3 ways Michigan elections remain vulnerable — and what the state can do about it

J. Alex Halderman, a computer science professor at the University of Michigan, poses with voting machines his team of student researchers easily hacked to spit out different results than what voters punch in. The machines are used in 18 states. Michigan’s system is more secure because voters fill out paper ballots, which can later be used to double check results. (Bridge photo by Riley Beggin)

LANSING—Around 50 elections officials and analysts met at an outpost of the Lansing City Clerk’s office in June, eagerly awaiting the day’s activity: Piloting a relatively new method for ensuring accurate election results. 

The volunteers — from as near as Delta Township and as far as California — were there to learn an election audit method considered the “gold standard” for verifying votes as the nation barrels toward its first presidential election following widespread Russian tampering in 2016.

The method is known as a risk-limiting audit, which essentially involves hand-counting a statistically significant sample of ballots to be confident election results are accurate. 

A spokesman for the Michigan Secretary of State said it’s one of a handful of techniques the state is testing ahead of the 2020 statewide election, when it will be required to audit elections across the state — a legacy of Proposal 3, the citizen-initiated constitutional amendment passed last November. 

Opinion: Michigan needs vote-by-mail elections
March 2018: As hacking fears mount, Michigan election security gets middling marks​

The fact that the state is required to audit is a new phenomenon; before the amendment passed last fall, the state audited a fixed percentage of precincts after each election but wasn’t bound by law to do so

And that change is good news, elections security experts told Bridge. A robust post-election audit is one of the best ways the state can make sure state elections are protected against hacking or manipulation by foreign or domestic adversaries. 

“Michigan is already in a really good position compared to most other states,” said J. Alex Halderman, a computer science and engineering professor at the University of Michigan who specializes in election security. He is co-chair of a commission of state and national security experts formulating recommendations for the Secretary of State on how to improve Michigan’s election security, which are expected to issue findings by year’s end.

Michigan has paper ballots (as opposed to an electronic-only record of votes), which allows the state to double check election results. Under previous Secretary of State Ruth Johnson, the state purchased new voting machines in 2018, which promised better technology and fewer breakdowns. Michigan is also updating its voter registration system to improve security, Halderman said. 

“That means we are very close to being well-protected against cyber attacks that could try to change results,” he said. 

The operative phrase: Very close

Volunteers unpack ballots from the City of Lansing’s May 7 election to conduct a risk-limiting audit, one of three the state Bureau of Elections planned for June to test whether risk-limiting audits (considered the “gold standard” of elections verification) are feasible for statewide elections. Madison McFarland, right, came from Greene County, Missouri, where she works as an election coordinator to experience the cutting-edge audit method. (Bridge photo by Riley Beggin)

Michigan has $11 million in federal funds to help secure state elections, which Secretary of State Jocelyn Benson said will probably not be enough to implement all the needed changes, “but it’s enough to get us started.” Gov. Gretchen Whitmer approved another $2.5 million to implement Proposal 3 on June 24. 

Michigan still faces vulnerabilities state officials hope to close, however. In interviews with Bridge Magazine, Halderman and Benson outlined the kind of security threats that give them heartburn ahead of the 2020 election. 

“Our goal is to be prepared for the threats we know and also be prepared for emerging threats,” Benson said. “The challenging thing here is the threats are evolving as quickly as we prepare for them.”

Here are three: 

Over-centralization

Despite computer scientists’ best efforts, there’s no such thing as a hack-proof voting machine. But it’s implausible for hackers to try to access each machine individually, Halderman said. Instead, hackers might look for centralized places where they can access multiple machines at once. 

That place, Halderman said, is likely to be an election management system, which elections officials use to program the ballot ahead of an election (for example, to plug in the names of who is running for Governor or state Representative.) 

In Michigan, each county is responsible for programming its ballot ahead of elections. Many use an in-house election management system specific to the county, but many others outsource the job to one of the nation’s three largest elections technology companies.

“If an attacker can get into one of those election management systems, they can spread malicious code to change the way the voting machines count to all of the voting machines in the area that that system covers,” Halderman said. “So the question becomes, how locked down are our election management systems?”

That varies dramatically from place to place. The more decentralized the management systems are, the less likely it is an attacker will be able to affect broad areas. 

Not every state is good about this, Halderman said. In the most egregious case, a single election management system operating out of an office park in Omaha, Neb. programs machines in 34 states and 2,000 jurisdictions. 

“You had better believe that there is an enormous bullseye for the world’s best attackers painted on that central facility.” Halderman said. 

