Verified Voting Policy on Direct Recording Electronic Voting Machines and Ballot Marking Devices

Introduction

The following is a policy statement issued by the staff of Verified Voting Foundation. Ahead of the 2020 presidential election, the U.S. finds itself again in the position of widespread deployment of a relatively newer voting technology — ballot marking devices (“BMDs”). Because devices vary widely, Verified Voting is explicitly stating our current views on evaluation, ongoing development and best practice deployment of this technology. Should you have any questions about this policy please contact Marian K. Schneider at marian@verifiedvoting.org.

Principles & Policy

Verified Voting’s policies are grounded in a few core principles for secure, accessible, and verifiable elections:

  1. Verification through voter-marked paper ballots: For the foreseeable future, elections should use durable paper ballots, which voters mark by hand or through the use of an assistive device, and can verify before casting. Post-election audits and, when necessary, recounts, should rely upon the voter marks on these ballots – not barcodes, images, or any other artifacts that voters cannot verify.
  2. Private and independent voting: Voting systems and processes should support all voters in marking, verifying, and casting their ballots privately and independently.
  3. Affirmative verification support: Voting systems and processes should affirmatively encourage and assist all voters to deliberately verify that their marked ballots record their votes as intended.
  4. Universal usability standards: Voting systems should be demonstrated to meet performance standards for usability and accessibility – including verifiability – for all voters.
  5. Resilience: Voting systems and processes should be resilient against various kinds of failures and emergencies.
  6. Transparency: Any election information that does not have to be kept secret for good legal or public policy reasons should be open and transparent to the public.

Applying these principles and our understanding of present knowledge to contemporary Direct Recording Electronic (DRE) voting systems and Ballot Marking Devices (BMDs), we reach several broad conclusions:

  1. Vote tabulation, audits, and recounts should rely on voter-marked paper ballots that voters are readily able to verify before casting1 — not votes recorded directly into computer memory, which voters are not able to verify. “Paper audit trails” have not adequately mitigated this problem: they generally are difficult for voters to verify and for election officials to use in audits or recounts.2
  2. Voters should be allowed to choose, individually, whether to hand-mark their ballots or use a ballot marking device. BMD usage should not be limited to voters with identified disabilities; nor should all in-person voters be compelled to use BMDs.
  3. For several reasons, at this time, many precinct-based polling places are well-served by one BMD and a separate tabulator. In this configuration, election procedures must assure that a sufficient number and variety of voters use the BMD. For instance, if necessary, some fraction of voters (such as every 20th voter) can be explicitly invited, but not required, to use the BMD.
  4. BMDs, and the ballots that they mark, should support and encourage accurate verification by voters. BMDs that do not facilitate voter verification should not be used.
    1. BMDs should present marked paper ballots to voters, giving voters the choice of handling or not handling their ballots,3 should enable all voters to review their ballots carefully before casting them. It should not be possible to skip this important verification step. The system should enable voters to understand how to obtain a fresh ballot if the marked ballot does not accurately reflect their intent.
    2. Ballots — whether marked by BMDs or by hand — should make it easy for voters to verify their votes, listing all contests and selections (including, when applicable, non-selections) in enough detail to allow all voters to verify accuracy. Jurisdictions must treat these human-readable marks, not barcodes or ballot images, as authoritative for purposes of recounts and audits and to determine voter intent.4
    3. The hardware must be incapable (even if directed by fraudulent software) of adding marks to the ballots that could add, change or void any votes on a ballot, after the voter verifies the ballot
    4. If barcodes appear along with text on BMD-marked ballots, all voters must have a means to fully interpret the content encoded by those barcodes, if they wish to do so. (See the further discussion below)
  5. No aspect of the ballot may reveal any voter’s identity directly or indirectly. In particular, no identifying information should be encoded in any barcode.
  6. Election processes, including voter education and polling place design and operation, should emphasize the importance of paper ballots and of each voter verifying that the paper ballot accurately represents the voter’s selections. Voters must have ample instruction, means, and time to deliberately verify their ballots.
  7. Routine, rigorous post-election tabulation audits should use the human-readable portion of voter-marked paper ballots and must occur in every election.
  8. Contingency plans, including ample access to hand-markable paper ballots, must be in place in the event that some or all BMDs fail or malfunction.
  9. Too little is known about the usability of BMDs and the ballots they produce, whether they facilitate verification of choices and what interventions increase the rate of verification. Comprehensive usability research is needed to inform continued improvements.

