Even if an attacker can’t change vote totals, any disruption or technical glitches would raise questions about the integrity of the election in a highly contested primary contest.

Furthermore, critics have expressed concerns about the company that built the system, U.K.-based Smartmatic. The company was founded by three engineers from Venezuela and was at one time the subject of a Treasury Department inquiry into its potential ties to the Venezuelan government. It also came under scrutiny in the Philippines, where authorities charged three of its employees with illegally altering code on an election server during that country’s 2016 national election.

Smartmatic told POLITICO it never had ties to the Venezuelan government, but simply supplied voting machines used in elections there. It also disputes the Philippines charges.

Despite these issues, and heightened concerns in the U.S. over election hacking and warnings from the U.S. intelligence community over ongoing Russian interference, California’s secretary of state certified the Los Angeles County system — known as Voting Solutions for All People — for use in Tuesday’s primary. That approval came with conditions, including a requirement that the county tighten physical security around the back-end programming and vote tallying systems to prevent tampering.

The county says it has fixed or addressed many of the problems that the secretary of state’s assessment uncovered, and a state spokesperson said it is satisfied with those changes.

“[A]dditional mitigation measures — including software, hardware, and firmware changes — were taken before certification. These changes passed review and regression testing,” Sam Mahood, press secretary for Secretary of State Alex Padilla, wrote in an email. “Our office believes that these measures and conditions of certification (including poll worker training and voter education) should mitigate potential issues and provide a voting experience that is consistent with state law and serves the needs of all voters in the largest voting jurisdiction in the nation.”

But that’s not reassuring to the outside security experts, because the county and state acknowledge that other issues raised by the testers won’t be resolved until after Tuesday’s primary. And critics point out that the system has other security problems, unmentioned in the state’s assessment, that could allow someone to alter ballots or render them unreadable. They say there’s no reason the state had to approve the system before it’s fully vetted and fixed.

"Some of the security flaws found in VSAP are staggering and should be disqualifying,” said Susan Greenhalgh, vice president for programs and policy at National Election Defense Coalition, an election integrity advocacy group.

“[I]t's incumbent on the state and county to insist VSAP meet necessary minimum-security safeguards [before it’s used],” she said.

Adding to the qualms, the county has failed to live up to its promise to publicly disclose the system’s source code so that independent experts can scrutinize it for additional problems. Members of an advisory group who provided feedback to the county during the design phase told POLITICO they have not been allowed to see the finished source code either.

The failure to release the source code belies the county’s assurances about the system’s transparency and trustworthiness, said election security expert Philip Stark, a statistics professor at the University of California, Berkeley.

“The whole idea of building a publicly disclosed voting system was that the transparency would increase trust,” he told POLITICO. “I think the failure to disclose the source … is an inexplicable lack of transparency.”

County spokesperson Michael Sanchez told POLITICO the county still plans to release the source code but has to find a way that addresses “security protocols and licensing requirements.” It has created a technical advisory group to help develop a plan.

Kim Alexander, president of the California Voter Foundation, a nonprofit that works to improve the voting process, said the county should be commended for building a publicly owned system, but the delay in disclosing the source code is perplexing.

“At the end of the day the fact that L.A. owns the code, not Smartmatic, is something that should give voters peace of mind, especially once [the code] gets disclosed,” she said. “But it’s not like they’re being told after the fact that you have to disclose the code. It’s been part of the game plan from the get-go.”

Many registered voters in the county won’t be using the machines this year, because about 63 percent of them have requested absentee paper ballots to vote by mail. But that would still leave a significant percentage of voters using the machines in what could be a tight contest.

To accommodate voters casting ballots in person who don’t want to use the new VSAP system, the state has required every voting center in the county to have paper ballots on hand. But those ballots are blank, requiring voters to write in every candidate’s name.

Alexander said the state could have required the county to provide every voter with a mail-in ballot for the primary — something the county plans to do in the future — or install ballot-on-demand printers at vote centers that are capable of printing ballots with candidate names already on them.

But Mahood said the blank-ballots solution “was the most feasible method to provide a hand-marked paper ballot option for a jurisdiction of this size in time for” Tuesday.

A decade in development

Los Angeles County is one of the nation’s most populous voting districts, with more than 4 million registered voters — in a state that is the biggest electoral prize at stake in Tuesday’s 14-state contest. The county began looking about a decade ago to replace its aging election system with one that is accessible to disabled voters, accommodates thousands of possible ballot configurations and can address growing concerns about proprietary systems owned by vendors.

Voting machine vendors often will only lease the software on their machines to counties, instead of selling it to them. This keeps vendors in control of the proprietary software; when things go wrong in an election, vendors will often prevent a county from hiring independent experts to examine the code to determine the problem or will impose non-disclosure agreements on them, citing trade secrets. The Los Angeles County system, in contrast, is owned by the county itself.

