Verified Voting Blog

This blog contains posts authored by the Verified Voting Team and by members of the Verified Voting Board of Advisors.

Verified Voting Blog: Verified Voting Names Voting Rights Lawyer and Pennsylvania Election Official Marian K. Schneider New President

Schneider: “Now more than ever, we need to secure our voting systems, and Verified Voting is leading the way.”

Nearly a year after intelligence agencies confirmed foreign interference in our elections – and with midterm primaries just around the corner – the U.S. is looking to safeguard its elections infrastructure. To that end, Verified Voting, the leading national organization focused solely on making our voting technology secure, has named voting rights lawyer and former Pennsylvania election official Marian K.  Schneider as its new president. Schneider, who most recently served as the special advisor to Pennsylvania Governor Tom Wolf on election policy, will focus on restoring faith in the democratic process of voting by securing our elections.

A lawyer with expertise in voting rights and election law, Schneider has extensive experience with state government administration as well as in the nonprofit social justice sector.

“Marian brings an uncommon mix of passion and experience as an on-the-ground election official and as an advocate to Verified Voting, and we couldn’t be more pleased to have her join,” said Barbara Simons who served as Interim President and will now return to her role as Board Chair. “We are confident that under Marian’s leadership, Verified Voting can achieve its goals to secure future elections.” Read More

Verified Voting Blog: Yes, Voting Machines Can Be Hacked – Now the Hard Work Begins

DEFCON Report on Machine Vulnerabilities Critical First Step in Raising Awareness, But to Secure Election Systems, States Must Adopt Paper Ballots

A new report on cyber vulnerabilities of our elections systems raises awareness of a critical issue, but in order to secure our elections, we need fundamental changes made at the state and local level. Verified Voting collaborated on the DEFCON Hacker Village to raise awareness of a chilling reality: our enemies have the will, intention and ability to tamper with our election infrastructure, potentially delegitimizing our elections and destabilizing our government. Verified Voting has known of this frightening possibility for years—we were founded in 2004, in the wake of election irregularities, to secure our democracy by ensuring that Americans’ votes would be counted the way they intended to cast them.

We know from deep experience: protecting our election infrastructure is a national security issue, and if we don’t act now, as former FBI Director James Comey has stated, ‘They’ll be back.’ That’s why Verified Voting has worked continuously with state election officials to safeguard their systems. Just last month, Verified Voting worked closely with Virginia’s Board of Elections in their move to decertify and remove its insecure, untrustworthy paperless voting machines and replace them with voter-marked paper ballots.  Read More

Verified Voting Blog: Verified Voting Is Seeking a New President

Download this announcement in PDF format.

Verified Voting Foundation (a 501(c)(3) organization) and (a 501(c)(4) organization) are nonprofit, nonpartisan organizations founded over a decade ago by election security experts. We strive to guarantee the accuracy, transparency, and verifiability of elections, so that citizens rightly can trust election outcomes. We are the only national organization with the exclusive mission of protecting the security of elections in the digital age.

This is an exciting time to be Verified Voting President. Citizens and policy makers are finally becoming aware of major security vulnerabilities of our election systems. The President of Verified Voting, who is the Chief Executive Officer of both organizations, will have a platform that can have significant national impact.

Verified Voting is a leading election security organization in the U.S., earning widespread respect among activists, academics, election officials, and other officials at all levels of government. We specialize in election technology and procedures, and we are the most trusted source of impartial information and expertise on these topics. Our Board and Advisory Board are comprised of a who’s who of election security and cybersecurity experts, as well as election officials and attorneys. Read More

Verified Voting Blog: Verified Voting Letter to the US Senate Select Committee on Intelligence

This letter was sent to the US Senate Select Committee on Intelligence following a hearing on June 21, 2017. (Download PDF)

Verified Voting vigorously applauds the Senate Select Committee on Intelligence for its leadership and commitment to securing our elections. With clear evidence that foreign attackers sought to attack our 2016 elections through various means, our intelligence agencies warn that hostile attackers will be back to attack future elections. Congress and the most vulnerable states should act with urgency to fund and implement protective reforms that will make our election systems resilient against cyber attack: funding the adoption of paper ballots and accessible ballot marking systems, and implementing robust, manual post-election audits of the votes.

The June 21 hearing is an important first step toward those reforms, providing valuable information through witness testimony and questions of the Senators. We wish to expand on several key points that were raised in the hearing to ensure a clear understanding of the challenges we face in securing our elections.

It is crucial to understand that further reforms are urgently needed to bolster the mitigations currently in place so that it is possible to detect and correct a cyber attack on the vote count.

Some testimony asserted that pre-election testing and post-election audits currently in place would catch errors in vote tallies caused by a malicious attacker or software failure. Unfortunately, pre-election testing, though helpful for ensuring the completeness of ballot programming, can be defeated by malicious software designed to detect when the system is in test mode. This is what happened with Volkswagen diesels cars: the software caused the cars’ emissions systems to behave correctly during testing, but then allowed them to pollute under non-testing conditions.

Read More

Verified Voting Blog: Alex Halderman: Expert Testimony before the US Senate Select Committee on Intelligence

This testimony was delivered at a hearing on June 21, 2017. (Download PDF)

Chairman Burr, Vice Chairman Warner, and members of the Committee, thank you for inviting me to speak today about the security of U.S. elections. I’m here to tell you not just what I think, but about concerns shared by hundreds of experts from across cybersecurity research and industry. Such expertise is relevant because elections—the bedrock of our democracy—are now on the front lines of cybersecurity, and they face increasingly serious threats. Our interest in this matter is decidedly non-partisan; our focus is on the integrity of the democratic process, and the ability of the voting system to record, tabulate, and report the results of elections accurately.

