The Vergecast - Election cybersecurity: How ready are we for November 3rd?
Episode Date: July 21, 2020Cybersecurity journalist Kim Zetter talks with The Verge's Nilay Patel and Russell Brandom about the state of election security in the US — what methods are being proposed to stop potential interfer...ence in the voting process, the problems with mail-in voting during a pandemic, and how voting machines are not always the best solution for a presidential election. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Discussion (0)
Support for the show comes from Retool.
Too many companies run critical operations on duct taped spreadsheets,
Slack workflows, and whatever else they could cobble together.
Not because they want to, but because building internal tools
means weeks of waiting on someone else's backlog.
That's where Retool comes in.
Build custom internal tools just by describing what you need.
Prompts something like,
Build Me a Revenue Dashboard on our Salesforce data.
And Retool actually builds it on your company's data,
in your cloud with enterprise security built in.
Go to retool.com slash Verchcast.
We all need to retool how we build software.
What's up, y'all. I'm Skylar Diggins, seven-time WMBA All-Star, Olympic gold medalist, and mom.
And I'm Cassidy Hubbard, host and reporter for nearly 20 years, covering the biggest names and stories in sports and mom.
And this is Am Mom, a community for athletes, game changers, and moms of all kinds.
Tap in with us.
Hey, everybody. It's now from the Vergecast.
On this week's interview episode, Russell Brandem and I sit down with Kim Zetter, who's an
absolutely amazing cybersecurity journalist.
We wanted to talk about election security, voting machine security, e-voting, alternative
ways of voting, how to keep votes secure, safe, and anonymous.
These are huge issues, especially in the pandemic when people are not quite as excited to
go to polling places than might otherwise be.
It turns out e-voting is incredibly.
hard to do securely. Voting machine security issues have been well known for a long time.
There's just a lot of surface area for attack, even as we all kind of push towards these
evoting solutions. Kim has a lot of thoughts on this, a lot of thoughts on what the safest way
to vote is. Obviously, this is all relevant because there's an election coming up. One thing I do
want to call out, we actually taped this episode back in March before primaries, so you will
hear us talk about the upcoming primaries here and there. We just had a really big backlog of
episodes, and this one got pushed, but it felt incredibly relevant.
so we wanted to get it out this week.
So check it out.
It's Kim Zetter on the Vergecast with me and Russell Brandem.
Kim Zetter, you're a cybersecurity journalist.
You wrote an incredible book about Stuxnet called Countdown to Zero Day.
Welcome to the Vergecast.
Thank you.
Thanks for having me.
And Virge Policy editor Russell Brandem is here because anytime there's cybersecurity,
I just look inquiring at Russell for help.
Welcome, Russell.
Wouldn't miss it for the world.
So, Kim, you know, I wanted to talk to you broadly when we asked you,
come on about election security in general. We are obviously now talking in the middle of the
coronavirus pandemic. There's a lot of conversation about how long the sort of shutdowns will last.
There's a lot of conversation about voting by mail. I know Nancy Pelosi is pushing that really hard
in sort of the stimulus bill negotiations. What is your general sense of how ready we are for this
upcoming election given what's happening right now? Oh, I don't think we're ready at all.
I mean, I think that, no, I mean, you have election officials are used to the methods that they've used for years, right?
And even those methods that are, you know, long established, we still have problems in elections, you know.
And so now you're throwing into the mix something entirely new for many states.
I mean, some states are already doing entirely vote by mail, Colorado, Oregon, a couple of them, Washington, Hawaii.
And there are states that are, that offer absentee ballots.
you know, essentially vote by home or vote at home ballots to anyone who wants them,
some restrict that.
But when you're talking about going from sort of requested ballots to sort of mandatory ballots
to everyone, you're talking about changing the entire infrastructure of an election.
And it requires a lot more staff to process vote by mail ballots and just a lot more logistics.
and, you know, throwing that into the mix.
In some cases, if you're trying to do it now for primaries,
because primaries have all been rescheduled for May and June,
that's a couple of months.
That's not going to happen.
And even November is touchy.
Are you used to the nervous laugh response when you give the bad news?
I feel like it's usually, usually when we're talking about election cybersecurity,
it is the bad news.
And I wonder is the kind of, oh, no.
common response.
I think, well, I mean, I think that elections, you know, in general, don't promote a positive response in the U.S.
Because they're often so problematic here.
And I feel like our elections are sort of jury rigged.
You know, we sort of patched them together.
And at the end of election, we sort of wipe our brow and a sigh of relief that, oh, okay, maybe we actually elected the right person or maybe
that went okay, despite everything that goes wrong in elections. So we sort of, you know, fly by in every
election a year and feel like, okay, we pulled something off, but it's really iffy every time we do it.
And I know a lot of people hate it when I talk this way, especially election officials, because
they want the public to have confidence in the outcome of elections. But if you are inside and you
see how the sausage is made, it's disturbing.
how elections are pulled off in the country.
