The Verified Voting Blog

This blog contains posts authored by the Verified Voting Team and by members of the Verified Voting Board of Advisors.

Verified Voting Public Comments on VVSG 2.0 Principles and Guidelines

Download the PDF Verified Voting is pleased to see the VVSG 2.0 principles and guidelines finally moving forward. We are enthusiastic about the VVSG 2.0 structure and, with some reservations, about the content of the principles and guidelines. Full implementation of the VVSG 2.0 will, in time, help bring about voting systems that set new standards for universal usability, security, and verifiability. All these properties – backed by sound procedures – are essential to enable officials to run resilient elections, and to reassure voters that their votes have been cast as intended and counted as cast. We urge the EAC to allow the technical requirements and test assertions to be approved and revised without a vote of the commissioners. We agree with the TGDC, the NASED executive council, and others that for several reasons, these documents are best managed by technical staff, adhering to a well-defined process with broad consultation and opportunity for public comment. Verification and the VVSG Verified Voting especially welcomes Principle 9, which stipulates that a voting system “is auditable and enables evidence-based elections,” and the associated guidelines. No matter how otherwise usable and reliable a voting system may be, it is unacceptably dangerous if it cannot provide trustworthy, software-independent evidence that people’s votes have been accurately recorded and counted. A voting system alone can “enable” evidence-based elections but cannot provide them. As Philip Stark and David Wagner wrote in their seminal paper, the basic equation is that “evidence = auditability + auditing.” A voting system with a voter-verifiable audit trail, such as a voter-marked paper ballot, provides auditability. Compliance audits to ensure that the audit trail is substantially complete and accurate, and risk-limiting tabulation audits of the audit trail, provide actual evidence that outcomes are correct.

Verified Voting Testimony before the Allegheny County Pennsylvania Board of Elections

Download the pdf Thank you, Chairman Baker and members of the Board, for allowing Verified Voting to submit written testimony in connection with the Public Meeting on the Purchase of Voting Systems. We hope to provide background on the security needs that counsel for the adoption of a new voting system with a verifiable and auditable paper ballot, and provide some high-level recommendations for consideration by the Board as it deliberates the purchase of new voting equipment for Allegheny County. Election administration depends on computers at multiple points in the election process. Equipment for voting is but one part of a broad array of election technology infrastructure that supports the conduct of elections today. Some of that technology infrastructure includes voter registration databases, internet facing applications such as online voter registration and polling place lookup, network connections between state government and local jurisdictions, the computers that program the voting devices that record and count votes in addition to the voting devices themselves. Some jurisdictions also use electronic poll books to check voters in at polling sites and most states and localities report election night returns via a website. To the extent that any of these can be compromised or manipulated, can contain errors, or can fail to operate correctly—or at all—this can potentially affect the vote. Election system security requires not only efforts to prevent breaches and malfunctions, but also fail-safes that address breaches or malfunctions that do occur and procedures to confirm the correctness of election outcomes.

Verified Voting Applauds Oregon’s Senate for Passing Bill Requiring Robust Post-Election Audits to Verify Elections

Marian K. Schneider: “Oregon is leading the way towards better integrity and security with the passage of SB 944.” The following is a statement from Marian K. Schneider, president of Verified Voting, on Oregon’s Senate passage of SB 944, offering counties the option to audit elections using a process known as risk-limiting audits, which are designed to bolster public confidence in elections. For additional media inquiries, please contact aurora@newheightscommunications.com   “Oregon is leading the way towards better election integrity and security with the Senate’s passage of SB 944. This bill requires county clerks across the state to conduct audits after every election -- not just general elections -- and lets them choose between a partial hand count and risk-limiting audits (RLAs). An RLA examines a sample of the paper ballots to check if the election outcome is correct.  RLAs provide strong evidence when election outcomes are correct, and have a guaranteed large chance of correcting wrong outcomes or, outcomes that are wrong because of counting errors.