My research in computer science and cybersecurity tackles a broad range of security challenges.1 I study attacks and defenses for the Internet protocols we all rely on every day to keep our personal and financial information safe. I also study the capabilities and limitations of the world’s most powerful attackers, including sophisticated criminal gangs and hostile nation states. A large part of my work over the last ten years has been studying the computer technology that our election system relies on.2 In this work, I often lead the “red team,” playing the role of a potential attacker to find where systems and practices are vulnerable and learn how to make them stronger.

I know firsthand how easy it can be to manipulate computerized voting machines. As part of security testing, I’ve performed attacks on widely used voting machines, and I’ve had students successfully attack machines under my supervision.

US Voting Machines Are Vulnerable

As you know, states choose their own voting technology.3 Today, the vast majority of votes are cast using one of two computerized methods. Most states and most voters use the first type, called optical scan ballots, in which the voter fills out a paper ballot that is then scanned and counted by a computer. The other widely used approach has voters interact directly with a computer, rather than marking a choice on paper. It’s called DRE, or direct-recording electronic, voting. With DRE voting machines, the primary records of the vote are stored i n computer memory.4

Both optical scanners and DRE voting machines are computers. Under the hood, they’re not so different from your laptop or smartphone, although they tend to use much older technology—sometimes decades out of date.5 Fundamentally, they suffer from security weaknesses similar to those of other computer devices. I know because I’ve developed ways to attack many of them myself as part of my research into election security threats.

Ten years ago, I was part of the first academic team to conduct a comprehensive security analysis of a DRE voting machine. We examined what was at that time the most widely used touch-screen DRE i n the country,6 and spent several months probing it for vulnerabilities. What we found was disturbing: we could reprogram the machine to invisibly cause any candidate to win. We also created malicious software—vote-stealing code—that could spread from machine-to-machine like a computer virus, and silently change the election outcome.7

Vulnerabilities like these are endemic throughout our election system. Cybersecurity experts have studied a wide range of U.S. voting machines—including both DREs and optical scanners—and in every†single†case¨†they’ve found severe vulnerabilities that would allow attackers to sabotage machines and to alter votes.8 That’s why there is overwhelming consensus in the cybersecurity and election integrity research communities that our elections are at risk.

Cyberattacks Could Compromise Elections

Of course, interfering in a state or national election is a bigger job than just attacking a single machine. Some say the decentralized nature of the U.S. voting system and the fact that voting machines aren’t directly connected to the Internet make changing a state or national election outcome impossible. Unfortunately, that is not true.9

Some election functions are actually quite centralized. A small number of election technology vendors and support contractors service the systems used by many local governments. Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters.

Furthermore, in close elections, decentralization can actually work against us. An attacker can probe different areas of the most important “swing states” for vulnerabilities, find the areas that have the weakest protection, and strike there.10 In a close election, changing a few votes may be enough to tip the result, and an attacker can choose where—and on which equipment—to steal those votes. State and local elections are also at risk.

Our election infrastructure is not as distant from the Internet as it may seem.11 Before every election, voting machines need to be programmed with the design of the ballot, the races, and candidates. This programming is created on a desktop computer called an election management system, or EMS, and then transferred to voting machines using USB sticks or memory cards. These systems are generally run by county IT personnel or by private contractors.12 Unfortunately, election management systems are not adequately protected, and they are not always properly isolated from the Internet. Attackers who compromise an election management system can spread vote-stealing malware to large numbers of machines.13

Russian Attack Attempts: The Threats Are Real

The key lesson from 2016 is that hacking threats are real.

This month, we’ve seen reports detailing Russian efforts to target voter registration systems i n up to 39 states14 and to develop a capability to spread an attack from an election technology vendor to local election offices.15 Attacking the IT systems of vendors and municipalities could put the Russians in a position to sabotage equipment on election day, causing voting machines or electronic poll books to fail, resulting in long lines or other disruptions. The Russians could even have engineered this chaos to have a partisan effect, by targeting localities that lean heavily towards one candidate or another.

Successful infiltration of election IT systems also could have put the Russians in a position to spread an attack to the voting machines and potentially steal votes. Although the registration systems involved were generally maintained at the state level, and most pre-election programming is performed by counties or outside vendors, counties tend to be even less well defended than state governments. They typically have few IT support staff and little, if any, cybersecurity expertise.

Another approach that the Russians might have been planning is to tamper with the voting system in an obvious, easily discovered way, such as causing reporting systems to send the news media incorrect initial results on election night. Even if the problem was corrected and no actual votes were changed, this would cause uncertainty in the results and widespread distrust of the system, which would injure our democratic processes. If voters cannot trust that their votes are counted honestly, they will have reason to doubt the validity of elections.16

I don’t know how far the Russians got in their effort to penetrate our election infrastructure, nor whether they interfered with equipment on election day. (As far as the public knows, no voting equipment has been forensically examined to check whether it was successfully attacked.) But there is no doubt that Russia has the technical ability to commit widescale attacks against our voting system, as do other hostile nations. As James Comey testified here two weeks ago, we know “They’re coming after America,” and “They’ll be back.”17

Practical Steps to Defend Election Infrastructure

We must start preparing now to better defend our election infrastructure and protect it from cyberattacks before the elections in 2018 and 2020. The good news is, we know how to accomplish this. Paper ballots, audits, and other straightforward steps can make elections much harder to attack.