So let's take that for a minute. Outside of the pandemic, outside of maybe we'll postone
our elections, particularly primaries, outside of vote by mail for the general.
You've written a lot about the 2016 election. You've written a lot about the 2018 election.
When there was concerted attempts to sort of break into the infrastructure, access photo
registration databases, what is the sort of state of play of elections before the virus hit?
Well, you know, election officials and DHS have been putting in this very concerted effort since 2016
to try and make election infrastructure more secure.
And so they've had three years to do this.
And it's great that DHS is playing a role in this now because prior to 2016, really, we had nothing.
And now we have sort of someone leading it who can come in and offer free services and do a security assessment for election officials.
But even what DHS has been doing in the last three years is extremely limited.
And they've only been able to actually even do their assessments in about 40 jurisdictions.
They released a report recently showing their progress since 2016.
There are more than 10,000 election jurisdictions in the country.
And their report showed that they were able to do security assessments at 40 of them, about 40 of them.
And even what they're doing, a security assessment that DHS does is they come
in, they'll sort of do as kind of a pen test of your internet-facing systems. So these are, let's say,
the voter registration database or voter lookups, looking up for precincts, anything that's connected
to the internet. They will do a scan and see if there are vulnerabilities. But these are only the
online facing systems. They don't look at the voting machines themselves at all. They don't have a
mandate for that. And these are proprietary systems. And they couldn't look at them even if they wanted to
without permission of the voting machine vendors.
So there's this large swath of the infrastructure
that has not even been examined since 2016.
So just to be clear, I just want to call it off.
You said pen test.
That's a penetration test.
So they come in and they try to attack the systems
that are public-facing to the Internet.
Yeah, they will do a scan.
They look for sort of everything that's on the system,
or sorry, everything that's connected to the Internet,
and then they will look at vulnerabilities and recommend patches.
and then they'll do a follow-up and suggest improvements after that.
I wouldn't call it, I suppose that sort of was a misnomer.
I'm not sure that I would call it a real pen test that they do.
That's much more involved.
But they're really doing sort of a risk and vulnerability assessment.
And then the actual voting machines, I remember this being a controversy, even so far back as 2000, right?
With the machines and the source code is proprietary, nobody could audit the code.
That's still going on?
Yes. So since 2016, a couple of the voting machine vendors have agreed to hand over their systems to DHS. So DHS runs out of Idaho National Lab. DHS has a program there, and they've had a long standing program there for industrial control system security. So this started around a couple of years before Stuxnet. It's around 2006 or so. And they started doing. And they started doing.
doing assessments of industrial control systems for vendors.
And they would look at the vulnerabilities, look at the source code, and then give the vendor a report.
So since 2016, a couple of the voting machine vendors, DHS has done outreach to them,
and a couple of voting machine vendors have agreed to provide their systems to DHS to be examined at Idaho National Lab.
But they're looking at, I believe, upcoming systems, not systems that are currently in the market.
It's unclear to me exactly what they've looked at.
But the problem with that is that we already have long-standing assessments of all of this equipment.
Many of the machines out there have been examined by academics who were able to get hold of the systems.
The vulnerabilities in these systems have been known for two decades.
So there isn't really anything, I think, that DHS's assessment could uncover that someone hasn't already uncovered.
So you're looking at sort of a feel-good movement of voting machine vendors being able to put out a press release saying,
we are very transparent.
We gave our system to DHS to look at,
and we are actively now looking at addressing these vulnerabilities.
But these are vulnerabilities that they sat on for two decades
and showed no interest in many cases of fixing.
And I also want to point out that many of the problems with these systems are architectural.
It's not a matter of slapping a patch on them.
These are endemic problems that have to be fixed
through simply re-architecting the system from scratch.
Give me an example of one of those.
Well, the way that they use encryption in some cases, where they use it badly, they implement it badly, they use poor algorithms, things like that, those are things that they have to, you know, fix in a more concerted way, not just with a patch.
They have hard-coded passwords in some of these systems.
You change a hard-coded password, and that potentially breaks other parts of the system.
Well, we're not even sure about some of the features in the system.
So, for instance, the many systems have an embedded modem that are used to transmit votes on election night.
Well, when these voting machines go through testing and certification in labs that are certified by on a federal level,
the actual modem transmission part never even gets examined by these labs.
So we have parts that actually we don't even know how they've secured them.
We rely on, for instance, election systems and software to tell us that they have all of these,
security features around those modems and the transmission, but we don't really know. No one's ever
actually been looked at that. And so it's unclear even in the DHS assessment if they looked at the
modem transmission of votes. So this sort of, you know, we're talking about like the voting machines
versus the parts of the election infrastructure that are connected to the internet. And this gets to
something that you see in a lot of articles of sort of post-2016, where it trickled out that there
had been a lot of, at the very least, there were Russian government officials sort of paying a lot of
attention to various voter roles and sort of the internet-connected infrastructure. But one of the
things that they always say is, okay, there was some sort of message, we don't want to know if
it's an attack or not. You know, maybe the system was compromised, but the voter rolls
themselves weren't changed, but there's always this sort of note in the story of, you know,
there's no indication that the actual vote tally was altered, right? Because that's not connected
to the system. And also, I think, you know, when you're reporting on this stuff, it's sort of
seen as good form to, like, reassure people in the integrity of the result, just to say, you know,
don't, it's not like they were sort of doing this to, to, so that Bernie would lose out or
what have you. But it sounds like from what you're describing that kind of distinction,
is not really as clear as it looks.