Background

Computerized voting and counting systems, like all computer systems, are subject to equipment failures, accidental misconfiguration, and deliberate subversion. Care must be taken not only to assure that the systems perform correctly, but to provide trustworthy public evidence that they did – and, if necessary, to correct errors in contest results.

Voter-marked paper ballots can provide a trustworthy verification bridge from voter intent to vote tabulation: voters can verify that their marks reflect their intended selections and election officials can verify, through audits and recounts, that the vote counts accurately reflect the voter marks. Both parts of the bridge are necessary. If a voting system does not provide a ballot that voters can verify, it is fatally insecure. If the system produces a marked ballot that in principle the voter can verify, then the system’s security and trustworthiness depend in significant part on how many voters verify their ballots, how carefully, and what happens if they note discrepancies. It is important to design all voting systems and procedures to strongly encourage as many voters to verify their ballots as possible, and to intervene if voters report to election officials that BMDs appear to be mismarking ballots for any reason. Verified Voting supports routine, rigorous post-election audits of voter-marked ballots in all elections.

In the 2018 election, most in-person polling places (precincts and vote centers) in the country used one of three basic voting setups:

  1. A uniform full-size ballot for all voters, which most voters mark by hand, and others mark using a BMD with assistive interfaces. Usually these ballots are tabulated by scanners at the polling place.
  2. A DRE voting system for all voters, which records people’s votes directly to computer memory, and which may also have a voter-verifiable paper audit trail (VVPAT) that the voter may (if able) monitor for accuracy.
  3. Two ways to record votes: hand-marked paper ballots plus DRE systems. Often the DRE systems are used only by voters who rely upon their special accessibility features (or not at all); sometimes voters divide themselves more evenly between the two voting methods.

A growing number of jurisdictions are adopting a new type of BMD that – unlike earlier BMDs – produce ballots that differ from those marked by hand. These systems produce summary ballots that show, for each contest that the voter could vote in, only the name of the contest and the voter’s selection(s) – or show that the voter did not make a selection in that contest. Summary ballots may be the same size as the hand-marked ballots (although very different in appearance), or they may be substantially smaller. Many of these summary ballots also encode the voter selections as barcodes, which are easier to tabulate in those systems than the human-readable text of the selections.

The new BMDs, like DREs, can be deployed either along with hand-marked paper ballots, or by themselves to be used by all in-person voters. Compelling all in-person voters to use BMDs raises serious concerns, which we discuss below.

Some voting systems are, or can be configured as, “all-in-one” systems that can both mark (or print) ballots and tabulate the ballots. All-in-one systems raise additional concerns, also discussed below.

Direct Recording Electronic Systems

Recording people’s votes directly to computer memory is inherently unsafe because voters cannot observe and verify their own votes. If these votes are recorded only to computer memory, it becomes impossible for the voter or others to know whether they were recorded as the voter intended. Equipment failure or malicious subversion may be undetectable – and nobody can prove that they didn’t occur. Disputes about whether election outcomes match voters’ intentions cannot be resolved.