In 2016, roughly 75 percent of Michigan counties outsourced their ballot programming to election management vendors, he said. Now around 63 percent of counties rely on elections technology companies to program their ballots each election, according to data provided by the Michigan Secretary of State’s office — including some of the state’s largest counties such as Wayne and Macomb. 

Michigan counties that program their own ballots 

Overcentralization of election management systems is a potential security threat, said J. Alex Halderman, an election security expert at the University of Michigan. The level of security in each system (used to program ballots ahead of elections) varies from county to county, but counties that program their own ballots help prevent an attack on their system from affecting other areas. 

These Michigan counties program all of their own elections: 

  • Benzie
  • Branch
  • Clare
  • Clinton
  • Eaton
  • Genesee
  • Grand Traverse
  • Gratiot
  • Hillsdale
  • Ingham
  • Ionia
  • Kalamazoo
  • Kent
  • Livingston
  • Mecosta
  • Missaukee
  • Montcalm
  • Muskegon
  • Oakland
  • Oceana
  • Ottawa
  • Sanilac
  • Tuscola
  • VanBuren
  • Washtenaw

Source: Michigan Secretary of State

Counties that program their ballots in-house help assure an attack on their system won’t affect other areas of the state. Though a breach in even a single, highly-populated county (say, Kent, Wayne or Oakland counties) could have a major impact on state results. 

Benson said in May she plans to hire someone to oversee election security statewide and improve and standardize training so local elections officials are prepared for attacks. 

“The people operating the machines need to be trained in how to ensure that they are properly secured, that our ballots are secured, that they can be recounted,” Benson said. 

That’s a reference to Michigan’s recount law, which outlines a number of ways precincts can be made ineligible for recount. In 2017, a fifth of Detroit precincts weren’t eligible for a recount in a tight city clerk race due to poll worker errors. 

Voter registration records

State voter registration systems are also centralized by nature and usually connected to the Internet, Halderman said. A U.S. Senate committee investigation into the 2016 election found that Russian hackers accessed voter registration records in a small number of states and had the ability to change or destroy the data. 

“They chose not to pull the trigger for reasons that have not been publicly disclosed,” Halderman said. If they had, it could have been Election Day chaos: people showing up at the polls only to be told they’re not on the voter registration list. 

“We skirted with disaster in 2016 that way and, fortunately, now that everyone in the election system community is aware that voter registration systems are a potential target, most states are taking steps to better monitor or better secure those systems,” Halderman said. 

Michigan is among those states. In January, Michigan joined the Electronic Registration Information Center, which allows member states to cross-check voter registration data to ensure the rolls are accurate. 

“Although it doesn’t directly guard against cyber intrusions into the voter file – we have other safeguards against that activity, and are considering more – having an accurate and up-to-date voter list could mitigate the damage of any effort to alter or manipulate voter records by making it more noticeable if it were to occur,” said Shawn Starkey, spokesman for Benson’s office. 

Over the last few years, the SOS and Department of Technology, Management and Budget have begun upgrading Michigan’s voter rolls “to prevent unauthorized access and reduce other vulnerabilities,” said another SOS spokesman, Michael Doyle, including changes to who can get into the system and how. 

As of March, the state had spent $10.5 million upgrading the system. The department will consider other security measures once the commission Halderman helps lead releases its recommendations. 

Voter confidence

A democratic government’s legitimacy is only as strong as the faith voters have in it — and as of late, that faith is weak. According to an NPR/Marist poll conducted ahead of the 2018 midterm elections, nearly two in five Americans said elections are unfair. 

The 2016 attack on U.S. elections showed that even without hacking, attackers can cause widespread distrust in government, Halderman said. 

“There’s all kinds of ways that adversaries could try to discredit elections just by making up things that aren’t true,” he said. “If you’re an attacker, the next best thing to actually changing votes is making people think you did change votes.”

That’s a serious problem, Halderman and Benson said. The best defense, Halderman said, is re-engineering the elections system to make it one based on evidence rather than faith. 

Risk-limiting audits use statistical methods that rely on both computer programs and human-generated keys — including a random number compiled by 20 die-rolling volunteers, in the case of the Lansing audit pilot — to ensure election results are accurate. (Bridge photo by Riley Beggin)

Using a risk-limiting audit method, such as the type piloted in Lansing, Halderman said, is one way to ensure the state can give voters confidence that those in office were actually chosen to be there. 

And there’s reason to believe Michiganders yearn for greater security and faith in their elections: Proposal 3, which implemented a variety of voting rights, passed in November with nearly 70 percent of the vote.

