In August, the Democratic National Committee decreed there would be no online voting in 2020’s state party-run presidential caucuses due to security and reliability issues. But the Nevada Democratic Party will be using several online elements in early voting and 1,700-plus local precinct caucuses, reviving these concerns among election experts.
The state party, as detailed in a long report in the Nevada Independent, will use an app—that “has not been finalized yet” — so caucus chairs can receive the results of early voting by area residents (February 15-18) and transmit the outcome of their precinct’s ranked-choice process (February 22) over Wi-Fi or cellular signals to state party headquarters. Nevadans who have not registered as Democrats can do soto vote early or at precinct caucuses, where party representatives will add them to their voter rolls via online or cellular transmissions, the Independent also said.
Early voters and those participating in the caucuses will also record their registrations and presidential preferences on paper forms — as backups. But the central systems that will be used to manage voter lists and to submit local precinct results in 2020’s third Democratic presidential contest will be over the internet.
The state party sees many benefits in deploying party-provided electronic tablets in early voting, such as the ability to offer ballots in many languages. It similarly sees benefits in precinct caucus chairs using a smartphone-based app that is basically a vote-calculator that receives and sends data at the start and close of the process, as that app facilitates ranked-choice voting tallies and quickly reports to state party headquarters.
However, the reaction from computer scientists and other technical experts who have extensively studied voting systems — and reviewed the Nevada Independent report but not seen further details — is marked by more worry than praise. Beyond questions of whether the state party is skirting the DNC Rules and Bylaws Committee’s reversal on offering online voting in 2020, key aspects of the overall system that Nevada is poised to use revive many cybersecurity and reliability issues associated with internet-connected voting systems.
In short, the use of online data transmissions and apps might not uniformly work, could be disrupted or corrupted by meddlers, and could undermine the process’s credibility.
“It is an enormous target of opportunity for disruption,” said David Jefferson, a Lawrence Livermore National Laboratory computer scientist and Verified Voting board member who has analyzed voting systems since the 1990s. “For example, the central locations could be the target of a denial of service attack [blocking data transmission]. It would be hard to prevent or defend against that.”
“Certainly, cellular telephone, most of the time these days, is the internet. Wi-Fi is the internet. You’re taking something that is not supposed to be connected to the internet and you’re connecting,” said Duncan Buell, chair and professor of the College of Engineering and Computing at the University of South Carolina and a county election official. “If this is the counting and tabulation system, that’s an absolute no-no. One does not do that.”
“The caucus voting system proposed in Nevada has a sufficient number of online components that it causes me concern about the level of security required to maintain the integrity of the process,” Maurice Turner, Internet Architecture Project deputy director at the Center for Democracy and Technology, said. “Thousands of network connections and user authentication sessions is a lot to manage perfectly on the first try.”
These experts are referring to different aspects of Nevada’s overall caucus voting system. Jefferson said that data pathways could be impeded. Buell said the counting mechanisms could be compromised. Turner said the system’s gears might not all mesh—for reasons tied to deploying still-evolving software, which was “a constant cycle of refining new features and fixing uncovered vulnerabilities without breaking the usability.”
These concerns are not new nor the only ones raised by experts in election technology and security circles. Different issues arise as voting data moves through the process — starting with registration and voter lists, and continuing to balloting and tabulations.
In 2016, Russian spy agencies hacked into two statewide voter registration databases (in Illinois and Arizona) and are suspected of scrambling Election Day voter lists in a large North Carolina county. (A Nevada party official, on background, said that the party will use the state’s voter registration system for new voters and updating voter lists.)
Voting system vendors have long denied and then been criticized for allowing voting machinery to be accessed over the internet, leading Democrats who focus on election security like Oregon Sen. Ron Wyden to say, “Not only should ballot tallying systems not be connected to the internet, they shouldn’t be anywhere near the internet.”
Party-run elections, such as presidential caucuses, also occupy a gray area of law where there are limited federal penalties for meddling apart from campaign finance violations and few case law precedents for falsifying results, said Rick Hasen, who curates a well-respected election law blog and teaches law at the University of California Irvine.
More recently, the worst-case scenarios for 2020 — such as one described in a recent Lawfare blog post by former Facebook Security Chief Alex Stamos — said that attacks on infrastructure that underlies election systems are not just speculation.
These precedents are apart from partisan disinformation that would erupt if an early 2020 presidential caucus were somehow marred.
The Nevada Democratic Party only struck positive notes in an upbeat December 5 press release touting the Nevada Independent’s coverage of its new presidential caucus voting system.
“As the first and only caucus state to offer in-person early voting, NV Dems are making history in 2020,” its release excerpting the Independent’s report said. “In order to make this process more efficient, the state party developed an app to assist in both early voting and on Caucus Day to ensure Nevada Democrats have their voice heard alongside their neighbors at their home precinct and to assist the thousands of volunteers who will be leading caucuses on February 22.”
The Independent reported, “Party officials… did not go into detail about the specific security measures they are putting into place, other than to say that they are implementing ‘common’ protocols, such as two-factor authentication for log-ins to the apps.” Shelby Wiltz, the state caucus director, told the Nevada outlet: “We’ve been working hand in hand with the DNC and security experts to ensure that this process is going to be secure at every step.”
The Nevada Democratic Party did not reply to multiple requests from Voting Booth seeking details about their caucus system. Neither did the Iowa Democratic Party’s executive director reply to see if that state was using some of the same systems in its 2020 early voting. (The two states were planning to use the same telephone-voting vendor before the DNC Rules and Bylaws Committee reversed course on online voting in August.)