Election Cybersecurity Legislation Hits a Wall, RobinHood Visits Baltimore, and of course Florida

“According to a joint report from the Australian Strategic Policy Institute (ASPI) and IT industry professional association ACS, one in five national elections held worldwide since 2016 were potentially influenced by foreign interference, … “Democracies around the world have been struggling to grapple with foreign interference from state actors during elections,” International Cyber Policy Centre head Fergus Hanson said. “More empirical data means they can respond in a more targeted way calibrating policy responses to the likely risk, methods and adversary.” Technology Decisions

In an extensive Roll Call article this morning, Gopal Ratnam reports that despite the best intentions of election officials and many lawmakers, in 2020 many jurisdictions will be using “voting machines that are woefully outdated and that any tampering by adversaries could lead to disputed results.”

In addition to eliminating direct recording electronic (DRE) voting machines and requiring routine post-election audits, many of the legislative efforts have addresses cybersecurity vulnerabilities in voting systems. Edgardo Cortés, election security advisor at the Brennan Center for Justice noted, “In some sense, anything that has an internet connection can be hacked. Wireless capability, even if the functionality can be turned off through hardware or software, poses risks of remote access by adversaries, he said.”

Verified Voting President Marian Schneider explained inthe article that beyond prohibiting voting equipment that can connect to the internet, “machines may still need to have some type of wireless communication system so that administrators can upload new ballot information ahead of each election. Some counties and precincts insert manual cartridges into machines to upload ballot information, but others push out that information wirelessly because it’s easier.”

“The software on new models of voting machines would also need routine updates, and that would require some type of connectivity,” Schneider continued, “the question is, how you do it safely? Because we can’t reduce the risk to zero, we need to do audits to check the results after. Post-election audits, in which samples of cast paper ballots are recounted, is considered the gold standard for verifying election results, but few states conduct them.”

The concern over election cybersecurity was reflected in the many federal election cybersecurity related bills that have been introduced in the past several days. Those bills met an icy reception yesterday, as Senate Rules Committee Chairman Roy Blunt (R-MO) said he doesn’t expect to hold hearings on any election security bills this Congress because he doesn’t think Senate Majority Leader Mitch McConnell (R-KY) will bring them to a floor vote.

On May 10 House Democrats introduced the Election Security Act, portions of which were included in H.R. 1, the For the People Act, an omnibus bill including a broad range of electoral reforms. Read More

Counting Votes: Paper Ballots and Audits in Congress, Crisis at the EAC?, Florida’s Mystery Counties

In her testimony at an election security hearing before the Committee on House Administration last week, Verified Voting President Marian Schneider joined advocates and election officials in calling on Congress to help states and local jurisdictions replace aging voting systems, conduct risk-limiting audits and enhance election infrastructure security. In order to prepare for 2020, Congress must provide “adequate financial investment in cyber security best practices, replacement equipment and post-election audit processes … immediately and continue at a sustainable level moving forward.” Writing in Governing, Graham Vyse highlighted the significant bipartisan agreement between the two secretaries of state who testified, Jocelyn Benson (D-MI) and John Merrill (R-AL), on efforts needed to address emerging threats to election security. Significantly, the state election officials, along with all the witnesses, were unanimous in recommending the replacement of direct recording electronic voting machines with paper ballot voting systems and conducting post-election ballot audits. Two days after the hearing, House Homeland Security Committee Chairman Bennie Thompson (D-MS), House Administration Committee Chairwoman Zoe Lofgren (D-CA) and Rep. John Sarbanes (D-MD), the chairman of the Democracy Reform Task Forcereintroduced The Election Security Act. Aimed at reducing risks posed by cyberattacks by foreign entities or other actors against U.S. election systems, the bill would establish cybersecurity standards for voting system vendors and require states to use paper ballots during elections. Last month legislation was introduced in both chambers intended to strengthen election security by providing government grants to assist states, as well as local and tribal governments, in developing and implementing plans to address cybersecurity threats or vulnerabilities. This week Verified Voting wrote an open letter to the bills’ sponsors supporting their efforts and encouraging them to add provisions specifically prohibiting these funds from being used for internet-based voting. The letter notes that “[c]ybersecurity experts agree that no current technology, including blockchain voting, can guarantee the secure, verifiable, and private return of voted ballots over the internet.” The departure of Ryan Macias from his position as acting head of the Election Assistance Commission’s head of voting system testing and certification program reflects an agency in crisis, according to Politico’s Morning Cybersecurity. Macias’ departure may be related to an exchange at an EAC field hearing, when Chairwoman Christy McCormick repeatedly asked Macias why EAC commissioners didn’t have final approval over the details of federal voting system standards.