So a couple of things about that.
I'll address sort of the messaging that came out after 2016 first.
There were talking points passed around by election officials and to DHS that were very concerned
that, of course, I mean, there was already concerns before 2016 about the integrity
of the outcome and whether or not people could believe it.
And, of course, Trump was tweeting about, you know, when it looked like,
he might be losing, he sort of injects this tweet out there that would call into question the results if he doesn't win. And then he does win and then everyone also is suspicious about that. So election officials were very nervous about any kind of loss of faith in election outcomes and elections in general. And so the talking points repeated over and over again were that voting machines are never connected to the internet so no one could hack them. And first they said,
no votes were ever changed. That was, that was really the adamant statement. No votes were
ever changed. And then they had to sort of walk that back because people like me were criticizing
them for that. And then they sort of caveated that, well, there's no evidence that any votes
were changed. So we've gone from there are no votes that were changed to there's no evidence
of votes were changed. But there has to be a caveat to that, a further caveat to that in that
no one actually looked to see if any votes were changed. So what I mean by that is that,
It's part of what I said before is that the voting machine vendors prevent anyone from looking at their voting machines.
They actually go to court to fight this when people do try to look at them.
We don't have any sort of effort after an election to examine voting machines and determine whether or not they perform the way that they were supposed to.
And even if we did have an effort to do that, it's really unclear whether we would have the technical ability to see that,
because you can make malware on a machine that disappears once the election is over.
And so you could test a machine after an election and it seems to perform perfectly well.
But during the election, it might not have and you might not ever know it.
So that's an issue there is that we don't even actually look to see if votes were changed.
And so these assertions, you have to take them with a grain of assault and put caveats around them that no one actually ever looked.
The issue now about whether voting machines were connected to the Internet or even the issue about those voter registration databases that the Russians were so interested in in 2016.
when everyone says they looked at data, but they didn't change any data.
So this is another statement that we're supposed to be trusting.
Given the lack of security, the general lack of security around election infrastructure,
we're supposed to believe that all of these states have the ability to detect when voter registration databases have changed.
And it's not clear that they do have that.
In order to do that, you have to have some kind of change management system in place so that you have a backup of
the voter roll data over, I don't know, let's say years time or whatever, and to do a comparison
to see over those subsequent months when the Russians were looking into voter registration databases,
you have to have some change management to see what got changed and what were authenticated changes
and what were unauthenticated changes. And it's not clear that states were doing that.
So we don't really even know what's behind those statements, those assertions that they're making.
So I guess, I mean, a lot of what you're describing here are sort of safeguards that we should have both sort of technically and politically, right?
That like there should be a technical safeguard in the state election system.
And then also there should be sort of a political safeguard of like someone is checking to see a sort of third party is coming in to make sure that that technical safeguard is working appropriately.
And, you know, it's absolutely like alarming how few of.
those safeguards are in place. But one thing I always struggle with is, you know, as cybersecurity
writer, a lot of what people think about as sort of threat models, right? What is the attack
that you're worried about? And I think, you know, for this, a lot of what you hear from election
vendors is, well, the threat model, because the machine isn't physically on the internet, right?
Like, the voting machine isn't physically on the internet. The threat model would have to be some sort of
Russian spy slash troll coming in and physically plugging a USB stick into, you know, this machine,
and then that would compromise this particular voting location.
So there are multiple threat models.
There's the threat model against the voter registration databases, right?
So if someone comes in and alters the voter registration databases to remove voters or to indicate
that they're in an active voter and then they have to vote in some provisional way or something,
There are a lot of ways to just sort of disrupt and disenfranchise voters if you mess with the voter registration database.
But that's a very visual, sorry, visible way of doing it, right?
We'll start to see a lot of voters showing up at the polls and having problems with their voter registration.
So that's one thing.
That's one threat model.
That would create a lot of chaos.
And it's unclear, you know, if we would do a do-over.
That's the other thing is we don't have methods for like, okay, if this goes wrong, what is our plan?
The second thing about what you said about no voting machines connected to the Internet, that's not true.
All of those voting machines that transmit votes on election night via modem are connected to the Internet.
They're connecting to cellular towers in order to do that transmission and that data is going through the Internet.
And that means that there is a back-end system on the Internet also that is receiving that cellular transmission.
So there are critical systems that are connected to the Internet.
And I wrote a story about that last year, which said not only is there just a system there that's receiving those votes,
connected to that system is also the system that does the final tabulation of official voting results.
But there's also that system that does that final tabulation is also, in many cases,
the system that programs all of the voting machines before an election.