I have entered into the record a letter from over 100 computer scientists, security experts, and election officials. This letter recommends three essential measures that can safeguard U.S. elections:

● First, we need to replace obsolete and vulnerable voting machines, such as paperless systems, with optical scanners and paper ballots—a technology that 36 states already use. Paper provides a resilient physical record of the vote18 that simply can’t be compromised by a cyberattack. President Trump made this point well shortly before the election in an interview with Fox News. “There’s something really nice about the old paper-ballot system,” he said. “You don’t worry about hacking. You don’t worry about all the problems that you’re seeing.”19

● Second, we need to consistently and routinely check that our election results are accurate, by inspecting enough of the paper ballots to tell whether the computer results are right.20 This can be done with what’s known as risk-limiting audits.21 Such audits are a common-sense quality control.22 By manually checking a relatively small random sample of the ballots, officials can quickly and affordably provide high assurance that the election outcome was correct.

Optical scan ballots paired with risk-limiting audits provide a practical way to detect and correct vote-changing cyberattacks. They may seem low-tech, but they are a reliable, cost-effective defense.23

● Lastly, we need to raise the bar for attacks of all sorts including both vote tampering and sabotage by conducting comprehensive threat assessments and by applying cybersecurity best practices to the design of voting equipment24 and the management of elections.

These fixes aren’t expensive. Replacing insecure paperless systems nationwide would cost between $130 million and $400 million.25 Running risk-limiting audits nationally for federal elections would cost less than $20 million a year.26 These amounts are vanishingly small compared to the national security improvement the investment buys. Yet such measures could address a prime cyber challenge, boost voter confidence, and significantly strengthen a crucial element of our national security. They would also send a firm response to any adversaries contemplating interfering with our election system.

Election officials have an extremely difficult job, even without having to worry about cyberattacks by hostile governments. The federal government can make prudent and cost-effective investments to help them defend our election infrastructure and uphold voters’ confidence. With leadership from across the aisle, and action in partnership with the states, our elections can be well protected in time for 2018 and 2020.

Thank you for the opportunity to testify. I look forward to answering any questions.


1 My curriculum vitae and research publications are available online at .

2 For an accessible introduction to the security risks and future potential of computer voting technologies, see my online course, Securing†Digital†Democracy†, which is available for free on Coursera: https://www. .

3 In many states, the technology in use even differs from county to county. Verified Voting maintains an online database of the equipment in use in each locality: .

4 Some DREs also produce a printed record of the vote and show it briefly to the voter, using a mechanism called a voter-verifiable paper audit trail, or VVPAT. While VVPAT records provide a physical record of the vote that is a valuable safeguard against cyberattacks, research has shown that VVPAT records are difficult to accurately audit and that voters often fail to notice if the printed record doesn’t match their votes. For these reasons, most election security experts favor optical scan paper ballots. See: S. Goggin and M. Byrne, “An Examination of the Auditability of Voter Verified Paper Audit Trail (VVPAT) Ballots.” In Proceedings†of†the†2007†USENIXØACCURATE†Electronic†Voting†Technology Workshop†, August 2007. Available at: . See also: B. Campbell and M. Byrne, “Now Do Voters Notice Review Screen Anomalies?” In Proceedings of the 2009 USENIX/ACCURATE/IAVoSS Electronic Voting Technology Workshop, August 2009. Available at: .

5 In 2016, 43 states used computer voting machines that were at least 10 years old—close to the end of their design lifespans. Older hardware and software generally lacks defenses that guard against more modern attack techniques. See: L. Norden and C. Famighetti, “America’s Voting Machines at Risk,” Brennan Center, 2015. See also: S. Checkoway, A. Feldman, B. Kantor, J. A. Halderman, E. W. Felten, and H. Shacham, “Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage.” In Proceedings of the 2009 USENIX/ACCURATE/IAVoSS Electronic Voting Technology Workshop, August 2009. Available at: .

6 The machine was the Diebold AccuVote TS, which is still used statewide in Georgia in 2017.

7 A. J. Feldman, J. A. Halderman, and E. W. Felten, “Security Analysis of the Diebold AccuVote-TS Voting Machine.” In Proceedings of the 2007 USENIX/ACCURATE Electronic Voting Technology Workshop (EVT), August 2007. The research paper and an explanatory video are available at: .

8 For a partial bibliography of voting machine attack research, see: J. A Halderman, “Practical Attacks on Real-world E-voting.” In F. Hao and P. Y. A. Ryan (eds.), Real-World Electronic Voting: Design¨ Analysis and Deployment , CRC Press, December 2016. Available at: .

9 I explained how attackers can bypass these obstacles in a recent congressional briefing: Strengthening Election Cybersecurity , May 15, 2017. The video is available at .

10 For a more detailed description of how adversaries might select targets, see J. A. Halderman, “Want to Know if the Election was Hacked? Look at the Ballots,” November 2016, available at: .

11 Fortunately, the U.S. has resisted widespread use of Internet voting—a development that would paint a fresh bull’s eye on our democratic system. I myself have demonstrated attacks against Internet voting systems in Washington, D.C., Estonia, and Australia. See: S. Wolchok, E. Wustrow, D. Isabel, and J. A. Halderman, “Attacking the Washington, D.C. Internet Voting System.” In Proceedings of the 16th Intl Conference on Financial Cryptography and Data Security, February 2012. Available at: D. Springall, T. Finkenauer, Z. Durumeric, J. Kitcat, H. Hursti, M. MacAlpine, and J. A. Halderman, “Security Analysis of the Estonian Internet Voting System.” In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS), November 2014. Available at: J. A. Halderman and V. Teague, “The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election.” In Proceedings of the 5th International Conference on E-voting and Identity, September 2015. Available at: . For a broader discussion of why secure Internet voting systems are likely decades away, see: R. Cunningham, M. Bernhard, and J. A. Halderman, “The Security Challenges of Online Voting Have Not Gone Away.” IEEE Spectrum, November 3, 2016. .