Verified Voting Letter in Support of Congressional Election Cybersecurity Legislation

This letter was sent to Senators Cory Gardner (R-CO), Mark Warner (D-VA) and Representatives Derek Kilmer (D-WA) and Michael McCaul (R-TX) on May 14, 2019. Download the PDF. Thank you for introducing legislation aimed at increasing cybersecurity at the state and local levels of government. We recognize the need for this important legislation, which is aimed at hardening cyber resiliency efforts and preventing vulnerabilities from becoming nightmare realities. For the states that would respond to the proposed grants in H.R. 2130 and S.1065, and for the protection of the citizens who live in them, we applaud your support in the battle against cyberattacks. At the same time that you are bolstering cybersecurity defenses, we encourage you to add provisions specifically prohibiting these funds from being used for internet-based voting. Cybersecurity experts agree that internet return of marked ballots lacks sufficient safeguards for security and privacy. We urge you to specifically name internet voting as a threat and prohibit the funding provided by your legislation from being used to support internet voting programs and pilots. Cybersecurity experts agree that no current technology, including blockchain voting, can guarantee the secure, verifiable, and private return of voted ballots over the internet. Both because vote-rigging malware could already be present on the voter's computer and because electronically returned ballots could be intercepted and changed or discarded en route, local elections officials would be unable to verify that the voter’s ballot accurately reflects the voter’s intent. Furthermore, even if the voter's selections were to arrive intact, the voted ballot could be traceable back to the individual voter, violating voter privacy.

Statement on Maryland HB706/SB919 Online Delivery and Marking of Absentee Ballots

To download the PDF click here.

Verified Voting supports Maryland House Bill 706 (Senate Bill 919) as an immediate, short-term mitigation to reduce risks inherent in Maryland’s current online absentee ballot system by limiting its use to only those who would otherwise be unable to vote. Going forward, substantial changes are necessary to provide Maryland’s voters with secure, reliable, accessible means of voting absentee.

Verified Voting supports the objective of helping voters to obtain their ballots and cast their votes, but any technology used for this purpose must be carefully evaluated. Regrettably, computer scientists and others have found that Maryland’s system has several grave shortcomings.

Because Maryland does not check signatures on returned absentee ballots, there is no way to distinguish legitimate from illegitimate ballots. Using information that is widely available, an attacker could readily request, electronically receive (at multiple fake email addresses), and cast any number of absentee ballots.1 Even if the attacker did not cast the ballots, any voters purported to have requested absentee ballots would be required to cast provisional ballots, creating chaos and suspicion and increasing the likelihood that the voter will be disenfranchised. Read More

Verified Voting Applauds Rep. Daryl Metcalfe, Rep. Garth Everett and Lt. Col. Anthony Shaffer’s Nonpartisan Call for the Penn. General Assembly to Appropriate Funding to Replace Vulnerable Electronic Voting Machines

Marian K. Schneider: “Election security is a nonpartisan issue and the goal of hardening our voting systems against potential threats is shared across the aisle.”

The following is a statement from Marian K. Schneider, president of Verified Voting, formerly Deputy Secretary for Elections and Administration in the Pennsylvania Department of State, following the press conference with Lt. Col. Anthony Shaffer this morning in Harrisburg, PA. Lt. Col. Shaffer also testified during the Senate Committee on State Government Hearing on Senate Bill 48 this morning.

“Verified Voting applauds Lt. Col. Anthony Shaffer’s testimony this morning urging Pennsylvania to replace all paperless DREs and for underscoring that this is a cybersecurity threat that needs to be addressed. The Pennsylvania legislature needs to appropriate additional funding to reimburse counties for the cost of replacing aging and vulnerable electronic voting machines with ones that have a voter-marked paper ballot of votes cast before the 2020 election. Read More

Verified Voting Statement on EAC Chair Christy McCormick

The following is a statement from Verified Voting's president, Marian K. Schneider:

"Verified Voting congratulates Christy McCormick on her election as Chair of the Election Assistance Commission and her three priorities for her tenure: election preparedness, replacing aging voting equipment, and working towards improving accessibility for all voters including voters with disabilities, military and overseas voters and limited English proficient voters.