So it's not about someone coming in with a USB stick and infecting one system or even just like one county system.
You have another threat model here, and that is the voting machine vendor themselves.
or in many cases, counties will contract with a third-party company to program the machines for them before an election.
Those third-party companies that sort of sit there as middlemen are vulnerable.
They don't have CSOs.
They don't have security staff.
They have never needed or had a requirement to have any kind of security awareness or basic level of security themselves.
So the threat models are multi here, and multiple layers.
multiple levels, multiple parties.
And that's some of what DHS has been trying to address over the last three years.
But like I said, they have a small staff and they have limited amount of resources and way, way too many jurisdictions to try and secure.
Support for this show comes from Shopify.
Every thriving successful business has to start somewhere.
A good place to start is a relatively simple question.
What if, given the right tools, I really put my all into this.
One tool that can help grow your sprouting business to new heights is Shopify.
Millions of businesses around the world rely on Shopify for e-commerce.
They offer a host of helpful tools you can take advantage of,
from payment processing to analytics to website design.
Their design studio includes hundreds of templates to help you create the exact website
you've been envisioning for your business.
If you're wondering, what if I need help?
Then no worries, because you're never left to fend for yourself.
Shopify's award-winning,
customer support is available 24-7. It's time to turn those what-ifs into a thriving business with
Shopify today. Sign up for your $1 per month trial today at Shopify.com slash vergecast. Go to
Shopify.com slash vergecast. That's Shopify.com slash vergecast. Support for the show comes from
Grammarly. You don't need reminding that the world moves fast. But work today requires clear
communication, and when every message counts, sounding rushed or generic can be getting lost
in the shuffle. Grammally gives you one place to think, write, and finish your work where you
already write, while giving you access to agents that help you sound natural and engaging. No matter
what kind of writing you're doing, Gramerly helps you get ideas done faster and move from draft to
done with less friction. You can use Gramerley's AI chat to brainstorm ideas, outline a solid draft,
then refine it with context-aware suggestions that fit what you're working on.
See why 90% of professionals say Grammarly has saved them time writing and editing their work.
In a world of generic AI, you don't have to sound like everyone else.
With Grammarly, you never will.
Download Grammarly for free at Grammarly.com.
That's Grammarly.com.
So a thing we talk about on the show all the time is that computers sort of generally are well
understood, like you add a computer to something and you kind of know what problems it comes with.
And so here it seems like computers are very good at counting. So it seems like you should just
glue a computer onto this process that is fundamentally counting very fast and reliably.
But then there's the set of computer problems of security, network security. You need a chief security
officer. You need multiple rounds of audits. And no one has really addressed that set of problems
in a holistic or countrywide way.
Is that a good frame to think about it?
Yeah.
I mean, so any time you introduce computers into the mix here,
you have the potential for problems,
whether or not it's someone hacking
or just a software glitch
or some kind of thing that goes wrong with it.
So you have a problem of relying on that system.
Now, it's not a bad thing to use a computer to count ballots,
to count votes for, you know, rapid counting.
And there are some studies that indicate
that computers are more accurate than people,
you know, hand counting, manually counting.
But you need to have a checks and balance,
and that's the point of the audits that you mentioned.
And first of all, you need that paper trail.
You need a paper backup,
a ballot that was handmarked by the voter,
so we know the voter's intent.
And you have that as a backup.
That auditing part is critical that you mention
because if no one ever actually looks at that paper backup,
then it doesn't mean anything.
And the problem that we have right now
is that there are only,
I believe two states that actually do the type of audit that is designed to detect if there's
been a problem with the software.
Many states have audits in place.
They have to do some kind of audit legally, but the way that they do the audit won't
actually necessarily catch problems.
And so we've got sort of these false assurances.
We spent the last two decades many states moving back to machines that produce a paper
backup, but then they don't ever actually even look at the paper backup so it doesn't mean
anything. But then we had laws come in that said, okay, now you have to, in some cases,
look at that paper backup. But the way that the law is written, it's so badly, the audit is so
badly done that it doesn't actually mean anything. So that's really where we are right now
that we need to fix. So you're describing, you know, just sort of in a very basic sense,
a lot of complexity, right? Like, we're going to add computers to this. We've got to audit the
the machines and then they're going to generate a paper trail, and then we got to audit the paper
trail against the result. Shouldn't, I mean, if we're talking about widespread vote by mail,
shouldn't everyone just mail a slip of paper in and have that hand counted? And it's probably the same
amount of complexity without the same amount of attack surface. So there are other issues with vote by mail
ballots. And you'll, a lot of the opponents of vote by mail will tell you that this creates a better
opportunity for fraud. So not hacking, but this is the way that elections used to be thrown,
right? Is that someone who has access to those ballots either replaces a bin of ballots or loses
a bin of ballots or, you know, changes marks on the ballots or things like that. So that's a
different problem, but it's a smaller scale problem. It's, you're talking about someone who has
access to ballots. And that's different than someone who can, you know, get into, you know,
a voting machine vendor and change the software on, you know, thousands of machines. So it's not
without its own risks that issue of someone stealing ballots or replacing ballots, but that's not
the primary problem that we're looking at in terms of moving to the vote by mail ballots.