“We all need confidence in our voting system,” said Chris Swope, Lansing City Clerk. “In any sort of election you should have some sort of assurance that the reported winner is the actual winner.”

Experts coordinating the audit trial said conducting risk-limiting audits isn’t particularly difficult or expensive — it just requires a lot of preparation. In Colorado, the first state to require statewide risk-limiting audits, it took around eight years to get the system up and running. “It’s definitely a big undertaking,” Swope said, but “hopefully we can learn from them and it won’t take eight years.”

In the meantime, “it’s really important that people still exercise their right to vote,” Halderman said. “If they don’t, then well, you’ve just guaranteed your vote isn’t going to be counted.”

Like what you’re reading in Bridge? Please consider a donation to support our work!

We are a nonprofit Michigan news site focused on issues that impact all citizens. In an era of click bait and biased news, we focus on taking the time to learn both sides of a story before we post it. Bridge stories are always free, but our work costs money. If our journalism helps you understand and love Michigan more, please consider supporting our work. It takes just a moment to donate here.

Pay with VISA Pay with MasterCard Pay with American Express Donate now

Comment Form

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

Comments

Anna
Thu, 07/11/2019 - 3:16pm

The "automatic voter registration" process sometimes works a little too automatically. Two friends of mine who are non-citizen legal residents were offered completed "applications for voter registration" by Michigan Secretary of State personnel in 2016 and 2017 when they renewed or changed their address on their driver's licenses. If they had not been paying close attention, and had signed and returned that form to the Secretary of State person who gave it to them, they too would have become improperly registered voters.

If (and this is pure speculation) someone or some group was paying SOS clerks for completed but unsigned applications to register to vote that could be turned in at a different SOS office, some almost undetectable mischief could be worked by that unscrupulous someone in close races. Imagine some individual activist getting some of those no-excuse or automatic due to age absentee ballots for for city or county offices, or in primaries where 15 or 20 votes in a given election could make a huge difference.

marcia robovitsky
Tue, 07/02/2019 - 10:06am

Talk about NO TRUST in government to run a proper election:
Bloomfield Township has a very controversial ballot question on August 6th.
One question: should there be a S.A.D. (Special Assessment District) for ALL taxable properties @ 2.3 mills for 15 years for Public Safety ?
The SAD will collect over $9 million this December 2019 if it passes. The township already has on the books 4 dedicated millages for Public Safety collecting $23 million per year.

The Vote NO Ballot committee has been using social media and promoting the absentee ballot now that the law has changed. The ABSENTEE BALLOTS arrived in the mail and the directions tell you to use the "secrecy sleeve" when returning the ballot. Well, that "secrecy sleeve" is NOT included in the envelope. The clerk's office said they didn't include it because it wasn't needed. YES IT IS NEEDED.

FYI:
1. The Vote YES Ballot committee was formed June 19, 2019 by the current Treasurer of the Township and the donations go to the Supervisor's home address.
2. The Supervisor reported at a Town Hall meeting intended to "explain" the issue ... that the Yes group has over $60,000 to spend.
3. There was an ad placed by this group before the committee was legally formed. That ad used a P.O. Box which is not part of the legal document.
4. The Township elected and other employees have been seen using township vehicles on work days with lawn signs in the vehicles and being placed throughout the township. The lawn signs have Bl. Twp. employees in uniform with township insignia clearly showing.
5. So many of us in Bloomfield Township want to know why this local government can get away with conflict of interest, violations of the Hatch Act and other laws.
6. There was a FOIA written by the Supervisor that was honored by the Clerk and therefore thousands of emails of township residents were given to the Supervisor to use for THEIR use to promote THEIR slate in the 2016 local election. Even though a trip to Lansing to report this violation by three citizens with documents, nothing happened. The same Supervisor and Clerk and a new Treasurer are running... or should I say... ruining... our township today. MY OPINION.

marcia robovitsky
Tue, 07/02/2019 - 10:12am

marcia robovitsky
Tue, 07/02/2019 - 10:07am

marcia robovitsky
Tue, 07/02/2019 - 10:01am

Talk about NO TRUST in government to run a proper election:
Bloomfield Township has a very controversial ballot question on August 6th.
One question: should there be a S.A.D. (Special Assessment District) for ALL taxable properties @ 2.3 mills for 15 years for Public Safety ?
The SAD will collect over $9 million this December 2019 if it passes. The township already has on the books 4 dedicated millages for Public Safety collecting $23 million per year.