12 In my own state, Michigan, about 75% of counties outsource pre-election programming to a pair of independent service providers. These are small companies with 10–20 employees that are primarily in the business of selling election supplies, including ballot boxes and “I Voted” stickers.

13 See, for example, J. Calandrino, et al., “Source Code Review of the Diebold Voting System,” part of the California Secretary of State’s “Top-to-Bottom” Voting Systems Review, July 2007. Available at: .

14 M. Riley and J. Robertson, “Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known.” Bloomberg†, June 13, 2017. .

15 M. Cole, R. Esposito, S. Biddle, and R. Grim, “Top-secret NSA Report Details Russian Hacking Efforts Days Before 2016 Election.” The†Intercept†, June 5, 2017. .

16 See, as one example, E. H. Spafford, “Voter Assurance.” NAE The†Bridge†, December 2008. .

17 Testimony of former FBI Director James B. Comey before the Senate Select Committee on Intelligence, June 8, 2017.

18 Of course, paper ballots can be tampered with too, by people handling them. Optical scan tabulation has the advantage that it produces both paper and electronic records. As long as officials check that both sets of records agree, it would be very difficult for criminals to alter the election outcome without being detected, whether by a cyberattack or by old-fashioned ballot manipulation.

19 See: election-day-fox-news-2016-11 .

20 At least 29 states already require some form of post-election audit. However, since the procedures in most states are not designed as a cyber defense, the number of ballots that are audited may be much too low or geographically localized to reliably detect an attack. Some states also allow auditing by rescanning paper ballots through the same potentially compromised machines. Results from paperless DRE voting machines cannot be strongly audited, since there is no physical record to check. For state-by-state details, see National Conference of State Legislatures, “Post-election Audits,” June 2017. Available at: .

21 For a detailed explanation of risk-limiting audits, see J. Bretschneider et al., “Risk-Limiting Post-Election Audits: Why and How.” Available at: New Mexico already requires something similar to a risk-limiting audit, and Colorado is implementing risk-limiting audits starting in 2017. Risk-limiting audits have been tested in real elections in California, Colorado, and Ohio.

22 One of the reasons why post-election audits are essential is that pre-election “logic and accuracy” testing can be defeated by malicious software running on voting machines. Vote-stealing code can be designed to detect when it’s being tested and refuse to cheat while under test. Volkswagen’s emission-control software did something similar to hide the fact that it was cheating during EPA tests.

23 Former CIA director James Woolsey and Lt. Col. Tony Shaffer call for paper ballots and auditing in a May 12, 2017 op-ed in Fox News: “Ultimately, we believe the solution to election insecurity lies in President Reagan’s famous old adage: ‘trust but verify’.” .

24 One notable effort to develop secure voting equipment is STAR-Vote, a collaboration between security researchers and the Travis County, Texas elections office. STAR-Vote integrates a range of modern defenses, including end-to-end cryptography and risk limiting audits. See S. Bell et al., “STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System.” USENIX Journal of Election Technology and Systems (JETS) 1(1), August 2013. .

25 Brennan Center, “Estimate for the Cost of Replacing Paperless, Computerized Voting Machines,” June 2017. . This cost might be significantly reduced by developing voting equipment based on open-source software and commercial off-the-shelf (COTS) hardware.

26 This estimate assumes that auditing a federal race will have an average cost similar to manually recounting 10% of precincts. In a risk-limiting audit, the actual number of ballots that must be checked varies with, among other factors, the margin of victory.

Verified Voting Blog: Technology Experts’ Second Letter to Georgia Secretary of State Brian Kemp

This letter was sent to Georgia Secretary of State Brian Kemp on May 24, 2017. Download PDF

On March 14th we sent a letter to you expressing grave concerns regarding the security of Georgia’s voting systems and requesting transparency from your office concerning key questions about the reported breach at Kennesaw State University Center for Election Systems (KSU).

The FBI has reportedly closed its investigation into the breach at KSU and will not be pressing federal charges1 but regrettably little more is known. We remain profoundly concerned about the security of Georgia’s votes and the continued reliance on Diebold paperless touchscreen voting machines for upcoming elections.2

The FBI’s decision not to press charges should not be mistaken for a confirmation that the voting systems are secure. The FBI’s responsibility is to investigate and determine if evidence exists indicating that federal laws were broken. Just because the FBI concluded this hacker did not cross that line does not mean that any number of other, more sophisticated attackers could not or did not exploit the same vulnerability to plant malicious software that could be activated on command. Moreover, the FBI’s statement should not be misinterpreted to conclude that KSU or the Georgia voting system do not have other security vulnerabilities that could be exploited by malicious actors to manipulate votes.

Any breach at KSU’s Election Center must be treated as a national security issue with all seriousness and intensity. We urge you to engage the Department of Homeland Security and the US Computer Emergency Readiness Team (CERT) to conduct a full forensic investigation. We cannot ignore the very real possibility that foreign actors may be targeting our election infrastructure. Read More

Verified Voting Blog: Amid Cybersecurity Concerns, France Abandons Plans for Internet Voting in Upcoming Elections

Earlier this month, the French government announced that it was cancelling plans to allow citizens abroad to vote over the Internet in legislative elections this June. Calling allegations of Russian hacking in western countries worrisome, the National Cybersecurity Agency of France (ANSSI) described the current risk of cyberattack as “extremely high,” and advised “that it would be better to take no risk that might jeopardize the legislative vote for French citizens residing abroad.”