"With those laudable goals in mind, Verified Voting urges Christy McCormick and the EAC to ensure that the next generation of voting systems provide most voters the opportunity to mark their ballots by hand and support robust post-election tabulation audits. These post-election audits can protect the integrity of the election outcomes with the existing systems.Technology has evolved so that improved security, verifiability and accessibility are not mutually exclusive, but can give everyone, the candidates, voters, the press and the public assurance that our voting system is resilient against attack."

No to Online Voting in Virginia | Electronic Frontier Foundation

This article originally appeared on Electronic Frontier Foundation’s website on February 4th, 2019

Experts agree: Internet voting would be an information security disaster. Unfortunately, the Commonwealth of Virginia is considering a pair of bills to experiment with online voting. Pilot programs will do nothing to contradict the years of unanimous empirical research showing that online voting is inherently vulnerable to a variety of threats from malicious hackers, including foreign nations.

EFF strongly opposes Virginia H.B. 2588 and S.J.R. 291, and all online voting. Instead, EFF recommends that absentee voting, like all voting, be conducted with paper records and risk-limiting audits, the current state-of-the art in election security.

Read More

Verified Voting Calls on Governor Tom Wolf and the Pennsylvania General Assembly to Appropriate Funding to Replace Vulnerable Electronic Voting Machines

Marian K. Schneider: “Verified Voting calls on the Pennsylvania legislature to appropriate additional funding to subsidize the cost of replacement.”

The following is a statement from Marian K. Schneider, president of Verified Voting, formerly Deputy Secretary for Elections and Administration in the Pennsylvania Department of State, following Gov. Tom Wolf’s budget address to the joint legislative session on Tuesday morning. 

“The security of Pennsylvania’s elections is at a crossroads. In 2018, 83 percent of Pennsylvanians have voted on unverifiable direct recording electronic (DRE) systems. The state already recognizes the need to replace aging and vulnerable electronic voting machines with ones that have a voter-verifiable paper ballot or record of votes cast before the 2020 election. Governor Tom Wolf committed to this nearly a year ago, yet his budget address to the joint legislative session today falls short of providing the resources counties need to implement best election security practices. In light of the inadequacy of the funding request and the timing of the directive, the Governor should allow the 17 counties that already vote on paper ballots to keep their systems until more resources are available.  Regardless, the remaining counties who do not have a plan to replace their systems are risking another presidential election in which the reported outcome cannot be verified. Read More

To Enhance Election Security, Rhode Island Tests A New Way to Verify Election Results

Rhode Island is making good on its promise to road-test risk-limiting election audits, following 2017 passage of legislation by the Rhode Island General Assembly, requiring them. Beginning with the presidential primary in April 2020, Rhode Island will become the second state to require these audits to verify election results. A “risk limiting” audit checks if the election result is correct. Specifically it checks the counting of the votes. A “risk-limiting” audit limits the risk that the wrong election result will be certified. It can catch errors which change the result and correct a wrong result.

For more background on the legislation, visit here: and here.

To prepare for next year’s full implementation, the Rhode Island Board of Elections will conduct three pilot audits on January 16 and 17 at 50 Branch Avenue in Providence, Rhode Island beginning at 9:30 a.m. These pilot audits will be conducted with local election officials from Bristol, Cranston and Portsmouth, Rhode Island. Read More

Verified Voting Recommends Hand-Marked Paper Ballots for Georgia to SAFE Commission

Verified Voting sent a letter to the Secure, Accessible, Fair Elections (SAFE) Commission on Friday, January 4 with their recommendations for a new voting system in Georgia. Read the letter below or download it here

Verified Voting submits the following statement endorsing hand-marked paper ballots that are scanned as the primary voting method for voters. Verified Voting respectfully requests that this statement be shared with the entire SAFE commission in advance of the next meeting scheduled for January 10, 2019.

