Voters elect officials in representative democracies who pass laws, interpret laws, enforce laws, or appoint various other representatives to do one of the above. The terms of elected officials, the particulars of their laws, the structure of courts that interpret laws, and the makeup of the bureaucracies that are necessarily created to govern are different in every country.
In China, the people elect the People’s Congresses who then elect the nearly 3,000 National People’s Congress members, who then elect the Present and State Councils. The United States has a more direct form of democracy and the people elect a House of Represenatives, a Senate, and a president who the founders intentionally locked into a power struggle to keep any part of the government from becoming authoritarian. Russia is setup similar. In fact, the State Duma, like the House in the US are elected by the people and the 85 States, or federal subjects, then send a pair of delegates to a Federal Council, like the Senate in the US, which has 170 members. It works similarly in many countries. Some, like England, still provide for hereditary titles, such as the House of Lords - but even there, the Sovereign - currently Queen Elizabeth the second, nominates a peer to a seat. That peer is these days selected by the Prime Minister. It’s weird but I guess it kinda’ works.
Across democracies, countries communist, socialist, capitalist, and even the constitutional monarchies practice elections. The voters elect these representatives to supposedly do what’s in the best interest of the constituents. That vote cast is the foundation of any democracy. We think our differences are greater than they are, but it mostly boils down to a few percentages of tax and a slight difference in the level of expectation around privacy, whether that expectation is founded or not.
2020 poses a turning point for elections around the world. After allegations of attempted election tampering in previous years, the president of the United States will be voted on. And many of those votes are being carried out by mail. But others will be performed in person at polling locations and done on voting machines.
At this point, I would assume that given how nearly every other aspect of American life has a digital equivalent, that I could just log into a web portal and cast my vote. No. That is not the case. In fact, we can’t even seem to keep the voting machines from being tampered with. And we have physical control over those! So how did we get to such an awkward place, where the most important aspect of a democracy is so backwater. Let’s start
Maybe it’s ok that voting machines and hacking play less a role than they should. Without being political, there is no doubt that Russia and other foreign powers have meddled in US elections. In fact, there’s probably little doubt we’ve interfered in theirs. Russian troll farms and disinformation campaigns are real. Paul Manafort maintained secret communications with the Kremlin. Former US generals were brought into the administration either during or after the election to make a truce with the Russians. And then there were the allegations about tampering voting machines. Now effectively stealing information about voters from Facebook using insecure API permissions. I get that. Disinformation goes back to posters in the time of Thomas Jefferson. I get that too.
But hacking voting machines. I mean, these are vetted, right? For $3,000 to $4,500 each and when bought in bulk orders of 16,000 machines like Maryland bought from Diebold in 2005, you really get what you pay for, right? Wait, did you say 2005? Let’s jump forward to 2017. That’s the year DefCon opened the Voting Machine Hacking Village. And in 2019 not a single voting machine was secured. In fact, one report from the conference said “we fear that the 2020 presidential elections will realize the worst fears only hinted at during the 2016 elections: insecure, attacked, and ultimately distrusted.”
I learned to pick locks, use L0phtCrack, run a fuzzer, and so much more at DefCon. Now I guess I’ve learned to hack elections. So again, every democracy in the world has one thing it just has to get right, voting. But we don’t. Why? Before we take a stab at that, let’s go back in time just a little.
The first voting machine used in US elections was a guy with a bible. This is pretty much how it went up until the 1900s in most districts. People walked in and told an election official their vote, the votes were tallied on the honor of that person, and everyone got good and drunk. People love to get good and drunk. Voter turnout was in the 85 percent range. Votes were logged in poll books. And the person was saying the name of the official they were voting for with a poll worker writing their name and vote into a pollbook. There was no expectation that the vote would be secret. Not yet at least. Additionally, you could campaign at the polling place - a practice now illegal in most places. Now let’s say the person taking the votes fudged something. There’s a log. People knew each other. Towns were small. Someone would find out.
