In addition, DEF CON attendees habitually criticize the machine vendors for keeping their code secret. Not only is Prime III open source, but Gilbert’s BMD, with its transparent casing and automatic reboot after every vote, would present a unique challenge.
The DEF CON culture has frustrated some observers. “At some point, you have to move beyond just the constant critiquing and move on to productive solutions,” says Amber McReynolds, the former director of elections for the City and County of Denver and a current member of the Postal Service Board of Governors. Otherwise, she says, you risk having your research weaponized by people bent on discrediting the whole system. “I’d like to see the community of election security professionals be more thoughtful about the downstream impacts of their comments and their work on election officials, and also democracy as a whole.”
By September, Gilbert still hadn’t heard from Hursti. In fact, nobody had agreed to test the machine.
When Undark reached out to the experts Gilbert had originally contacted, they offered different explanations for their silence. One said that he had retired. A second was in the hospital. Hursti said that Gilbert had emailed his personal account, not the official one for DEF CON’s Voting Village. Asked whether he would include the machine in next year’s event, Hursti did not respond to repeated messages from Undark. The day before the publication of this story, he wrote to clarify that Gilbert’s machine would be welcome at next year’s convention, provided that he followed certain DEF CON policies, including that the hackers not be required to sign nondisclosure agreements.
Appel declined to test the machine, saying he didn’t have the resources to give it a thorough vetting. But he had seen the video of the device in action and heard Gilbert give a presentation on the new model. It was a good design idea, he said, and the lack of a hard drive provides fewer attack surfaces for a hacker to exploit. The device, he added, is addressing a problem with ballot-marking devices that nobody else has really tried to tackle.
Still, Appel said, he is skeptical of the very idea of unhackability. And he imagined scenarios during which, he said, Gilbert’s design might founder. In a blog post published in April of last year, for example, he wrote that the system depends a great deal on human voters’ being prompted to review their votes. A subtle hack, Appel suggested, could simply remove that prompt. “This gives the opportunity to deliberately misprint in a way that we know voters don’t detect very well,” he wrote.
Appel brought up another scenario: say that a voter tells a poll worker that the machine printed the wrong name on the ballot. Gilbert has prepared for this scenario: it’s possible to compare the master disc to the one in the machine to detect if there’s fraudulent code. Assume that the poll worker is able to execute that plan perfectly during the confusion of Election Day, and it reveals that the machine’s been tampered with. What then?
It’s unclear whether Gilbert’s machine will ever find wider use. Dan Wallach, a computer scientist at Rice University, said the machine was a promising step forward. Still, he voiced concerns about the durability of the machine’s parts. Appel pointed out that any new technology will face issues in being scaled for mass production and require training and for voters and poll workers.