Questions to the Rules Committee were forwarded to David Bergstein, DNC director of battleground state communications, who said that Nevadans would not be voting via an online ballot. Therefore, Nevada’s approach was not online voting, an accompanying background memo said. The apps “are not a mechanism for mobile or online voting.”
“Nevada’s application [app] is being used to assist in running their caucus and early vote process in a more efficient manner,” Bergstein said. “The application is being used for those who caucus in person—it is not in conflict with the RBC’s [DNC Rules and Bylaws Committee] guidance in regards to the use of remote or tele-caucus voting utilizing technology, and their plan is in compliance.”
Narrow Views and Wider Threats
The DNC Rules Committee is not a body that micromanages the technical aspects of each state’s nominating process. It reviews state plans to see if participation goals will be met, and in party-run contests—where a handful of state parties will rent voting systems for caucuses or primaries—how the voting and delegate selection process will unfold.
During its review of 2020 state plans, it became aware of cybersecurity and reliability issues surrounding the introduction of an online voting option. Initially, that option was seen as a way to boost participation in the presidential caucuses. That led the RBC to convene a technical advisory board of outside experts. They concluded that allowing voters to participate by using their phones as ballot-marking devices was too risky. Despite protests from caucus and party-run primary states, the Rules Committee in August voted to postpone introducing an online voting option.
After that meeting, Nevada’s 2020 plans were not discussed further by the body, but endorsed and turned over to the DNC’s technical staff. The latest details about how elements of their system would use online data transmissions emerged in a December 5 profile by Megan Messerly in the Nevada Independent.
Voting Booth then contacted experts to assess the latest developments. Most could only go so far in raising specific issues because they had not examined the Nevada system’s fine-print details beyond the Independent’s report. While some experts praised the state party for using digital devices while they were offline (such as tablets for early voting sessions and apps to calculate rank-choice results) and having paper record backups and other contingency planning, they also raised many questions.
“The idea of using an app to hold the instructions for running the caucus seems like a good idea, especially if backed up by verbal and printed instructions from training (and downloadable, so it doesn’t rely on a live connection),” said Whitney Quesenbery, co-director of the Center for Civic Design and a nationally known expert on usability issues in voting systems. “Knowing which caucus locations are most likely to have problems seems like good contingency planning.”
“There certainly is a risk in trying something new,” said the Center for Democracy and Technology’s Turner. “Officials should be prepared to publicly communicate both the good and the bad that will come from using the new system, and ensure that their backup plan of using on-site registration and paper backups is well-practiced.”
“Is someone at [party] headquarters going to check the [online] data to make sure there are no simple mistakes?” asked Quesenbery. “How open are they being about sharing the app and the process of managing both the caucus interactions and the data? Are they going to run some equivalent of both process tests and a logic and accuracy test?”
The state party did not respond to inquiries to pose these and other questions, such as about training with an evolving app to be used by 1,700 chairs in two months.
The University of South Carolina’s Duncan Buell, who also is a county election official, said that using an unfinished app “was nuts.”
“I don’t see the need for this. I think it is a genuinely bad idea,” he said. “There’s really no reason why they [precinct chairs] literally couldn’t get in the telephone and relay numbers [local results]. This is not like a ballot with 20 different things they have to report. This is one set of numbers of decreasing complexity.”
“Presumably, they’ll have TV screens or something [at caucus sites],” he continued. “So, from a remote location, you telephone it in. Somebody types in the numbers. We see numbers appearing on the screen. If they are not the same numbers you just got on your piece of paper, you tell them to correct it… This is not rocket science.”
Verified Voting’s David Jefferson agreed that using the telephone to avoid transmitting data online was probably the simplest way to address most likely cybersecurity risks.
“I was thinking also that telephone exchanging this information would either be preferable or useful as a check of the online communication of this data,” he said. “But even this is something that if they have not practiced it, it’s not going to work.”
Jefferson thought that the use of a still-evolving app would make it hard for an outsider to hack into the central vote-count management system “mostly because the system has not even been used. It is not even finished now.”
“There’s no way to practice your attack if you’re an attacker. It’s really an example of security by obscurity rather than a serious defense,” he said. “When I say security by obscurity, I don’t mean that this is their deliberate policy. They will get the benefit of that because there is not enough time left for an attacker to get enough information to create a sophisticated attack because the software isn’t finished. But the fact that the software isn’t finished has its own negative effects. They will not be able to practice at any kind of scale or practice their backup procedures, I’m guessing.”
Jefferson was quick to add that his remarks contained elements of uncertainty because he didn’t have enough details for a sharper critique. However, apart from these issues, he said that sending precinct results over the internet was unnecessarily risky amid today’s cybersecurity landscape where the flow of data in digital pipes can be stymied.
“As far as disruption is concerned, it would seem to me to be quite a straightforward target,” he said. “But I have no idea how hardened against a denial of service attack they will attempt to be. Of course, there’s no impregnable defense against a large enough denial of service attack. But, of course, they [the Nevada party’s vendors likely] know that. Or at least the DNC national security staff knows that.”
The Nevada Independent’s profile of the 2020 caucus voting system said “the addition of early voting and new technology to the process has also ramped up pressure on the party to run a smooth caucus, especially after a fraught caucus-to-convention process in 2016.”
Without further DNC intervention—which seems unlikely given its press statements—it appears that the Nevada Party will be introducing a range of new technologies in one of the most volatile presidential seasons in memory. Whether what unfolds will be fraught or greatly facilitated is an open question. But 2020 will not be a repeat of 2016.
Shares