The Basics About the Walled City of Election Administration

CommentaryCritical Infrastructureelection securityResearch & Development
Written By Gregory Miller

Ed. Note: Special thanks to our CTO and my co-founder John Sebes for providing the lion’s share of co-writing this piece to follow-up from an earlier social media posting.

Our readers and followers may recall this tweet thread we posted in late November about where votes are counted and stored and how exactly basic voting systems function. However, the Trump Administration’s persistence of a false narrative about election rigging (“stop the steal”) shows no sign of abating. So, many continue to be reasonably confused and frustrated by the continuing wild and baseless claims about where cast votes are stored and how they can be tampered with.

In the waning days of the Trump Administration it’s time to debunk these claims with a fact-based narrative, rather than continuing a whac-a-mole approach of pointing out each of the many falsehoods as they pop up, and individually responding. So, the objective here is to offer a simple article by myself and co-founder John Sebes to describe what is reality.

Since a picture is worth 1,000 words, we’re going to rely on to the diagram above in order to visualize an explanation intended to clear the misconceptions and misunderstandings that drive unfounded concerns about election fraud.

For the election geeks among the readers, yes, this diagram is a very (perhaps overly) simplified view of how ballots and votes fit into the larger ecosystem of election administration. Regardless, there are two important concepts.

  1. First, the handling of ballots and vote counts are composed of activities that occur in a controlled environment and we refer to it like a  “walled city.

  2. Second, that walled city has an “air gap” around it, which means that (in most cases, with few exceptions…more on this in a moment) there’s no connection to any external network, and hence no way that a network connection can allow adversaries to digitally enter the walled city and tamper with its contents.

Pre-voting activities associated with voter registration and voter qualification occur outside this walled city, including:

  • Every aspect of voter registration and voter list management;

  • Preparation of paper and electronic poll books; and

  • Sourcing the data (e.g., districts, precincts, and contest information) that voting machines and ballot counting machines need in order to create and understand this election’s ballots.

What is contained inside and happens inside the walled city is:

  • The resulting data from the activities outside the walled city outlined above;

  • The election management system or “EMS” (in order to create and tabulate ballots); and

  • The voting (casting and counting) machinery.

What comes out from the walled city: unofficial tallies of votes recorded from the ballots that remain in the walled city. Those tallies can be used for unofficial election results, and the numbers crunched by analytics to create insights on the voting that happened.

The Most Important Takeaways From This Diagram

The key thing to understand from this illustration above is that all the pre-voting activities and all the use of the unofficial results, all happen in the world outside of the walled city, without a digital connection to the ballots, machines, and votes inside the “walled city.” That’s what “air-gapped” means.

The next takeaway from this diagram is that the core machinery of voting — technologies and processes for casting ballots and counting them — is separate from election administration systems and processes on the front-end (e.g., voter registration, voter check-in), and separate from all the back-end activity among those who use the vote tally data that comes out of the ballot casting/counting process.

What is “the Wall” Exactly?

The “Wall” is just a metaphor (but not of the nature of this famous 1979 wall). It’s intended as a metaphor to explain how the technology, the people, and the processes that join them — all fit together in “best practices” for protecting the ballot casting and counting process. In a locality (county, parish, or township) that follows these best practices, there is no way for cyber-adversaries to attack the system, change election results, and get away with it. Ballot casting, counting, and results tabulation are protected from that so long as

… so long as the people use the technology properly and follow the processes properly.

  • The walled city is safe so long as the administrators do not make a mistake and unwittingly open a hole in the wall.

  • The wall is only as strong as the weakest aspect of people, process, platform, and policies that configure it.

The reality is, that with thousands of these localities, in a few of them, people will make mistakes. That’s why the best practices are important, and that they are supported by well-documented configurations, processes, protocols, procedures and policies with verifiable compliance.

So, how widespread are these best practices, and how well do they work? They’re quite widespread, fairly common in details across the states (though each state’s different election laws drive some local variation), and as any impartial observer of election 2020 would agree, working fairly well despite extraordinary stress of multiple kinds.

Sure, there are exceptions, and some states are different. A handful of states (including FL, MI, and WI), have practices for remote transmission of vote tallies from voting places to headquarters, but – very importantly – not for being the data that drives the official results, but rather for rapid reporting of election-night unofficial and in-process ballot counting.

You may think that looks like breaking down the air-gap (and it could if done carelessly), but it’s actually a separate process. Yet at the same time, it is complicated and can easily give rise to some of the nonsense claims that have emerged.