In February Emmanuel Macron’s En Marche (Onwards!) party alleged that their campaign was the target of ‘fake news’ put out by Russian news agencies and they had been victims of cyberattacks. Following these allegations, outgoing president Bernard Hollande called a meeting of the French Defense Council and asked for a report on “specific monitoring and protection measures, including in the cyber domain, to be taken during the election campaign.” Read More

Verified Voting Blog: Technology Experts’ Letter to Georgia Secretary of State Brian Kemp

This letter was sent to Georgia Secretary of State Brian Kemp on March 14, 2017. Download PDF

On March 3rd it was reported that the Federal Bureau of Investigations is conducting a criminal investigation into an alleged cyber attack of the Kennesaw State University Center for Election Systems. According to the KSU Center for Election Systems’ website, “the Secretary of State authorized KSU to create a Center for Election Systems, dedicated to assisting with the deployment of the Direct Record Electronic (DRE) voting technology and providing ongoing support.”[1] The Center is responsible for ensuring the integrity of the voting systems and developing and implementing security procedures for the election management software installed in all county election offices and voting systems.

The Center has access to most if not all voting systems and software used in Georgia. It also is responsible for programming these systems and accessing and validating the software on these systems. It is our understanding that the Center also programs and populates with voter records the electronic poll books used in polling places statewide. A security breach at the Center could have dire security consequences for the integrity of the technology and all elections carried out in Georgia.

In order for citizens to have faith and confidence in their elections, transparency is crucial, including about events such as the KSU breach, and its extent and severity. While we understand that this investigation is ongoing and that it will take time for the full picture to emerge, we request that you be as forthcoming and transparent as possible regarding critical information about the breach and the investigation, as such leadership not only will be respected in Georgia but also emulated in other states where such a breach could occur. We expect that you are already pursuing questions such as the following, regarding the breach, and trust that you will make public the results of such inquiry:

  1. Can you estimate when the attacker breached KSU’s system?
  2. How did the attacker breach KSU’s system?
  3. How was the breach discovered?
  4. Which files were accessed?
  5. Were any files accessed that related to software or “hashes” for the voting machines?
  6. Is there any evidence that files were modified?  If so, which files?
  7. Had KSU begun ballot builds for the upcoming special election?
  8. To whom are these attacks being attributed? Could this be an insider attack? Has the FBI identified any suspects or persons of interest?
  9. Has the FBI examined removable media for the possibility of implanted malware?
  10. Has the FBI examined the hash or verification program for tampering? \
  11. What mitigations are planned for the near- and long-term?

In any state an attack on a vendor providing software and system support with such far-reaching responsibilities would be devastating. This situation is especially fragile, because of the reliance on DRE voting machines that do not provide an independent paper record of verified voter intent. KSU has instead sought to verify the validity of the software on the voting machines by running a hash program on all machines before and after elections in an effort to confirm that the software has not been altered.  However, if KSU’s election programming were compromised, it is also possible that the verification program could have been modified to affirm that the software is correct, even if it were not. This is a risk of using software to check the correctness of software.

Of course all Georgia elections are important. This month and next include special elections as well. If these upcoming elections are to be run on DREs and e-pollbooks that are maintained and programmed by KSU while the KSU Center for Election Systems is itself the subject of an ongoing criminal investigation, it can raise deep concerns. And today’s cyber risk climate is not likely to improve any time soon.

We urge you to provide Georgia’s citizens with information they need to confirm before going to vote that their name will appear correctly on the voter rolls, as well as back-up printed voter lists in case anomalies appear. Most importantly, we urge you to act with all haste to move Georgia to a system of voter-verified paper ballots and to conduct post-election manual audits of election results going forward to provide integrity and transparency to all of Georgia’s elections. We would be strongly supportive of such efforts and would be willing to help in any way we can.


Dr. Andrew W. Appel
Eugene Higgins Professor of Computer Science,
Princeton University

Dr. Duncan Buell
Professor, Department of Computer Science & Engineering, NCR Chair of Computer Science & Engineering,
University of South Carolina

Dr. Larry Diamond
Senior Fellow, Hoover Institute and Freeman Spogli Institute,
Stanford University

Dr. David L. Dill
Professor of Computer Science,
Stanford University

Dr. Richard DeMillo
Charlotte B, and Roger C. Warren Professor of Computing
Georgia Institute of Technology

Dr. Michael Fischer
Professor of Computer Science,
Yale University

Dr. J. Alex Halderman
Professor, Computer Science and Engineering
Director, Center for Computer Security and Society
University of Michigan

Dr. Joseph Lorenzo Hall
Chief Technologist,
Center for Democracy & Technology

Martin E. Hellman
Professor Emeritus of Electrical Engineering,
Stanford University

Candice Hoke
Co-Director, Center for Cybersecurity & Privacy Protection and Professor of Law,
Cleveland State University

Harri Hursti
Chief Technology Officer and co-founder, Zyptonite,
founding partner, Nordic Innovation Labs

Dr. David Jefferson
Lawrence Livermore National Laboratory

Dr. Douglas W. Jones
Department of Computer Science
University of Iowa

Dr. Joseph Kiniry
Principal Investigator, Galois
Principled CEO and Chief Scientist, Free & Fair

Dr. Justin Moore
Software Engineer, Google

Dr. Peter G. Neumann
Senior Principal Scientist, SRI International Computer Science Lab, and moderator of the ACM Risks Forum

Dr. Ronald L. Rivest
MIT Institute Professor

Dr. John E. Savage
An Wang Professor of Computer Science,
Brown University

Bruce Schneier
Fellow and lecturer
Harvard Kennedy School of Government

Dr. Barbara Simons
IBM Research (retired),
former President Association for Computing Machinery (ACM)

Dr. Philip Stark
Associate Dean, Division of Mathematics and Physical Sciences,
University of California, Berkeley

Dr. Vanessa Teague
Department of Computing & Information Systems,
University of Melbourne

Affiliations are for identification purposes only, they do not imply institutional endorsements.


