This scientist is trying to create an accessible, unhackable voting machine

This article was originally published on Undark. The original article is available.

In late 2020, a large box arrived at Juan Gilbert’s office at the University of Florida. This product was sought by the computer science professor for many months. Previous orders had not produced satisfactory results. He was optimistic this time.

Gilbert drove the package home. Inside was a transparent box, built by a French company and equipped with a 27-inch touch screen. Almost immediately, Gilbert began modifying it. Gilbert connected it to Prime III, the voting system that he had been working on since the George W. Bush presidency began.

After 19 years of building, tinkering, and testing, he told Undark this spring, he had finally invented “the most secure voting technology ever created.”

Gilbert did not just want to publish a paper describing his findings. He wanted the election security world to acknowledge what he had done, and to acknowledge that this was a breakthrough. In the spring of 2022, he emailed several of the most respected and vocal critics of voting technology, including Andrew Appel, a computer scientist at Princeton University. He challenged him to hack my machine.

Their access would be unlimited–no tamper evident seals to avoid, chain of custody procedures to subvert or mock poll workers, and they’d only have to agree to one condition: Flip every vote to a single candidate .

By this point, Gilbert had published a video of his ballot-marking device, or BMD, in action, but he was unsure how the hacking community would respond. He said, “There’s a section of that community who’s very confident with what they do.” He said, “And if that part of that community hears how it works, it may run from it ” After nearly two decades working in the election space, Gilbert realized he was getting into the most contentious debate about election administration in the United States: what role, if any touch-screen ballot-marking devices, should play in the voting process. Federal law requires polling sites to have at least one voting machine on-site that can serve voters with disabilities, and at least 30% of votes were cast on some kind of machine in the 2020 general election, as opposed a hand-marked ballot.

A curbside voting machine stands in a parking lot in South Carolina — A curbside voting machine stands in a parking lot in Charleston, South Carolina. Voters 65 and older and people who are unable to stand in line to vote because of a disability are allowed to vote from their vehicle.

Advocates say the electronic voting systems can be relatively secure, improve accessibility, and simplify voting and vote tallying. Academic critics such as Appel argue that electronic voting systems are insecure and should not be used. These arguments have been supported by a small, informal group of hackers who spend their time hacking the devices.

Recently, this formerly niche debate has been embraced by a chorus of conspiracy theorists who claim, with no evidence, that compromised machines cost Donald Trump the presidency.

Amid these concerns about election technology, a handful of innovators–including Gilbert–have searched for a solution that will silence critics: a voting machine that’s easy to use, based in open-source software, and significantly more difficult to hack than existing models. Experts believe the pursuit of a hacker-proof computer is a mistake. Even if Gilbert’s machine was foolproof, he and others believe that the vote hacker culture, which is more focused on creating devices than on them, makes it unlikely that the machine will ever be given a fair hearing.

For two decades, the rise in voting technology has allowed the United States to achieve its highest democratic ideals and also embodied its most vexing political suspicions.

Gilbert believes he has a solution. Who will prove him wrong!

Today, the voting machine market is dominated by three major vendors: Election Systems & Software, Dominion Voting Systems, and Hart InterCivic. According to one estimate, the entire industry generates approximately $300 million in revenue annually.

In most areas of the country, voters simply fill out a paper ballot. This is then fed through an optical scanner, which is a device that counts votes. Some voters use digital setups called direct recording electronic system, which sometimes use the computer to mark and count the votes.

A ballot-marking device includes elements from both systems. Although the exact designs of BMDs are different, they all have a touch screen that allows voters to make their selections. The machine prints out a paper ballot which can be fed into a scanner. BMDs can accommodate all voters, regardless of their ability to see, touch, or handle paper. They are different from hand-marked paper ballots.

The machines have proliferated since 2002, when Congress passed the Help America Vote Act.

Among other momentous changes, HAVA phased out punch-card systems, like the one that produced the infamous “hanging chads” in Florida in 2000, and allocated roughly $3 billion to states, part of which was used to buy new machines–whether they wanted to or not. Every polling station in the country must have at minimum one machine for people with disabilities. This is a requirement of the bill.

The importance of HAVA to the disability vote “can’t be overstated,” says Michelle Bishop, voter access and engagement manager for the National Disability Rights Network, the nation’s largest provider of legal advocacy services for people with disabilities. She says that before the law, many people had lived with systems that essentially disenfranchised large populations of voters .”

