Every vote in the United States — for city council, state representative, or president — is cast using materials and equipment manufactured by third-party vendors. There are vendors large and small, but the American election equipment industry is dominated by three vendors: ES&S, Hart, and Dominion. These vendors manufacture the machines that approximately 92% of eligible voters use on election day — and they wield extraordinary power with significant implications for our democracy. Because of this, it’s critical that elected officials and advocates pay attention to the role vendors play in the security and transparency of American election systems. Perhaps most concerning are vendor efforts to keep secret the technology upon which American elections rely while at the same time feting state and local election officials with expensive trips and meals. Vendors have actively and increasingly pushed back on efforts to study and analyze the equipment that forms the basic foundation of our democratic processes.
One way they do this is by opposing independent research by computer and election security experts, such as academics. Vendors have asserted that licensing agreements between vendors and counties prohibit outside testing of county-owned machines. In at least one instance, a vendor has suggested that “non-compliant analysis” — that is, it appears, analysis not approved by the vendor — would infringe the vendor’s intellectual property.
This year, DefCon’s Voting Machine Hacking Village (“Voting Village”) — a high-profile hacking event focused on examining the cybersecurity vulnerabilities of voting equipment — received communication from ES&S, the country’s largest voting machine manufacturer, that organizers took as legal threats. The communication seemed designed to intimidate Voting Village’s organizers out of conducting and publicizing the results of their analysis of ES&S and other manufacturers’ machines. Perhaps this was inevitable after Voting Village’s 2017 report, which detailed numerous exploitable weaknesses in an array of equipment from various prominent manufacturers. After this year’s event, a bipartisan group of U.S. Senators asked ES&S to explain itself, and urged it to support independent research efforts. ES&S responded by suggesting that independent security research jeopardizes election integrity, and “makes hacking elections easier.” Fortunately, the Senators, all members of the Senate Intelligence Committee, roundly rejected this brush-off — but it does not bode well for researcher-vendor relations moving into the 2018 primary and 2020 national election seasons.
Perhaps the most notable effort to bar independent research into the efficacy and security of American voting equipment is happening right now. The Digital Millennium Copyright Act, 17 U.S.C. § 1201, protects the technological measures used by copyright owners from unauthorized access to or use of their works. It does this, in part, by prohibiting the circumvention of those measures and the trafficking in devices primarily intended to circumvent those measures. The statute contains a number of statutory exemptions—for example, applicable to schools and libraries—and also allows for rulemaking procedures whereby narrow, temporary exemptions may be adopted by the Librarian of Congress. This latter kind of exemption must be reexamined every three years, and review of those exemptions is happening right now. One exemption, Proposed Class 10, allows for security research into computer programs including voting machines. This fairly limited exemption is how DefCon and academic researchers can legally investigate, “white hat” hack, and analyze machines used by Americans on election day. This year, the U.S. Copyright Office (the part of the Library of Congress charged with this endeavor) is considering whether to remove certain limitations on research conducted under this category. The country’s three largest election systems vendors oppose this move and are asking the Copyright Office not to approve the proposed exemption.