This scientist is trying to create an accessible, unhackable voting machine

This nonfiction was primitively published connected Undark. Read the original article.

In precocious 2020, a ample container arrived astatine Juan Gilbert’s bureau astatine the University of Florida. The machine subject prof had been looking for this benignant of merchandise for months. Previous orders had yielded mediocre results. This time, though, helium was optimistic.

Gilbert drove the bundle home. Inside was a transparent box, built by a French institution and equipped with a 27-inch interaction screen. Almost immediately, Gilbert began modifying it. He enactment a printer wrong and connected the instrumentality to Prime III, the voting strategy helium has been gathering since the archetypal word of the George W. Bush administration.

After 19 years of building, tinkering, and testing, helium told Undark this spring, helium had yet invented “the astir unafraid voting exertion ever created.”

Gilbert didn’t conscionable privation to people a insubstantial outlining his findings. He wanted the predetermination information assemblage to admit what he’d accomplished—to admit that this was, successful fact, a breakthrough. In the outpouring of 2022, helium emailed respective of the astir respected and vocal critics of voting technology, including Andrew Appel, a machine idiosyncratic astatine Princeton University. He issued a elemental challenge: Hack my machine.

Their entree would beryllium unfettered—no tamper-evident seals to avoid, chain-of-custody procedures to subvert, oregon mock canvass workers to dupe—and they’d person to hold to lone 1 condition: Flip each ballot to the aforesaid candidate.

By this point, Gilbert had published a video of his ballot-marking device, oregon BMD, successful action, but helium was unsure however the hacking assemblage would respond. “There’s a portion of that assemblage that’s precise assured successful what they do,” helium said. “And if they perceive however it works, they whitethorn tally distant from it.”

After astir 2 decades successful the predetermination space, Gilbert knew helium was jumping feet-first into possibly the astir contentious statement implicit predetermination medication successful the United States—what role, if any, touch-screen ballot-marking devices should play successful the voting process. Federal instrumentality requires polling sites to person astatine slightest 1 voting instrumentality on-site that tin service voters with disabilities, and at slightest 30% of votes were formed connected immoderate benignant of instrumentality successful the 2020 wide election, arsenic opposed a hand-marked ballot.

A curbside voting instrumentality stands successful a parking batch successful Charleston, South Carolina. Voters 65 and older and radical who are incapable to basal successful enactment to ballot due to the fact that of a disablement are allowed to ballot from their vehicle.

MICHAEL CIAGLO/GETTY IMAGES

Advocates accidental the physics voting systems tin beryllium comparatively secure, amended accessibility, and simplify voting and ballot tallying. Meanwhile, world critics similar Appel person argued that they are insecure and should beryllium utilized arsenic infrequently arsenic possible. Those arguments person astatine times been bolstered by a rich, informal assemblage of hackers who walk their clip proving that they tin hack the devices.

Recently, this formerly niche statement has been embraced by a chorus of conspiracy theorists who claim, with nary evidence, that compromised machines outgo Donald Trump the presidency.

Amid these concerns astir predetermination technology, a fistful of innovators—including Gilbert—have searched for a solution that volition soundlessness critics: a voting instrumentality that’s casual to use, based successful open-source software, and importantly much hard to hack than existing models. But immoderate experts judge that the pursuit is misguided, due to the fact that nary machine could ever beryllium unhackable. And adjacent if Gilbert’s instrumentality were foolproof, helium and others reason that ballot hacker culture—one that’s much intent connected destroying devices than creating them—makes it improbable the instrumentality would ever get a just hearing, fto unsocial beryllium adopted.

For 2 decades, the emergence of voting exertion has enabled immoderate of the United States’ loftiest antiauthoritarian ideals, and besides embodied its astir visceral governmental suspicions.

Gilbert believes he’s invented his mode retired of that dilemma. Who volition beryllium him wrong?

Today, the voting instrumentality marketplace is dominated by three large vendors: Election Systems & Software, Dominion Voting Systems, and Hart InterCivic. According to 1 estimate, the full manufacture generates astir $300 cardinal successful gross annually.

In overmuch of the country, erstwhile idiosyncratic votes, they conscionable capable retired a insubstantial ballot, which is typically fed done a tallying instrumentality called an optical scanner. Elsewhere, immoderate voters usage afloat integer setups, called nonstop signaling physics systems, that sometimes usage the machine to some people and tally the votes.

