In the days after November’s election, a news report described a professor of computer science and engineering at the University of Michigan at Ann Arbor, J. Alex Halderman, as having a made a provocative discovery.
The report suggested he had found "persuasive evidence" of voting anomalies in three key swing states, each barely won by Donald J. Trump, that gave him the margin of his surprise victory, and asked whether computer hacking could have been responsible.
Claims that Hillary Clinton’s vote totals were suspiciously lower in counties that relied on computerized voting machines helped fuel recount demands by Jill Stein, the Green Party’s presidential nominee, that later were joined by Mrs. Clinton’s campaign.
The national election was eventually certified in favor of Mr. Trump, and the legal challenges faded away. Mr. Halderman, director of the university’s Center for Computer Security and Society, contends that the initial reports of his suspicions were overstated. The most likely scenario, he believes, is that Mr. Trump legitimately won the election through the Electoral College system.
Still, Mr. Halderman has long warned about the dangers of relying on computerized voting with no paper trail. Now back outside the legal spotlight, he continues to seek data from the states — Michigan, Pennsylvania, and Wisconsin — that could help him determine if anything improper affected the election results.
In an interview with The Chronicle, edited for brevity and clarity, he provided an update this week on where things stand.
Q. Was it the case that in some precincts the machines had a statistically larger variation from the expected outcome than those precincts without machines?
A. It depends on what you mean by "unexpected." The problem with any kind of analysis like that is that there are all kinds of confounding demographic variables. You can use it to suggest all kinds of things are wrong, but it’s never going to prove that things are incorrect, or that things are just fine.
Q. By "unexpected," I just meant whatever measure you have where the result might look funny.
A. I respect that instinct, that you should look at the figures and see if anything looks funny. And when you do look at the numbers, there’s lots and lots of stuff that looks funny. But almost all of it can be explained if you dig deeply enough.
Q. So have you just gone on to other things?
A. No. We’re doing some work now, actually, to try to use the data from the recount to establish, with as high a confidence as we can, the likely hypothesis that there wasn’t any large-scale fraud, and to use the recount data to try to bound the likelihood of various kinds of cyberattacks.
The recount process has looked at a certain fraction of the ballots for 2016, and a very poorly distributed sample, unfortunately — basically half of Wisconsin, a little bit less than half of Michigan, a very, very small part of Pennsylvania, and a large fraction of Nevada. And based on that sample, we can do things statistically to estimate, under reasonable assumptions, what a cyberattack that aimed to change the outcome would look like.
I think the recounts should give you additional confidence that the outcome was correct. Just looking at what we recounted, there wasn’t systematic deviation from the election results. But the question is, how much confidence do we gain from that? We’re doing the analysis to find out.
Q. Because you’re finding it difficult to get in there and investigate?
A. Because even under the circumstances in 2016, it was so exceedingly difficult to get states to look at a substantial amount of the physical evidence.
Q. By physical evidence, you don’t just mean the ballots, but also the computer equipment in the locations without paper ballots?
A. Yes, I’m talking about two kinds of things. I’m talking about the actual paper, where it’s available, which is the cheapest and most direct evidence to look at, but beyond that you could do digital forensics on some of the paperless machines to get some confidence that you would detect an attack if one had occurred.
Q. And you’re not able to get access to the computers to do that?
A. As far as I know, that has been done nowhere.
Q. I trust you’ve been asking?
A. Yes. I asked in collaboration with the Stein recount effort; they sued in Pennsylvania to try to do that. Pennsylvania is one of the handful of holdout states that don’t have paper, and they sued unsuccessfully to try to do forensics on the machines.
Q. Do we have to assume there would always be a fight over recounts? Might local governments have an interest in finding out about their elections?
Q. Donald Trump might not, but the governor?
A. No, the Pennsylvania Republican Party intervened in the original lawsuits, and the secretary of state’s office, which is under Republican control, mounted a very vigorous opposition to the recount and forensic efforts too.
Wisconsin actually did complete the statewide recount, though only about half the ballots were counted by hand.
We got a lot of good data from Wisconsin that didn’t reveal any systematic irregularities.
It did reveal more changed ballots than the margin of victory, but the changes were basically canceling each other out. It’s what you would expect from the machines just being imperfect in reading the ballots.
Q. If you were given full access to the computer equipment now, how confident would you be that you could detect something that had been done?
A. Less than absolutely confident. It’s kind of hit or miss when you’re doing that kind of forensic investigation, because a very well-designed attack would have removed most of the evidence.
What the paper lets us know is whether the outcome was tampered with. Whether someone tried — you might be able to find out more about that by looking at the equipment. But as time goes on, my understanding is that the equipment is not all forensically preserved: Memory cards are being reused for other things, the chain of custody is no longer certain. Who knows how much of the evidence, if there is any evidence, is still intact?
Q. Are these things that need to be changed, maybe through the creation of some outside monitoring body?
A. There is one easy and cheap thing that we could do, which is to statistically sample precincts after each federal election and just have people manually count those precincts until we have a high level of confidence that the outcome is correct.
Q. You mean a postelection poll?
A. No, I mean that in a state with 2,000 precincts, pick 100 of them at random and recount all of them. It’s called a statistical audit.
Q. But if the Russians or somebody slipped a virus into the computer system that made them vote a certain way, you wouldn’t find that, right?
A. You would, when you have paper to recount. Because slipping a bug into the computer can’t change what’s on the pieces of paper that voters saw.
Q. Yes, paper. But isn’t the issue with systems that don’t use paper?
A. This is a place where the 2016 election has really radically changed my thinking. I was thinking going into this election that paper was an adequate defense for us, and for that reason a cyberattack can’t change what’s on the paper. And indeed, in 2016, 70 percent of ballots nationwide were cast with some form of paper.
Q. What about just having all voters use paper?
A. Most of the country does that already. There is no technical obstacle to doing that everywhere. It’s just that some states are holding on to machines that don’t have a physical record, and that is dangerous.
Q. Should paper just be a requirement? It doesn’t slow down the voting, does it?
A. No. In fact, places that have long lines tend to be places that are voting on computers where you have only a fixed number of computers. It’s really easy to add a few more ballot stations with paper.
That definitely should be a requirement — that we have paper records for every vote. To me, it’s a completely common-sense security measure.
But we need to also look at that paper. We have to not throw it away. And unfortunately the law in many states predates computerization, so it’s not thinking about the paper as a cyberdefense, which it really is. This is a quality check that’s necessary to prevent computer fraud and error.
Q. So you haven’t given up, but the obstacles are significant?
A. The takeaway message is the 2016 election is pretty well settled, but I am extremely worried about what is going to happen in 2018 and 2020 unless we act now to beef up the defense of these systems.
Q. Scientists often are harassed when their work challenges powerful political forces. Tell me how that has been happening to you.
A. There’s been some of that. I think the president-elect’s lawyer declared in state court that my tenure should be revoked, but fortunately it’s not his decision.
More recently, just the week before last, there were some horrible racist and anti-Semitic emails sent out to all the undergraduate computer-engineering students here at Michigan. The sender forged my name and the name of my graduate student who worked on the recount effort. And this student has been getting harassing death-threat-style emails forged in a similar way. In my mind it’s certainly someone who is upset about the politics of all this.
A. It’s just been on the internet, and I don’t think we really need extra security, but it did disturb the undergrads enough that I did ask the campus police to send someone over and sit outside the lecture hall the next day while I was teaching, just to make sure people would feel safe.
Strange times, isn’t it? But I have a pretty thick skin. I’ve been through this sort of thing before a few times, but I feel bad for the students.