This scientist is making an attempt to create an accessible, unhackable voting machine

This text was initially revealed on Undark. Learn the unique article.

In late 2020, a big field arrived at Juan Gilbert’s workplace on the College of Florida. The pc science professor had been on the lookout for this sort of product for months. Earlier orders had yielded poor outcomes. This time, although, he was optimistic.

Gilbert drove the bundle dwelling. Inside was a clear field, constructed by a French firm and geared up with a 27-inch contact display screen. Nearly instantly, Gilbert started modifying it. He put a printer inside and linked the machine to Prime III, the voting system he has been constructing because the first time period of the George W. Bush administration.

After 19 years of constructing, tinkering, and testing, he informed Undark this spring, he had lastly invented “essentially the most safe voting know-how ever created.”

Gilbert didn’t simply need to publish a paper outlining his findings. He wished the election safety group to acknowledge what he’d completed—to acknowledge that this was, the truth is, a breakthrough. Within the spring of 2022, he emailed a number of of essentially the most revered and vocal critics of voting know-how, together with Andrew Appel, a pc scientist at Princeton College. He issued a easy problem: Hack my machine.

Their entry could be unfettered—no tamper-evident seals to keep away from, chain-of-custody procedures to subvert, or mock ballot staff to dupe—and so they’d need to conform to just one situation: Flip each vote to the identical candidate.

By this level, Gilbert had revealed a video of his ballot-marking machine, or BMD, in motion, however he was uncertain how the hacking group would reply. “There’s part of that group that’s very assured in what they do,” he mentioned. “And in the event that they hear the way it works, they might run away from it.”

After almost twenty years within the election house, Gilbert knew he was leaping feet-first into maybe essentially the most contentious debate over election administration in the USA—what function, if any, touch-screen ballot-marking units ought to play within the voting course of. Federal regulation requires polling websites to have at the very least one voting machine on-site that may serve voters with disabilities, and at the very least 30% of votes had been forged on some type of machine within the 2020 normal election, as opposed a hand-marked poll.

A curbside voting machine stands in a parking lot in South Carolina
A curbside voting machine stands in a parking zone in Charleston, South Carolina. Voters 65 and older and people who find themselves unable to face in line to vote due to a incapacity are allowed to vote from their car.
MICHAEL CIAGLO/GETTY IMAGES

Advocates say the digital voting techniques might be comparatively safe, enhance accessibility, and simplify voting and vote tallying. In the meantime, educational critics like Appel have argued that they’re insecure and must be used as sometimes as attainable. These arguments have at instances been bolstered by a wealthy, casual group of hackers who spend their time proving that they’ll hack the units.

Just lately, this previously area of interest debate has been embraced by a refrain of conspiracy theorists who declare, with no proof, that compromised machines value Donald Trump the presidency.

Amid these issues about election know-how, a handful of innovators—together with Gilbert—have looked for an answer that may silence critics: a voting machine that’s straightforward to make use of, primarily based in open-source software program, and considerably tougher to hack than current fashions. However some specialists consider that the pursuit is misguided, as a result of no laptop might ever be unhackable. And even when Gilbert’s machine had been foolproof, he and others argue that vote hacker tradition—one which’s extra intent on destroying units than creating them—makes it unlikely the machine would ever get a good listening to, not to mention be adopted.

For twenty years, the rise of voting know-how has enabled a number of the United States’ loftiest democratic beliefs, and likewise embodied its most visceral political suspicions.

Gilbert believes he’s invented his manner out of that dilemma. Who will show him mistaken?


At the moment, the voting machine market is dominated by three main distributors: Election Techniques & Software program, Dominion Voting Techniques, and Hart InterCivic. In accordance with one estimate, your entire trade generates roughly $300 million in income yearly.

In a lot of the nation, when any individual votes, they only fill out a paper poll, which is often fed by way of a tallying machine referred to as an optical scanner. Elsewhere, some voters use absolutely digital setups, referred to as direct recording digital techniques, that generally use the pc to each mark and tally the votes.

A ballot-marking machine has parts of each sorts of techniques. Whereas particular designs fluctuate, BMDs have a pc contact display screen for voters to make their alternatives. The machine then prints out a paper poll that may be fed right into a scanner. In contrast to hand-marked paper ballots, BMDs have the power to accommodate each voter utilizing a wide range of accessibility units—together with voters who can’t see, deal with paper, and even contact a display screen.