Now digitizing a process usually goes from vocal or physical to paper to digital to database to networked database to machine learning. It’s pretty much the path of technological determinism. As is failing because we didn't account for adjacent advancements in technology when moving a paper process to a digital process. We didn't refactor around the now-computational advances.
Paper ballots showed up in the 1800s. Parties would print small fliers that looked like train tickets so voters could show up and drop their ballot off. Keep in mind, adult literacy rates still weren’t all that high at this point. One party could print a ticket that looked kinda’ like the others. All kinds of games were being played. We needed a better way.
The 1800s were a hotbed of invention. 1838 saw the introduction of a machine where each voter got a brass ball which was then dropped in machine that used mechanical counters to increment a tally. Albert Henderson developed a precursor to a computer that would record votes using a telegraph that printed ink in a column based on which key was held down. This was in 1850 with US Patent 7521. Edison took the idea to US Patent 90,646 and automated the counters in 1869. Henry Spratt developed a push-button machine. Anthony Beranek continued on with that but made one row per office and reset after the last voter, similar to how machines work today.
Jacob Meyers built on Berenek’s work and added levers in 1889 and Alfred Gillespie made the levered machine programmable. He and others formed the US Standard Voting Machine Company and slowly grew it. But something was missing and we’ll step back a little in time. Remember those tickets and poll books? They weren’t standardized.
The Australians came up with a wacky idea in 1858 to standardize on ballots printed by the government, which made it to the US in 1888. And like many things in computing, once we had a process on paper, the automation of knowledge work, or tabulating votes would soon be ready to take into computing. Herman Hollerith brought punched card data processing to the US Census in 1890 and punch cards - his company would merge with others at the time to form IBM.
Towards the end of the 1890s John McTammany had aded the concept that voters could punch holes in paper to cast votes and even went so far as to add a pneumatic tabulation. They were using rolls of paper rather than cards. And so IBM started tabulating votes in 1936 with a dial based machine that could count 400 votes a minute from cards. Frank Carrell at IBM got a patent for recording ballot choices on standardized cards. The stage was set for the technology to meet paper. By 1958 IBM had standardized punch cards to 40 columns and released the Port-A-Punch for so people in the field could punch information into a card to record findings and then bring it back to a computer for processing. Based on that, Joseph Harris developed the Votomatic punched-cards in 1965 and IBM licensed the technology. In the meantime, a science teacher Reynold Johnson had developed Mark Sense in the 1930s, which over time evolved into optical mark recognition, allowing us to fill in bubbles with a pencil. So rather than punch holes we could vote by filling in a bubble on a ballot.
All the pieces were in place and the technology slowly proliferated across the country, representing over a third of votes when Clinton beat Dole and Ross Perot in 1996.
And then 2000 came. George W. Bush defeated Al Gore in a bitterly contested and narrow margin. It came down to Florida and issues with the ballots there. By some tallies as few as 300 people decided the outcome of that election. Hanging chads are little pieces of paper that don’t get punched out of a card. Maybe unpunched holes in just a couple of locations caused the entire election to shift between parties. You could get someone drunk or document their vote incorrectly when it was orally provided in the early 1800s or provide often illiterate people with mislabeled tickets prior to the Australian ballots. But this was the first time since the advent of the personal computer, when most people in the US had computers in their homes and when the Internet bubble was growing by the day that there was a problem with voting ballots and suddenly people started wondering why were still using paper.
The answer isn’t as simple as the fact that the government moves slowly. I mean, the government can’t maintain the rate of technical innovation and progress anyways. But there are other factors as well. One is secrecy. Anywhere that has voting will eventually have some kind of secret ballots. This goes back to the ancient greeks but also the French Revolution. Secret ballots came to the UK in the 1840s with the Chartists and to the US after the 1884 election. As the democracies matured, the concept of voting rights matured and secret ballots were part of that. Making sure a ballot is secret means we can’t just allow any old person to look at a ballot.
Another issue is decentralization. Each state selects their own machines and system and sets dates and requirements. We see that with the capacity and allocation of mail-in voting today.