Again, disinformation is the product of a fact or two, combined with baseless theories, weird imaginings, and sometimes flat-out lies. Our CTO, John Sebes starts an examination of this with a really simple breakdown of how to decipher the conspiracy theories in his new Decoder series.

Sure, there are other complexities too, like external connectivity that is “potential” and usually not actual — yet possible. And human error can creep in as well, lapses in the best practices that can create a hole in the wall. This high level summary and the diagram paint the picture of what should happen — and usually does — without details and things that can go wrong from breaking a physical chain of custody, to using an unauthorized USB stick.

But remembering the core concept of the protected place (i.e., “the walled city”) for ballot casting and counting, here are some ideas floating around that just flat do not fit the reality:

  • The nonsensical assertions of attorneys Sydney Powell and Rudy Giuliani about “votes” being exported and manipulable; actually it’s just copies of data exported from the walled city to enable reporting of unofficial results that will be based on what remains behind walls.

  • The idea that vendors such as Dominion are villains making intentionally malicious products. No, they are not villains, though that does not make them free of fault for low quality and lack of transparency in their black-box systems.

  • The idea that Smartmatic or Scytl or Soros or Venezuela had any nefarious role here. That’s entirely made up of retreads of old debunked, but zombie-like conspiracy theories, perhaps with misunderstanding that (the now-bankrupt) Scytl did, for a while, have a U.S. subsidiary with product whose job was to take the unofficial data output from the walled city and help analyze and report it.

  • “Hammer and scorecard” types of nonsense  that rest on the false assumption that real election results are transmitted digitally and can be intercepted and tampered with, in order to steal an election. Sorry, what goes on inside these walled cities of election administration is boring, and doesn’t include anything like that – please, look at the diagram above again if that’s not clear.

In fact, with one more look at the diagram, let’s recap the essentials:

  1. Election night results are not official or final, or complete; they are just numbers copied over the wall for news-hungry people to consume.

  2. The actual election results come out of a routine and lengthy post-election-day canvas period during which results are verified and identified mistakes are corrected before results are final and certified.

  3. Ballot casting and counting technology, and people and process all typically work in an isolated environment where ballots and votes and tallies remain until the official results are certified.

  4. Ballots cast in the United States are counted in the United States. Full stop.

  5. External forces are blocked from access, provided proper use of best practices are actually followed, and absent from human error.

  6. People make mistakes that can weaken the wall; however, the canvass process finds and corrects the mistakes — that’s why it takes weeks to certify an election result!

That’s right, all the lengthy time to finalize an election is not a “delay” but careful due process to make sure that everything was done right and the real election winners are named in certified results.

That’s probably the right place to stop, there are a few caveats or post-scripts for the detail oriented folks.

Postscripts—The TL;DR

For those who enjoy waltzing in nuance and for our election geek colleagues, we offer some postscripts out of a passion for intellectual honesty.

  • We acknowledge that within the walled city, there is no infallible way to count votes. All methods (optical scan, touchscreen, or even hand counting) are subject to errors, procedural goofs, and intentional manipulation.

  • Nearly all jurisdictions count votes using digital technology, (e.g., touch-screens, and/or optical-scan machines). Technology is vulnerable to hacking, in this case meaning modifying legitimate vote-counting software with malware that can change vote data. However, it’s critical to remember that just because technology has vulnerabilities, that does not mean that the election was “rigged.” The existence of vulnerabilities does not mean that they were actually exploited – and that’s why evidence matters.

  • Despite the walled-city processes, lapses can enable hacks that can be performed remotely (e.g., via USB device). This is why machinery is tested before an election and this emphasizes how critical & imperative paper ballots and audits are to #TrustTheVote.

  • That acknowledged, it is possible to count votes by computer and still achieve trustworthy election outcomes. But it requires both a trustworthy paper trail of voter choices, and an audit process that’s used to check or correct outcomes of an election.

  • Finally, for you Easter egg hunters, since its a style of mine (Gregory) to toss in a fun reference occasionally, if you paused on the discussion of the Wall metaphor and discovered we were not referring to that rock opera (chalk full of metaphors of its own about “walls” —a 4 minute distraction if that’s your genre), then here is one more. It’s special for myself because it trips 26 years back to Hanover, Germany on August 16, 1994 with an epic live performance by David Gilmour… and I am there in that mob of 90,000+ to witness it. Again, if that’s your genre, take 9 minutes and enjoy a classic from their version of “The Wall.”

Gregory Miller
Previous

Kraken Busting and the "Most Secure Election Ever"
Next

Election 2020: The Most Secure Ever...