The Myth of the Voting Machine Air Gap

One of the great myths of our election system is that voting machines are “air gapped”. In other words, they are neither networked together nor connected to the internet – rather the local data is recorded on a medium such as a memory stick or CD and transported to a central location where it is loaded onto a computer which “tabulates” or adds up the votes. Let’s look at the election systems provided by three different companies – Dominion Voting, Scytl, and ES&S vote to determine whether election data or results are ever electronically transmitted in a way that might leave this critical information vulnerable to being altered.

Dominion Voting Systems

Here is a typical diagram provided by a voting machine company — in this case Dominion Voting Systems — showing how votes are tabulated and reported. The diagram below shows an “air gap” between “XSLT Transformations to any Data Format” and the “Results Publishing Server”.

First, is this plausible? Are they saying the data is hand-carried to the publishing server? This server may be hundreds of miles away from a given

Second, what about the rest of the system? How do you votes get from the precincts to the “central site” where they are tallied? No air gap here.

 

The process of adding up the votes for the candidates is known as tallying, or tabulation. How hard would it be to access these tallying systems illicitly? Not hard enough. This New York Times article by Kim Zetter describes how easily a county-level vote tallying computer could be remotely accessed.


Further, as reported in CSO, these voting and tallying systems could be compromised by a third party  —  someone logged on remotely using the credentials, of an insider – for example an election official or a voting machine company employee.

In order to understand better how these systems work we took a close look at the technologies provided by two more of these companies – Scytl and ES&S.

Scytl

Founded and based in Barcelona, Scytl has offices worldwide, including one in Tampa, Florida.

Scytl was used by 31% of Electoral Jurisdictions during the 2016 US Election – 36% of voters benefited from Scytl technology. (image: scytl.png)

Let’s take a close look at the election systems this company creates – starting with a 2010 patent for the company’s system for “Secure and Verifiable Consolidation of the Results of Election Processes”.

Is this system networked? Why yes it is.

The security this patent provides is simply a “validation test”. This means it sends a request back through the same network, to the same source of information, and asks that source of information if they are who they say they are. All well and good. But what if a login has been spoofed? What if the source is NOT what it says it is?

In plain English  this means that these systems are fairly secure as long as no bad actor can log into the system using the credentials of an election official or election company employee.

ES&S Vote

How common is this type of networking? https://www.michigan.gov/documents/localgov/7700120_559033_7.pdf

DS200 – optional items – landline or wireless modem.

Note 6: Regional Results Transmission is a software application that can be installed on any Windows 7 computer. It can be used to transmit results from a DS200
election stick directly to the county. It is very similar to using a DS200 with an internal wireless modem to transfer results, only instead of using an internal wireless modem, the stick with results is removed from the DS200 after poll closing and inserted into a computer running the Regional Results application. Regional Results processes the data on the stick and automatically transfers the results to the county. It does this by establishing a direct Secure File Transfer Protocol (SFTP) connection to the county’s secure server.

Using Regional Results Transmission is not mandatory but has many helpful uses that could benefit Michigan counties and local jurisdictions. The first example involves a county that chooses not to use internal wireless modems in their DS200’s. After the polls have been closed, the DS200 results sticks could be driven to the local jurisdiction’s election headquarters. Using Regional Results, the locals could quickly and securely transmit all of their election results directly to the county just by inserting the sticks into the Regional Results computer. A second example involves Michigan Counties using the DS200 at their AV Counting Board locations, who could transmit results directly to the county using Regional Results. And finally, the Regional Results application can be used to supplement wireless modeming directly from the DS200’s. Many of our customers who modem from the DS200 choose to set up a few “regional transmission sites” around their county. These locations are for emergency use only should the DS200 be unable to connect to a cellular tower due to a weak signal. In that situation, the pollworker removes the results USB stick from the DS200 and brings it to the nearest regional site, where the data can be securely transferred to the county using the Regional Results application.