Voting machine maker ES&S has said it “will no longer sell” paperless voting machines as the primary device for casting ballots in a jurisdiction.
ES&S chief executive Tom Burt confirmed the news in an op-ed.
TechCrunch understands the decision was made around the time that four senior Democratic lawmakers demanded to know why ES&S, and two other major voting machine makers, were still selling decade-old machines known to contain security flaws.
Burt’s op-ed said voting machines “must have physical paper records of votes” to prevent mistakes or tampering that could lead to improperly cast votes. Sen. Ron Wyden introduced a bill a year ago that would mandate voter-verified paper ballots for all election machines.
The chief executive also called on Congress to pass legislation mandating a stronger election machine testing program.
Burt’s remarks are a sharp turnaround from the company’s position just a year ago, in which the election systems maker drew ire from the security community for denouncing vulnerabilities found by hackers at the annual Defcon conference.
Security researchers at the conference’s Voting Village found a security flaw in an old but widely used voting machine in dozens of states. Their findings prompted a response by senior lawmakers on the Senate Intelligence Committee, who said that independent testing “is one of the most effective ways to understand and address potential cybersecurity risks.”
But ES&S disagreed. In a letter firing back, Burt said he believed “exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”
Days later, NSA cybersecurity chief Rob Joyce criticized the response. “Ignorance of insecurity does not get you security,” he tweeted. “The investigation of these devices by the hacker community is a service, not a threat.”
Although unexpected, election security experts have generally applauded ES&S’ shift in position.
Matt Blaze, a cryptography and computer science professor at the University of Pennsylvania, said in a tweet he was “genuinely glad” the company is calling for paper ballots and mandatory security testing.
“Hopefully they’ll also stop threatening to sue people like me and the Defcon Voting Village when we examine and report on their equipment and software,” he said. Blaze, who co-founded the Voting Village, faced legal pressure from ES&S at the time. The election security experts responded to the “vague and unsupportable threats” by accusing the voting machine maker of “discouraging” researchers from examining its machines “at a time when there is significant concern about the integrity of our election system.”
ES&S spokesperson Katina Granger said the company “supports third-party, white-hat, ethical research and penetration testing,” and added that it “believes Congress should establish a mandated security testing program for all voting machine manufacturers, holding each of us to the same standards of testing and research to help restore faith in the security of our nation’s elections.”
The company denied making legal threats.
Updated with comment from ES&S.