The vote by mail ballots involve a lot more processing and a lot more people. It's a really,
really complicated process. When you fill out a ballot at home, you put it in an envelope that's
specially designed. It has a, usually it has a legal statement on the outside of the envelope and you sign it.
When that ballot arrives to the election office, they first have to verify that signature against a
signature that you have on file with them in your voter registration or in your DMV registration.
And sometimes they do that with software, that match. And sometimes they do it simply with a
visible match. And there are all kinds of problems there if that they don't actually match. You know,
I don't know, does your signature remain same 20 years down the line?
Who knows?
But anyways, and so there are states that don't require when there's a mismatch
for them to actually even tell you that there's been a mismatch.
So you may not ever even know that they rejected your ballot based on your signature,
and then you have no chance of correcting that.
In other cases, the law gives them a minimal amount of time to notify you
and for you to then rectify that.
And again, if you're unable to rectify that or you don't respond, then again, your ballot gets thrown out.
So now what we have here is a situation where we create a lot more opportunities for voters to get disenfranchised because the processing, the process is in place for processing those vote by mail ballots is problematic.
So one model that I've heard about, I know votes, VOATC is very controversial, but when they're talking about the design, they say,
all right, you know, to keep people from being disenfranchised, we're going to have, you have this app,
the app verifies your identity in various ways, you sort of hit the button and, you know, that,
that casts your vote a certain way. The screen tells you you've cast the vote. And then there's a
back end that even though there isn't either, even though you maintain anonymity in a general sense,
or I suppose pseudonymity because it has to be tied to you in some way, you can go in with your
password that's granted and see how your vote was registered so that if anyone gets up to any
shenanigans, you can go and say, oh, wait, like this was this problem. I've meant to vote for
this one person and it cast my vote for this other person. Obviously, like votes, their specific
implementation has come under fire from a lot of the auditing process that you're talking about.
But I wonder if as like a, as sort of a mechanism, this idea of voting and then verifying your vote is, is sort of something
we should be looking at or sort of thinking about. Yes, but I want to put a caveat on what you've
just described here. The method that you're describing doesn't allow you to verify that your
vote was counted accurately. All that allows you to verify is that they received your ballot
and that your ballot presumably is in that mix of ballots that was tallied. But it can't tell you
that when they tallied that ballot, that they actually tallied your votes correctly.
And that's the problem with a lot of these crypto solutions for voting,
is that they will give you sort of a tracking number that you can then go online and see that your tracking number is listed among all the tracking numbers that were tallied.
But they can't tell you that the back end system that then tallied the votes, tallied them correctly or didn't drop your votes after word, something like that.
So there are two issues here with anonymity.
That's the other thing with vote by mail is that you lose.
kind of that anonymity. You're signing the ballot that you're sending in. And it's supposed to be
separate from your ballot. There's a mechanism for they will open, they will check the signature on that
envelope and they will separate it from the ballot inside that's in a separate envelope. So they do the
verification without actually ever looking at your ballot. They divorce those two, the envelope and
your ballot, so that when they tally the ballot, they don't actually have their signature
connected to it. Oh, man. You see why? I feel like
I always see cryptographers talking about how, like, this is so much more complex than making someone.
Just, like, don't let my credit card get stolen, which we do an okay job on a good day.
But, like, that's relatively simple.
Like, don't let anyone read my email.
Like, we got you.
It's just this handshake.
But then there are so many specific things you have to nail down for voting where it has to sort of, it has to be cast, it has to be tallied.
The tally has to sort of, all those processes have to make.
integrity and then at the same time we have to maintain a level of anonymity so that we can't be like going through and sort of persecuting people based on how they voted.
Right. I mean, I'm a security reporter. The anonymity issue isn't high on my priority list, but for some people it is. And it used to be an issue for vote buying, right? If you could prove how you voted to someone, your employer or a party or whatever, they could buy your vote. And so that becomes an issue for some. But, you know, the votes issue that you were talking about, you know, it requires you to sort of authenticate yourself at the front end of the system. And then it,
The question is, how are they handling that in a way so that that authentication of who you are is separated from your ballot so that someone can't connect those two.
So that is an issue there.
I think the larger issue with the systems like votes, which is using mobile phone.
That's V-O-A-T-Z, right?
Yes, V-O-A-T-Z, is that we haven't figured out how to secure that back-end client system, right?
So you're basically saying now instead of the voting machines that we already know are vulnerable, that we already are vulnerable,
that we already know we're coded poorly by the voting machine vendors,
we're now going to say, okay, the voting machine now is instead of that system
that you go to the precinct and vote on, the insecure system,
the voting machine now is your laptop, which you haven't updated any patches on in two years,
or, you know, your Android phone that is rife with vulnerabilities and can be hacked.
So it's that, you know, your system now, you're required to update and maintain the security
of your own voting machine.
