In 2008, Andrew Appel ’81 tampered with an electronic voting machine, changing 20 percent of the votes it had registered from one candidate to the other. His “crime”—court-ordered in his role as an expert witness in a New Jersey lawsuit—captured the attention of the media and voters. Politico called him “part of a diligent corps of so-called cyber-academics—professors who have spent the past decade serving their country by relentlessly hacking it,” in a story that focused on several Princeton computer scientists.
Appel, Princeton’s Eugene Higgins Professor of Computer Science, studies software verification, computer security, and technology policy. He recently testified on Capitol Hill to help Congress better understand the scope of cyber threats to our system of voting. Back on campus, he outlined some of the challenges involved in keeping votes secure.
Why did you become interested in voting security?
In the 20th century, almost nobody cared about the technology of how we vote. And then in November 2000 all of a sudden it became very important because of those hanging chads and butterfly ballots in Florida during the Bush-Gore election. By 2003 lots of states were rushing to replace their election equipment and a few computer scientists, including me, started to notice that many states were adopting paperless touchscreen voting machines—the vote is recorded only on the computer, with no paper record that can be double checked for accuracy. Those machines have a big problem: It’s easy to make a computer program that you can install to make it shift votes from one candidate to another. And there is no way to detect the presence of fraudulent software. Those machines are still used in 10 states.
There are another three or four states where they vote on touchscreen machines that print out a paper record of your vote that you can inspect before it drops into a ballot box. That’s not as good as voting on paper ballots but it’s adequate.
How can the touchscreens be hacked?
When you touch the screen the computer inside decides how to interpret it and how to record it in its memory. The vote-stealing program that I wrote as an expert witness in a New Jersey court case worked like this: It would wait until it was time to close the polls and then it would go into the computer’s memory of the votes recorded and shift 20 percent of the votes from one candidate to another. The machine has an electronic log of each vote cast that is supposed to be a protection, so my program changed the log, too.
What is the most secure voting machine used today?
All voting machines can be hacked. And you can never be sure when you look at a machine what software is installed in the machine’s computer. So the best way to overcome this problem is to have elections that you can recount without trusting the software. An optical scanner and paper ballots let you detect and correct the problem if a machine is hacked.
How does an optical-scanner system work?
You are handed a sheet of paper with the names of candidates and little ovals. When you are finished filling in your ballot, you feed it into the scanning machine, which has a computer inside that counts your vote, and saves the ballot in a sealed box. The paper ballots can be recounted by hand, if necessary. About 40 states use this type of machine. About a dozen of those states go even farther. Even if there is no suspicion, they will randomly pick a few of those ballot boxes and recount them to make sure that they agree exactly with what the computer says.
Are most voting machines connected to the Internet?
Most are not, but there is still a problem. Before each election, the election administrators need to prepare a ballot definition file, which lists the races and candidates in the election. They put that onto a memory card or cartridge and stick it in a slot in the voting machine. The machines that program those ballot definition files are sometimes connected to the Internet. Professor Ed Felten, Princeton’s Robert E. Kahn Professor of Computer Science and Public Affairs, demonstrated in 2006 that vote-stealing viruses can be transmitted from these cards into the voting machines.
What do you think could happen on November 8?
A lot of the potential hacks are detectable and correctable. If there are hacks that affect voter registration databases or the electronic poll books that some states use to check names at voting locations, then there will be big problems. But at least we’ll know about it—voters will notice if their names are erased from databases and poll books, because they won’t be allowed to vote. If optical-scan voting computers get hacked, at least in principle that’s detectable by recounting the paper ballots. And when the polls close you’ve got to add up all the results from different precincts. That’s done by computer and those computers are often connected to the Internet. Fortunately, in general, the results in each precinct are announced publicly to poll watchers in the precinct before they become part of the overall count. So in principle, it’s possible to independently verify the results—with the exception of the results reported by paperless touchscreen voting machines.
For information on supporting computer science at Princeton, contact Jane Maggard, associate dean for development, engineering and applied science, at firstname.lastname@example.org or 609.258.6850 or Tom Roddenbery, associate director, strategic priorities, at email@example.com or 609.258.6122.