Voting Machine Company Threatens Researchers for Exposing Valid Security Flaws

Election Systems and Software (ES&S) is sending cease and desist letters to organizations simply for highlighting proven security vulnerabilities.
January 13, 2021, 2:00pm
Image: AAron Ontiveroz/The Denver Post via Getty Images

A major manufacturer of voting machine hardware has threatened researchers for highlighting proven privacy and security vulnerabilities in their products.

Last week, Election Systems and Software (ES&S) fired off a cease and desist letter to SMART Elections, a New York State based non-partisan project designed to bring greater public awareness to the lack of security in electronic election equipment.

In the letter, ES&S accuses the organization of “false, defamatory, and disparaging” comments related to the company’s ExpressVote XL touchscreen-enabled barcode voting system, which SMART Elections has been warning New York State officials suffers from design flaws that make it open to vote manipulation.

Security experts and good government groups say that the ExpressVote XL has a flawed design that makes it dangerously insecure, and that it is also glitchy and over-priced,” the group warned. “Many of them strongly oppose its use. Voters with disabilities have often struggled to use it.

ES&S didn’t take the criticism particularly well, and in its cease and desist letter claims the organization was engaged in “defamation and trade disparagement.”

“We demand that you immediately and permanently cease and desist from communicating false allegations about ES&S, and immediately retract and correct the false, defamatory and disparaging accusations you have made against ES&S,” the company threatened.

ES&S lawyers appear particularly annoyed by claims that the “ExpressVote XL can add, delete, or change the votes on individual ballots,” will “deteriorate our security and our ability to have confidence in our elections,” and is a “bad voting machine” in general. 


But many experts, including Princeton University professor Andrew Appel, say the accusations and criticism levied against ES&S are absolutely correct

“The ExpressVote XL, if hacked, can add, delete, or change votes on individual ballots — and no voting machine is immune from hacking,” Appel said. “That’s why optical-scan voting machines are the way to go, because they can’t change what’s printed on the ballot. And let me explain some more: The ExpressVote XL, if adopted, will deteriorate our security and our ability to have confidence in our elections, and indeed it is a bad voting machine. And expensive, too!”

Election security experts, integrity advocates, and experts have spent the better part of the last few decades warning local and state election officials about the dangers of touch-screen voting machines. The installation of fraudulent vote-stealing software, they’ve warned, can undermine democracy in an undetectable, uncorrectable way that’s easily avoided.

That hasn’t stopped officials from embracing such solutions anyway, usually doling out massive, lucrative contracts to a handful of powerful companies that routinely find themselves above meaningful scrutiny and the law. When experts and researchers point out the lack of robust security in such devices, lawsuits and threats are frequently their reward. 

Such threats often work. In May of last year, the New York State Board of Elections halted certification of the ExpressVote XL over concerns that state regulations might not allow for its use. After ES&S threatened to sue the board, it capitulated and is now prepared to certify the device for use against the warnings of experts.

But detailed research on several fronts shows how the ExpressVote XL software could theoretically be modified to change votes if successfully hacked, without voters ever noticing. And states like Pennsylvania that recently purchased the machines say their first experience with the devices was “marred by miscounted vote tallies” in some counties.

While the general consensus among security researchers is that the 2020 election went smoothly, this success was largely thanks to researchers and experts who diligently exposed system vulnerabilities and shortcomings in a quest for transparency and accountability, and in some cases, a paper trail election officials can rely on and that couldn't be hacked. Georgia's close election, for example, recounted its 5 million votes by hand, ensuring the results were valid despite an unprecedented attack on election officials by the President of the United States.

The President's attacks on the democratic process are of course making an already difficult issue more confusing than it needs to be. Dominion Voting Systems, another major voting systems vendor, is currently suing Donald Trump's lawyer Sidney Powell for $1.3 billion for baselessly accusing the company of stealing the election from Trump. 

Any voting systems company is right to push back against wild and misleading accusations, but another side effect of Trump's destructive attempt to steal the election here is that it muddies the waters around the very legitimate and critical work of election security experts who are trying to find real flaws with our voting systems.

The endless efforts to sow distrust in our election system via disinformation, combined with efforts to silence researchers for exposing valid security vulnerabilities and flaws, means there’s no guarantee our recent good fortune on the election security front continues.