Another issue is cost. Each state also has a different budget. Meaning that there are disparities between how well a given state can reach all voters. When we go to the polls we usually work with volunteers. This doesn’t mean voting isn’t big business. States (and countries) have entire bureaucracies around elections. Bureaucracies necessarily protect themselves.
So why not have a national voting system? Some countries do. Although most use electronic voting machines in polling places. But maybe something based on the Internet? Security. Estonia tried a purely Internet vote and due to hacking and malware it was determined to have been a terrible idea. That doesn’t mean we should not try again.
The response to the 2000 election results was the Help America Vote Act of 2002 to define standards managed by the Election Assistance Commission in the US. The result was the proliferation of new voting systems. ATM machine maker Diebold entered the US election market in 2002 and quickly became a large player.
The CEO ended up claiming he was “committed to helping Ohio deliver its electoral votes to” Bush. They accidentally leaked their source code due to a misconfigured server and they installed software patches that weren’t approved. In short, it was a typical tech empire that grew too fast and hand issues we’ve seen with many companies. Just with way more on the line. After a number of transitions between divisions and issues, the business unit was sold to Election Systems & Software, now with coverage over 42 states. And having sold hundreds of thousands of voting machines, they now have over 60% of the market share in the us. That company goes back to the dissolution of a ballot tabulation division of Westinghouse and the Votronic. They are owned by a private equity firm called the McCarthy Group.
They are sue-happy though and stifling innovation. The problems are not just with ES&S. Hart InterCivic and Dominion are the next two biggest competitors, with equal issues. And no voting machine company has a great track record with security. They are all private companies. They have all been accused of vote tampering. None of that has been proven. They have all had security issues.
In most of these episodes I try to focus on the history of technology or technocratic philosophy and maybe look to the future. I rarely offer advice or strategy. But there are strategies not being employed.
The first strategy is transparency. In life, I assume positive intent. But transparency is really the only proof of that. Any company developing these systems should have transparent financials, provide transparency around the humans involved, provide transparency around the source code used, and provide transparency around the transactions, or votes in this case, that are processed. In an era of disinformation and fake news, transparency is the greatest protection of democracy.
Providing transparency around financials can be a minefield. Yes, a company should make a healthy margin to continue innovating. That margin funds innovators and great technology. Financials around elections are hidden today because the companies are private. Voting doesn’t have to become a public utility but it should be regulated.
Transparency of code is simpler to think through. Make it open source. Firefox gave us an open source web browser. ToR gave us a transparent anonymity. The mechanisms with which each transaction occurs is transparent and any person with knowledge of open source systems can look for flaws in the system. Those flaws are then corrected as with most common programming languages and protocols by anyone with the technical skills to do so. I’m not the type that thinks everything should be open source. But this should be.
There is transparency in simplicity. The more complex a system the more difficult to unravel. The simpler a program, the easier for anyone with a working knowledge of programming to review and if needed, correct. So a voting system should be elegant in simplicity.
Verifiability. We could look at poll books in the 1800s and punch the vote counter in the mouth if they counted our vote wrong. The transparency of the transaction was verifiable. Today, there are claims of votes being left buried in fields and fraudulent voters. Technologies like blockchain can protect against that much as currency transactions can be done in bitcoin. I usually throw up a little when I hear the term blockchain bandied about by people who have never written a line of code. Not this time.
Let’s take hashing as a fundamental building block. Let’s say you vote for a candidate and the candidate is stored as a text field, or varchar, that is their name (or names) and the position they are running for. We can easily take all of the votes cast by a voter, store them in a json blob, commit them to a database, add a record in a database that contains the vote supplied, and then add a block in chain to provide a second point of verification. The voter would receive a guid randomly assigned and unique to them, thus protecting the anonymity of the vote. The micro-services here are to create a form for them to vote, capture the vote, hash the vote, commit the vote to a database, duplicate the transaction into the voting blockchain, and allow for vote lookups. Each can be exposed from an API gateway that allows systems built by representatives of voters at the federal, state, and local levels to lookup their votes.
