The purpose of a risk limiting audit (the topic of this thread!) is to efficiently determine if the tallying process gets the correct outcome. That's an important defense against hacking.

Social engineering / misinformation / disinformation is an important topic as well, but that's outside of the election system, in the sense that we can't fight misinformation by improving how our voting machines work. That said, fighting misinformation is a huge challenge that election officials now face. (Summary of the issues from the Brennan Center.)

This sounds like an attempt at voter intimidation, which can be a violation of federal and/or state laws. Here's the ACLU explainer.

There are a lot of variations on this, so I'm going to assume we're talking about how Microsoft's ElectionGuard project would work in the context of a ballot marking device. (I've written some of the code being used in ElectionGuard.)

Once the voter finishes specifying their vote, the machine computes an encrypted version of their vote. It's public key encryption, where the voting machine only knows the public key, so only the election official (or a group of election trustees working together, using a technique called threshold cryptography) can do the decryption.

The voting machine can also compute the hash of that encrypted ballot, and then hand it back to the voter, perhaps on a small receipt printer. Now here's the fun part: all the encrypted ballots for the entire election will be posted on some public web server somewhere. And you'll be able to use your receipt and figure out that a ballot matching your hash is right there where it's supposed to be. And now here's the crazy fun part: you can add all the encrypted ballots without first decrypting them. This is called an additive homomorphism. Every election observer can compute this same value, and compare it to the value that's ultimately decrypted by the election official, who provides a cryptographic proof that they did the decryption correctly. So, anybody can validate that their encrypted ballot is part of the big total and that the big total was decrypted correctly. But your receipt doesn't let you sell your vote, since it's the hash of an encrypted ballot, and that ballot is never individually decrypted. (This paragraph summarizes the "counted as cast" property.)

But wait, you ask, why should I believe that my ballot was correctly encrypted in the first place? Turns out, there are a number of independent ways to prove this.

1. Your paper ballot, which is human readable, includes the hash of your ciphertext below it. A risk-limiting audit would, for each ballot being audited, recompute the encryption of the ballot, based on the human-readable text, and make sure that the hash matches.
2. Ballots that are spoiled aren't tabulated. That means it's safe for the election official to decrypt those spoiled ballots. So we could create a process where regular voters and/or trained auditors are allowed to keep copies of spoiled ballots, and we'll check later on whether the human-readable text matches up with the ciphertext.

The cool trick here is that the machine doesn't know which ballots will be cast and which will be audited, so if it's going to cheat, it needs to cheat before it knows whether it might be caught. This is called a Benaloh challenge. Josh Benaloh is also, not coincidentally, one of the designers behind Microsoft's ElectionGuard.

Not just time, but the motivation and funds to change.

What is being done to secure elections against vote trafficking/muling?

Given the perceived vulnerabilities of electronic voting machines to remote bad actors, as well as the scalability for one bad actor to effect a large swath of machines, what are your thoughts on just reverting back to an entirely paper system? Is there a reason this would not be more secure?

Two questions: first, what reasonable questions about election security can or should be raised for elections with fully paper ballots? What about those without?

Second, are there any major real-world known cases of voting machine interference that have affected a democratic outcome, in the US or elsewhere?

Thank you for offering to answer our questions.

Not to mention electoral college and gerrymandering. Or the fact that federal elections aren't federally regulated. States can do whatever the hell they want as long as in the end, their electors produce their handful of votes.

The electors aren't even required to vote according to the states outcome!

U.S. elections are quite unusual relative to most other countries. Of particular note, we're often asked to vote on a huge number of contests. My ballot in Houston, Texas has I think 93 contests or propositions on it. This means that we require automation in order to get timely and accurate results. And therefore we must have computers around, but we need processes like risk limiting audits (the topic of this post!) to mitigate against the risks of malware or tampering with the computers.

Several countries are currently experimenting with Internet voting (Estonia, Switzerland, Canada, and more). This creates a variety of new risks that are harder to mitigate. What do you do to prevent malware on a voter's computer from tampering with their vote? What do you do to protect the servers against denial of service attacks? For contrast, consider that a paper ballot, whether marked by hand or by machine, once it gets into a ballot box, is beyond the reach of even the most sophisticated Internet attacker. There's nothing a foreign nation-state adversary can do over the Internet to modify ink on paper!

Of course, the real world is never quite so simple. I had the chance once to speak with Swiss officials about this, and they pointed out how 40% of Swiss nationals are physically outside the borders of Switzerland at any given time. And they might vote five times per year. Perhaps unsurprisingly, there's a strong demand for Internet voting, and an ongoing challenge to see if they can mitigate against those risks.

Not technology-related, why do you think armed militia types are guarding ballot boxes?

We summarize the adoption of RLAs in the article linked at the top. The idea is about a decade old and is growing in popularity among election officials.