Verified Voting Blog: Our Voting System Is Hackable by Foreign Powers | David Dill

This article appeared originally in the March 2017 issue of Scientific American.

The FBI, NSA and CIA all agree that the Russian government tried to influence the 2016 presidential election by hacking candidates and political parties and leaking the documents they gathered. That’s disturbing. But they could have done even worse. It is entirely possible for an adversary to hack American computerized voting systems directly and select the next commander in chief.

A dedicated group of technically sophisticated individuals could steal an election by hacking voting machines in key counties in just a few states. Indeed, University of Michigan computer science professor J. Alex Halderman says that he and his students could have changed the result of the November election. Halderman et al. have hacked a lot of voting machines, and there are videos to prove it. I believe him.

Halderman isn’t going to steal an election, but a foreign nation might be tempted to do so. It needn’t be a superpower like Russia or China. Even a medium-size country would have the resources to accomplish this, with techniques that could include hacking directly into voting systems over the Internet; bribing employees of election offices and voting-machine vendors; or just buying the companies that make the voting machines outright. It is likely that such an attack would not be detected, given our current election security practices.

Read More

Verified Voting Blog: New Report: Internet Voting Threatens Ballot Secrecy

Casting a secret ballot in the upcoming election might not be so secret or secure depending on where – and how – you vote, according to a new report The Secret Ballot at Risk: Recommendations for Protecting Democracy. The report was coauthored by three leading organizations focused on voting technology, the Electronic Privacy Information Center (EPIC), Verified Voting and Common Cause.

Caitriona Fitzgerald, State Policy Coordinator for EPIC and a co-author of the report, said, “The secret ballot is a core value in all 50 states. Yet states are asking some voters to waive this right. That threatens voting freedom and election integrity. This report will help safeguard voter privacy.”

This year 32 states will allow voting by email, fax and internet portals – mostly for overseas and military voters. In most states, voters using Internet voting must waive their right to a secret ballot.

Giving up the right to a secret ballot threatens the freedom to vote as one chooses, argue the report authors. The report cites several examples of employers making political participation a condition of employment — such as an Ohio coal mining company requiring its workers to attend a Presidential candidate’s rally – and not paying them for their time.

“On Election Day, we all are equal. The Secret Ballot ensures voters that employers’ political opinions stop at the ballot box,” said Susannah Goodman, director of Common Cause’s national Voting Integrity Campaign. “The Secret Ballot was established for a reason. The Secret Ballot ensures that we can all vote our conscience without undue intimidation and coercion.”

Marc Rotenberg, EPIC President, agreed, “The secret ballot is the cornerstone of modern democracy. The states must do more to protect the privacy of voters.” Read More

Verified Voting Blog: Give Us The Ballot | Dr. Martin Luther King Jr.

The following passage is excerpted from a speech that Dr. King delivered before the Lincoln Memorial at the March on Washington on May 17 1957, three years after Brown v. Board of Education and eight years before the enactment of the Voting Rights Act.

Three years ago the Supreme Court of this nation rendered in simple, eloquent and unequivocal language a decision which will long be stenciled on the mental sheets of succeeding generations. For all men of good will, this May 17 decision came as a joyous daybreak to end the long night of segregation. It came as a great beacon light of hope to millions of distinguished people throughout the world who had dared only to dream of freedom. It came as a legal and sociological deathblow to the old Plessy doctrine of “separate-but-equal.” It came as a reaffirmation of the good old American doctrine of freedom and equality for all people.

Unfortunately, this noble and sublime decision has not gone without opposition. This opposition has often risen to ominous proportions. Many states have risen up in open defiance. The legislative halls of the South ring loud with such words as “interposition” and “nullification.” Methods of defiance range from crippling economic reprisals to the tragic reign of violence and terror. All of these forces have conjoined to make for massive resistance.

But, even more, all types of conniving methods are still being used to prevent Negroes from becoming registered voters. The denial of this sacred right is a tragic betrayal of the highest mandates of our democratic traditions and its is democracy turned upside down.

So long as I do not firmly and irrevocably possess the right to vote I do not possess myself. I cannot make up my mind — it is made up for me. I cannot live as a democratic citizen, observing the laws I have helped to enact — I can only submit to the edict of others. Read More

Verified Voting Blog: A Democracy Worth the Paper — Ballot — it’s Written on | Mark Halvorson and Barbara Simons

This oped appeared originally at on December 19, 2016.

As the CIA digs deep to investigate foreign influence on our election, we should recognize that we don’t need cybersecurity experts to tell us if our votes have been accurately counted. Citizen observers can do the job, if we fix the way we vote and the way we verify those votes.

Our democracy is in crisis because we have introduced computers into our voting systems without proper safeguards. First and foremost, every vote must be cast on a paper ballot marked by the voter. In addition, we must require that at least a random sample of those paper ballots be counted by hand to determine if the electronically reported election results are correct.

About 25 percent of the 2016 votes, including almost all of Pennsylvania, were cast on paperless, computerized voting machines. Since software can contain bugs, programming errors, and even malware, we never should have allowed paperless voting machines to record and count our votes, because there is no way to verify that votes are properly recorded and counted inside the machines. Voting on a paperless electronic voting machine is like speaking your vote to a stranger behind a screen and ­­­­­trusting him to cast it for you, without ever seeing the person or how he marked your ballot.

Furthermore, even states with paper ballots tabulate almost all of them using computerized optical scanners. Paper ballots provide no protection unless they are manually checked after the election to verify or correct the computer-declared results. There are only two ways to independently verify electronic tallies (that is, to confirm whether or not the person behind the screen was honest and accurate): post-election audits and recounts done by hand by examining the original paper ballots. Read More

Verified Voting Blog: Election Security Is a Matter of National Security | David Dill

This article appeared originally at Scientific American on November 30, 2016.

