Recount 2016
�
�Matthew Bernhard
Verified Voting
An uninvited security audit
of the U.S. presidential election
2016 U.S. Presidential Election
Donald Trump
Republican
Hillary Clinton
Democrat
November 8, 2016
Predictions were for a Clinton Win
Predictions were for a Clinton Win
Predictions were for a Clinton Win
Predictions were for a Clinton Win
Nearly everyone predicted victory for Clinton...
Election Results
Clinton received nearly �3 million more votes, �but Trump won the electoral college.
Not Really...
What Happened?
Explanation A:�Systematically Wrong Polls
Explanation B:�Results Were Rigged
Probably not!
Is rigging actually feasible?
How can we find out �which explanation is true?
American Elections
U.S. Elections
Massive Scale
Highly Distributed�State, county, and local levels
High Complexity�Ballots with many different races,
Over a dozen languages
Sensitive to Latency�Want results on election night
200 million registered voters |
13,000 voting jurisdictions |
187,000 election precincts
|
52 models of voting machines |
U.S. Elections Scale and Complexity
Election Technology by U.S. State
U.S. Elections Scale and Complexity
Election Technology by County: State of Arkansas
U.S. Elections Long, Complicated Ballots
U.S. Voting Machines 2 Styles, 52 Models
Optical Scan
Computer counts paper ballots as they’re placed in ballot box
DRE (Direct Recording Electronic)
Votes cast on-screen, recorded in memory;�sometimes prints paper audit records (VVPATs)
Are U.S. Voting Machines Secure?
Are U.S. Voting Machines Secure?
Diebold AccuVote TSX
Cards spread malware (2007)
ES&S iVotronic
Cards spread malware (2007)
Diebold AccuVote OS
Cards spread malware (2007)
ES&S Model 100
Cards spread malware (2007)
Hart InterCivic eSlate
Cards spread malware (2007)
AVC Advantage
Cards spread malware (2009)
Sequoia AVC Edge
Cards spread malware (2007)
Optech Insight
Cards spread malware (2007)
Every U.S. voting machine subjected to rigorous independent security review �suffered vulnerabilities that allow the spread of vote-stealing malware.
Hacking an Election?
Election Hacking Visible Attacks
Alter election-night results�Undermines credibility, even if detected
Denial of service�Selectively cause long lines, etc.
Political interference�Selectively discredit candidates
Election Hacking Visible Attacks
Alter election-night results�Undermines credibility, even if detected
Denial of service�Selectively cause long lines, etc.
Political interference�Selectively discredit candidates
Election Hacking Visible Attacks
Alter election-night results�Undermines credibility, even if detected
Denial of service�Selectively cause long lines, etc.
Political interference�Selectively discredit candidates
July: Democratic National Committee emails� hacked; leaked to press
August: Voter registration systems in Illinois and Arizona� hacked; other states probed
October: John Podesta (Clinton’s campaign manager)� email hacked; leaked to press
Election Hacking Invisible Attacks
How hard would it be to invisibly�change the outcome, by tampering�with the voting machines?
Challenge 1�Diverse, decentralized voting technology
�Challenge 2�Machines aren’t connected to the Internet��
Challenge 3�70% of U.S. votes have a paper record��
Election Hacking Invisible Attacks
How hard would it be to invisibly�change the outcome, by tampering�with the voting machines?
Challenge 1�Diverse, decentralized voting technology
�Challenge 2�Machines aren’t connected to the Internet��
Challenge 3�70% of U.S. votes have a paper record��
Election Hacking Invisible Attacks
How hard would it be to invisibly�change the outcome, by tampering�with the voting machines?
Challenge 1�Diverse, decentralized voting technology�Need to swap <1% of votes in two states.
Challenge 2�Machines aren’t connected to the Internet��
Challenge 3�70% of U.S. votes have a paper record��
Election Hacking Invisible Attacks
How hard would it be to invisibly�change the outcome, by tampering�with the voting machines?
Challenge 1�Diverse, decentralized voting technology�Need to swap <1% of votes in two states.
Challenge 2�Machines aren’t connected to the Internet��
Challenge 3�70% of U.S. votes have a paper record��
If infected, can spread malware to all machines across one or more counties
Centralized election management computer programs ballot design to memory cards before each election
How hard would it be �to attack an election management computer?
Many jurisdictions outsource �their ballot programming �to small, outside businesses.
75% of Michigan counties use �just two ~20 person companies.
