Growing numbers of elections offices across the U.S. are using electronic devices to sign voters in at the polls — a shift that has occurred with little scrutiny despite a host of security questions and a history of balloting meltdowns.
Problems with the devices, known as electronic pollbooks, caused long lines during this year’s presidential primary in Los Angeles County and contributed to chaos and hours-long waits during Georgia’s primary in June. They led to past years’ snafus in places such as Philadelphia, North Carolina, Indiana and South Dakota.
While tampering with e-pollbooks wouldn’t directly change anyone’s vote, malfunctions or cyberattacks against the devices could sway the outcome in other ways — for instance by causing delays that prevent people from voting.
Pollbooks, unlike voting machines, do not undergo federal testing and certification and have no uniform standards governing their design or security. There is also no oversight of the handful of vendors who dominate the industry to ensure they keep their own networks secure. Kremlin-linked hackers attempted to breach the network of at least one U.S. e-pollbook provider in 2016, according to a leaked NSA document.
Federal lawmakers such as Sen. Ron Wyden (D-Ore.) have questioned electronic pollbook makers about the security of their products and networks. E-pollbooks and the companies that make them have gone too long without oversight, Wyden told POLITICO in an email.
“Electronic pollbooks have failed, repeatedly, in elections across the country and are clearly one of the weakest links in our election infrastructure,” he wrote.
Introduced more than a decade ago to replace printed pollbooks, the devices were used by election offices in 36 states in the 2018 elections, according to the National Conference of State Legislatures, which said the number of jurisdictions using them had risen 48 percent since 2016. Jurisdictions using the devices accounted for about half of all registered voters four years ago, according to the National Academy of Sciences. They are especially common in densely populated urban areas.
The Brennan Center for Justice, which has been involved in improving election administration for more than a decade, calls electronic pollbooks an “overlooked vulnerability.”
“Anecdotally, when you dig into problems that happen at polling places, more often than not it’s the electronic pollbooks rather than the voting machines” that cause issues, said Larry Norden, director of the center’s Election Reform Program. “I’ve spoken with a lot of election officials who are frustrated that there are no [national] standards for pollbooks and no testing.”
Election Systems & Software, one of the top providers of e-pollbooks, told POLITICO it would support a change to this state of affairs.
“[W]e believe Congress should establish standards for mandatory testing for both voter registration and pollbooks for all U.S. election providers,” ES&S spokesperson Katina Granger said in an email.
E-pollbooks serve multiple purposes: Voters use them to sign in at the polls, and poll workers use them to verify the voters’ eligibility to cast ballots. In some jurisdictions, they also tell electronic voting machines which digital ballot to display to the voter.
The devices often communicate wirelessly with each other and with backend voter registration databases, offering a potential pathway for hackers who get onto that wireless network to delete or alter voter records — to indicate falsely, for example, that someone has already voted. Hackers could further use the wireless connection to breach the backend databases and other systems connected to them.
Hackers could also manipulate voting machines via pollbooks in jurisdictions where those devices tell electronic voting machines which ballot to display. A hacker could potentially cause an e-pollbook to embed malicious commands in the voter access card, barcode or QR code that some of those devices use to convey instructions to the voting machines, according to Harri Hursti, a security expert and an organizer of the Voting Machine Hacking Village at the annual Def Con security conference.
Some pollbooks can be remotely locked or disabled by election staff, raising the possibility that a malicious actor could do the same.
‘That’s a system design problem’
Security risks aside, the devices have experienced trouble in multiple elections.
During South Dakota’s June 2018 primary, all 44 of Pennington County’s new electronic pollbooks crashed and had to be rebooted repeatedly, causing delays in voting. Precincts with paper backups of the voter roll switched to those, but voting halted for up to 90 minutes in more than a dozen precincts that had to wait for backups, prompting some voters to leave without voting.
In 2018’s midterm elections in Johnson County, Ind., voters waited two to three hours when software used to sync pollbooks slowed or froze. Other states using the same model of pollbooks made by ES&S also experienced problems. An investigation found that all ES&S pollbooks around the country were using the same cloud server to sync, providing a single point of failure when demand exceeded capacity.
