State

Ohio takes tougher line on election tech wireless connectivity

Ohio Secretary of State Frank LaRose said his state's voting machine standards go further than the U.S. Election Assistance Commission's VVSG 2.0, which didn't ban Wi-Fi capabilities.

By Benjamin Freed

June 15, 2021

Ohio Secretary of State Frank LaRose at a voter registration event in Cleveland in September 2020. (Megan Jelinger / AFP / Getty Images)

Back in February, the U.S. Election Assistance Commission, the federal board that sets guidance on how Americans vote, adopted a comprehensive, and long-awaited update to its security standards on election technology.

But while the election security community largely embraced the Voluntary Voting System Guidelines 2.0, the four-member EAC stopped short of banning wireless connectivity in ballot scanners and electronic tablets, a decision that led to a group of technologists and former election officials saying that even switched off, wireless capabilities pose a security risk.

Still, individual states are free to set their own guidelines for election technology, and on Tuesday, Ohio Secretary of State Frank LaRose announced updated standards that explicitly prohibit wireless capabilities in the equipment used there.

“VVSG was a big change. This was a small but impactful change,” LaRose told StateScoop of the EAC update that allows the inclusion of wireless radios.

The changes were made by the Ohio Board of Voting Machine Examiners, a four-person bipartisan group that reviews and certifies the election equipment used by the state’s 88 county boards of elections, including electronic pollbooks, printers and ballot scanners.

“A voting machine shall not be connected to the Internet.  A voting system or voting machine is prohibited from containing any wireless communication hardware or software components,” the updated standards read.

The change comes on top of an existing Ohio law meant to block voting machines from connecting to the internet at all, but LaRose said it was necessary as more election-tech vendors sell products with wireless capabilities built-in. Many of those products are based on off-the-shelf, commercially available technology that includes Wi-Fi as a standard feature.

“It’s hard to find a printer that doesn’t have wireless built in,” LaRose said. “But they are available. Now that VVSG 2.0 has come out, I think you’re going to start having voting machine vendors that have wireless capability built in but say there’s nothing to worry about because it’s disabled.”

In their February letter, the experts who objected to the EAC’s wireless decision wrote that “networking capability can easily be enabled unintentionally through a misconfiguration, a software update, or a technical error” by someone like a warehouse clerk or poll worker. They also wrote that even the potential for an attack raises the risk of public distrust in the election process.

LaRose echoed those concerns to StateScoop.

“Why even have that ability there that could be a vector for illicit behavior?” he said. “Or it could create a public confidence problem.”

Equipment compliant with VVSG 2.0 isn’t expected to hit the market until 2022 at the earliest, making it highly unlikely to be used in live election for a few more years. Election devices currently in use — in Ohio and elsewhere — were certified under VVSG 1.0, which was adopted in 2005. (Work on version 2.0 began in 2017.)

According to LaRose’s office, every ballot in the state has some sort of paper trail. Most counties use one of seven hand-marked paper ballots systems certified by both the EAC and the Ohio board; the remainder use ballot-marking touchscreen devices that spit out a paper record that can be tabulated and audited later.

Most counties also obtained new voting equipment in 2019, while another “five or six” are in procurement cycles this year, he said, replacing inventory that had been in use since the mid-2000s.

“I’m no luddite when it comes to this stuff,” LaRose said. “I’m all about embracing technology. But the actual casting of ballots, that should be completely air-gapped.”

While LaRose has stressed the necessity of paper ballots, his office has also implemented several tech-ier projects over the past few years, including online ballot-tracking so people can see the status of their votes, moving all 88 county boards of elections to the federally administered .gov domain and a first-in-the-nation vulnerability disclosure policy for election-related websites.

“We have a hard-copy paper trail that goes with every ballot,” he said. “You’ve got a dead-tree, ink-on-paper copy, and then you’ve got the digital record.”