The Vote NO Ballot committee has been using social media and promoting the absentee ballot now that the law has changed. The ABSENTEE BALLOTS arrived in the mail and the directions tell you to use the "secrecy sleeve" when returning the ballot. Well, that "secrecy sleeve" is NOT included in the envelope. The clerk's office said they didn't include it because it wasn't needed. YES, IT IS NEEDED !

FYI:
1. The Vote YES Ballot committee was formed June 19, 2019 by the current Treasurer of the Township and the donations go to the Supervisor's home address.
2. The Supervisor reported at a Town Hall meeting intended to "explain" the issue ... that the Yes group has over $60,000 to spend.
3. There was an ad placed by this group before the committee was legally formed. That ad used a P.O. Box which is not part of the legal document.
4. The Township elected and other employees have been seen using township vehicles on work days with lawn signs in the vehicles and being placed throughout the township.
5. So many of us in Bloomfield Township want to know why this local government can get away with conflict of interest, violations of the Hatch Act and other laws.
6. There was a FOIA written by the Supervisor that was honored by the Clerk and thousands of emails of township residents were given to the Supervisor to use for THEIR use to promote THEIR slate in the 2016 local election. Even though a trip to Lansing to report this violation by three citizens with documents, nothing happened. The same Supervisor and Clerk and a new Treasurer are running... or should I say... ruining... our township today. MY OPINION.

JR
Tue, 07/02/2019 - 11:13am

This article is very reassuring. Keep up the good work, Michigan. As a private citizen with a background in data management, the issue of election security has kept me up at night as well.

I have often wondered why we connect voting machines to the internet at all. I understand that it is more convenient to load software over the internet, to report results back to county clerks' offices that way, and then send those results on to the state electronically, but internet access is the weakest link in election security Even modern encryption can sometimes be broken. In addition to the above measures, wouldn't it be more secure to download results to a physical medium and safely hand carry those results to clerks' offices for collation rather than trust the internet to reliably transport the data? Air gapping the voting system would be the ultimate decentralization method and would eliminate hacking as a threat, even if it resulted in delay in reporting results. Technology doesn't always improve systems.

Related to this, I believe that there is also threat inherent in state sunshine laws that have allowed any person to buy, publish and sell voter records on the web. If you have never considered this, I'd suggest you search your name electronically with the word "voter." In most cases you will find up to date information on yourself, your declared political affiliation, and information on voting members of your family. If there is public value in making that information available I would argue that purchasers should be required to physically travel to Secretaries of State or clerks' offices as they were pre-internet, pay a fee to have the information copied for them in non digital form, and swear under penalty of law not to share that information. Further, search engines should be required to expunge links to the current databases as a privacy protection measure. Am I an old fogey? Probably, but consider for a moment the threat of having this information widely available on the web, both from the perspective of election security and identity theft.

Don
Tue, 07/02/2019 - 11:21am

In 2016 Ruth johnson the republicans security of state destroyed 75000 ballots from Detroit. NO one BUT she seen them. She gave Michigan to tRUMP NOT any russian hackers>> But what bugs me the most is that Detroit Mayor Duggan went along with her!!!

Barb
Tue, 07/02/2019 - 12:56pm

Proof?

Geoffrey Owen
Tue, 07/02/2019 - 12:27pm

Very good article. Left me feeling more insecure than I felt before. I read the statute on recounts and given the way lawyers will attempt to block and challenge recount provisions I wasn't encouraged. The 2016 election was decided in Michigan by a very slim margin and when a recount was requested it was challenged. A week before the election the polls showed 0% for Trump in Detroit. It was reported that 75,000 Detrot ballots undercounted and had no vote for president. While it is possible that a few people could have manually and visually verified these results in a reasonable time it was deemed out of the question. Also given that the possibility for errors made by poll workers as simple as placing the ballots in the wrong box or noting the wrong machine number would throw them out, as noted recently in a cited Detroit Election, it seems to easy to disqualify 10,000 votes in a few places and change the results. The issue of what happens on or after election day with absentee and provisional ballots may also influence the outcome of razor thin margins and influenced by legal challenges during a recount. As for the centralized managment issue with 34 states using one source in Nebraska, where is the national oversight? According to the SCOTUS decision, the Federal Courts have no jurisdiction over partisan influence of the elections as far as gerrymandering is concerned, but a wider interpretation could include election management. As for the core problem of foreign interference we have only the president's assurance the Putin says he didn't interfere in 2016 and won't interfere in 2020. We have a predient operating under his explanation that he won by a landslide, where in fact had 39,000 votes been switched the outcome would have changed. Add to this the fact that the constitution never gave us a right to vote in the first place and we are left with the conclusion that the will of the people is but an illusion.