And that it's not just that is the delivery, right?
We have to trust that election officials are designing a system
or that a vendor-like votes has designed a system
so that that entire chain from transmitting the ballot to you
to then receiving the ballot back from you is also secured
and also authenticated and also can't be targeted
in a denial of service attack that prevents you actually
from receiving or sending back your ballots.
So a whole host of new problems
that haven't been addressed, and yet votes is out there pushing its solution.
And a lot of people are saying, you know, why can't we do online banking all the time?
We do e-commerce all the time.
What's the problem?
Why can't we do voting over the Internet?
The problem with, and I get so tired of people using online banking as the example for why we should be doing online voting.
When you're doing online banking, you have a record of every one of your transactions.
and you're receiving a ledger every month from the bank,
either online or you get it in the mail,
and you're able to then verify all of those transactions.
It's also not a nominous.
You go to the ATM, you get a receipt.
You have all of this tracking,
and you can go back to the bank and say,
look, your system messed up.
This is what I did, and this is what your system says I did.
So you have a way of, let's say, reconciling for the person what went wrong.
For a voter, you have, one of the first.
you've cast that ballot and you're separated from that ballot, you have no way of knowing whether
or not something happened to your ballot after you submitted it. And you have no way of then holding up
your hand and saying, hey, I have a record here. And it shows that you counted my ballot incorrectly.
So the banking example doesn't match the voting example. And so people shouldn't be using that.
You also have a lot of incentive with the bank to check the bank, right? Like a personal incentive
to make sure the bank gets it right.
Whereas, I mean, how much political science over 100 years, 200 years is about how voters actually don't have personal incentives, and yet they vote anyway.
Right.
And they don't even look at, we've seen studies where they handmarked their ballot and they never review the ballot before they submit it.
There are systems like the optical scan machines are supposed to spit out your ballot if you vote for too many candidates.
Like, you know, you can only vote for one presidential candidate, but let's say you mark two.
of them by mistake. And you never even look at your ballot or you look at your ballots and you
don't notice it. The machine notices that and it spits back out the ballot and says, hey, you voted
too many times, fix this. So once you start doing that in a way that is separated from the voter,
like the vote by mail ballots, this is going to be a problem. Voters are not going to check
their ballots. They send them in. Once they've put that in the post, they have no way then
the system can spit back that ballot and say, hey, this voter voted for too many candidates in the
presidential race, but that ballot has now been separated from the voter. The voter is sitting at home,
and you can't go back to the voter and say, hey, fix this now. So we're going to have a lot more
problems in this election in that regard. A lot more ballots will get thrown out simply because
voters don't check what they do before they send them in and because we don't have a way for
them to reconcile the issues afterward. Can I just say a word that'll make you mad? I mean,
it'll make me mad too, but I feel like we should say it. Well, I mean, like, you know, votes,
V-O-A-T-Z votes with a Z. I do not think we should turn our democracy over to a company with
the Z in the name. It's just me. It's a personal feeling I have. My name has a Zee. How can you say that?
Well, yeah, but you're not. Okay, well, Zetter is like a real. I'm just walking down a dangerous path.
It's called Votes. It's not replacing the S. It's called the votes. It's called for God's sake.
It's a cute. It's a cuteified. Yes. It's too cute. Like Kim Zetter is like a meaningful
cybersecurity name. He's got a brand. Votes is like it honestly sounds like a middle school should use
it for like a middle school election. But they're trying, right? That's a company that's
trying, they've built a tech stack, people have looked at it, what they are not doing, and this is
where the same make you mad, is a new look method, like a blockchain method of voting that a
lot of people talk about. That seems like it has a number of positive benefits, but it seems
like it has huge problems. Have you evaluated that stuff? Well, so there were people that
looked at that system. MIT researchers looked at the claim that they were actually even using
blockchain, and it turns out that they're at least not using blockchain for the transmission
of the ballots back.
And they said that they were.
So presumably they're only using blockchain
for the storage of the votes after they arrive.
So the whole point of using the blockchain
was to preserve the security of the transmission,
not just the storage.
So even that claim we couldn't trust.
So the problem is that until MIT looked at that system,
we had to sort of believe the claims of votes itself
that it had done some independent reviews of its system
and that they had passed security.
Well, now we find out that it doesn't pass security
and it doesn't even pass the claims
that they asserted about it.
And so there's this whole thing about, you know,
turning over these systems to these third-party vendors,
trusting them to get something right
and not having any transparency.
That system also doesn't undergo testing and certification
in the way that our voting machine does.
So this is just remarkable to me
that election officials would, you know,
the voting machines that they put in the precincts,
they, you know, by law, their states require, in many cases, them to undergo testing and certification.
But then you move to something like this mobile voting app, and that goes out the window,
and no one requires the same kind of rigor.
And I would question whether or not even the voting machines go under any kind of rigorous testing and certification.
But even that sort of low level of standard that we've required for the voting machines themselves goes out the window, suddenly,
when we're talking about a mobile voting app.