In August 2019, Philadelphia’s new pollbooks made by KnowInk — the nation’s leading provider of the devices — failed to properly connect to printers during a test election, causing concern about using them in a November election. And in Georgia, which also rolled out KnowInk e-pollbooks statewide that year, the devices experienced issues during their first election that November.
During this year’s Georgia presidential primary, issues with the KnowInk pollbooks were again among a cascade of troubles that forced some voters to wait up to eight hours. Democratic Senate candidate Jon Ossoff denounced the plethora of election problems as a “disgrace” and “an affront to the principles of our Constitution.”
Georgia officials blamed the pollbook problems specifically on poll workers’ errors and poor training. But county officials and election integrity groups disagreed.
“Look, if one poll worker makes a mistake, that’s user error,” Eddie Perez of the Open Source Election Technology Institute told The Atlanta Journal-Constitution. “If you have many poll workers unable to operate the system, that’s a system design problem.”
This year presents new challenges for electronic pollbooks. Although more voters than ever are expected to vote from home because of the pandemic, longstanding problems with timely delivery of mail-in ballots will cause many to cast ballots in-person. With sports stadiums being recruited to stand in for some traditional polling places, the potential for meltdowns is high if election officials and pollbook vendors don’t plan for failures.
Wyden said election officials should ensure that every polling place has a paper backup of the voter roll, so poll workers can check in registered voters even if e-pollbooks fail. “Not fixing this issue is the definition of voter suppression,” he said.
Years of glitches
Electronic pollbooks came into vogue after Congress passed the Help American Vote Act in 2002, two years after Florida’s hanging-chad debacle. The law allocated nearly $4 billion for states to purchase new election equipment and make other upgrades.
Voting machine vendors like Diebold Election Systems and ES&S won lucrative contracts for their voting machines — most of them paperless touchscreen machines — and then persuaded election officials to go paperless with pollbooks, too.
Georgia and Maryland were the first to adopt their use statewide in 2006. Both states were already using Diebold voting machines statewide and purchased the company’s ExpressPoll pollbooks as well. But problems arose during their first use in the September 2006 primary in Maryland. A Johns Hopkins University computer science professor working as an election judge called them a “disaster,” and described machines failing to sync at his precinct and crashing and rebooting.
They were problematic in Georgia as well. During the presidential primary in 2008, voters waited up to 90 minutes because the pollbooks kept crashing. Diebold quit the election business in 2009, but Georgia didn’t replace its Diebold voting machines and pollbooks until this year. It now uses KnowInk pollbooks statewide.
No government agency or election integrity group tracks pollbook incidents, so problems generally come to light only in news coverage. Those stories rarely mention the make or vendor of these systems, making it difficult to track which companies and devices have had recurring problems.
To this end, Verified Voting, a nonprofit organization that has long tracked voting machine usage by jurisdiction, has for the first time begun compiling electronic pollbook usage data and made it available online. Though not yet complete, it shows that about a dozen companies sell electronic pollbook systems, with two vendors dominating the market — KnowInk and ES&S. Some states, such as Colorado and Michigan, developed their own pollbook software, which they use statewide.
KnowInk, based in St. Louis, was founded in 2011 by Scott Leiendecker, a former city election director, and has quietly become the leading provider. Leiendecker said his company’s PollPads are used in 29 states, which he declined to identify, plus the District of Columbia. Verified Voting has identified 22 states where jurisdictions use KnowInk e-pollbooks; in those jurisdictions alone, KnowInk accounts for more than 25 percent of all U.S. registered voters.
Second in line is ES&S, founded in Omaha, Neb., under another name in 1974 by brothers Bob and Tod Urosevich. ES&S’s ExpressPoll pollbooks are used in at least 17 states, according to Verified Voting.
How pollbooks work
E-pollbooks vary in design and functionality. Most use customized off-the-shelf laptops and tablets with the pollbook vendor’s software installed. Some can scan a voter’s driver’s license or ID card to speed lookup, and, as already noted, some are used to activate voting machines.
Electronic pollbooks offer advantages over paper pollbooks, such as faster voter check-in and the ability to determine the correct polling place for voters who show up at the wrong one. They can process Election Day voter registrations in states that allow those, and provide near-real-time syncing with other pollbooks and databases to prevent people from voting in multiple places.