. Machines have other advantages over paper ballots. They can offer multiple language options, support larger jurisdictions that require thousands of ballot types, and ensure that voters don’t accidentally miss a race or make a mistake which disqualifies them from their ballot. Those errors can sometimes have a decisive effect: in 2008, for example, the margin of victory in Minnesota’s Senate race was well below the number of ballots rejected for voter error.

But mechanized voting comes with its own set of concerns, including the possibility that someone could alter the machines and manipulate the results. Experts say that the behavior of these companies has not been inspiring public trust. “They’ve generally done things the way I would say a ’90s IT firm would do things,” said Ben Adida, the executive director of VotingWorks, a nonprofit that has developed its own open-source voting machine. “Very secretive, don’t talk to reporters, definitely not talk to researchers, curl into a ball every single time there’s a security report, and deny the existence of a security log or source code. This is especially important now. ) Over the past two decades, questioning the security and integrity of our voting machines has become a political movement.

In York County, Pennsylvania, residents attempted to get an initiative on the November ballot that would remove the area’s electronic voting machines. In Arizona, Kansas, Michigan, New Hampshire, and Oregon, there are pending lawsuits challenging the reliability of electronic voting machines, and a special prosecutor in Michigan will investigate whether the Republican candidate for attorney general illegally gained access to voting machines after the 2020 election to perform “tests.”

These advocates offer little proof that the machines have been hacked.

However, computer scientists like Appel from Princeton have a legitimate concern about whether they could be. Appel, a computer security expert and an expert in programming languages, has been questioning voting technology for many years. In one 2009 appearance before a court in New Jersey, he installed vote-stealing software in a machine in just seven minutes, using only a lock pick and a screwdriver.

Appel and other computer scientists worry that a hacker might insert malicious code into a ballot-marking device, changing votes, sowing chaos and possibly altering an election’s outcome.

Hands of an election official conducting a count of paper test ballots.

These critics say that the code in BMDs is complex, often poorly organized, and extremely long, making it easier to insert code that goes undetected. Each election has a new race and candidate. Every contest requires a new ballot design. This gives malicious code another chance to slip in. Appel also points out that it is impossible to link a particular ballot to the voter because voting is anonymous. “There is no action a voter can take to demonstrate to election officials that a BMD altered their expressed votes,” Appel and two colleagues wrote in a 2020 paper.

Voting machine companies have acknowledged that their equipment could be vulnerable. They claim that almost all machines leave a paper trail that can easily be audited and can be used to detect incidents. Experts warn that hacking could have devastating consequences. In September 2016, Appel submitted written testimony to a House committee hearing on election integrity. “I strongly recommend,” he wrote, “that, at a minimum, the Congress seek to ensure the elimination of ‘touchscreen’ voting machines, immediately after this November’s election.”

Juan Gilbert may seem like an unlikely candidate for a voting machine inventor. He says that his family was not particularly politically inclined growing up. He can’t recall when he first voted.

But Gilbert loves a challenge.

During Gilbert’s junior year of college, when a professor of his suggested he become an academic himself, Gilbert thought it was a joke. At Miami University, 20 minutes from where he grew up in Hamilton, Ohio, he planned to get an undergraduate degree, find a job, and start earning a living.

“I had never seen an African-American computer science professor,” he wrote in a 2002 essay, “and so had concluded that it was not a job for me.” In 2001, he was the first African-American at the University of Cincinnati to receive a PhD in computer science.

Since then, Gilbert has been trying to diversify the field. The graduate students in his Computing for Social Good Lab are mostly women and mostly Black, and Gilbert also does outreach at organizations like UF’s chapter of the National Society of Black Engineers. Jean Louis, then an undergraduate, met him at one of those meetings years ago. He had never thought about graduate school. Louis says that he had a different idea of what a computer science PhD should look like before meeting Louis.

Louis now works in Gilbert’s lab, where he and other researchers are employing technology to try and solve big, ambitious problems. One piece of software they developed, Applications Quest, uses artificial intelligence to address the issue of diversity in admissions and hiring. It’s currently being used by the University of Florida to select scholarship recipients. Another product, Virtual Traffic Stop, allows police officers to initiate a video call with the driver they’ve just pulled over, making the encounter safer for both parties.

“The central point of this technology interacts to people,” Louis says about the work being done in Gilbert’s laboratory.

“It’s not just theory,” he says, “but like actually putting into practice where you can help people out.”

Louis was a coauthor with Gilbert on one of their recent papers about the BMD, and the voting machine, he said, has been a special obsession for Gilbert. “Dr. Louis states that Dr. G is “on another level”. “He’s visibly, auditorily, all the ‘-lys’ passionate about Prime III.”

