Skip Navigation
Analysis

There Is Shockingly Little Oversight of Private Companies That Create Voting Technologies

Failure to engage in real oversight of their practices leaves our elections vulnerable to breakdown and attack.

voting machines
The Washington Post / Contributor

This op-ed origin­ally appeared in Slate. 

The Iowa caucuses debacle was a reminder of some of the most import­ant prin­ciples in elec­tion secur­ity, among them that trans­par­ency in elec­tions is import­antpaper ballot backups are crucial to ensur­ing an accur­ate countvoting should not take place on smart­phone apps, and running elec­tions should be left to profes­sion­als. But miss­ing from the round-the-clock media cover­age was another valu­able lesson from Iowa: Private tech compan­ies are cent­ral to our elec­tions, and our fail­ure to engage in real over­sight of their prac­tices leaves our elec­tions vulner­able to break­down and attack.

The report­ing in the after­math of Iowa iden­ti­fied a 6-month-old private tech company called Shadow as the supplier of the failed app at the root of the mess. In an attempt to help precinct captains report out three separ­ate sets of results, the Iowa Demo­cratic Party had paid Shadow $60,000 to develop an app to convey the vote totals. Precincts would take and upload pictures of results, which would go to party headquar­ters. But on caucus day, the app failed, as did backup phone lines. This promp­ted many to ask how some­thing as import­ant as report­ing vote totals in a pres­id­en­tial elec­tion could be left in the hands of a shoes­tring tech company. The follow-up ques­tion should have been: What are the controls on private vendors that sell the equip­ment and tech­no­logy that run our elec­tions?

Elec­tion offi­cials from across the coun­try buy much of their elec­tion infra­struc­ture from private vendors. These compan­ies build and main­tain regis­tra­tion data­bases. They create elec­tion websites that explain how to register and where to vote. They manu­fac­ture and config­ure voting machines. Yet unlike vendors in sectors the federal govern­ment has desig­nated as “crit­ical infra­struc­ture”—like defense and energy—compan­ies in the elec­tion tech­no­logy space oper­ate under very little federal regu­la­tion. While voting systems face some func­tional require­ments through volun­tary submis­sion to federal test­ing and certi­fic­a­tion, vendors them­selves are largely free from over­sight.

That leaves the public—and elec­tion offi­cials—in the dark about key inform­a­tion. For example, vendors don’t have to disclose whether or not they’re controlled by foreign nation­als, share inform­a­tion about the supply chain for parts they use, or reveal their employee screen­ing and cyber­se­cur­ity prac­tices. Vendors aren’t even required under federal law to report if they’ve been hacked.

There needs to be more over­sight of these crit­ical play­ers in our elec­tions. While state and local govern­ments are primar­ily respons­ible for running elec­tions, only the federal govern­ment has the resources and consti­tu­tional respons­ib­il­ity to ensure that the more than 8,000 local elec­tion juris­dic­tions can safe­guard federal elec­tions from insec­ure vendor prac­tices.

Unfor­tu­nately, compre­hens­ive federal over­sight is not likely to happen in the next nine months. So what can be done to protect our elec­tions in 2020?

A lot. Most import­ant of all, state and local elec­tion offi­cials must double down on resi­li­ency plans to detect and recover from cyber­at­tacks or malfunc­tions with crit­ical systems like elec­tronic poll books and voting machines.

Consider the elec­tions happen­ing on Super Tues­day. In many polling places, poll work­ers will use elec­tronic poll books, laptops, or tablets (gener­ally built and main­tained by private vendors) instead of paper lists to look up voters as they arrive. When they func­tion prop­erly, elec­tronic poll books exped­ite the admin­is­tra­tion process and shorten lines. But when they fail, they can bring polling loca­tions to a stand­still. Of the 14 states hold­ing primar­ies on Super Tues­day, 11 use elec­tronic poll books. (The excep­tions are Maine, Oklahoma, and Vermont.)

Every state that uses elec­tronic poll books should ensure that paper backups are required in the polling place. That way, if the elec­tronic poll books fail or show inac­cur­ate inform­a­tion, poll work­ers can turn to the backup to process voters, instead of forcing them to wait hours for the prob­lem to be fixed, or turn­ing them away, as happened in Indi­ana in 2018 and Durham County, North Caro­lina, in 2016.

Voting machines also need contin­gency plans in case of fail­ure. Three voting system vendors control about 90 percent of the voting machine market, and these and other private compan­ies program the files needed for those systems to func­tion.

Most juris­dic­tions use optical-scan voting machines as their primary polling place equip­ment. For these systems, voters fill out a paper ballot by hand. So even if the scan­ner that reads the ballots goes down, voters can still vote, and poll work­ers can store their completed ballots until machines are fixed or count them after the polls close.

That’s not true in the 20 states where a signi­fic­ant number of voters use elec­tronic voting machines to directly mark or cast their ballots. In those states, includ­ing many counties in the Super Tues­day states of Arkan­sas, Cali­for­nia, North Caro­lina, Tennessee, Texas, and Utah, voting machine break­downs mean voters have no way to fill out their ballots if elec­tion offi­cials haven’t supplied the polling place with emer­gency paper ballots. That’s why the Bren­nan Center, where we work, has recom­men­ded such states require emer­gency ballots for two to three hours’ worth of peak voting activ­ity. It is crit­ical that all polling places in these states that use such machines have enough emer­gency paper ballots to get them through system fail­ures; too many have failed to make that a require­ment in the past.

Finally, all states should conduct postelec­tion audits that can spot soft­ware errors in vote tallies and fix them. These audits entail a manual check to ensure that the voting machines recor­ded votes accur­ately, performed before certi­fy­ing elec­tion results. Offi­cials compare some percent­age of paper records to the vote tally repor­ted by the voting system soft­ware. Half of all states require such audits.

Nearly 90 percent of Amer­ic­ans vote on paper ballots or systems that produce redund­ant paper records of their votes, and that includes voters in all Super Tues­day states except Texas and Tennessee (where some but not all voters will vote on paper). But paper ballots only add secur­ity if we use them to check and correct the soft­ware on the voting machines that report vote totals.

None of these resi­li­ency recom­mend­a­tions cost much money or require new tech­no­logy. Given everything we know—­from the warn­ings of intel­li­gence offi­cials to the lack of vendor over­sight—these prepar­a­tions are the least we can do to ensure all Amer­ic­ans can vote with confid­ence this year.