The devices also let counties replace traditional precincts with large vote centers, so that people can cast ballots at any convenient location rather than be tethered to their neighborhood. Vote centers need a county’s entire voter list, not just a neighborhood subset, which makes printed pollbooks impractical for them.
But these advantages fade when the machines fail and poll workers can’t verify a voter’s registration. The fallback when that happens is to make voters cast provisional ballots, but polling places often fail to stock enough of those. Provisional ballots also require more processing and can’t be counted until the voter’s eligibility is verified, therefore increasing the risk that they might not be counted before election results have to be certified.
The Brennan Center found that 17 states using e-pollbooks don’t require a paper backup of the voter roll at polling places, and 32 states using e-pollbooks don’t have contingency plans requiring a minimum number of provisional ballots be available.
When pollbooks fail
The devices generally fail in predictable ways: Crashing or failing to sync are the primary ones. When the problem isn’t poor design or software bugs, it’s usually poor contingency planning on the part of vendors or officials.
The March 3 meltdown in Los Angeles County, for example, was due mostly to poor planning, according to a county report obtained by POLITICO. The county had 10 days of early voting before Election Day but used only a handful of pollbooks during that period. On the day of the presidential primary, when the remaining pollbooks had to be synced, 10 days of voter data had to update at once, which caused the devices to lock up.
Another type of failure causes even more insidious damage to voters’ faith in the system: This occurs when pollbooks indicate falsely that voters are not registered, are in the wrong polling place or have already cast a ballot. The cause is sometimes a software glitch but more often out-of-date voter data that election workers have mistakenly left on pollbooks from a previous election. But these kinds of problems also resemble what would occur if a malicious actor altered individual voter records or replaced the entire database on pollbooks.
In 2010 in Shelby County, Tenn., for example, pollbooks incorrectly indicated that 5,400 voters had already voted. The issue disproportionately affected communities of color.
One of the most high-profile failures of this sort occurred during the 2016 presidential election, when pollbooks in Durham, N.C., indicated falsely that some voters weren’t registered or had already voted. The incident later raised alarms following revelations that Russian hackers had targeted the pollbooks’ vendor, Florida-based VR Systems, and that two days before the election Durham had experienced problems with its VR Systems software and voter database. (VR Systems has denied that its systems were compromised.)
A partial investigation by a contractor hired by the county found that old voter data had been left on some of the pollbooks — attributed to an election staff error — but a definitive investigation never occurred.
Who’s watching the vendors?
Although no federal testing and certification exists for electronic pollbooks, 13 states have certification programs to ensure that the devices meet their own functionality and design requirements. But the requirements vary by state, and not all certified systems are tested or undergo a security review.
KnowInk’s Leiendecker would not answer questions about the security of his company’s systems. “[W]e do not discuss, disclose or divulge any sensitive information involving election security or any specific security initiatives we are engaged in on behalf of our clients,” he wrote in an email.
ES&S did not say whether it had ever hired outside experts to conduct an independent security review of its pollbook. “ES&S thoroughly tests our pollbook product for security, and some of our customers do their own security evaluations of the product,” spokesperson Granger wrote in an email.
To address the absence of independent testing, the nonprofit Center for Internet Security launched a pilot project this year with the federal Election Assistance Commission to develop methods for assessing electronic pollbooks and other election systems that don’t fall under the EAC’s existing testing and certification program.
“This is a very different technology than voting systems,” said Aaron Wilson, senior director of election security at CIS. “It’s often connected to the internet, and the security of these systems is often predicated on the ability to change and update them rapidly to meet the ever-changing security landscape.”
KnowInk and VR Systems have submitted systems for the pilot project. ES&S has not submitted its e-pollbook to the project but plans to submit it to a private security firm, Synack, for examination.
Wilson said CIS will assess each vendors’ internal development processes to verify that they’ve followed security best practices, perform tests to see if their devices can be hacked and assign the pollbook and vendor a series of scores.
“We’re leaving [the conclusions] to the states,” Wilson said.
Ben Hovland, an EAC commissioner since last year, told POLITICO that creating such a centralized program is a no-brainer.
“Why should 50 states have to build 50 different certification programs? That doesn’t make any sense,” he said.