Election Hacking Invisible Attacks
How hard would it be to invisibly�change the outcome, by tampering�with the voting machines?
Challenge 1�Diverse, decentralized voting technology�Need to swap <1% of votes in two states.
Challenge 2�Machines aren’t connected to the Internet�Cards programmed using centralized �election management computers.
Challenge 3�70% of U.S. votes have a paper record
Election Hacking Invisible Attacks
How hard would it be to invisibly�change the outcome, by tampering�with the voting machines?
Challenge 1�Diverse, decentralized voting technology�Need to swap <1% of votes in two states.
Challenge 2�Machines aren’t connected to the Internet�Cards programmed using centralized �election management computers.
Challenge 3�70% of U.S. votes have a paper record
Paper as a Defense
Use of Paper has Increased
Over 70% �of votes cast in 2016 �were recorded on paper.
Post-election auditing lacks coverage
Over 70% �of votes cast in 2016 �were recorded on paper.
Election Hacking Invisible Attacks
How hard would it be to invisibly�change the outcome, by tampering�with the voting machines?
Challenge 1�Diverse, decentralized voting technology�Need to swap <1% of votes in two states.
Challenge 2�Machines aren’t connected to the Internet�Cards programmed using centralized �election management computers.
Challenge 3�70% of U.S. votes have a paper record�Most states rarely or never look at paper!
Election Hacking Invisible Attacks
How hard would it be to invisibly�change the outcome, by tampering �with the voting machines?
Step 2
Target large counties or service providers, and compromise election management computers.
Easier than you thought! .
Step 1
Use pre-election polls to �identify likely close states.
Step 3
Infected memory cards exploit vulnerable voting machines to run malware,
swap, e.g., 10% of votes.
Step 4�Most states just�throw away the�paper ballots.
An Uninvited Security Audit
Hacking Was Plausible How To Check?
After Election Day (Nov. 8), we knew:
Presidential results were extremely close, defied polling.
U.S. alleged Russian political cyberattacks during campaign.
Feasible to attack enough machines to have changed outcome.
Shockingly, even under these circumstances,�no state would examine enough evidence�to expose such an attack.��Five weeks until results are locked in on Dec. 13.
Will we ever be able to confirm outcome was correct?
We and other election integrity advocates wonder what to do?
November & December 2016
8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 1 2 3
4 5 6 7 8 9 10
11 12 13 .
Would Clinton Demand a Recount?
Call with Clinton Campaign
November & December 2016
8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 1 2 3
4 5 6 7 8 9 10
11 12 13 .
In third presidential debate, Trump refused to�say he would accept the election results.
“He said something truly horrifying….� A direct threat to our democracy.”.
New Idea: Any Candidate can Demand a Recount!
Election integrity advocate.
On ballot in most states .� Won 1.06% of the vote .
Willing to lead recounts! .
November & December 2016
8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 1 2 3
4 5 6 7 8 9 10
11 12 13 .
Jill Stein�2016 Green Party �Presidential Candidate
An Accidental Media Circus
“they’ve found persuasive. � evidence that the results … .� may have been hacked.”.
.“The only way to know whether a. .cyberattack changed the result is to. .examine the physical evidence:. �.paper ballots and voting equipment”.�
International News
How to Pay? Crowdfunding!
In two days, raised $5M .
After two weeks, $7M .
Over 160,000 donors! .
November & December 2016
8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 1 2 3
4 5 6 7 8 9 10
11 12 13 .
Where to Recount?
Where to Recount?
Where to Recount? Wisconsin, Michigan, Pennsylvania
All three projected for Clinton, �won by Trump
�Combined 46 electoral votes
� All three had margins <0.8%,� in total decided by fewer than � 78,000 votes
� MI and WI allow candidates � to petition for a recount, � PA requires court order
Wisconsin
Pennsylvania
Michigan
Wisconsin 10 electoral votes
Wisconsin
Margin�22,748 votes (0.77%)
Technology�Almost entirely opscan �All votes use paper
�Law�Any candidate can demand a recount if they pay the cost
Each county decides recount method: hand count or rescan
Michigan 16 electoral votes
Margin
10,704 votes (0.23%)
Technology�Entirely opscan,�All votes use paper�
Law�Any “aggrieved” candidate can pay statutory fee for recount
State Board of Canvassers decides recount method
Michigan
.Uni. of Michigan.
Pennsylvania 20 electoral votes
Margin
44,292 votes (0.72%)
Technology
Mostly paperless DREs�Only ~30% of votes use paper
Law
Three citizens from each �precinct must file, swear there�is fraud, and post bond to get
a recount in that precinct.