Recommendation. In light of the pervasive security vulnerabilities of all electronic voting systems, including Ballot Marking Devices (BMDs), as well as the considerable cost of BMDs, Verified Voting Foundation endorses the use of hand-marked paper ballots as the best primary method for recording votes in public elections. BMDs do play an important role for some voters, including voters with disabilities, that prevent them from hand-marking paper ballots. However, the primary voting method for most voters should be hand-marked paper ballots.

Rationale. Hand-marked paper ballots offer better voter verification than can be achieved with a computerized interface. A paper ballot that is indelibly marked by hand and physically secured from the moment of casting is the most reliable record of voter intent. A hand-marked paper ballot is the only kind of record not vulnerable to software errors, configuration errors, or hacking. With hand-marked paper ballots, voters are responsible only for their own errors, while with a BMD, voters are responsible for catching and correcting errors or alterations made by the BMD. Consequently, well-designed hand-marked paper ballots combined with a risk-limiting post-election tabulation audit provide the gold standard for ensuring that reported election results accurately reflect the will of the people. Read More

Verified Voting Welcomes Colorado Secretary of State Wayne Williams to its Board of Advisors

Wayne Williams: “I’m excited to share my expertise so that we can continue to strengthen our nation’s election systems and voters’ confidence in those systems.”

Verified Voting, a leading national organization focused solely on making our voting technology secure, welcomes Wayne Williams to its Advisory Board. Williams, while serving as Colorado Secretary of State from 2015 to 2019, adopted new voting standards requiring voter-verifiable paper ballots and implemented the nation’s first statewide risk-limiting audit (RLA) in Colorado.

“Voter confidence in elections is critical for Americans’ faith in our democratic republic. The election reforms we adopted in Colorado, including paper ballots and the nation’s first full risk-limiting audit, helped encourage Coloradans to vote in record numbers. I’m excited to share my enthusiasm and election expertise on the Verified Voting Board of Advisors so that we can continue to strengthen our nation’s election systems and voters’ confidence in those systems,” said Williams. Read More

Election Security Experts Applaud City of Fairfax, VA and Orange County, CA for Leading in New Election Integrity Methods

New Reports from Verified Voting Show How Risk-Limiting Audits in California and Virginia Can Improve Election Security and Public Confidence

Robust post-election audits are changing the election security landscape and the City of Fairfax, Virginia and Orange County, California are leading the way. Risk-limiting audits (RLAs) of voter-marked paper ballots can promote election security and public confidence by providing rigorous statistical evidence that election outcomes match the ballots — and a means to detect and correct outcomes that don’t match. If the method is widely adopted it will bolster confidence in elections. In the months leading up to the midterms, the City of Fairfax and Orange County implemented pilot projects that, as documented in two new reports by the Verified Voting Foundation, with funding support from Microsoft, demonstrated the benefits of risk-limiting audits.

The “Pilot Risk-Limiting Audit” reports, released today at the MIT Election Audit Summit, detail how Orange County and the City of Fairfax conducted pilots — in June and August 2018, respectively — and how these pilots provide lessons for election officials and policymakers around the country. Read More

Why voters should mark ballots by hand | Andrew Appel

Because voting machines contain computers that can be hacked to make them cheat, “Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner).  Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots.”

Ballot-marking devices (BMD) contain computers too, and those can also be hacked to make them cheat.  But the principle of voter verifiability is that when the BMD prints out a summary card of the voter’s choices, which the voter can hold in hand before depositing it for scanning and counting, then the voter has verified the printout that can later be recounted by human inspection.

But really?  As a practical matter, do voters verify their BMD-printed ballot cards, and are they even capable of it?  Until now, there hasn’t been much scientific research on that question.

A new study by Richard DeMillo, Robert Kadel, and Marilyn Marks now answers that question with hard evidence:

  1. In a real polling place, half the voters don’t inspect their ballot cards, and the other half inspect for an average of 3.9 seconds (for a ballot with 18 contests!).
  2. When asked, immediately after depositing their ballot, to review an unvoted copy of the ballot they just voted on, most won’t detect that the wrong contests are presented, or that some are missing.