We now have any person voting capable of verifying that their vote was counted. If bad data is injected at the time of the transaction the person can report the voter fraud and a separate table connecting vote GUIDs to IP addresses or any other PII can be accessed only by the appropriate law enforcement and any attempt by law enforcement to access a record should be logged as well. Votes can be captured with web portals, voting machines that have privileged access, by 1800s voice counts, etc.
Here we have a simple and elegant system that allows for transparency, verifiability, and privacy. But we need to gate who can cast a vote. I have a PIN to access by IRS returns using my social security number or tax ID. But federal elections don’t require paying taxes. Nextdoor sent a card to my home and I entered a PIN printed on the card on their website. But that system has many a flaw. Section 303 of the Help America Vote Act of 2002 compels the State Motor Vehicle Office in each state to validate the name, date of birth, Social Security Number, and whether someone is alive. Not every voter drives. Further, not every driver meets voting requirements. And those are different per state.
And so it becomes challenging to authenticate a voter. We do so in person, en masse, at every election due to the the staff and volunteers of various election precincts. In Minnesota I provided my drivers license number when I submitted my last ballot over the mail. If I moved since the last time I voted I also need a utility bill to validate my physical address. A human will verify that. Theoretically I could vote in multiple precincts if I were able to fabricate a paper trail to do so. If I did I would go to prison.
Providing a web interface unless browsers support a mechanism to validate the authenticity of the source and destination is incredibly dangerous. Especially when state sponsored actors as destinations have been proven to be able to bypass safeguards such as https. And then there’s the source. It used to be common practice to use Social Security Numbers or cards as a form of verification for a lot of things. That isn’t done any more due to privacy concerns and of course due to identity theft.
You can’t keep usernames and passwords in a database any more. So the only real answer here is a federated identity provider. This is where OAuth, OpenID Connect, and/or SAML come into play. This is a technology that retains a centralized set of information about people. Other entities then tie into the centralized identity sources and pull information from them. The technology they use to authenticate and authorize users is then one of the protocols mentioned.
I’ve been involved in a few of these projects and to be honest, they kinda’ all suck. Identities would need to be created and the usernames and passwords distributed. This means we have to come up with a scheme that everyone in the country (or at least the typically ill-informed representatives we put in place to make choices on our behalf) can agree on. And even if a perfect scheme for usernames is found there’s crazy levels of partisanship. The passwords should be complex but when dealing with all of the factors that come into play it’s hard to imagine consensus being found on what the right level is to protect people but also in a way passwords can be remembered.
The other problem with a federated identity is privacy. Let’s say you forget your password. You need information about a person to reset it. There’s also this new piece of information out there that represents yet another piece of personally identifiable information. Why not just use a social security number? That would require a whole other episode to get into but it’s not an option. Suddenly if date of birth, phone number (for two factor authentication), the status of if a human is alive or not, possibly a drivers license number, maybe a social security number in a table somewhere to communicate with the Social Security databases to update the whole alive status. It gets complicated fast. It’s no less private that voter databases that have already been hacked in previous elections though.
Some may argue to use biometric markers instead of all the previous whatnot. Take your crazy uncle Larry who thinks the government already collects too much information about him and tells you so when he’s making off-color jokes. Yah, now tell him to scan his eyeball or fingerprint into the database. When he’s done laughing at you, he may show you why he has a conceal and carry permit.
And then there’s ownership. No department within an organization I’ve seen wants to allow an identity project unless they get budget and permanent head count. And no team wants another team to own it. When bureaucracies fight it takes time to come to the conclusion that a new bureaucracy needs to be formed if we’re going anywhere. Then the other bureaucracies make the life of the new one hard and thus slow down the whole process. Sometimes needfully, sometimes accidentally, and sometimes out of pure spite or bickering over power. The most logical bureaucracy in the federal government to own such a project would be the social security administration or the Internal Revenue Service.