Some systems attempt to mitigate the inherent dangers of DRE systems by providing so-called “voter-verifiable paper audit trails” (VVPATs) that record voters’ selections on paper, usually at the same time as the selections are recorded to memory. However, the mere existence of “voter-verifiable paper” does not make DRE systems secure. Equipping DRE systems with VVPATs has generally been a poor solution because the designs treat voter verification of the paper record as an afterthought.5 Typically, the paper records are printed off to one side, often on a thin roll of thermal paper behind a plastic window. Voters may not even realize that these printouts exist, much less why they are important. Research indicates that many voters do not read or even look at the paper records, and those who do often don’t notice differences between their selections and the paper records.6

Most VVPAT systems cannot display the complete paper record of a voter’s vote selections: if a voter checks the record only after making all selections, the top-of-ticket contests are no longer visible.

These and other shortcomings make VVPATs hard for voters to use, and often also hard for election officials to use in audits and recounts. We strongly recommend phasing out DRE systems. Most jurisdictions are doing so but these systems are still being manufactured and sold.

BMD Controversies

It is important to provide high quality BMDs that can assist voters who prefer to use a BMD to mark, verify, and cast their ballots privately and independently. The Americans with Disabilities Act and the Help America Vote Act establish legal requirements to provide accessible voting systems. Voters who do not self-identify as having disabilities can benefit from BMD features as well as those who do, and such devices can facilitate alternative language access.

However, opinions differ sharply about whether all in-person voters should use BMDs, whether only voters with disabilities should use these systems, or something in between. To complicate the discussion, current BMDs (including all-in-one systems) differ in many ways, some of which depend on how the systems are configured and deployed: it is hard to generalize about their voter verification and usability properties. One needs to look carefully at the particulars.

BMDs raise voter verification concerns because voters who use them cannot verify the selections on their ballots until after entering all the selections and printing the ballot. In contrast, a voter who hand-marks a ballot can verify each selection as it is marked, then review the entire ballot before finally casting the ballot.

When verification of the marked (printed) selections cannot begin until late in the voting process, voters may tend to rush past it. Consequently, voters can easily overlook errors, unintended selections, malicious changes in their selections, or even which contests are listed on their ballots. This potential for missing mistakes in BMD paper ballots elevates the risk that an attacker can steal votes unnoticed. In light of this, Verified Voting supports processes that encourage deliberate and intentional verification of paper ballots produced by BMDs and clear instructions for voters and pollworkers about what to do in the event voters detect a discrepancy and report it.7

The voter verification challenge can be mitigated – or intensified – by several factors, including the following:

  1. Ballot design: Are the ballots highly readable, avoiding small fonts and cryptic abbreviations? Can voters verify selections easily using assistive devices or procedures of their choice?
  2. System design: Are ballots presented to voters in an obvious way, instead of being retained off to the side? Does the system allow voters the option to remove their ballots from the machine and check them before casting them? Does it make it easy for voters with various kinds of limitations to verify their ballots? Does the system prevent voters from printing and casting their ballots without an opportunity for verification? Is the system designed to prohibit additional marks on the paper ballots that could either add votes or void them after voters cast them?
  3. Machine availability: Are there enough machines to keep lines fairly short throughout the voting period, or do voters feel hurried in casting their ballots, thus restricting their review and verification time — particularly when a substantial fraction of machines are not functioning?
  4. Polling place design: Are voters encouraged to deliberately and intentionally check their ballots?
  5. Instructions and pollworker support: Are voters told before and during the time they are voting to check their ballots and why that is important? Do they know what to do if their ballots contain errors, so that they do not inadvertently cast an incorrect ballot? Are procedures specified for dealing with voter complaints, minimally by documenting them, and if necessary by taking some or all BMDs out of service? Without such procedures, there is no recourse if BMDs are subverted or mis-programmed.