This can be seen as a refutation of Ballot-Marking Devices as a concept.  Since we cannot trust a BMD to accurately mark the ballot (because it may be hacked), and we cannot trust the voter to accurately review the paper ballot (or even to review it at all), what we can most trust is an optical-scan ballot marked by the voter, with a pen.  Although optical-scan ballots aren’t perfect either, that’s the best option we have to ensure that the voter’s choices are accurately recorded on the paper that will be used in a recount or random audit. Read More

Verified Voting Outlines Steps Voters Can Take to Report Problems on Election Day

Recent reports of possible threats to voting systems and registration databases are alarming, but voters should not be deterred from voting this Election Day. Election officials at the state-level are more prepared for cybersecurity threats or problems with computers than they were two years ago.

“The only way to ensure your vote doesn’t count is if you don’t vote,” said Marian K. Schneider, president of Verified Voting.

Verified Voting urges voters who notice anything wrong with their voter registration or at their polling place to call the Election Protection Hotline: 866-OUR VOTE / 1-888-Ve-y-vota or check out 866OURVOTE.org. Voters should also report any problems to their local county board of elections or to the Secretary of State’s office or both. Doing so will allow officials to understand how widespread the issue is and assist in efforts to pinpoint the cause.

For statewide information about polling place equipment, please visit the Verifier.

Verified Voting Calls on Texas to Investigate Straight-Ticket Voting Issues; Voters Should Carefully Check Choices

Marian K. Schneider: “Verified Voting urges Secretary of State Rolando Pablos to move Texas toward reliable, verifiable voting systems that include a voter-marked paper ballot statewide.”

The following is a statement from Marian K. Schneider, president of Verified Voting, in response to reports that voters in six counties in Texas (Harris, Montgomery, Fort Bend, Travis, Tarrant, and McLennan) experienced straight-ticket voting issues using the Hart eSlate voting machines. At a minimum, 5.1 million Texas voters in six of the largest counties in Texas that use Hart eSlate voting machines may be affected by this issue. For additional media inquires, please contact aurora@newheightscommunications.com

“Verified Voting calls on Secretary of State Rolando Pablos to launch a broader and more robust statewide public information effort to advise voters to carefully check their choices as displayed before submitting them on direct recording electronic (DRE) voting machines manufactured by Hart InterCivic.

“Verified Voting appreciates that the Secretary of State issued an advisory warning voters to check their choices carefully before submitting the ballot. More work needs to be done to ensure that all voters in the affected counties are equipped to cast their votes as they intend.

“The reported problems underscore the design flaw in voting systems that do not incorporate a voter-marked paper ballot. Paper ballots that are retained can be later sampled to check if the software is correctly reporting the voters’ selections. Without such a safeguard, public confidence in elections diminishes. Verified Voting urges Secretary Pablos to move Texas toward reliable, verifiable voting systems that include a voter-marked paper ballot statewide.

“Verified Voting also calls on Secretary Pablos to investigate the reports of voting problems, determine the root cause of the issue and publicize the results of such an investigation. Voters should be instructed to report any problems to their local county board of elections or to the Secretary of State’s office or both. Doing so will allow officials to understand how widespread the issue is and assist in efforts to pinpoint the cause.

“Verified Voting also urges voters who experience problems to call the Election Protection hotline at 866-OUR VOTE / 1-888-VE-Y-VOTA. Read More

An unverifiability principle for voting machines | Andrew Appel

This article was originally posted at Freedom to Tinker on October 22, 2018.

In my last three articles I described the ES&S ExpressVote, the Dominion ImageCast Evolution, and the Dominion ImageCast X (in its DRE+VVPAT configuration).  There’s something they all have in common: they all violate a certain principle of voter verifiability.

  • Any voting machine whose physical hardware can print votes onto the ballot after the last time the voter sees the paper,  is not a voter verified paper ballot system, and is not acceptable.
  • The best way to implement this principle is to physically separate the ballot-marking device from the scanning-and-tabulating device.  The voter marks a paper ballot with a pen or BMD, then after inspecting the paper ballot, the voter inserts the ballot into an optical-scan vote counter that is not physically capable of printing votes onto the ballot.