State-sponsored cyber-attacks seemingly intended to influence the 2016 Presidential election have raised a question: Is the vulnerability of computerized voting systems to hacking a critical threat to our national security? Can an adversary use methods of cyber-warfare to select our commander-in-chief?

A dedicated group of technically sophisticated individuals could steal an election by hacking voting machines key counties in just a few states. Indeed, University of Michigan computer science professor J. Alex Halderman says that he and his students could have changed the result of the presidential election. Halderman et al. have hacked a lot of voting machines, and there are videos to prove it. I believe him.

Halderman isn’t going to steal an election, but a foreign power might be tempted to do so. The military expenditures of a medium-size country dwarf the cost of a multi-pronged attack, which could include using the internet, bribing employees of election offices and voting machine vendors, or just buying voting machine companies. It is likely that such an attack would not be detected, given our current election security practices.

What would alert us to such an attack? What should we do about it? If there is reason to suspect an election result (perhaps because it’s an upset victory that defies the vast majority of pre-election polls), common sense says we should double-check the results of the election as best we can. But this is hard to do in America. Recount laws vary with each state. In states where it is possible to get a recount, it often has to be requested by one of the candidates, often at considerable expense.

In the recent election, it is fortunate that Green Party Presidential candidate Jill Stein, citing potential security breaches, recently requested a recount of the 2016 presidential vote in Wisconsin and Pennsylvania and plans to do so in Michigan. Donald Trump unexpectedly won these three states by very narrow margins, and their recount laws are favorably compared with some of the other swing states. Read More

Verified Voting Blog: Want to Know if the Election was Hacked? Look at the Ballots | J. Alex Halderman

This response was originally posted at and is cross-posted here with permission of the author.

haldermanYou may have read at NYMag that I’ve been in discussions with the Clinton campaign about whether it might wish to seek recounts in critical states. That article, which includes somebody else’s description of my views, incorrectly describes the reasons manually checking ballots is an essential security safeguard (and includes some incorrect numbers, to boot). Let me set the record straight about what I and other leading election security experts have actually been saying to the campaign and everyone else who’s willing to listen. 

How might a foreign government hack America’s voting machines to change the outcome of a presidential election? Here’s one possible scenario. First, the attackers would probe election offices well in advance in order to find ways to break into their computers. Closer to the election, when it was clear from polling data which states would have close electoral margins, the attackers might spread malware into voting machines in some of these states, rigging the machines to shift a few percent of the vote to favor their desired candidate. This malware would likely be designed to remain inactive during pre-election tests, do its dirty business during the election, then erase itself when the polls close. A skilled attacker’s work might leave no visible signs — though the country might be surprised when results in several close states were off from pre-election polls.

Could anyone be brazen enough to try such an attack? A few years ago, I might have said that sounds like science fiction, but 2016 has seen unprecedented cyberattacks aimed at interfering with the election. This summer, attackers broke into the email system of the Democratic National Committee and, separately, into the email account of John Podesta, Hillary Clinton’s campaign chairman, and leaked private messages. Attackers infiltrated the voter registration systems of two states, Illinois and Arizona, and stole voter data. And there’s evidence that hackers attempted to breach election offices in several other states.

In all these cases, Federal agencies publicly asserted that senior officials in the Russian government commissioned these attacks. Russia has sophisticated cyber-offensive capabilities, and has shown a willingness to use them to hack elections. In 2014, during the presidential election in Ukraine, attackers linked to Russia sabotaged the country’s vote-counting infrastructure and, according to published reports, Ukrainian officials succeeded only at the last minute in defusing vote-stealing malware that was primed to cause the wrong winner to be announced. Russia is not the only country with the ability to pull off such an attack on American systems — most of the world’s military powers now have sophisticated cyberwarfare capabilities. Read More

Verified Voting Blog: Still time for an election audit | Ron Rivest and Philip Stark

This oped was originally published by USA Today on November 18, 2016.

A Washington Post–ABC News poll found that 18% of voters — 33% of Clinton supporters and 1% of Trump supporters — think Trump was not the legitimate winner of the election. Sen. Lindsey Graham, R-S.C., has called on Congress to investigate the Russian cyberattack on the Democratic National Committee and the election. There are reasons for concern. According to the director of national intelligence, the leaked emails from the DNC were “intended to interfere with the U.S. election process.” The director of national intelligence, the Department of Homeland Security, and the National Security Agency concluded that the Russian government is behind the DNC email hack and that Russian hackers attacked U.S. voter registration databases.

We know that the national results could be tipped by manipulating the vote count in a relatively small number of jurisdictions — a few dozen spread across a few key states. We know that the vast majority of local elections officials have limited resources to detect or defend against cyberattacks. And while pre-election polls have large uncertainties, they were consistently off. And various aspects of the preliminary results, such as a high rate of undervotes for president, have aroused suspicion.

Computers counted the vast majority of the 130 million votes cast in this year’s election. Even without hacking, mistakes are inevitable. Computers can’t divine voter intent perfectly; computers can be misconfigured; and software can have bugs. Did human error, computer glitches, hacking, or other problems change the outcome? While there is, as yet, no compelling evidence, the news about hacking and deliberate interference makes it worth finding out. Read More

Verified Voting Blog: Election integrity: Missing components to remedy

This oped appeared originally at the The Hill on November 8, 2016.

Our election systems’ vulnerabilities received unprecedented bipartisan and media attention from mid-summer onward, sparked by the apparently Russian origins of hacks into the Democrat’s communications systems. If tampering with the U.S. election process was a goal, then election technologies used for voter registration and vote tabulation, and the Internet itself, were hypothesized as additional potential targets. Further disclosures added fire to the considerable smoke.