And that I don't understand.
Yeah, I guess the benefit seems very high.
I mean, this is why we keep chasing it, right?
Everyone has a phone to, you know, some degree of certainty.
It would be better if more people participate in the democracy.
It would be simpler.
And, you know, I think generally we think computers are good at counting.
So it seems very easy to say we should just all vote on our phones.
Well, I would also say, I mean, this is the only nice thing I've ever said about blockchain voting.
But I will say in the most abstract possible terms, the problem you're describing Kim of, you know, you've submitted the vote.
You know that when you submitted it in the public facing part of it, it was for candidate A.
How can you be sure that that's not being tallied as a vote for candidate B?
That actually does seem like a problem that could plausibly be solved by having it sort of having them do the adding on a
public ledger, right? Like, what we want is for that to happen in an open and transparent way so that we can
make sure that when you're adding up the numbers, there isn't anything funny going on.
Well, okay, so you have to authenticate that everything that's in that leisure is actually a
legitimate ballot, right, first of all. So there's still a lot of complications. And then you also
have to show in a transparent way that everything that is in that ledger is in the actual tally and
that nothing has changed in that tally. So I guess,
I don't know.
I haven't seen a blockchain solution
that works
in voting. I haven't
spoken with any kind
of election security
expert who believes that blockchain
is a solution for voting.
They know more than me,
better than me, about how the blockchain
would work for voting. And so I kind of
trust them to, you know, in their
assessments that blockchain is not
you know, where you want to go down with voting.
Oh yeah. Well, and I think, I mean, this is
100% the concern. Right. Every time I, I think if I, if I like call up a security expert and mention
blockchain voting, they'll like hang up on me. Like they are so sick of people talking about it.
That's why I said it would make everybody mad. Yeah, you, you succeeded. You succeeded in making
us mad. But again, I mean, you know, Russell, you're still talking about the problem of having the
backup, right? So let's say one of those, the ledger, the ledger fails, right? And you still don't
have that paper backup in any kind of mobile voting. I mean, everyone talks about, okay, this would
increase voter turnout. Well, the studies are a little mixed on that. There are some studies that say,
yes, that when you do mobile voting, it does increase voter turnout. Others say it's not really
sort of negligible. Voting by home should also increase voter turnout, right? The voter does,
has to do the least thing that they have to do. They receive something in the mail. They fill it out.
They send it back. It's a prepaid envelope.
that also really lowers the barrier for a lot of voters to cast a ballot.
And at least in that vote-by-mail situation, you actually have a paper trail that's filled out by the voter.
Look, there isn't a perfect voting solution.
What we have to sort of examine are all of the risks, weigh them, and figure out the one that has the risks that can be most easily addressed or best addressed.
And I think that, you know, people who have spent a lot of time talking about this and thinking about this come down to,
that voter marked paper ballot is the best solution that we have. You can still tabulate the votes
with the computer, but you need that paper trail for integrity, for faith and trust in the outcome,
and a way to reconcile problems when they do show up. So we only have a few minutes left.
I want to ask broadly about our upcoming election, but I feel like we can't have a long
conversation about voting security and online voting, all this stuff. With that, like, legally I'm
required to mention Estonia. Like, I feel like the police will call in.
I don't. So Estonia is a small country. They do a lot of online voting. They're very proud of it. They've had a lot of controversy around it. Are they getting it right? Is that a model that we can look at? I don't think it's a model that anyone recommends. That has been audited. And two people who are very well regarded in election security did an audit, found numerous problems with the system. Estonia didn't like that they found problems. I don't know that the problems have been solved. I know that. I know that.
Estonia likes to, you know, put itself out there as a leader in, you know, the internet's citizen.
So they are pushing this.
But I don't know the Estonian system well enough to know what kind of safeguards they have,
what kind of checks and balances, what kind of auditing they do in that.
So I'm a little reluctant to sort of assert whether or not they're doing it right.
All I know is that there are reports out there on the internet that you can look at where people
examine the Estonian system and found problems with it.
Are there other countries that are good models that are sort of getting the balances right?
Not for internet voting.
I mean, no one recommends internet voting in the security community.
But elections in general, or election security in general?
Oh, I mean, elections are complicated.
I mean, the best model, I just, I'll just come back to that, I feel like a broken record.
The best model is having a voter handmarked paper ballot in which you do an audit afterwards.
I mean, it seems, people don't like that because it seems like, you know,
know, it's not really a sexy solution, right? It sounds like old school voting, which we had for a long time.
But sometimes that is the best solution is that you have, is to go back to that low-tech,
least complicated way of voting. Like I said, again, that has its own issues that you have to
address, but every election is going to have integrity issues that need to be addressed. And so you just
have to come down to where you weigh the risks and decide which has the risks that you can most
easily address and that are the most transparent to address.
So look, I don't think being a broken record on there is a known best solution is a problem.
Like, right?
Sometimes there's just a known best solution.
We should go with it.
I think that brings us to now, which is the known best solution potentially has another
very high cost, which is transmission of the virus.