The ExpressVote, IC-Evolution, and ICX all violate the principle in slightly different ways: The IC-Evolution one machine allows hand-marked paper ballots to be inserted (but then can make more marks), the ExpressVote in one configuration is a ballot-marking device (but after you verify that it marked your ballot, you insert it back into the same slot that can print more votes on the ballot), and IC-X configured as DRE+VVPAT can also print onto the ballot after the voter inspects it.  In fact, almost all DRE+VVPATs can do this:  after the voter inspects the ballot, print VOID on that ballot (hope the voter doesn’t notice), and then print a new one after the voter leaves the booth.

Continuous-roll VVPAT under glass: an idea whose time has passed | Andrew Appel

This article was originally posted at Freedom to Tinker on October 19, 2018.

States and counties should not adopt DRE+VVPAT voting machines such as the Dominion ImageCast X and the ES&S ExpressVote. Here’s why.

Touchscreen voting machines (direct-recording electronic, DRE) cannot be trusted to count votes, because (like any voting computer) a hacker may have installed fraudulent software that steals votes from one candidate and gives them to another. The best solution is to vote on hand-marked paper ballots, counted by optical scanners. Those opscan computers can be hacked too, of course, but we can recount or random-sample (“risk-limiting audit”) the paper ballots, by human inspection of the paper that the voter marked, to make sure.

Fifteen years ago in the early 2000s, we computer scientists proposed another solution: equip the touchscreen DREs with a “voter verified paper audit trail” (VVPAT). The voter would select candidates on a touchscreen, the DRE would print those choices on a cash-register tape under glass, the voter would inspect the paper to make sure the machine wasn’t cheating, the printed ballot would drop into a sealed ballot box, and the DRE would count the vote electronically. If the DRE had been hacked to cheat, it could report fraudulent vote totals for the candidates, but a recount of the paper VVPAT ballots in the ballot box would detect (and correct) the fraud.

By the year 2009, this idea was already considered obsolete. The problem is, no one has any confidence that the VVPAT is actually “voter verified,” for many reasons:

  1. The VVPAT is printed in small type on a narrow cash-register tape under glass, difficult for the voter to read.
  2. The voter is not well informed about the purpose of the VVPAT. (For example, in 2016 an instructional video from Buncombe County, NC showed how to use the machine; the VVPAT-under-glass was clearly visible at times, but the narrator didn’t even mention that it was there, let alone explain what it’s for and why it’s important for the voter to look at it.)
  3. It’s not clear to the voter, or to the pollworker, what to do if the VVPAT shows the wrong selections. Yes, the voter can alert the pollworker, the ballot will be voided, and the voter can start afresh. But think about the “threat model.”  Suppose the hacked/cheating DRE changes a vote, and prints the changed vote in the VVPAT. If the voter doesn’t notice, then the DRE has successfully stolen a vote, and this theft will survive the recount.  If the voter does notice, then the DRE is caught red-handed, except that nothing happens other than the voter tries again (and the DRE doesn’t cheat this time). You might think, if the wrong candidate is printed on the VVPAT then this is strong evidence that the machine is hacked, alarm bells should ring– but what if the voter misremembers what he entered in the touch screen?  There’s no way to know whose fault it is.
  4. Voters are not very good at correlating their VVPAT-in-tiny-type-under-glass to the selections they made on the touch screen. They can remember who they selected for president, but do they really remember the name of their selection for county commissioner? And yet, historically in American elections, it’s as often the local and legislative offices where ballot-box-counting (insider) fraud has occurred.
  5. “Continuous-roll” VVPATs, which don’t cut the tape into individual ballots, compromise the secrecy of the ballot.  Since any of the political-party-designated pollwatchers can see (and write down) what order people vote on the machine, and know the names of all the voters who announce themselves when signing in, they can (during a recount) correlate voters to ballots. (During a 2006 trial in the Superior Court of New Jersey, I was testifying about this issue; Judge Linda Feinberg saw this point immediately, she said it was obvious that continuous-roll VVPATs compromise the secret ballot and should not be acceptable under New Jersey law. )