Mar 26, 2019

Travis County Clerk’s Dream Voting System Gains New Life

Reporting Texas

The Austin, Texas skyline is seen at night. Photo by Carlos Delgado on Unsplash

Travis County Clerk Dana DeBeauvoir’s longtime dream of a secure, electronic, open-source voting system with a voter-verifiable paper record has come back to life in an unexpected way — through the United States Department of Defense.

In 2005, to address concerns about the transparency and security of electronic voting machines, DeBeauvoir partnered with computer security experts to create an extremely secure voting system that was easily auditable and produced a paper trail. She and her partners dubbed the system STAR-Vote, short for secure, transparent, auditable and reliable voting system.

The development of STAR-Vote stalled in 2017 because no company was willing to create the open-source software that would make STAR-Vote freely available and publicly accessible. That kind of access would allow independent security experts and the public to quickly catch and fix problems that could make the system vulnerable to hacking. Since then, STAR-Vote has existed only in a scientific paper online, but that’s about to change.

On March 14 at the Election Verification Network conference in Washington, D.C., Oregon-based cybersecurity firm Galois announced its $10 million contract with the Defense Advanced Research Projects Agency to develop an open-source voting system embracing the STAR-Vote principles.

DARPA is known for creating transformational technology, including the internet, automated voice recognition and language translation, and the GPS transmitters in consumer devices.

Joe Kiniry, principal scientist and research lead for the Galois project, said by email that the firm is creating a software-based voting system demonstrator that will run on secure hardware created by DARPA. Kiniry expects the demonstrator to be publicly available after it is tested by hackers and researchers at the computer hacking conference DEF CON in August.

Once the voting software is made public, companies are welcome to explore ways they can use it for profit, Kiniry said, but enabling business is not Galois’ goal. “The prime customer for the work is DARPA — the whole point is to have a compelling demonstrator running on top of secure hardware that normal folks can understand, and that can be attacked during DEF CON,” Kiniry said.

DeBeauvoir said open-source software is “kind of like a paradigm shift. It gives everybody in the marketplace the opportunity to come up with … better, smarter election security and voting equipment.”

For nearly 200 years, American elections relied on paper ballots and later punch-card systems or mechanical lever voting machines before electronic voting machines gained wider use in the 1990s. The use of computerized voting machines soared once Congress passed the Help America Vote Act in 2002, after problems with paper ballots muddied the 2000 presidential election results in Florida.

Electronic voting machines offer several practical advantages over hand-marked paper ballots. They can provide a range of accommodations for disabled voters, as required by the Americans with Disabilities Act. Additionally, they can easily display a variety of ballots. On election days, hundreds of thousands of Travis County voters from more than 240 precincts can vote in any one of 80 polling locations, so every polling location must provide each voter the correct ballot for their precinct, written in both English and Spanish.

But like any other computer, computerized voting machines have the potential to be hacked or to malfunction.

“Frankly, the security community prior to 2000 hadn’t paid attention to these electronic voting machines,” said Dan Wallach, professor of computer science and computer security at Rice University and a co-author of STAR-Vote. “It wasn’t until 2007 that studies that I and others were part of found just how bad they all were. By then we were stuck with them.”

Since 2002, Travis County had used the Hart Intercivic eSlate voting system, which does not offer a voter-verifiable paper record. During the 2018 midterm election, a handful of voters using the same machines around the state reported that their straight-ticket votes appeared to have changed to candidates of the other party in some races. Hart Intercivic called it user error; the absence of a paper trail meant that it was impossible to assess how many votes may have been erroneously changed.

In 2018, Travis County contracted with Election Systems & Software to purchase ExpressVote electronic voting machines that provide a paper trail, which allows independent auditing of election results. The feature fulfills the 2018 recommendation by the National Academies of Sciences, Engineering and Medicine that all elections should be conducted with human-readable paper ballots.

The ExpressVote voting system is seen here. Image courtesy of Election Systems and Software

Yet a paper trail creates additional challenges. Voters must verify that the paper ballot produced by the ExpressVote machine matches their choices, and a 2018 study from Georgia Tech showed that nearly half of voters using the machine didn’t bother to check. Of those who did, more than 50 percent failed to recognize errors.

“The security model for ballot marking devices requires the voter to be part of the policing of the system to make sure the system is operating correctly,” said election auditing expert Philip Stark, associate dean of mathematical and physical sciences and professor in the department of statistics at the University of California, Berkeley. “And it just doesn’t work.”

DeBeauvoir said she will make sure voters know they must check their paper ballots by including that information in the upcoming public education campaign about the new voting system. Voters can “spoil,” or discard, any ballot that is incorrect and get three tries to vote a correct ballot, per Texas law.

Travis County “has 790,000 voters, and I have to touch every single one of them, if I can, to explain to them what the new paper trail is” before the county’s new system is used for the first time in November, DeBeauvoir said.

The paper ballot produced by ExpressVote includes both text and a barcode, which also contains the voter’s choices. The voter reads and verifies the text, but the vote-counting machine reads the barcode. This opens the possibility, however remote, that the votes counted via the barcode differ from the text that the voter checked.

“This is widely considered to be a poor engineering decision on the part of the vendor,” Wallach said.

A post-election risk-limiting election audit — a statistical method of counting samples of the paper ballots to verify the election outcome — can mitigate the risk of discrepancies between the barcode and the text, Wallach added.

DeBeauvoir said she will roll out the first risk-limiting audit in the state for the November elections. The audit will check the voter-readable text — not the barcodes — on samples of the paper ballots to provide evidence that the election outcome is accurate.
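As an illustration of how such an audit can work, here is an added example (not from the article, Travis County or any vendor) of a ballot-polling risk-limiting audit using the published BRAVO sequential test for a two-candidate contest. The article does not say which audit method the county will use; the ballot fields, candidate labels, vote shares and seed are constructed assumptions.

```python
import random

def bravo_audit(ballots, winner, loser, reported_share, risk_limit=0.05):
    """Ballot-polling audit (BRAVO sequential test), two-candidate contest.

    ballots: randomly drawn paper ballots, each a dict with a 'text' field
             (what the voter could verify) and a 'barcode' field (hypothetical names).
    reported_share: winner's reported share of winner+loser votes (> 0.5).
    Returns (confirmed, ballots_examined, test_statistic).
    """
    if not 0.5 < reported_share < 1:
        raise ValueError("reported winner share must be between 0.5 and 1")
    threshold = 1.0 / risk_limit      # stop once the evidence ratio reaches 1/alpha
    t, n = 1.0, 0
    for n, ballot in enumerate(ballots, start=1):
        choice = ballot["text"]       # audit the human-readable text, never the barcode
        if choice == winner:
            t *= reported_share / 0.5
        elif choice == loser:
            t *= (1.0 - reported_share) / 0.5
        # undervotes and other choices leave the statistic unchanged
        if t >= threshold:
            return True, n, t         # reported outcome confirmed at this risk limit
    return False, n, t                # not confirmed: escalate toward a full hand count

def draw_sample(pile, draws, seed):
    """Draw ballots uniformly at random with replacement (seed fixed for reproducibility)."""
    rng = random.Random(seed)
    return [rng.choice(pile) for _ in range(draws)]

if __name__ == "__main__":
    # Constructed piles of 1,000 ballots; the machine count (barcodes) reports A at 60%.
    honest = [{"barcode": "A", "text": "A"}] * 600 + [{"barcode": "B", "text": "B"}] * 400
    # Constructed discrepancy: barcodes still tally 60% for A, but the text shows 45%.
    altered = ([{"barcode": "A", "text": "A"}] * 450
               + [{"barcode": "A", "text": "B"}] * 150
               + [{"barcode": "B", "text": "B"}] * 400)
    for name, pile in (("honest", honest), ("altered", altered)):
        print(name, bravo_audit(draw_sample(pile, 500, seed=2019), "A", "B", 0.60))
```

Because the test statistic only grows when the sampled text agrees with the reported winner, a pile whose text disagrees with its barcodes fails to reach the threshold and the audit escalates instead of confirming.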

Travis County has addressed other security questions about the ExpressVote System, according to DeBeauvoir. Poll workers will record election data on removable media (thumb drive, CD, etc.) and physically walk them from place to place to maintain separation from the internet.

DeBeauvoir and Stark differ on whether ballot marking devices such as the ExpressVote are vulnerable to hacking. DeBeauvoir said the machine is equivalent to marking ballots with a typewriter. Stark “respectfully disagrees” and says ExpressVote is a computer that is “easy to hack.”

Regardless, DeBeauvoir said that “if there’s a [voting] machine that anybody has a question about, [Travis County] automatically takes that machine out of operation and quarantines it” for the duration of the election, a standard procedure in effect since 2001. Voters can make complaints about potentially malfunctioning machines to election judges at their polling places, she added.

Meanwhile, election security is poised to enter a new era once DARPA and Galois’ open-source voting software becomes publicly available. While she is not involved in Galois’ development project, DeBeauvoir, who has 32 years of experience running elections in Travis County, hopes to contribute when the software is close to completion by helping to ensure the system is a “practical concept that will work on the ground.”

DeBeauvoir said that the 15 years she spent working on STAR-Vote was “a labor of love” and that she feels lucky that DARPA and Galois have decided to give it new life. At the announcement of the contract on March 14, Kiniry was “nice enough to call me out and say thank you,” DeBeauvoir said. “I love elections. This is the heartbeat of democracy.”