Some will argue states should each have their own identity provider. We need one for taxes, social security, benefits, and entitlement programs. And by the way, we’re at a point in history when people move between states more than ever. If we’re going to protect federal and state elections, we need a centralized provider of identities. And this is going to sound crazy, but the federal government should probably just buy a company who already sells an IdP (like most companies would do if they wanted to build one) rather than contract with one or build their own. If you have to ask why, you’ve never tried to build one yourself or been involved in any large-scale software deployments or development operations at a governmental agency. I could write a book on each.
There are newer types of options. You could roll with an IndieAuth Identity Provider, which is a decentralized approach, but that’s for logging into apps using Facebook or Apple or Google - use it to shop and game, not to vote. NIST should make the standards, FedRAMP should provide assessment, and we can loosely follow the model of the European self-sovereign identity framework or ESSIF but build on top of an existing stack so we don’t end up taking 20 years to get there.
Organizations that can communicate with an identity provider are called Service Providers. Only FedRAMP certified public entities should be able to communicate with a federal federated identity provider. Let’s just call it the FedIdP.
Enough on the identity thing. Suffice it to say, it’s necessary to successfully go from trusting poll workers to being able to communicate online. And here’s the thing about all of this: confidence intervals. What I mean by this is that we have gone from being able to verify our votes in poll books and being able to see other people in our communities vote to trusting black boxes built by faceless people whose political allegiances are unknown. And as is so often the case when the technology fails us, rather than think through the next innovation we retreat back to the previous step in the technological cycle: if that is getting stuck at localized digitization we retreat back to paper. If it is getting stuck at taking those local repositories online we would have retreated back to the localized digital repository. If we’re stuck at punch cards due to hanging chads then we might have to retreat back to voice voting. Each has a lower confidence interval than a verifiable and transparent online alternative. Although the chances of voter fraud by mail are still .00006%, close to a 5 9s.
We need to move forward. It’s called progress. The laws of technological determinism are such that taking the process online is the next step. And it’s crucial for social justice. I’ve over-simplified what it will take. Anything done on a national scale is hard. And time consuming. So it’s a journey that should be begun now.
In the meantime, there’s a DARPA prize. Given the involvement of a few key DARPA people with DefCon and the findings of voting machine security (whether that computers are online and potentially fallible or physically hackable or just plain bad) DARPA gave a prize to the organization that could develop a tamper proof, open-source voting machine. I actually took a crack at this, not because I believed it to be a way to make money but because after the accusations of interference in the 2016 election I just couldn’t not. Ultimately I decided this could be solved with an app in single app mode, a printer to produce a hash and a guid, and some micro-services but that the voting machine was the wrong place for the effort and that the effort should instead be put into taking voting online.
Galois theory gives us a connection from field theory and group theory. You simplify field theory problems so they can be solved by group theory. And I’ve oversimplified the solution for this problem. But just as with studying the roots of polynomials, sometimes simplicity is elegance rather than hubris. In my own R&D efforts I struggle to understand when I’m exuding each.
The 2020 election is forcing many to vote by mail. As with other areas that have not gotten the innovation they needed, we’re having to rethink a lot of things. And voting in person at a polling place should certainly be one. As should the cost of physically delivering those ballots and the human cost to get them entered.
The election may or may not be challenged by luddites who refuse to see the technological determinism staring them in the face. This is a bipartisan issue. No matter who wins or loses the other party will cry foul. It’s their job as politicians. But it’s my job as a technologist to point out that there’s a better way. The steps I outlined in this episode might be wrong. But if someone can point out a better way, I’d like to volunteer my time and focus to propelling it forward. And dear listener, think about this. When progress is challenged what innovation can you bring or contribute to that helps keep us from retreating to increasingly analog methods.
Herman Hollerith brought the punch card, which had been floating around since the Jacquard loom in 1801. Those were individuals who moved technology forward in fundamental ways. In case no one ever told you, you have even better ideas locked away in your head. Thank you for letting them out. And thank you for tuning in to this episode of the History of Computing Podcast. We are so, so lucky to have you.