There were numerous article reporting on the Voting Machine Village at last weekend’s Def Con hacking convention posted at WIRED, Tech Target, IEEE Spectrum and elsewhere. The event proved to be significant in many ways. As Hacking Village co-ordinator and security expert Harri Hursti noted “These people who hacked the e-poll book system, when they came in the door they didn’t even know such a machine exists. They had no prior knowledge, so they started completely from scratch.” Nevertheless they were able to hack all the voting machines, leading Jake Braun, one of the convention organizers to observe “Anyone who says they’re un-hackable is either a fool or a liar.”
The conference organizers did not restrict the electoral hacking demonstration to voting machines. As reported in Mother Jones, voter registration database was also attacked, and defended, which experts say is just as worrisome. Hursti commented “[i]f you look at all of the reports about foreign actors, malicious actors attacking US election infrastructure in the last election, they were not attacking the election machines, they were attacking the back-end network, the underlying infrastructure.”
While examining an ExpressPoll 5000 electronic pollbook that had been purchased on eBay, hackers discovered the personal records of 654,517 people who voted in Shelby Country, Tennessee. The information included not just name, address, and birthday, but also political party, whether they voted absentee, and whether they were asked to provide identification. Verified Voting President Barbara Simons noted that there’s no formal auditing process for how many of the machines are properly wiped, and thus no way to estimate how many machines have been sold that inadvertently contain voter records. The fact that one of e-pollbooks at DEF CON had personal records that were so easily available doesn’t inspire confidence, said Matt Blaze, a renowned security researcher who has authored several studies on voting machine security and who helped organize the village. “How many other of these machines that also have data left on them have been sold to who knows who? There’s no way of knowing,”
The New York Times observed that the DEF CON exploits demonstrated once again that the best defence against hackers is more hackers. However, legal restrictions often hamper government cybersecurity efforts. According to a 2015 analysis, more than 209,000 cybersecurity jobs in the United States currently sit unfilled. As the Times noted “[p]artly, that’s because private sector jobs tend to pay more. But it’s also because the government can be an inhospitable place for a hacker. Talented hackers can be disqualified for government jobs by strict background checks, and dissuaded by hiring processes that favor candidates with more formal credentials.”
A US district court judge declined to temporarily bar President Trump’s voting commission from collecting voter data from states and the District, saying a federal appeals court likely will be deciding the legality of the request. Theongoing lawsuit was joined by three others this week. As with the lawsuits against Trump’s travel bans, the challengers are using Trump’s own words and tweets to fight his administration’s actions, saying the commission was created to back up a spurious theory in the first place — that voter fraud is a massive problem in the US. Menawhile, the commission’s co-chairman, Kansas Secretary of State Kris Kobach lost a bid to avoid testifying under oath about his plans to change U.S. election law.
Four days after a panel of three federal judges issued an order calling for new redistricting maps by Sept. 1, North Carolina Republicans began to release details of their schedule for drawing new boundaries to correct legislative districts the court found unconstitutional. The General Assembly is tentatively set to vote on new maps on Aug. 24 or 25.
The Texas-based voting systems manufacturer Hart Intercivic filed suit in district court seeking to block the Texas Secretary of State from certifying rival machine makers whose devices produce a paper receipt of votes cast. The court filings are not yet publicly available but Hart’s argument appears to hinge on the state’s requirement that counties wishing to offer multi-precinct vote centers rather than traditional precinct-specific polling place must use direct recording electronic voting machines (DREs). While the market for DREs has essentially disappeared over the past decade, Hart has developed a new DRE as part of its Verity Suite, apparently specifically for the Texas market (though there are reports of the DRE being offered to Pennsylvania counties as well. Unlike Hart’s widely used eSlate, the new DRE apparenly cannot be equipped with a voter verifiable paper audit trail printer.
The Virginia Joint Legislative Audit and Review Commission will review the Department of Elections after a series of technical problems that have raised questions about the reliability of the software that powers the state’s voter registration database. VERIS, the registration database has been criticized by users and has presented technical difficulties for registrars.
To the surprise of no one, Rwanda’s controversial President Paul Kagame has won a landslide victory and secured a third term in office and extending his 17 years in power. The election came after a constitutional amendment, reportedly approved by 98% of voters, which ended a two-term limit for presidents and theoretically permits Kagame to remain in power until 2034. In subsequent presidential election, the National Election Commission announced that Kagame won almost 99% of votes cast.
The voting system manufacturer Smartmatic announced that turnout figures in Venezuela’s Constitutional Assembly election were manipulated up by least 1 million votes. The London-based company has provided voting equipment for Venezuela since 2004. In a London news conference, Smartmatic CEO Antonio Mugica said “We know, without any doubt, that the turnout of the recent election for a National Constituent Assembly was manipulated.”