While correction of U.S. election vulnerabilities may appear to be largely a simple matter of upgrading the election technologies, including voting devices and voter registration databases, that focus alone would be window dressing.  It would conceal and permit continuation of a broad array of vulnerabilities warranting reassessment and remedy.  Indeed, a full cyber risk assessment of our “mission critical” election processes would highlight a broad range of soft points that include many not yet a part of public and policymaker scrutiny. Outdated technology may appear to be the easiest correction, yet it is not. Other weak links in the process will defeat secure and resilient elections processes unless they, too, are redressed—like any weak chain.

The illustrative list below elucidates some agenda items relevant on the eve of casting, counting, and reporting tallies — and on checking the accuracy of vote tallies if hacking may have occurred. Read More

Verified Voting Blog: Trump’s claim the election is rigged is unfounded

This article was posted originally at The Hill on October 20, 2016.

I serve as President of Verified Voting, a voting security organization that seeks to strengthen democracy by working to ensure that on Election Day, Americans have confidence that their votes will be counted as we intended to cast them. Election officials, security experts and advocates have been working together around the country toward that goal, at a level that also is unprecedented.

Elections are administered by local officials. America doesn’t have one monolithic national voting system the way there is in other countries. We have thousands of them, operating under state and local supervision.

In recent years, the way in which America votes has trended toward increasingly reliable and verifiable methods. More than 75 percent of Americans will vote this election on paper ballots or on voting machines with voter verifiable paper trails. That’s more than in past elections, including 2012 and 2014. (You can check out how your local area votes on our map of voting systems.) That means more voters than ever will be voting on recountable, auditable systems.

Why is that important? Because it offers officials a way to demonstrate to the loser of an election and the public that yes, they really did get fewer votes than their opponent or opponents.This is a nonpartisan issue. If you lose an election because something went wrong with a voting system somewhere, that’s fundamentally unfair. The more checks and balances we have in place (such as paper backup trails and audits), the greater our ability to withstand tampering or just general malfunction.

That’s not to say that our systems have no vulnerabilities. We have a higher degree of reliability in our election systems than in the past, but there’s still work to be done. What’s notable is that more is being done to ensure security this year than ever before. Read More

Verified Voting Blog: David Dill: Why Can’t We Vote Online? | KQED

This interview was posted at KQED on October 4, 2016, where audio of the interview can be heard.

david_dillWe can bank online and we can shop online so why can’t we vote online? To answer that question, we first need to agree on what it means, said David Dill, a computer science professor at Stanford and the founder of the Verified Voting Foundation. In other words, what do people mean when they ask: “Why can’t we vote online?”

“The reason people want internet voting is because they want the convenience to vote at home or vote on their smartphone,” Dill said. I have to agree. I want to vote online like I do everything else online. I want to vote anywhere, anytime and on any device. If that’s the case, Dill said the answer is simple: We can’t vote online because our personal devices are too easy to hack. “If we had online elections, we would never be able to trust the results of those elections,” Dill said. “These systems are just notoriously insecure.”

If you follow the news, you know that our smartphones and personal computers are constantly getting hacked. While antivirus companies try, no software can stop all viruses. In fact, you might have a virus on your computer right now and not realize it, Dill said. “Now you can imagine the impact on trying to cast a ballot on such a machine,” Dill said. “The technology does not exist for secure online voting.”

But aren’t there places that have voted online? Yes, but Dill says they’ve all been hacked. Read More

Verified Voting Blog: Andrew W. Appel: My testimony before the House Subcommittee on IT

This article appeared originally at Freedom to Tinker on September 30, 2016. I was invited to testify yesterday before the U.S. House of Representatives Subcommittee on Information Technology, at a hearing entitled “Cybersecurity: Ensuring the Integrity of the Ballot Box.”  My written testimony is available here.  My 5-minute opening statement went as follows:

My name is Andrew Appel.  I am Professor of Computer Science at Princeton University.   In this testimony I do not represent my employer. I’m here to give my own professional opinions as a scientist, but also as an American citizen who cares deeply about protecting our democracy. My research is in software verification, computer security, technology policy, and election machinery.  As I will explain, I strongly recommend that, at a minimum, the Congress seek to ensure the elimination of Direct-Recording Electronic voting machines (sometimes called “touchscreen” machines), immediately after this November’s election; and that it require that all elections be subject to sensible auditing after every election to ensure that systems are functioning properly and to prove to the American people that their votes are counted as cast. There are cybersecurity issues in all parts of our election system:  before the election, voter-registration databases; during the election, voting machines; after the election, vote-tabulation / canvassing / precinct-aggregation computers.  In my opening statement I’ll focus on voting machines.  The other topics are addressed in a recent report I have co-authored entitled “Ten Things Election Officials Can Do to Help Secure and Inspire Confidence in This Fall’s Elections.” Read More

Verified Voting Blog: What are the post-Election Day procedures states can take to confirm the election went well?

This article was originally posted in the September 16 issue of NCSL’s The Canvas.

Ensuring the accuracy and integrity of the vote count can help generate public confidence in elections. Two of the most important steps happen after voting concludes on Election Day. Ballot accounting and reconciliation (BA&R) is a not-so-exciting name for a crucial best practice. BA&R is a multi-step process that is designed to account for all ballots, whether cast at the polling place or sent in remotely, and compare that with the number of voters who voted, as the first pass. After that, the next step is to ensure that all batches of votes from all the polling places are aggregated into the totals once (and only once). This is a basic “sanity check” that makes sure no ballots are missing, none are found later, none were counted twice, etc. Most jurisdictions do a good job at this task. Read More