In the early 2000s, Gilbert says, he was at an engineering conference with his graduate students. None of them had been previously looking at voting machine design, but they were interested, especially after the 2000 election and the meltdown of Florida’s punch-card system. The speakers said that machines were not possible. It won’t work. Gilbert says that there is no way to do it.

Now that Gilbert had heard someone say it couldn’t be done, he was fired up. In 2003, he and his team released their first prototype of Prime III. The machine allowed voters not only to touch a screen but also to use a headset and microphone, or a paddle system. This made it possible for voters with disabilities or those who have difficulty reading, hearing, or seeing. Real-world testing led the to adjustments. He made adjustments to the system after noticing a distracting amount in background noise at the Alabama Institute for the Deaf and Blind. He added photos to the ballot before it was used by voters with different literacy levels.

As Gilbert’s machine was taking shape in the early 2000s, the politics around voting technology became increasingly complicated.

In August 2003, the year before George W. Bush would win reelection, Walden O’Dell, the CEO of Diebold, wrote a letter inviting 100 friends to a Republican fundraiser at his home. In the letter, O’Dell, whose company made the machines that roughly 8% of voters used in 2000, said he was “committed to helping Ohio deliver its electoral votes to the president next year.” The letter alarmed some observers. “There are enough conflicts in this story to fill an ethics manual,” then senator Jon Corzine, a New Jersey Democrat, told the New York Times that year.

In 2007, another voting machine vendor, Smartmatic, sold its US subsidiary in order to end a months-long review by the Committee on Foreign Investment in the United States of whether the Venezuelan-owned company had ties to the Venezuelan government.

At the same time, hackers and computer scientists were exposing grave vulnerabilities.

A team that was commissioned by Debra Bowen, the secretary of state, discovered a number of problems with one state’s machines. The virus could jump from machine-to-machine and even to the election management software; a voter could delete all electronic records of previous votes cast, including backup copies; and both electronic and paper records were detailed enough to pose a risk to the secrecy surrounding the ballot.

Based on those discoveries, Bowen took the radical step of temporarily decertifying many of the state’s machines in 2007, just three months before the state’s presidential primary. “It was scary, thinking about not having a program,” said Cathy Darling Allen (county clerk for Shasta County in Northern California).

But, she said that “in hindsight,” it was the right thing to do .”

As hackers began to challenge voting machines’ integrity, Gilbert continued to develop his solution. In 2018, Prime III’s software was used in New Hampshire, after being piloted a few years prior. That year, it also debuted in Butler County, Ohio, where Gilbert grew up.

“It’s nice seeing somebody who is passionate about the work they do,” Eric Corbin, deputy director for Butler County’s elections board. Corbin may need technical support or minor tweaks to the Prime III code from time to time, so he calls Gilbert or texts him. “I’d be surprised if I looked back and it took him more than 24 hours to get back to us,” Corbin says. The latest version of the machine was created by Gilbert and his students this year. It has a touch screen that allows voters to make their selections, and a printer to create a paper vote which is then fed into the scanner.

closeup of the back of electronic voting machine with paper receipt spooling out — Voters in Wellington, Florida, cast their ballots on new touch-screen voting machines for the 2004 election. Palm Beach County was one of contested counties in the 2000 Bush-Gore election.

The machine also has some more distinctive security features. The touch screen is transparent so voters can see the machine printing their ballot in real-time and spot any issues. The entire machine is protected by transparent glass. This makes it difficult to insert malicious USB drives. The machine’s operating system and software, as well as the printer connection and ballot information, are all stored on a Blu-ray disc that can only be read. The disc cannot be overwritten, modified or altered in any way, unlike a normal hard drive, which some skeptics believe could be used to manipulate voting technology. Gilbert said, “I have taken away this ability.” “You cannot change it.”

To further ensure that the USB ports can’t be used to upload mischievous code, Gilbert’s machine reboots after every cast vote. He says that this caveat eliminates a lot of their problems. “No software can persist, ?”

” Like most BMDs, the machine also produces paper ballots that can be audited. One long-standing concern about these paper trails is that voters don’t actually verify whether what’s printed on their ballot matches what they selected on the machine. Audits won’t be of any use if that is the case. This is why Gilbert’s machine has been so innovative, he explains. Because the transparent touch screen allows voters to see directly at the paper being printed it makes it more likely that they will notice any tampering. He also said that if this happens, the voter can raise an alarm.