The system consists of about 22,000 “ballot-marking devices” set up in vote centers across the county: After voters insert blank ballot paper into a machine and use its touchscreen to make their selections, the device prints out a machine-generated paper ballot marked with their choices. The ballot-marking stations don’t store or tally the votes — that’s done at the county election office.

To save time, voters also can select their candidate and referendum choices ahead of time on a sample online ballot. Then they receive a QR code on their phone, which they can scan on a VSAP machine to pull up that pre-filled ballot on the system’s touchscreen before printing it out.

Either way, the voter can review the ballot before re-inserting it into the machine, which sends it to an attached ballot box.

Smartmatic won the $282 million contract to build the VSAP system in 2018 in a procurement process that included just one other bidder: CGI, the parent of the federal contractor that developed the infamous Healthcare.gov website for the Obama administration. Dean Logan, the county’s registrar-recorder, has said Smartmatic was chosen based on technical, legal and financial merits.

When POLITICO asked him about Smartmatic’s past relationship with the Venezuelan government, Logan’s office didn’t respond.

But that past is not a secret, either.

The Venezuela connection

The company, founded in Florida in 1999 by Venezuelan engineers Antonio Mugica, Alfredo José Anzola and Roger Piñate, initially focused on developing networking applications for sharing information between electronics devices, such as cameras. The founders listed a residential address in Boca Raton, Fla., as their headquarters on corporate documents they filed in Delaware the next year.

But the company’s focus switched to voting machines, and its business operations became concentrated in Venezuela, after the government there awarded a contract to Smartmatic and Bizta, another small software company Mugica owned with his father. The transaction raised a lot of concern.

Neither Smartmatic nor Bizta were very successful until their fortunes began to change in June 2003, when the latter received $200,000 from an organization that acted as an investment arm of the Venezuelan government, according to reporting by The Miami Herald. The money gave the government a 28 percent stake in Bizta, making it the company’s top shareholder, The New York Times later reported. The investment also gave the government a seat on Bizta’s board, which went to a close associate of the president of Venezuela at the time, Hugo Chávez.

The investment came as support was growing in the country for a recall election aimed at removing Chávez, a longtime foe of the U.S. who had been fighting internal opposition for years. In December 2003, Chávez’s political opponents announced they had obtained enough signatures to initiate a recall referendum. And in February 2004, six months before the recall election was to occur, the National Electoral Council announced that it had awarded a contract to Bizta and Smartmatic to replace the nation's existing voting machines — optical-scan machines made by the U.S. company Election Systems & Software — with new touchscreen machines.

Bizta, Smartmatic and the state-run telecommunications organization CANTV won the $91 million contract in a bidding process denounced by two of the five members of the electoral council, who voted against the contract.

Neither Bizta nor Smartmatic had ever built systems used in an election, and the two council members alleged that the bidding process had been secret, according to the Miami Herald. Chávez survived the subsequent referendum amid allegations that he and his supporters rigged the election.

Accusations about their association with the election and the government have dogged Bizta and Smartmatic ever since. Both companies have long said they have no ties to the Venezuelan government. After the Miami Herald exposed the $200,000 investment in Bizta, the company said the money was merely a loan and paid it back. As for Smartmatic, 83 percent of the company’s shares are owned today by the Mugica and Piñate families, according to company spokesperson Daniel Murphy, with the remaining shares held by employees and investors.

Following its success in the Venezuelan election, Smartmatic set its sights on the U.S. market. In 2005, it paid $16 million to acquire Sequoia Voting Systems, a British-owned, California-based company whose touchscreen voting machines were used in Washington, D.C., and 17 states at the time. But in June 2006, following a request from Rep. Carolyn Maloney (D-N.Y.), the Committee on Foreign Investment in the United States began investigating the purchase and the company’s possible connections to the Venezuelan government.

This proved complicated because the company had diversified into a series of holding companies and trusts in the Netherlands and the Caribbean island of Curacao in the Netherlands Antilles. Maloney accused executives of trying to obscure ownership of the company, but Smartmatic said the reorganization was simply part of its push to expand internationally. Smartmatic initially refused to cooperate with the government probe, according to Maloney, then agreed to participate, before announcing in December 2006 that it was going to sell Sequoia to put an end to the inquiry.

“[T]he CFIUS review recommended measures and conditions that both Sequoia and Smartmatic found too onerous to accept,” Murphy wrote in an email to POLITICO. “Smartmatic and CFIUS agreed the best way forward was for Smartmatic to voluntarily dispose of its interest in Sequoia.”

The company focused its attention instead on markets outside the U.S., most notably in Europe, where it’s been pushing internet voting, and in the Philippines, where it was embroiled in further controversy in 2016.