The machines have proliferated since 2002, when Congress handed the Assist America Vote Act.

Amongst different momentous adjustments, HAVA phased out punch-card techniques, just like the one which produced the notorious “hanging chads” in Florida in 2000, and allotted roughly $three billion to states, a part of which was used to purchase new machines—whether or not they wished to or not. As a requirement of the invoice, each polling web site within the nation should have at the very least one machine for individuals with disabilities.

The significance of HAVA to the incapacity vote “can’t be overstated,” says Michelle Bishop, voter entry and engagement supervisor for the Nationwide Incapacity Rights Community, the nation’s largest supplier of authorized advocacy providers for individuals with disabilities. Previous to the regulation, she says, “we had simply kind of been residing with techniques that primarily disenfranchised giant numbers of voters.”

Machines produce other benefits over paper ballots: they’ll provide a number of language choices, assist bigger jurisdictions that want hundreds of various poll varieties, and make sure that voters don’t inadvertently miss a race or make a mistake that disqualifies their poll. These errors can generally have a decisive impact: in 2008, for instance, the margin of victory in Minnesota’s Senate race was nicely beneath the variety of ballots rejected for voter error.

However mechanized voting brings its personal set of fears, too—particularly, that somebody might tamper with the machines and manipulate the outcomes. And, some specialists say, the businesses’ habits has performed little to encourage public belief. “They’ve typically performed issues the best way I’d say a ’90s IT agency would do issues,” mentioned Ben Adida, the manager director of VotingWorks, a nonprofit that has developed its personal open-source voting machine. “Very secretive, don’t speak to the press a lot, undoubtedly don’t speak to researchers, curl up right into a ball each time there’s a safety report and deny, deny, deny.” (The businesses inform the story otherwise—saying that defending their supply code, audit logs, and elements of the machines’ working manuals is a essential safety protocol, particularly now.)

Over the previous two years, questioning the safety of our voting machines has turn out to be its personal political motion.

In York County, Pennsylvania, residents tried to get an initiative on the November poll that may take away the realm’s digital voting machines. In Arizona, Kansas, Michigan, New Hampshire, and Oregon, there are pending lawsuits difficult the reliability of digital voting machines, and a particular prosecutor in Michigan will examine whether or not the Republican candidate for lawyer normal illegally gained entry to voting machines after the 2020 election to carry out “assessments.”

These advocates provide little proof that the machines have been hacked.

Nonetheless, there’s a legit concern that they could possibly be, say laptop scientists like Appel, the Princeton professor. An skilled in programming languages and laptop safety, Appel has publicly questioned voting know-how for years. In a single 2009 look earlier than a courtroom in New Jersey, he put in vote-stealing software program in a machine in simply seven minutes, utilizing solely a lock choose and a screwdriver.

Appel and different laptop scientists worry {that a} hacker might slip malicious code onto a ballot-marking machine—altering votes, sowing chaos, and maybe even altering the end result of an election.

Hands of an election official conducting a count of paper test ballots.

STEPHEN MATUREN/GETTY IMAGES

These critics say that the code in BMDs is complicated, usually poorly organized, and intensely lengthy, making it simpler to insert code that goes undetected. As a result of the races and candidates change each election, a brand new poll design should be uploaded earlier than each contest, providing one other alternative for malicious code to slide in. And since voting is finished anonymously, Appel notes, it’s not possible to hyperlink a particular poll to the one that forged it. “There isn’t any motion a voter can take to exhibit to election officers {that a} BMD altered their expressed votes,” Appel and two colleagues wrote in a 2020 paper.

In response to such issues, voting machine corporations acknowledge that their gear might have vulnerabilities. However, they are saying, almost all of the machines go away a paper path that may be audited, making it attainable to catch incidents.

Nonetheless, specialists say, a hack might have far-reaching results. In September 2016, Appel submitted written testimony to a Home committee listening to on election integrity. “I strongly advocate,” he wrote, “that, at a minimal, the Congress search to make sure the elimination of ‘touchscreen’ voting machines, instantly after this November’s election.”