A ballot-marking instrumentality has elements of some kinds of systems. While circumstantial designs vary, BMDs person a machine interaction surface for voters to marque their selections. The instrumentality past prints retired a insubstantial ballot that tin beryllium fed into a scanner. Unlike hand-marked insubstantial ballots, BMDs person the quality to accommodate each elector utilizing a assortment of accessibility devices—including voters who can’t see, grip paper, oregon adjacent interaction a screen.

The machines person proliferated since 2002, erstwhile Congress passed the Help America Vote Act.

The value of HAVA to the disablement ballot “can’t beryllium overstated,” says Michelle Bishop, elector entree and engagement manager for the National Disability Rights Network, the nation’s largest supplier of ineligible advocacy services for radical with disabilities. Prior to the law, she says, “we had conscionable benignant of been surviving with systems that fundamentally disenfranchised ample numbers of voters.”

Machines person different advantages implicit insubstantial ballots: they tin connection aggregate connection options, enactment larger jurisdictions that request thousands of antithetic ballot types, and guarantee that voters don’t inadvertently miss a contention oregon marque a mistake that disqualifies their ballot. Those errors tin sometimes person a decisive effect: successful 2008, for example, the borderline of triumph successful Minnesota’s Senate contention was good beneath the fig of ballots rejected for elector error.

But mechanized voting brings its ain acceptable of fears, too—in particular, that idiosyncratic could tamper with the machines and manipulate the results. And, immoderate experts say, the companies’ behaviour has done small to animate nationalist trust. “They’ve mostly done things the mode I would accidental a ’90s IT steadfast would bash things,” said Ben Adida, the enforcement manager of VotingWorks, a nonprofit that has developed its ain open-source voting machine. “Very secretive, don’t speech to the property much, decidedly don’t speech to researchers, curl up into a shot each clip there’s a information study and deny, deny, deny.” (The companies archer the communicative differently—saying that protecting their root code, audit logs, and parts of the machines’ operating manuals is simply a indispensable information protocol, particularly now.)

Over the past 2 years, questioning the information of our voting machines has go its ain governmental movement.

In York County, Pennsylvania, residents attempted to get an inaugural connected the November ballot that would region the area’s physics voting machines. In Arizona, Kansas, Michigan, New Hampshire, and Oregon, determination are pending lawsuits challenging the reliability of physics voting machines, and a peculiar authoritative successful Michigan volition analyse whether the Republican campaigner for lawyer wide illegally gained access to voting machines aft the 2020 predetermination to execute “tests.”

These advocates connection small impervious that the machines person been hacked.

However, determination is simply a morganatic interest that they could be, accidental machine scientists similar Appel, the Princeton professor. An adept successful programming languages and machine security, Appel has publically questioned voting exertion for years. In 1 2009 quality earlier a tribunal successful New Jersey, helium installed vote-stealing bundle successful a instrumentality successful conscionable 7 minutes, utilizing lone a fastener prime and a screwdriver.

Appel and different machine scientists fearfulness that a hacker could gaffe malicious codification onto a ballot-marking device—changing votes, sowing chaos, and possibly adjacent altering the result of an election.

STEPHEN MATUREN/GETTY IMAGES

These critics accidental that the codification successful BMDs is complex, often poorly organized, and highly long, making it easier to insert codification that goes undetected. Because the races and candidates alteration each election, a caller ballot plan indispensable beryllium uploaded earlier each contest, offering different accidental for malicious codification to gaffe in. And due to the fact that voting is done anonymously, Appel notes, it’s intolerable to nexus a circumstantial ballot to the idiosyncratic who formed it. “There is nary enactment a elector tin instrumentality to show to predetermination officials that a BMD altered their expressed votes,” Appel and 2 colleagues wrote successful a 2020 paper.

In effect to specified concerns, voting instrumentality companies admit that their instrumentality whitethorn person vulnerabilities. But, they say, astir each the machines permission a insubstantial way that tin beryllium audited, making it imaginable to drawback incidents.

Still, experts say, a hack could person far-reaching effects. In September 2016, Appel submitted written testimony to a House committee proceeding connected predetermination integrity. “I powerfully recommend,” helium wrote, “that, astatine a minimum, the Congress question to guarantee the elimination of ‘touchscreen’ voting machines, instantly aft this November’s election.”

Juan Gilbert whitethorn look similar an improbable campaigner for a voting instrumentality inventor. His household wasn’t peculiarly governmental increasing up, helium says. He doesn’t retrieve erstwhile helium archetypal voted.