How do you see that playing out?
I mean, we're all recording this, you know, in March.
We don't know what's going to happen by November, but how?
How do you see the conversation playing out right now?
Yes.
I mean, so weighing those two risks, right, between poll workers and voters getting infected and potentially dying,
that, of course, is not the option that we want.
And so the second best option that we have may be vote by mail.
And so I'm not saying don't do vote by mail.
But if we're going to do vote by mail, it's not something that we can slap together at the last minute.
It really needs concerted planning starting right now.
and they need to look at it with open eyes and understand all of the potential risks that they're going to have.
Quite often what you get are election officials.
Everyone tells them in advance, okay, this is what's going to happen.
People can actually anticipate the problems that are going to happen.
And then election officials don't address them.
And then on election day, everything falls apart in this.
Well, no one could have seen this.
But everyone can see right now all of the potential problems from vote by mail.
And it requires a lot of planning.
And so that's the question now is,
will the federal government pass a bill that provides election officials with all the money they need
to hire new staff to implement new processes and procedures to get it right by November?
And so it's really in the hands of the federal government right now to provide the resources necessary
to make that go smoothly.
It's still not going to go smoothly, but to make it go as smoothly as we can possibly do it in the short amount of time that we have.
So in terms of like the political wish list that sort of verge cast listeners
should go out and sort of demand from their representatives.
It's we should actually invest in elections that are that sort of function well.
Like we need to spend a little bit more money on this.
It'll be worth it.
And then also it sounds like for your local sort of election body, the county board usually,
you should be asking for a paper trail, for a paper ballot and kind of making sure that they don't do anything too fancy.
I mean, is that is that what we should send folks out to go advocate for?
Yeah, you need to have the paper backup.
You need to have an auditing mechanism in place and an auditing law in place.
And then you need the resources given to election officials for this process to succeed by November.
But really, I mean, we don't have a lot of time because primaries are going to have the same issue.
And the rescheduled primaries are in, you know, two months or so.
So, I mean, I don't want to depress everyone.
but this is a real challenge
how we're going to pull this off this election year.
The alternative is that the election gets canceled
and I don't think that we want that either.
So everyone has to get this right,
has to do the planning, has to get the resources,
federal government needs to move on this
to get the money out to states
and then election officials have to take the responsibility
and actually produce a plan and do this right.
Because the alternative is either
we have a really messed up election or we have no election at all. So that's what's in our hands.
So I want to end on it. I wouldn't call it uplifting. But if you, right, we're trying to fix
a system. No, do the uplifting. I want the uplift. I'm trying. I need it. I wonder my way to it.
I've been such a downer. The reality is that, you know, we live in a society and a democracy that's
been going for a while. We have a long history. There's systems that have to be changed.
not replaced. Based on everything you know, if you were to clean sheet it, right, and say,
this is actually how we should do it. What would be your recommendation?
Pretty much what I've been saying. I would get rid of the voting machines that we have now in
precincts, unless it's an optical scan machine. I would do a, look, DARPA, right? Darpa has been
researching, I wrote a story about this. They have been looking at doing a system from scratch
that uses the latest and secure hardware techniques. So if you could design a system from
bottom up, right? I would scrap all the voting machines that we currently have that we know
have problems in them. I would design an open source system that's transparent, that uses secure
hardware so that the base of it is already secure, then has open source software that's been
fully vetted and is secure, and then it is, it's a scanner, right? It's not a touchscreen machine
without a paper trail, and it uses a handmarked paper ballot for disabled voters. You can have a
touchscreen for them, and then you also require those audits. That seems to be sort of the pie in the
sky. If we could do this all over again, start from scratch, that would be the way that I'd go.
Well, I'll get to work on that immediately. My goal, when this is all over, is to somehow take control
of the United States government. I don't know how that works without getting elected, but I'm thinking
about it. That's the next episode. We have the paramilitary training, and yeah.
First of all, you just take control of the machines. You take control of the running machines, and that's how you
get elected to then have the control to take over.
Like I'm saying, like everybody, I've had a lot of time to sort of sit around at home and think
big thoughts.
Kim, thank you so much for coming on.
We've been huge fans for such a long time.
It's kind of an honor to speak with you.
So thanks for joining us today.
Oh, you're welcome.
And I'm sorry for depressing you.
All right.
My thanks to Kim Zetter for joining us on the Vergecast.
Again, sorry that we taped it in March and released it this week, but I still think it's
incredibly relevant.
I love that conversation.
It was actually kind of fun for me.
go back and listen to it. Voting security, voting tech, we're going to keep on top of it as we
come up to the election. We've got a lot of plans for election coverage. Also, thanks to Russell for
joining me. Always a good time. We'll be back on Friday with the chat show. A lot of news going
down lately. We'll see if there's another streaming service coming out. It usually is one.
You can tweet at me. I'm at Reckless. Let me know who you want me to talk to you, what you want me
to cover. I love that feedback. It really helps us drive the show. Other than that, we'll see you on Friday.