Juan Gilbert might look like an unlikely candidate for a voting machine inventor. His household wasn’t significantly political rising up, he says. He doesn’t bear in mind when he first voted.

However Gilbert loves a problem.

Throughout Gilbert’s junior 12 months of school, when a professor of his prompt he turn out to be an educational himself, Gilbert thought it was a joke. At Miami College, 20 minutes from the place he grew up in Hamilton, Ohio, he deliberate to get an undergraduate diploma, discover a job, and begin incomes a residing.

“I had by no means seen an African-American laptop science professor,” he wrote in a 2002 essay, “and so had concluded that it was not a job for me.” In 2001, he was the primary African-American on the College of Cincinnati to obtain a PhD in laptop science.

Ever since, Gilbert has labored to diversify the sector. The graduate college students in his Computing for Social Good Lab are largely girls and largely Black, and Gilbert additionally does outreach at organizations like UF’s chapter of the Nationwide Society of Black Engineers. At a type of conferences a number of years again, he met Jean Louis, then an undergraduate who had by no means thought of graduate college. “Beforehand, I had a special view of what a pc science PhD was speculated to appear like,” Louis says.

Louis now works in Gilbert’s lab, the place he and different researchers are using know-how to try to resolve large, formidable issues. One piece of software program they developed, Purposes Quest, makes use of synthetic intelligence to deal with the problem of range in admissions and hiring. (It’s at the moment utilized by the College of Florida for scholarship choice.) One other product, Digital Visitors Cease, permits law enforcement officials to provoke a video name with the motive force they’ve simply pulled over, making the encounter safer for each events.

“The central level is that this know-how interacts with individuals,” says Louis of the work being performed in Gilbert’s lab.

“It’s not simply idea,” he says, “however like truly placing into apply the place you possibly can assist individuals out.”

Louis was a coauthor with Gilbert on one in all their current papers concerning the BMD, and the voting machine, he mentioned, has been a particular obsession for Gilbert. “Dr. G is on one other degree,” Louis says. “He’s visibly, auditorily, all of the ‘-lys’ keen about Prime III.”

Within the early 2000s, Gilbert says, he was at an engineering convention together with his graduate college students. None of them had been beforehand voting machine design, however they had been , particularly after the 2000 election and the meltdown of Florida’s punch-card system. The scholars had been crushed by what the audio system there needed to say: “You’ll be able to’t use machines. It gained’t work. There’s no option to do it,” remembers Gilbert.

Now that Gilbert had heard somebody say it couldn’t be performed, he was fired up. In 2003, he and his crew launched their first prototype of Prime III. The machine allowed voters to make their alternatives not simply by touching a display screen, but in addition by utilizing a headset and microphone or a paddle system, accommodating voters with bodily disabilities and people who have issue seeing, listening to, talking, or studying. Actual-world testing led to changes. After there was a distracting quantity of background noise throughout a check run on the Alabama Institute for the Deaf and Blind, he modified the system to raised detect a voter’s voice. Earlier than it was utilized by a bunch of voters with various levels of literacy, he added footage to the poll.


As Gilbert’s machine was taking form within the early 2000s, the politics round voting know-how turned more and more sophisticated.

In August 2003, the 12 months earlier than George W. Bush would win reelection, Walden O’Dell, the CEO of Diebold, wrote a letter inviting 100 buddies to a Republican fundraiser at his dwelling. Within the letter, O’Dell, whose firm made the machines that roughly 8% of voters utilized in 2000, mentioned he was “dedicated to serving to Ohio ship its electoral votes to the president subsequent 12 months.” The letter alarmed some observers. “There are sufficient conflicts on this story to fill an ethics guide,” then senator Jon Corzine, a New Jersey Democrat, informed the New York Occasions that 12 months.

In 2007, one other voting machine vendor, Smartmatic, bought its US subsidiary as a way to finish a months-long evaluation by the Committee on Overseas Funding in the USA of whether or not the Venezuelan-owned firm had ties to the Venezuelan authorities.

Across the identical time, some laptop scientists and hackers had been exposing grave insecurities. In California, a crew commissioned by then secretary of state Debra Bowen discovered a litany of issues with one of many state’s machines: viruses might soar from machine to machine and even to the election administration system; a voter might delete all digital data of the earlier votes forged, even the backup copies; and the digital and paper data had sufficient element to place the secrecy of the poll a threat.

