allowing recounts.  I will get to the recounts later, after discussing the possibility of Russian involvement because it is also one of the justifications for a recount.

In May 2016, the Director of National Intelligence reported signs of attempted cyberattacks on several 2016 presidential campaigns.  At the time, they did not identify the likely sources of the attacks, nor the victims.  It appears that the purpose of the public release by our government was to get all of the political campaigns to raise the level of their defenses.  They did repeat some history, though, reminding us that in 2008, Chinese hackers had attempted to breach the computers of both Barack Obama and John McCain, and that there were domestic and foreign attacks on the computers of Obama and Romney in 2012.  In short, the Internet these days seems to be as lawless as the stereotypical wild west of the 19th century.

In June, we learned that the Democratic National Committee was one of the victims of these attacks, that the material stolen included copies of all of their opposition research on Donald Trump, and that the attacks were Russian.  The DNC said that no financial, donor or personal information had been taken.  While Russia denied any involvement, the news stories noted that some of the attackers appear to have had access to the DNC’s computers for a year, and that they were only expelled in early June during a “major cleanup” of the DNC’s computer system.

We need to be clear here:  Russian intelligence is naturally interested in gathering every bit of information they can about the potential leaders of our country.  And I hope that US intelligence is just as interested in Russia and China.  It would be foolish of any great power not to poke around on the Internet to see what they could find about their rivals.

The question is, did they go beyond information gathering and attempt to intervene in the US election?  Just days after the revelation that the DNC was the victim, someone going by the name “Guccifer 2.0” released a large pile of DNC documents to Wikileaks, including opposition research but also information about at least some donors.  My impression of these document releases is that they were not complete releases of everything that was stolen, but rather, carefully curated collections designed for maximum impact.

Early this year, FBI director James Comey said that the RNC and several other Republican campaigns had also been hacked during the campaign, but not Trump’s campaign.  This does not surprise me.  If I’d been in charge of Russian intelligence, I'd have wanted all the information I could get about likely contenders for the presidency.  In early 2016, when these hacks took place, Trump was still the outsider, judged by just about everyone as unlikely to win the nomination.  He may have been considered unlikely enough a candidate to be deemed not worth hacking at the time.

I am not an expert on Russian politics, but I have traveled in the former Soviet Union as an election observer in Kazakhstan, where I had opportunities to speak with many in the central election commission.  I worked with the former chair of the Russian central election commission when I observed elections in the Netherlands.  In general, the Russian and former Soviet attitude toward American interest in election integrity is a bit resentful.  They don't like us telling them that their elections are less than open and honest.  I get the impression that many in the leadership would love to see American democracy discredited.

I suspect that the leadership in Russia, having harvested all the intelligence they could get on all of the likely candidates, had a clear interest in seeing Clinton pushed aside.  She did not make friends in Russia during her term as Secretary of State, and she would have been a hard-nosed opponent as president.  Trump, on the other hand, would appear, from a Russian perspective, to be a “wannabe oligarch,” a man with aspirations just like those of the Russian leadership.  This naturally leads to a bias against Clinton and for Trump in the Russian leadership.

We know that Russian government policy has long been to collect compromising material or kompromat as they call it, on everyone they can, for later use when leverage is needed.  The Russian investigation of US political campaigns was almost certainly interested in gathering kompromat.  Naturally, as the election approached, Russian authorities would be expected to look at the quality of the dirt and ask:  Who will we have the most leverage over?  While I don't believe that Clinton is squeaky clean, I suspect that the dirt we've seen about her use of a private e-mail server is about as bad as they could find.  We don't know what they have on Trump, but my guess, given his business dealings with various Russian oligarchs over many years, is that they have much more.  Both the “wannabe oligarch” and the kompromat arguments suggest a Russian preference for Trump, but I warn that, without evidence, this is just a speculative justification for suspecting Russia.

Where is the proof?  How do we know the Russians did this?  The answer lies in the way we build Internet servers.  From my laptop computer all the way up to the huge machines run by the likes of Google and Amazon, computers connected to the Internet maintain log files.  These files are retained for periods from days to weeks and then deleted so that the disk space can be reused, but when something goes wrong, they are the first place an analyst should look to see what happened.  These logs don’t record everything that happened, but they record the metadata.  Where in the world was the computer that contacted your computer and when did it do so, but not what it did.  Once the DNC discovered it was being hacked, they extracted all the logs they could to determine where the traffic to their computers was coming from.  The NSA collects far more, but the logs from the servers have been subject to multiple independent examinations.

Half of the suspicious traffic came from Tor routers.  Tor is a free Internet service that provides anonymized Internet access.  Tor is based on technology developed by the US military and deliberately released into the public domain because it allows people living in totalitarian countries to avoid Internet censorship.  To dissidents in China, Iran and Saudi Arabia, nations that attempt to severely restrict or control Internet access, Tor is a very valuable tool.  Of course Tor is a double edged sword.  Criminals use Tor, and so do spies.  This use of Tor in the attacks on US campaign Internet servers is to be expected.

The key clues to the attacks come from the other half, Internet contacts that were not as carefully anonymized.  When working over a period of a year or so, hackers sometimes don’t remember to cover their tracks, and instead of coming through a service like Tor, they occasionally came in directly from their own machines or through intermediaries that maintain logs allowing tracking back to the source.  The Internet addresses of some of these machines were addresses previously associated with Russian groups code-named FANCY BEAR and COZY BEAR, also known as APT 28 and APT 29.  We don't officially know who these are, but they have been tracked for a long time, long enough for the trackers to name them.

How do we know that these are Russian?  Over many years, their activities have followed a daily pattern with most activity during normal working hours in the time zone of Moscow and Saint Petersburg.  Furthermore, they don’t normally work on Russian holidays.  We can’t say for sure that these organizations are parts of the Russian government, but the level of sophistication they show strongly suggests that they are closely allied with Russian intelligence.
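The working-hours reasoning above, as an added example that is not part of the talk and not any investigator's actual tooling.  The log lines, the address 203.0.113.7 (a documentation-only range) and all function names are constructed for illustration; the only outside fact used is that 8 March is a public holiday in Russia.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone

def make_sample_log():
    """Constructed sample, not real data: one connection per line, UTC time."""
    lines = []
    day = date(2016, 2, 29)                       # a Monday
    while day <= date(2016, 3, 11):               # through the Friday after next
        # the actor is active on weekdays only, and idle on Tuesday 8 March
        if day.weekday() < 5 and day != date(2016, 3, 8):
            for hour, minute in ((6, 5), (8, 40), (10, 15), (12, 30), (14, 50)):
                lines.append(f"{day}T{hour:02d}:{minute:02d}:00Z 203.0.113.7 session-open")
        day += timedelta(days=1)
    lines.append("2016-03-05T19:20:00Z 203.0.113.7 session-open")  # weekend outlier
    lines.append("2016-03-02T22:10:00Z 203.0.113.7 session-open")  # late-night outlier
    return lines

def parse_times(lines):
    """Pull the leading ISO-8601 UTC timestamp out of each log line."""
    return [datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ")
            .replace(tzinfo=timezone.utc) for line in lines]

def office_hours_share(times, offset_hours, start=9, end=18):
    """Share of events that fall Monday-Friday, start <= hour < end,
    when the clock is shifted to the candidate UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for t in times
               if t.astimezone(tz).weekday() < 5
               and start <= t.astimezone(tz).hour < end)
    return hits / len(times)

def best_offsets(times):
    """Score every whole-hour UTC offset; return the best one(s) and the score."""
    scores = {o: office_hours_share(times, o) for o in range(-12, 15)}
    top = max(scores.values())
    return [o for o, s in scores.items() if s == top], top

def quiet_weekdays(times, offset_hours):
    """Weekdays inside the observed span with no activity at all:
    candidates to compare against a national holiday calendar."""
    tz = timezone(timedelta(hours=offset_hours))
    seen = Counter(t.astimezone(tz).date() for t in times)
    day, last = min(seen), max(seen)
    quiet = []
    while day <= last:
        if day.weekday() < 5 and day not in seen:
            quiet.append(day)
        day += timedelta(days=1)
    return quiet

if __name__ == "__main__":
    times = parse_times(make_sample_log())
    offsets, share = best_offsets(times)
    print(f"best-fitting offset(s): UTC{offsets[0]:+d}, "
          f"{share:.0%} of events in office hours")
    print("weekdays with no activity:", quiet_weekdays(times, offsets[0]))
    # A UTC offset is shared by many countries, so this is circumstantial
    # evidence that narrows the field; it does not identify an operator.
```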

Here, it is clear that Russia routinely attempts to maintain “plausible deniability,” claiming that actions such as these are the acts of rogue agents and not the Government.  On many occasions, however, “plausible deniability” shifts to become “implausible denial.”  In 2007, attackers from Russia shut down the web servers for a number of Estonian organizations.  Russia denied any government involvement, claiming that the attacks were actions of individuals working without any sanction.  And then, in the 2008 Russo-Georgian war, similar cyberattacks were coordinated with military action.  Can they really deny government involvement?

Russian involvement did not stop with the DNC and RNC.  In late August, we learned that Russian hackers had breached the voter registration databases of Illinois and Arizona.  State election offices are typically run on a shoestring, so I would bet that other states were breached without anyone noticing.

On November 1, I put together an analysis of the situation for a press conference convened by Garry Kasparov’s organization.  I concluded that the structure of US election administration would make it very difficult for Russia or any other outsider to directly hack the vote.  Our elections are extraordinarily decentralized, with over 5000 local election offices, mostly at the county level.  These local offices do most of the work.  There is no one-size-fits-all hack that could be used to make national-scale changes.

There are a few states with very centralized election administration.  Georgia and Maryland are examples.  Just this past week, we learned that Georgia's election center has indeed been hacked, but to what end?  Georgia is a safely red state and Maryland is safely blue.  An outsider would be hard pressed to change the results in these states without being noticed.  A smart hacker would focus on battleground states, not safe states, and in those states, focus on a few large counties where small changes could swing the result statewide.

I suggested on November 1 that such an attack would be far more difficult than releasing carefully curated stolen or even fictional information through the news media.  Curated leaking through Wikileaks, building credibility and then releasing hard-to-deny fictions at the last moment seemed to me to be the most dangerous strategy because it could change more votes at lower cost than the alternatives.  I think the results of the election have proven me right, but that is not the end of the story.

After the election, I believe it was critical to try to prove that the actual vote count had not been hacked.  This is why I and a number of other computer scientists, notably Alex Halderman at the University of Michigan, joined forces with Green Party candidate Jill Stein to file for recounts in Wisconsin, Michigan and Pennsylvania.

The Trump campaign poured significant effort into blocking these recounts, and I think this was ill advised but expected.  The winners in an election generally discourage investigation into the possibility that there were any irregularities in that election.  The winner’s position is invariably “we won, get over it!”  It always falls to the losers to ask the hard questions about the integrity of the system.

In Wisconsin, we reached exactly the conclusion that I had hoped for:  While the ballot count in that state was not perfect, I don’t expect perfection in any effort as complex as a presidential election.  But the errors in the count did not come anywhere near the magnitude that could have changed the outcome.  On election day in Wisconsin, Trump won fair and square.  It was an uphill battle to reach that conclusion, and we did not get the full hand count we hoped for, but we had observers in many of the counties that conducted their recounts by machine.  In many of these counties, despite no rule requiring it, they did a hand count anyway, without prompting, before the machine count.  In other counties, it was not hard to talk the officials into hand counting, and in others, we found Trump and Clinton volunteers to look over the shoulders of the officials and demand to see each and every ballot, just briefly, so that the volunteers could verify the machine counts.  In sum, the system worked.

The story was more fraught in Michigan, where the recount law has the unusual feature that if there is any discrepancy between the number of ballots the precinct officials say they issued to voters and the number found in the ballot box, no examination of the ballots is permitted.  If just one voter takes his ballot from the polling place as a souvenir, a recount of that polling place is not permitted.  This, along with skilled maneuvering by Trump’s legal team, stopped the Michigan recount before more than a few counties could complete their recounts.

In Pennsylvania, the situation was worse.  Many Pennsylvania counties vote on paperless electronic voting machines where there is really no useful possibility of an audit.  Fortunately, some of these machines are so old that hacking would only be possible with direct physical access to the machines.  There is no way that Russia could do that over the Internet.  The biggest barrier to a recount in Pennsylvania, though, is that Pennsylvania law requires three voters in each precinct to file a request for a recount in that precinct before it can proceed.  In effect, nobody can mount a statewide recount in Pennsylvania without having an organization on the ground in advance.

Unfortunately, many of the judges and lawyers with whom we interacted during the recount battles asked for proof that the recount would change the result before it could be permitted.  This is a very odd standard, since only the ballots themselves could offer proof, and also because a recount that detects no irregularities is actually more valuable than one that detects problems precisely because it shows that our election system is trustworthy, at least insofar as the actual vote count is concerned.

Another fear, based on the hacks of voter registration databases, was that an attempt would be made to disenfranchise voters.  An outsider with access to the complete registration records of voters could, for example, request absentee ballots on behalf of voters they wished to disenfranchise, having those ballots mailed to random overseas mailing addresses.  Voters showing up at the polls under such circumstances would be forced to cast provisional ballots; even if all those provisional ballots are counted, the result would be long lines as election officials deal with “problem voters.”  Fortunately, on election day, nobody reported evidence of such an attack.

This “absentee ballot” attack is not merely hypothetical.  It happened in Miami in an August 2013 primary.  Fortunately, the perpetrator was amateurish enough that the county election office caught on, the perpetrator was caught, and eventually agreed to a plea deal and a year of probation.

I continue to advocate for election auditing.  I wish the audit provisions of Paul Pate’s election reform bill that is now up for discussion in Des Moines were stronger, but I have long felt that any auditing is better than none.  I agreed to give this talk back in November, when we still had no idea how the story would end, and as it turns out, the story is still very much in play.