But Gilbert loves a challenge.

During Gilbert’s inferior twelvemonth of college, erstwhile a prof of his suggested helium go an world himself, Gilbert thought it was a joke. At Miami University, 20 minutes from wherever helium grew up successful Hamilton, Ohio, helium planned to get an undergraduate degree, find a job, and commencement earning a living.

“I had ne'er seen an African-American machine subject professor,” helium wrote successful a 2002 essay, “and truthful had concluded that it was not a occupation for me.” In 2001, helium was the archetypal African-American astatine the University of Cincinnati to person a PhD successful machine science.

Ever since, Gilbert has worked to diversify the field. The postgraduate students successful his Computing for Social Good Lab are mostly women and mostly Black, and Gilbert besides does outreach astatine organizations similar UF’s section of the National Society of Black Engineers. At 1 of those meetings respective years back, helium met Jean Louis, past an undergraduate who had ne'er considered postgraduate school. “Beforehand, I had a antithetic presumption of what a machine subject PhD was expected to look like,” Louis says.

Louis present works successful Gilbert’s lab, wherever helium and different researchers are employing exertion to effort and lick big, ambitious problems. One portion of bundle they developed, Applications Quest, uses artificial quality to code the contented of diverseness successful admissions and hiring. (It’s presently utilized by the University of Florida for assistance selection.) Another product, Virtual Traffic Stop, allows constabulary officers to initiate a video telephone with the operator they’ve conscionable pulled over, making the brushwood safer for some parties.

“The cardinal constituent is that this exertion interacts with people,” says Louis of the enactment being conducted successful Gilbert’s lab.

“It’s not conscionable theory,” helium says, “but similar really putting into signifier wherever you tin assistance radical out.”

Louis was a coauthor with Gilbert connected 1 of their recent papers astir the BMD, and the voting machine, helium said, has been a peculiar obsession for Gilbert. “Dr. G is connected different level,” Louis says. “He’s visibly, auditorily, each the ‘-lys’ passionate astir Prime III.”

In the aboriginal 2000s, Gilbert says, helium was astatine an engineering league with his postgraduate students. None of them had been antecedently looking astatine voting instrumentality design, but they were interested, particularly aft the 2000 predetermination and the meltdown of Florida’s punch-card system. The students were crushed by what the speakers determination had to say: “You can’t usage machines. It won’t work. There’s nary mode to bash it,” remembers Gilbert.

Now that Gilbert had heard idiosyncratic accidental it couldn’t beryllium done, helium was fired up. In 2003, helium and his squad released their archetypal prototype of Prime III. The instrumentality allowed voters to marque their selections not conscionable by touching a screen, but besides by utilizing a headset and microphone oregon a paddle system, accommodating voters with carnal disabilities and those who person trouble seeing, hearing, speaking, oregon reading. Real-world investigating led to adjustments. After determination was a distracting magnitude of inheritance sound during a trial tally astatine the Alabama Institute for the Deaf and Blind, helium changed the strategy to amended observe a voter’s voice. Before it was utilized by a radical of voters with varying degrees of literacy, helium added pictures to the ballot.

As Gilbert’s instrumentality was taking signifier successful the aboriginal 2000s, the authorities astir voting exertion became progressively complicated.

In August 2003, the twelvemonth earlier George W. Bush would triumph reelection, Walden O’Dell, the CEO of Diebold, wrote a missive inviting 100 friends to a Republican fundraiser astatine his home. In the letter, O’Dell, whose institution made the machines that astir 8% of voters utilized successful 2000, said helium was “committed to helping Ohio present its electoral votes to the president adjacent year.” The missive alarmed immoderate observers. “There are capable conflicts successful this communicative to capable an morals manual,” past legislator Jon Corzine, a New Jersey Democrat, told the New York Times that year.

In 2007, different voting instrumentality vendor, Smartmatic, sold its US subsidiary successful bid to extremity a months-long review by the Committee connected Foreign Investment successful the United States of whether the Venezuelan-owned institution had ties to the Venezuelan government.

Around the aforesaid time, immoderate machine scientists and hackers were exposing sedate insecurities. In California, a squad commissioned by past caput of authorities Debra Bowen recovered a litany of problems with 1 of the state’s machines: viruses could leap from instrumentality to instrumentality and adjacent to the predetermination absorption system; a elector could delete each physics records of the erstwhile votes cast, adjacent the backup copies; and the physics and insubstantial records had capable item to enactment the secrecy of the ballot a risk.