Based mostly on these discoveries, Bowen took the unconventional step of briefly decertifying most of the state’s machines in 2007, simply three months earlier than the state’s presidential major. “It was a scary factor, occupied with not having a system,” mentioned Cathy Darling Allen, the county clerk for Shasta County, in Northern California.

However “in hindsight,” she mentioned, “it was actually the best factor to do.”

As hackers started to problem voting machines, Gilbert stored growing his answer. In 2018, Prime III’s software program was utilized in New Hampshire, after being piloted a couple of years prior. That 12 months, it additionally debuted in Butler County, Ohio, the place Gilbert grew up.

“It’s good to see any individual who’s passionate concerning the work he does,” says Eric Corbin, deputy director of Butler County’s elections board. Corbin often wants technical assist and small tweaks to the Prime III code, so he calls or texts Gilbert. “I’d be shocked if I seemed again and it took him greater than 24 hours to get again to us,” Corbin says.

The most recent model of the machine, which Gilbert and his college students finalized this 12 months, has all of the elements of a standard voting machine: a contact display screen for voters to make their alternatives and a printer to create a paper poll that’s then fed right into a scanner.

closeup of the back of electronic voting machine with paper receipt spooling out
Voters in Wellington, Florida, forged their ballots on new touch-screen voting machines for the 2004 election. Palm Seashore County was one in all contested counties within the 2000 Bush-Gore election.
MARIO TAMA/GETTY IMAGES

The machine additionally has some extra distinctive safety features. The contact display screen is clear, permitting voters to observe the machine print their poll, in actual time, and spot any points. The entire machine can be encased in absolutely clear glass, making it tough to insert, say, a malicious USB drive undetected. And the machine’s working system, software program, printer connection, and poll info are saved on a read-only Blu-ray disc. In contrast to a typical exhausting drive, which voting know-how skeptics say could possibly be manipulated to alter an individual’s votes, the disc can’t be overwritten, modified, or modified in any manner. “I’ve taken away that capability,” mentioned Gilbert. “You can’t change it.”

To additional make sure that the USB ports can’t be used to add mischievous code, Gilbert’s machine reboots after each forged vote. “That caveat blows out an entire lot of their points,” he says. “No software program can persist, proper?”

Like most BMDs immediately, the machine additionally produces a paper poll that may be audited. One long-standing concern about these paper trails is that voters don’t truly confirm whether or not what’s printed on their poll matches what they chose on the machine. If that’s the case, then audits are not any use.

This is the reason Gilbert’s machine is so progressive, he says. The clear contact display screen forces voters to look straight on the paper being printed, making it much more seemingly that voters will discover any tampering. And if that occurs, he says, the voter can increase an alarm.


By early Might, Gilbert says, he had emailed a couple of half-dozen specialists, together with Appel and Harri Hursti, the cofounder and co-organizer of the Voting Machine Hacking Village at DEF CON, the annual hacking convention in Las Vegas. He’d issued his problem: Might they hack the machine?

DEF CON, particularly, appeared like the right alternative for Gilbert to showcase his BMD.

In accordance with a 2017 report written by Hursti and several other collaborators, the Voting Village was launched in 2017 “to focus on cyber vulnerabilities in US election infrastructure.” On the gathering, attendees have the instruments, entry, and free time to unscrew, disassemble, and primarily destroy the entire machines on-site. The occasion generally produces viral content material, like a 2018 Twitter video by which hacker Rachel Tobac mentioned she’d gained administrator entry on a voting machine utilized in 18 states. “Requires no instruments and takes underneath 2 minutes,” Tobac wrote on Twitter. “I’m involved for our upcoming elections.”

Hackers there do precisely what Gilbert had been asking for—spend days tearing machines aside, freed from cost—and their confidence that every one BMDs are insecure rivals Gilbert’s confidence that his just isn’t.

“We all know each single machine on this room might be hacked,” Hursti mentioned initially of the conference in August 2021. “And each future machine might be hacked.” 

As well as, DEF CON attendees habitually criticize the machine distributors for preserving their code secret. Not solely is Prime III open supply, however Gilbert’s BMD, with its clear casing and computerized reboot after each vote, would current a novel problem.