Automatic statewide recount �if margin is less than 0.5%.
Pennsylvania
Why Not Other States?
New Hampshire . . . . . . . . deadline passed 6 days after election
Virginia . . . . . . . . . . . . . . . illegal to recount unless margin of victory� is under 1% (Clinton won by 4.9%)
California . . . . . . . . . . . . . margin of victory in California was 30%
Trump could have initiated his own recounts, but did not.. �
Let the (Re)counting Begin
Let the Recounting Begin!
First recount petition filed, in Wisconsin, Nov. 25 .
President-elect Trump not a fan .
He and his lawyers would oppose efforts in all three states .
November & December 2016
8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 1 2 3
4 5 6 7 8 9 10
11 12 13 .
Others did the Real Work
Assistance from 10,000 Green Party volunteers!
EMERY CELLI BRINCKERHOFF & ABADY LLP
Attorneys: Matthew Brinckerhoff, Jonathan Abady, Ilann Maazel, Debbie Greenberger.�Ali Frick, David Lebowitz, Hayley Horowitz, Doug Lieb, Jessica Clarke … and others
More than half-dozen simultaneous legal actions!
Testimony from leading e-voting experts: Philip Stark, Harri Hursti, Doug Jones, Ron Rivest, Dan Wallach, Poorvi Vora, Duncan Buell, Dan Lopresti, and Candice Hoke
What Does a Recount Look Like? Like this...
Washtenaw County, Michigan .
What Does a Recount Look Like? ...and also like this
What Does a Recount Look Like? ...and also like this
Lansing, Michigan .
What Does a Recount Look Like? ...and also like this
Philadelphia, Pennsylvania .
What Does a Recount Look Like? ...and also like this
Philadelphia, Pennsylvania .
What Does a Recount Look Like? ...and also like this
The Election is Decided
Electoral Outcome
Recount Outcome … no state completed a full hand recount
Recount Outcome … no state completed a full hand recount
Wisconsin . . . . Recounted statewide, though not all by hand� 51 counties counted by hand, 9 by re-scanning, 12 by a combination� 11,883 vote corrections (over half the margin of victory!)� Net change: 397 votes. No evidence of an attack.
Michigan . . . . . Halted after three days under opposition from state and Trump� 10 counties finished, 12 started but did not finish (out of 83)� 2,099,578 ballots recounted (43% of total cast).� Net change: 1651 votes. No evidence of an attack.
Pennsylvania . . Defeated in federal court under opposition from state and Trump
One county (out of 67) recounted by hand, and only 143 of its 228 precincts� No published results. Presumably no evidence of an attack?� Lesson: It is really difficult to audit the votes in Pennsylvania!
Recount Outcome Other problems exposed in Michigan
Using the Available Evidence
What we really want:�Statistical Risk-Limiting Audit
Much cheaper than a full recount and yields the same confidence.
What we actually have:
Incomplete, non-random county-level samples. What to do?
Hand count randomly sampled precincts until you establish,�with high statistical confidence, that hand-counting all of the paper records would yield the same winner.
Using the Available Evidence
Recounts let us rule out some attack scenarios (e.g., statewide fraud).�What about other scenarios?
If the randomly selected counties were recounted by hand, then this attempt �to throw the election is considered detected.
Cyberattacks Did Happen, Before the Election
Cyberattacks Did Happen, Before the Election
Using the Available Evidence
Using the Available Evidence
Methodology:
Using the Available Evidence: Results
Wisconsin
Using the Available Evidence: Results
Using the Available Evidence: Results
Wisconsin
Michigan
Using the Available Evidence: Results
Lessons & Conclusion
Lessons
Hacking a U.S. presidential election even easier than we thought!
Lessons
This election probably wasn’t hacked ... what about next time?
U.S. badly needs to reform its voting system
Use of Paper has Increased even more since 2016
Over 70% �of votes cast in 2016 �were recorded on paper.
Use of Paper has Increased even more since 2016
Over 84% �of votes cast in 2020 �will be recorded on paper.
Risk-limiting audits have increased since 2016
Philadelphia’s old voting machine
Danaher Shouptronic 1242
Philadelphia’s new voting machine
ExpressVote XL
What can you do?
Recount 2016
�
Matthew Bernhard
matber@umich.edu
@umbernhard
Verified Voting
An uninvited security audit
of the U.S. presidential election