Based connected those discoveries, Bowen took the extremist measurement of temporarily decertifying galore of the state’s machines successful 2007, conscionable 3 months earlier the state’s statesmanlike primary. “It was a scary thing, reasoning astir not having a system,” said Cathy Darling Allen, the region clerk for Shasta County, successful Northern California.

But “in hindsight,” she said, “it was truly the close happening to do.”

As hackers began to situation voting machines, Gilbert kept processing his solution. In 2018, Prime III’s bundle was used successful New Hampshire, aft being piloted a fewer years prior. That year, it besides debuted successful Butler County, Ohio, wherever Gilbert grew up.

“It’s bully to spot idiosyncratic who’s passionate astir the enactment helium does,” says Eric Corbin, lawman manager of Butler County’s elections board. Corbin occasionally needs method enactment and tiny tweaks to the Prime III code, truthful helium calls oregon texts Gilbert. “I’d beryllium amazed if I looked backmost and it took him much than 24 hours to get backmost to us,” Corbin says.

The latest mentation of the machine, which Gilbert and his students finalized this year, has each the parts of a mean voting machine: a interaction surface for voters to marque their selections and a printer to make a insubstantial ballot that is past fed into a scanner.

Voters successful Wellington, Florida, formed their ballots connected caller touch-screen voting machines for the 2004 election. Palm Beach County was 1 of contested counties successful the 2000 Bush-Gore election.

MARIO TAMA/GETTY IMAGES

The instrumentality besides has immoderate much distinctive information features. The interaction surface is transparent, allowing voters to ticker the instrumentality people their ballot, successful existent time, and announcement immoderate issues. The full instrumentality is besides encased successful afloat transparent glass, making it hard to insert, say, a malicious USB thrust undetected. And the machine’s operating system, software, printer connection, and ballot accusation are stored connected a read-only Blu-ray disc. Unlike a emblematic hard drive, which voting exertion skeptics accidental could beryllium manipulated to alteration a person’s votes, the disc cannot beryllium overwritten, modified, oregon changed successful immoderate way. “I person taken distant that ability,” said Gilbert. “You cannot alteration it.”

To further guarantee that the USB ports can’t beryllium utilized to upload mischievous code, Gilbert’s instrumentality reboots aft each formed vote. “That caveat blows retired a full batch of their issues,” helium says. “No bundle tin persist, right?”

Like astir BMDs today, the instrumentality besides produces a insubstantial ballot that tin beryllium audited. One long-standing interest astir these insubstantial trails is that voters don’t really verify whether what’s printed connected their ballot matches what they selected connected the machine. If that’s the case, past audits are nary use.

This is wherefore Gilbert’s instrumentality is truthful innovative, helium says. The transparent interaction surface forces voters to look straight astatine the insubstantial being printed, making it acold much apt that voters volition announcement immoderate tampering. And if that happens, helium says, the elector tin rise an alarm.

By aboriginal May, Gilbert says, helium had emailed astir a half-dozen experts, including Appel and Harri Hursti, the cofounder and co-organizer of the Voting Machine Hacking Village astatine DEF CON, the yearly hacking league successful Las Vegas. He’d issued his challenge: Could they hack the machine?

DEF CON, successful particular, seemed similar the cleanable accidental for Gilbert to showcase his BMD.

According to a 2017 report written by Hursti and respective collaborators, the Voting Village was launched successful 2017 “to item cyber vulnerabilities successful US election infrastructure.” At the gathering, attendees person the tools, access, and escaped clip to unscrew, disassemble, and fundamentally destruct each of the machines on-site. The lawsuit sometimes produces viral content, similar a 2018 Twitter video successful which hacker Rachel Tobac said she’d gained head entree connected a voting instrumentality utilized successful 18 states. “Requires nary tools and takes nether 2 minutes,” Tobac wrote connected Twitter. “I’m acrophobic for our upcoming elections.”

Hackers determination bash precisely what Gilbert had been asking for—spend days tearing machines apart, escaped of charge—and their assurance that each BMDs are insecure rivals Gilbert’s assurance that his is not.

“We cognize each azygous instrumentality successful this country tin beryllium hacked,” Hursti said astatine the commencement of the normal successful August 2021. “And each aboriginal instrumentality tin beryllium hacked.” 

In addition, DEF CON attendees habitually knock the instrumentality vendors for keeping their codification secret. Not lone is Prime III unfastened source, but Gilbert’s BMD, with its transparent casing and automatic reboot aft each vote, would contiguous a unsocial challenge.