Nick Ciaramitaro
Tue, 07/02/2019 - 3:08pm

Michigan has a paper trail and a mostly de-centralized system of programing vote counting computers which are not hooked up to the internet. It is one of the most secure systems around. But, as the article points out, new hacking techniques are being invented everyday and so we must be vigilant. No system is perfect but thanks to Secretary Benson's efforts I'm confident that we will remain one of the best.

Anonymous
Tue, 07/02/2019 - 5:48pm

Published in AmericanThinker.com, 26 Aug 18
The solons of our sophisticated society assure us that there is no election fraud. Concerns about elections in which non citizens participate and fanatical partisans vote multiple times are dismissed as a paranoid right wing fantasy. "Russian hacking" of our elections is the current grind, but our officials have not been able to demonstrate what was hacked, much less for whom, so they assure us that our votes were safe.

This last week, I got woke.

My household suffered its third assault on our ballots in four years. Fortunately, I served as a city commissioner in Kentwood, Michigan for four years (until last fall) and had the means and the motive to trace the foul-ups to our city clerk's office. These are people I know and trust. They are good people who made some very human mistakes, but these effectively denied me and my wife our votes. I wrote up the first two on the blog I kept as a city commissioner and link to them.

1. I always vote absentee. In July 2016, my ballot return envelope had the return address of the city hall in Saline, Michigan (at the other end of the state) and would have been lost. I, my neighbor, and 57 others noted the error and got corrected envelopes. The fiasco was traced to a mix-up in the printing press where many cities have their ballots prepared and mailed.

2. July 2015, my wife needed to vote absentee for the first time and asked for the ballot. The envelope to return her ballot lacked an address but happened to have our return home address so came back. I hand-delivered it. The clerk had reached into a box of envelopes that she thought had been stamped with the return address, but some weren't.

3. I got a call from the Kent County election clerk this last week. The office had sent me a certificate of election to a minor office in the Libertarian Party as a precinct delegate – but I had not gotten even one vote, so the clerk apologized, as I could not be a state-approved delegate. Well, I knew I had voted for myself on the absentee, so I insisted that he look it up in the official county log. He stated that there were zero votes for Haas in Kentwoods 14th precinct.

So I called our city clerk, who found my original ballot, marked with my self-vote. It seems that the precinct delegates are not considered for the automatic "tape" that goes in on election night and is the main focus of the clerk's attention. These minor-office elections are handled manually, and she (assistant clerk and a very nice person) had forgotten to file the paperwork. She would correct it.

These three lapses would have resulted in votes not being counted if we had gone on vacation for a few weeks and not gotten the message in time. It's a slipshod way of doing things.

I offer three other lapses in collecting the votes here in Michigan.

4 and 5. These are courtesy of Bill Hall, chair of the Libertarian Party of Michigan. The absentee ballot in Laketon Township in Allegan County referred to the "two parties" instead of the three that would have included the Libertarian Party, which has just gotten major party status. The clerk promised to try to correct the problem for the primary election. In the second, Southfield, Michigan had similar misdirections to "two parties," but the city clerk acted insulted when the blunder was pointed out to her.

6. The irregularities ascribed to incompetent election-workers in Detroit precincts that would have voided half the vote in Nov. 2016 had the law been properly applied have been reported on but been passed off as the equivalent of hearing problems in an old folks' home.

I report these lapses to bring it home to Michigan voters that they should look critically at their election material. Are addresses correct and present? Are the directions correct?

We must point out to elected officials that they have to be careful about details. Elections are too important to be left in the hands of poorly trained or sloppy clerks at the point where they are gathered.

Erwin Haas is a former flight surgeon in Vietnam, Kentwood city commissioner, and assistant clinical professor of medicine at Michigan State. He is running as a Libertarian for Michigan's 26th state Senate district. His blog is here.

Marlene Augst
Wed, 07/03/2019 - 8:59am

I see nothing in here about verification those who are registering to vote ARE IN FACT CITIZENS as it is being reported ALL OVER the country thousands of non citizens are being registered to vote. According to the Hispanic Pew Research Center 3 million non citizens voted in the 2004 election, THAT WAS 2004!

Bones
Mon, 07/08/2019 - 9:59pm

GTFO with your fake news trash

Diana
Wed, 07/10/2019 - 8:39am

Paper voting along with electronic is key. Voter ID voting is also key so we avoid non citizens from voting.