The DEF CON tradition has pissed off some observers. “At some level, it’s important to transfer past simply the fixed critiquing and transfer on to productive options,” says Amber McReynolds, the previous director of elections for the Metropolis and County of Denver and a present member of the Postal Service Board of Governors. In any other case, she says, you threat having your analysis weaponized by individuals bent on discrediting the entire system. “I’d prefer to see the group of election safety professionals be extra considerate concerning the downstream impacts of their feedback and their work on election officers, and likewise democracy as an entire.” 

By September, Gilbert nonetheless hadn’t heard from Hursti. The truth is, no person had agreed to check the machine.

When Undark reached out to the specialists Gilbert had initially contacted, they provided completely different explanations for his or her silence. One mentioned that he had retired. A second was within the hospital. Hursti mentioned that Gilbert had emailed his private account, not the official one for DEF CON’s Voting Village. Requested whether or not he would come with the machine in subsequent 12 months’s occasion, Hursti didn’t reply to repeated messages from Undark. The day earlier than the publication of this story, he wrote to make clear that Gilbert’s machine would be welcome at subsequent 12 months’s conference, offered that he adopted sure DEF CON insurance policies, together with that the hackers not be required to signal nondisclosure agreements. 

Appel declined to check the machine, saying he didn’t have the sources to present it an intensive vetting. However he had seen the video of the machine in motion and heard Gilbert give a presentation on the brand new mannequin. It was a great design concept, he mentioned, and the shortage of a tough drive gives fewer assault surfaces for a hacker to take advantage of. The machine, he added, is addressing an issue with ballot-marking units that no person else has actually tried to sort out.

Nonetheless, Appel mentioned, he’s skeptical of the very concept of unhackability. And he imagined situations throughout which, he mentioned, Gilbert’s design may founder. In a weblog put up revealed in April of final 12 months, for instance, he wrote that the system relies upon an ideal deal on human voters’ being prompted to evaluation their votes. A delicate hack, Appel prompt, might merely take away that immediate. “This provides the chance to intentionally misprint in a manner that we all know voters don’t detect very nicely,” he wrote.

Appel introduced up one other state of affairs: say {that a} voter tells a ballot employee that the machine printed the mistaken title on the poll. Gilbert has ready for this state of affairs: it’s attainable to match the grasp disc to the one within the machine to detect if there’s fraudulent code. Assume that the ballot employee is ready to execute that plan completely in the course of the confusion of Election Day, and it reveals that the machine’s been tampered with. What then?

It’s unclear whether or not Gilbert’s machine will ever discover wider use. Dan Wallach, a pc scientist at Rice College, mentioned the machine was a promising step ahead. Nonetheless, he voiced issues concerning the sturdiness of the machine’s elements. Appel identified that any new know-how will face points in being scaled for mass manufacturing and require coaching and for voters and ballot staff.

There are different hurdles, too. For potential newcomers to the trade, it’s powerful to interrupt in, says Ben Hovland, a commissioner with the Election Help Fee, which was initially created by HAVA to enact the regulation’s necessities, together with distributing the federal funding for machines. For starters, the trade isn’t that large. “Whereas there are lots of jurisdictions all around the nation, there’s a set quantity of kit to promote,” he says.

“And if the jurisdiction lately purchased gear, they is probably not on the lookout for 10 years, possibly extra.”

Most states additionally require machines to be licensed, which the distributors should pay for. Underneath EAC tips, Gilbert might need to fork over lots of of hundreds of {dollars} to endure that course of.

Transferring ahead, Gilbert is planning to put in writing a brand new paper detailing his design, and he’s nonetheless hoping to discover a hacker prepared to check out the machine. The expertise has left him sounding jaded concerning the world of election hacking —a world, he suggests, that usually appears centered extra on performatively tearing aside machines than truly working towards options.

“They solely take a look at issues they know they’ll break,” Gilbert says.

“In case you have one thing you could’t on the face of it determine earlier than you contact it, they’re not going to the touch it.”


Spenser Mestel is a ballot employee and impartial journalist. His bylines embrace the New York Occasions, the Atlantic, the Guardian, and the Intercept.

Related Posts

Leave a Reply

Your email address will not be published.