Authorities there accused the company’s employees of altering a script on an election server without authorization as results were being transmitted during a national election that year. The Philippine Justice Department charged the head of Smartmatic’s technical support team and two subordinates, along with three employees of the Commission on Elections, who gave them access to the server.

In court documents, the Smartmatic employees said they only corrected an error in the script that was turning the letter “n” in candidates’ names into a question mark whenever the “n” had a tilde over it. But critics contended that votes in the race for vice president changed dramatically after the script change. Investigators didn’t probe the nature of the changes to determine if they did affect the outcome, according to the Justice Department; they focused only on the fact that the script was changed without authorization.

Smartmatic’s Murphy told POLITICO the changes occurred on a server that provided the media and political parties with unofficial results, not on the system that tallies votes. He also said that a regional court dismissed the case in August on grounds that prosecutors could not prove the facts. POLITICO has not been able to independently verify that.

As for the Los Angeles County project, Murphy told POLITICO that the system was created by employees in its U.S.-based office and that all code used in the system “was developed in the United States and has never been offshore.”

Smartmatic has since approached its latest foray into U.S. elections more strategically than in the past, gradually reforming its previous image as an uncooperative outsider.

It was one of the first voting system vendors to join the Department of Homeland Security’s Sector Coordinating Council for the Election Infrastructure Subsector. The company also established a U.S. division — Smartmatic USA — and installed an American president. And after it won the Los Angeles County contract, it opened an office in California and hired local workers to help build the VSAP system.

But security experts are still concerned about the company’s foreign involvement in light of the security issues uncovered by the state’s testers and the county’s failure to disclose the source code for public scrutiny. They’re also concerned that the Los Angeles County system, if it proves successful, will be adopted elsewhere in the country.

The technical security concerns

Many cybersecurity experts and election integrity activists generally dislike the type of voting system that Los Angeles County has chosen because the machines — not the voter — actually mark the ballot. That could allow software bugs or a hacker to mark the ballot differently than what the voter intends. A recent study of a mock election using these kinds of devices found that only about 40 percent of voters double-checked their machine-marked ballots, and the voters missed more than 93 percent of the errors the machines introduced.

Furthermore, many ballot-marking devices embed the voter’s selections in either a barcode or QR code that’s printed on the ballot. In Los Angeles County, the QR code is what the county’s tallying system will read to calculate the results, not the human-readable portion the voter can verify.

Some types of ballot-marking devices, including the one used in Los Angeles County, introduce yet another risk: When the voter inserts the ballot back into the device to send it to the attached ballot box, the ballot passes again under the machine’s printer head. If the system is hacked, the printer could alter the voter’s choices or make the ballot unreadable — with no further chance for the voter to review it, Princeton University computer science professor Andrew Appel told POLITICO in an email.

Stark said the county could have avoided this risk by having voters deposit their ballots into a standalone ballot box, “but the secretary of state decided not to address that.”

The county says such a hack wouldn’t be possible because the printer head is raised when the ballot comes back through the machine. But a hacker could cause the machine to re-lower the printer head, Appel said.

In addition to those inherent issues, California’s own experts found security problems with the VSAP that could allow someone to compromise the system and potentially subvert an election. That could occur if an attacker gains physical access to a back-end system, known as the ballot marking device manager, that is used to program the voting machines before an election or to the tallying workstations that produce results.

The latter workstations and other back-end systems have a USB port that could allow someone to boot the machines with a USB stick in a manner that would bypass their password protection and security software, according to the state’s security analysis. Once on these and other systems, the testers found there was little internal security as well.

The systems' hard drives were unencrypted, according to the security report, which could allow an intruder to view and alter configuration and data files. Cryptographic keys also were unencrypted, according to the report. The report wasn’t specific about how all of these keys are used other than to say they “protect the integrity of elections.”

According to the state’s voting system standards, voting machines are supposed to have safeguards that limit both physical access to the systems and digital access to critical parts of their software and files. But the testers found a number of expected safeguards missing in the VSAP machines, including a failure to carefully control the “root password” that provides the highest level of access and privileges on the machines.

The report also noted that Smartmatic and the county had not shown that the system’s encryption algorithms meet a specific government-set standard that the state requires. Smartmatic told POLITICO that the algorithms meet the standard, but that the company simply has yet to show they do so on the exact version of the operating system that is used on the county’s machines. It plans to do this after the primary. The state has given the county until the end of June to do this and address other changes it requested.

To meet the state’s conditional certification for use in Tuesday’s primary, the county put physical locks on the USB ports on county workstations to prevent someone from inserting a rogue USB stick into them. The county plans to reconfigure the systems after the primary to disable the USB ports or otherwise prevent anyone from booting from them. The county also said it replaced cryptographic keys that allow access to critical parts of the system with new keys that it planned to share only with select elections staff — but not Smartmatic employees — and also fixed the root password issue.