By early May, Gilbert says, he had emailed about a half-dozen experts, including Appel and Harri Hursti, the cofounder and co-organizer of the Voting Machine Hacking Village at DEF CON, the annual hacking conference in Las Vegas. He challenged them to hack the machine.

DEF CON seemed like the perfect place for Gilbert to show off his BMD.

According to a 2017 report written by Hursti and several collaborators, the Voting Village was launched in 2017 “to highlight cyber vulnerabilities in US election infrastructure.” At the gathering, attendees have the tools, access, and free time to unscrew, disassemble, and essentially destroy all of the machines on-site. The event sometimes produces viral content, like a 2018 Twitter video in which hacker Rachel Tobac said she’d gained administrator access on a voting machine used in 18 states. Tobac posted on Twitter, “Requires no tools, takes less than 2 minutes.” “I’m concerned for our upcoming elections.”

Hackers there do exactly what Gilbert had been asking for–spend days tearing machines apart, free of charge–and their confidence that all BMDs are insecure rivals Gilbert’s confidence that his is not.

“We know every single machine in this room can be hacked,” Hursti said at the start of the convention in August 2021. “And every future machine can be hacked.”

In addition, DEF CON attendees habitually criticize the machine vendors for keeping their code secret. Prime III is open source. Gilbert’s BMD with its transparent case and automatic reboot after each vote would be a unique challenge.

Some observers have been frustrated by the DEF CON culture. Amber McReynolds, a former director of elections for Denver and current member of the Board of Governors of the Postal Service, says that you need to get beyond the constant critiquing and move onto productive solutions. She warns that if you don’t do this, your research could be misused by people who want to discredit the system. “I would like to see the community election security professionals be more mindful about the downstream effects of their comments and their work regarding election officials and democracy as a whole.” By September Gilbert had not heard from Hursti. In reality, no one had offered to test the machine.

When Undark reached out the experts Gilbert had initially contacted, they offered different explanations why they were silent. One claimed that he had retired. The second was in the hospital. Hursti stated that Gilbert had emailed him from his personal account and not the official DEF CON Voting Village account. When asked if he would include the machine at next year’s event he did not respond to Undark’s repeated messages. He wrote to Undark to clarify that Gilbert’s machine would welcome at next year’s convention. However, he had to follow certain DEF CON policies. This included requiring hackers to sign non-disclosure agreements.

Appel declined the opportunity to test the machine as he didn’t have the time or resources to do so. But he had seen the video of the device in action and heard Gilbert give a presentation on the new model. He said it was a good design idea. The lack of hard drives makes it easier for hackers to exploit. He said that the device is solving a problem with ballot marking devices that no one else has attempted to solve. Appel said that he is skeptical about the idea of unhackability. He also imagined scenarios in which Gilbert’s design might fail. In a blog post published in April of last year, for example, he wrote that the system depends a great deal on human voters’ being prompted to review their votes. Appel suggested that a subtle hack could be used to remove the prompt. He wrote that this gives voters the chance to intentionally misprint. Appel suggested another scenario: Suppose a voter tells a worker that the machine printed the wrong name in the ballot. Gilbert has prepared for this scenario. It’s possible to compare Gilbert’s master disc with the one in the machine to determine if there is fraudulent code. Let’s suppose that the poll worker can execute this plan flawlessly during the chaos of Election Day. It reveals that the machine has been tampered with. What next? It’s not clear if Gilbert’s machine will ever be used in a wider context. Dan Wallach, a Rice University computer scientist, said that the machine was a significant step forward. He expressed concerns about the machine’s durability. Appel noted that any new technology will have difficulties in mass production and will require training for voters and poll workers.

There are other hurdles, too. It’s difficult to break into the industry for potential newcomers, says Ben Hovland (a commissioner with Election Assistance Commission), which was originally established by HAVA to enact certain laws, including the distribution of federal funding for machines. The industry isn’t very large. He says that although there are many jurisdictions across the country, there is a fixed amount equipment available for sale.

“And if the jurisdiction recently bought equipment, they may not be looking for 10 years, maybe more.”

Most states also require machines to be certified, which the vendors must pay for. Gilbert could be required to pay hundreds of thousands of dollars for this process according to EAC guidelines.

Gilbert is now working on a new paper and is still looking for a hacker to test the machine. He is now feeling a bit jaded about the world that is election hacking. It often seems more focused on performing and tearing down machines than actually working towards solutions. They only look at things that they can break,” Gilbert said.

“If you have something that you can’t on the face of it figure out before you touch it, they’re not going to touch it.”

Spenser Mestel is a poll worker and independent journalist. His publications include the New York Times and Guardian.