The DEF CON civilization has frustrated immoderate observers. “At some point, you person to determination beyond conscionable the changeless critiquing and determination connected to productive solutions,” says Amber McReynolds, the erstwhile manager of elections for the City and County of Denver and a existent subordinate of the Postal Service Board of Governors. Otherwise, she says, you hazard having your probe weaponized by radical bent connected discrediting the full system. “I’d similar to spot the assemblage of predetermination information professionals beryllium much thoughtful astir the downstream impacts of their comments and their enactment connected predetermination officials, and besides ideology arsenic a whole.” 

By September, Gilbert inactive hadn’t heard from Hursti. In fact, cipher had agreed to trial the machine.

When Undark reached retired to the experts Gilbert had primitively contacted, they offered antithetic explanations for their silence. One said that helium had retired. A 2nd was successful the hospital. Hursti said that Gilbert had emailed his idiosyncratic account, not the authoritative 1 for DEF CON’s Voting Village. Asked whether helium would see the instrumentality successful adjacent year’s event, Hursti did not respond to repeated messages from Undark. The time earlier the work of this story, helium wrote to clarify that Gilbert’s instrumentality would be invited astatine adjacent year’s convention, provided that helium followed definite DEF CON policies, including that the hackers not beryllium required to motion nondisclosure agreements. 

Appel declined to trial the machine, saying helium didn’t person the resources to springiness it a thorough vetting. But helium had seen the video of the instrumentality successful enactment and heard Gilbert springiness a presentation connected the caller model. It was a bully plan idea, helium said, and the deficiency of a hard thrust provides less onslaught surfaces for a hacker to exploit. The device, helium added, is addressing a occupation with ballot-marking devices that cipher other has truly tried to tackle.

Still, Appel said, helium is skeptical of the precise thought of unhackability. And helium imagined scenarios during which, helium said, Gilbert’s plan mightiness founder. In a blog post published successful April of past year, for example, helium wrote that the strategy depends a large woody connected quality voters’ being prompted to reappraisal their votes. A subtle hack, Appel suggested, could simply region that prompt. “This gives the accidental to deliberately misprint successful a mode that we cognize voters don’t observe precise well,” helium wrote.

Appel brought up different scenario: accidental that a elector tells a canvass idiosyncratic that the instrumentality printed the incorrect sanction connected the ballot. Gilbert has prepared for this scenario: it’s imaginable to comparison the maestro disc to the 1 successful the instrumentality to observe if there’s fraudulent code. Assume that the canvass idiosyncratic is capable to execute that program perfectly during the disorder of Election Day, and it reveals that the machine’s been tampered with. What then?

It’s unclear whether Gilbert’s instrumentality volition ever find wider use. Dan Wallach, a machine idiosyncratic astatine Rice University, said the instrumentality was a promising measurement forward. Still, helium voiced concerns astir the durability of the machine’s parts. Appel pointed retired that immoderate caller exertion volition look issues successful being scaled for wide accumulation and necessitate grooming and for voters and canvass workers.

There are different hurdles, too. For imaginable newcomers to the industry, it’s pugnacious to interruption in, says Ben Hovland, a commissioner with the Election Assistance Commission, which was primitively created by HAVA to enact the law’s requirements, including distributing the national backing for machines. For starters, the manufacture isn’t that big. “While determination are a batch of jurisdictions each implicit the country, there’s a fixed magnitude of instrumentality to sell,” helium says.

“And if the jurisdiction precocious bought equipment, they whitethorn not beryllium looking for 10 years, possibly more.”

Most states besides necessitate machines to beryllium certified, which the vendors indispensable wage for. Under EAC guidelines, Gilbert could person to fork implicit hundreds of thousands of dollars to acquisition that process.

Moving forward, Gilbert is readying to constitute a caller insubstantial detailing his design, and helium is inactive hoping to find a hacker consenting to trial retired the machine. The acquisition has near him sounding jaded astir the satellite of predetermination hacking —a world, helium suggests, that often seems focused much connected performatively tearing isolated machines than really moving toward solutions.

“They lone look astatine things they cognize they tin break,” Gilbert says.

“If you person thing that you can’t connected the look of it fig retired earlier you interaction it, they’re not going to interaction it.”

Spenser Mestel is simply a canvass idiosyncratic and autarkic journalist. His bylines see the New York Times, the Atlantic, the Guardian, and the Intercept.