Summary: Dominion Voting, one of the nation's largest voting-machine vendors, uses the internet to deliver voting-machine software to local election officials before each election. Local election clerks can be so naive that they will proudly say "The voting machines are never connected to the internet," and genuinely believe that protects the software--even though they themselves downloaded the machines' software from Dominion's website onto a county computer, from which they made copies for each voting machine.
* * *
Before we talk about Dominion in particular, a reminder about the basics: In Wisconsin (like everywhere else), every voting machine system (like every other computer) is hackable. Even if never connected to the internet, every working computer contains software copied from some other computer. And hacks don't need to come in over the internet: Every computer is programmed by normally fallible humans who occasionally have motive, means, and opportunity for fraud.
That's why every responsible manager, including every elections official, must routinely audit their computers' output (that is, our election results).
Now, about Dominion Voting Systems and their Imagecast Evolution (ICE) machine.
Voters and reporters in the 12 Wisconsin counties* using ICE voting machines believe that their voting machines are never connected to the internet. What they probably don't know is that (except for Fond du Lac County), their vote-counting software was downloaded from the internet anyway.
The software in our voting machines has to be updated for every election, because each election has a unique set of races and candidates. No election official in Wisconsin has the ability or authority to write these programs by themselves. They either send the information to an out-of-state vendor who will write the programs for them, or they use an app provided by their voting-machine vendor to compile the vote-counting instructions themselves.
Typically, when an outside vendor writes the software for voting machines, they will deliver it to the local election officials on portable media (something like a USB drive, an SD card, or a "PROM" pack) via courier or FedEx.
But Dominion Voting, a corporation headquartered in Toronto and Denver, emails the county clerk when the software is complete, and the county clerk then downloads the software from the Dominion website.
I first discovered this last year, when I was contacting the county clerks in an attempt to inventory their current security practices; get a read on their level of understanding of the risks; and assess their receptivity to the idea of protective election audits.
Here's how it works: In Wisconsin, it's the municipalities that own and operate the voting machines, but because the county clerk has overall responsibility for designing and printing the ballots and reporting the election results, municipalities in most counties cooperate to buy the same voting-machine system. They then rely on the county clerk to handle the machine preparation before each election.
The first four Dominion-ICE-using county clerks I interviewed were happy and proud to explain to me their pre-election procedures. When they get the email from Dominion before every election, they download the tabulation software to a county computer from the Dominion website; save it onto an SD card; copy it onto the county elections-management computer (which is never connected to the internet!), and from there copy it onto portable media to give to the municipal clerks to load into the individual voting machines.
As I spoke with them, I was trying hard to stay completely in a fact-gathering mode, to understand their point of view without influencing it. So I was trying hard to avoid asking follow-up questions like "Are you JOKING?!?!?).
But I do not have a poker face, and one clerk picked up on my discomfort. She patiently explained to me that it was safe to send voting-machine software over the internet because the Dominion website was secure and wouldn't let her get to the software without a password. And because she downloads the software to a different computer--not the central county elections-management computer or any individual voting machine--she assured me that the local elections equipment stays "air-gapped" and secure.
I didn't ask, but I imagined her thinking that any malicious code can be erased by waving the SD card through the air.
Yes, that is the level of IT sophistication typical of local election officials.
The fifth ICE user I spoke with was the atypical Lisa Freiberg, Fond du Lac County Clerk. Whew.
Freiberg has enough IT sophistication and backbone that, when Dominion suggested to her that she rely on them to write the program updates and download the software via internet, she refused. Instead, she obtained from Dominion software that she maintains on the county elections-management computer. She uses that software before each election to design the ballots and write the instructions the voting machines will use to count the votes. When I interviewed her in July 2018, she believed she was the only ICE user in the state who refuses delivery of the voting-machine software via the internet.
ICE is not the only voting system that Dominion offers or supports, and I don't know if the company sends any other system's software out over the internet. But even without being an IT professional, I can see some of the opportunities this practice might offer to those who would like to manipulate our elections.
When even the New York Times cannot protect its email from hackers, we cannot expect the deputy clerk in a rural Wisconsin county to know not to open an email containing malicious code that will allow hackers to intercept the next download from Dominion. Once they've got the rural county's ICE software, they can use that knowledge to interfere with the next election in any other county that uses Dominion software.
This one problem could easily be fixed, as Freiberg demonstrated. Dominion ICE users could simply refuse to download software over the internet, and work with their vendor to find a different way.
Less easily fixed is Dominion's way of doing business. Why did Freiberg even have to ask for an alternate method of obtaining the software? Does Dominion itself understand the risks to election security and voter confidence?
And it's not just this one slip-up. Independent observers and experts have expressed serious concerns about the design of the system. Other serious concerns are:
- The ICE system is designed in a way that would allow someone to program it to print additional votes on a ballot after the voter has cast it. This feature renders elections conducted on these machines unauditable, because the ballots were not secured from alteration after leaving the voters' hands.
- The ballot-printing feature of the system records voters' selections in the form of barcodes printed on the ballots, which the tabulator reads when it counts the votes. This means that the voters are unable to verify that the counted votes are the ones they intended to cast.
- The ICE system incorporates a feature known to security advocates as "permission to cheat." A voter who uses the touchscreen to mark his or her votes can choose to have the machine count the votes and drop the printed ballot into the bin without the voter's review--essentially giving the computer programmers permission to cheat. Security advocates (and common sense) insist that voters MUST verify the integrity of the printed ballot if election results are to be trustworthy.
Arguably more than any other voting system, the Dominion ICE is the target of voter concern, even outrage. The most direct, immediate solution is for candidates and voters to demand that no more counties buy the ICE system, and to demand that their election officials who already use it follow the Fond du Lac county clerk's example and refuse to download software over the internet.
Beyond that, we need to take action to make Dominion take security seriously or to prohibit use of their products. The ICE system could be decertified at either the state or federal level, and federal legislation could prohibit the use of voting systems capable of changing voters' ballots after they have been cast.
* Door, Fond du Lac, Grant, Green, Ozaukee, Racine, Trempealeau (one municipality), Vilas, Walworth, Washington, Waupaca (four municipalities), and Winnebago Counties