That’s interesting. How is verification that your vote correctly tabulated your choice achieved without giving you proof another person would recognize?

To be absolutely clear, there is no evidence of any tampering with the 2020 presidential election. We have high confidence that the election outcome was correct.

Here's the crazy part: there's nothing inconsistent with the above statement and saying that there are a number of security weaknesses in our election systems that we need to improve. We'd love to see more states adopt risk-limiting audits (the topic of this post!), which would improve our confidence in their elections. Similarly, it's great that the older generation of paperless electronic voting systems are being replaced with newer machines that use paper ballots. This helps mitigate against the worst risks of malware or tampering with voting systems' software.

Is there an inadvertent strength against systemic hacking since the US has so many different types of voting machines and laws?

For starters, the modern Dominion equipment uses a printed paper ballot. This means that every voter can (and should!) take the time to read the paper ballot that the machine produces and, if something is wrong, they can "spoil" their ballot and do it again. This is an important defense against any hypothetical tampering or malware with the software inside the machines.

After that, you're not being asked to trust machines. You're being asked to trust process. Those paper ballots travel in ballot boxes that are suitably sealed. Election officials tabulate the paper ballots with election observers and the press watching what they do. Georgia also did a risk-limiting audit (the topic of this Reddit post!) during the 2020 election which confirmed the result in the presidential race. (More details: Carter Center report, Georgia SoS's page)

As you might imagine, there's a lot more to it than I can summarize in a few paragraphs, but you should have some comfort that the combination of certification & testing, plus the use of the right kinds of policies & procedures, are where we gain confidence in our election systems.

There's an entire academic discipline dedicated to the world of election integrity, and an important technique that's crossing the divide from academia to practice is called "end-to-end verifiable elections". Without getting lost in the technical details of how and why different encryption techniques are used, all of these voting systems generally include a concept called a "public bulletin board". If you squint at it, there isn't all that much difference between a public bulletin board and a blockchain. Both use cryptographic hash functions to build linear chains or tree-like structures.

The essential difference is that blockchains are "decentralized", which means that nobody is in charge. Instead, a series of unrelated parties reach a consensus as to what the blockchain means. In an election, however, all the parties are known in advance, and disputes are generally resolved through administrative processes or lawsuits. This means that public bulletin boards don't need consensus mechanisms. Instead, they're generally about publishing encrypted votes in such a way that a voter can verify that their vote was "counted as cast" (i.e., you get a strong proof that your vote was tabulated exactly as you cast it) as well as "cast as intended" (i.e., the machine didn't misinterpret your vote as you cast it). The exciting part of the cryptography is that we can achieve both of these properties without allowing you, the voter, to have enough evidence to be able to prove to anybody else how you voted (so, we don't enable bribery or coercion).

Assuming the basic voting equipment is secure, how secure are the systems for agglomerating all those individual counts against, say, hacking or social engineering?

Physical security (or, if you prefer, "chain of custody") is essential to all elections. Even if we're talking about hand-marked and hand-counted paper ballots, we still need to ensure that ballot boxes were sealed properly, transported properly, and guarded properly. Of course, when you add computers to the mix, physical security is even more important. This is an important reason for having post-election audits, like the RLAs we talk about in the linked article at the top of this post. An efficient post-election audit allows for discrepancies to be discovered before an election result is certified.

For more AMAs on this topic, subscribe to r/IAmA_Academic, and check out our other topic-specific AMA subreddits here.

The current business model of elections is that the vendors have no requirements for open source, but they do have the requirement that their systems are subject to certification and testing. The certification process requires the vendors to share their source code with the testing labs.

For what it's worth, there have been a number of attempts at doing an open source voting system that could be commercially viable in the U.S. market, but none of them have achieved significant market share to date, except perhaps the Los Angeles VSAP system, but the source code isn't actually open yet (article from 2018, but I don't think anything has changed since then).

(I do consulting with another open source vendor, VotingWorks.)

Several years ago, when Dominion voting machines were first introduced into Georgia, NPR ran an article that associated them with large donations to the Republican party.

Why should we trust/not trust Dominion to deliver unadulterated voting results?

Am I crazy to think the Q-Anon morons might be right, but not for the correct reasons.

How do you feel about the overall election security of the 2020 presidential race? Do you think there was any significant security gaps that heavily impacted the result?

Physical security remains crucially important for risk-limiting audits as it requires the set of ballots cast by voters not to be altered (reflecting the set of legitimate cast ballots).

Part of the issue is that elections are managed by municipalities. States have different rules and inside of states many counties have their own rules.

For a long time, hiding source code was thought to improve security. Voting machines are expected to last 10-20 years so it takes time to move to more modern notions of what makes something "secure."

They have been used in Colorado for years, Rhode Island and Georgia in 2020. In addition, they have been used in counties in California, Indiana, and Illinois. Pilots have been done in at least 10 states.