Existing all-in-one systems are especially problematic for voter verification. Although these systems do allow voters with certain motor disabilities to cast their ballots independently, they often make it hard for all voters to verify their ballots. Some can be configured to “auto-cast” ballots, printing and casting the ballots without a voter verification step; a serious security flaw because malware could undetectably alter voter selections on these ballots. Also, some existing systems can print on ballots after voters cast them, a grave security threat.8

In principle, a BMD with a highly usable interface for making selections and a readily verified summary ballot could be easier for many voters to navigate and check than a hand-marked ballot with dozens of contests and candidates. However, we know of no data that show that presently available BMD systems support voter verification as well as hand-marked paper ballots that follow best practices for ballot layout. We welcome research in this area and will re-examine this policy based on the results of such research. Some BMD design efforts – most strikingly, Los Angeles County’s VSAP project – have paid careful attention to comprehensive usability including verification. But to our knowledge, no system has demonstrated itself to be the best choice for all in-person voters. We believe that no voter should be compelled to use a BMD.9

We also believe that polling places with dual voting systems – those that make both hand-marked ballots and BMDs available to all voters – are more resilient and at lower cost than polling places that rely on BMDs alone. All-BMD setups tend to produce unnecessary scarcity: the number of voters who can mark their ballots simultaneously depends on the number of working BMDs. If too few BMDs are provided to accommodate turnout at a polling place, or if some BMDs fail during election day, long lines can result, and some voters may be unable to vote. In the worst case, it might be necessary to remove all BMDs from service because of widespread reports of mis-recorded votes. The deployment of BMDs for all voters requires jurisdictions to train pollworkers and advise voters of the necessity to check their paper ballots and make sure they correctly reflect their choices. Otherwise, BMD problems may go unnoticed and uncorrected.10 In any all-machine polling place, contingency plans must be in place to provide hand-markable paper ballots if needed.

In contrast, privacy stations for hand-marking ballots are far cheaper and less failure-prone than BMDs, so many voters can mark their ballots simultaneously at low cost. If polling place scanners fail, ballots still can be securely deposited for later tabulation.11 Given both resilience and voter verification concerns, most precinct-based polling places probably are best served by one scanner that can handle both hand-marked and machine-marked ballots, plus at least one BMD. (The optimal number of BMDs may depend on precinct size, voter preference, and other considerations.)

However, we acknowledge plausible arguments against dual-system setups. Existing dual-system setups often have failed voters with disabilities. Many currently deployed “accessible” DREs or BMDs – often over a decade old – have poor usability features. Many provide no way for voters with disabilities to independently verify their votes. Moreover, because often these systems are used by very few voters, they often are treated as low priorities during training and/or setup. Voters with disabilities report that the systems sometimes are not set up at all, that pollworkers prevent or discourage voters from using them, or that pollworkers are unable to provide even the most basic support. Also, when these systems produce paper records that differ from the hand-marked paper ballots used by most voters, and when just one or a few voters use them, the privacy of their votes is put at risk. No voter should have to endure these problems.

We do not believe that compelling all in-person voters to use BMDs is an effective way to protect the rights of voters with disabilities – especially when those BMDs have poor or questionable security, usability, and verification properties for all voters. At the same time, BMD use should not be restricted to voters who are unable to hand-mark their ballots. For several reasons, including ballot anonymity, quality assurance, and voter dignity, it is best to have a variety of voters using polling place BMDs throughout election day, supported by pollworkers who are trained to help all voters appropriately. If necessary, procedures should be implemented to ensure that BMDs are used by a variety of voters: for instance, by explicitly inviting every 20th voter to use a BMD. Crucially, to support this objective, the BMDs and election processes should meet the verifiability standards we have discussed. Everyone deserves good voting systems. If a BMD is so flawed that voters should not be allowed to volunteer to use it, then it does not provide an accessible voting method, and no voter should have to use it.

Some suggest minimizing the impact of BMDs’ voter verification weaknesses by discouraging voters from using BMDs unless necessary. We believe that considering all the other threats to election security, the approach we recommend here strikes a reasonable balance among all the important values that election processes should respect.

Parallel testing of BMDs on election day can provide an additional means to detect BMD malfunctions due to subversion or any other cause. Researchers and election officials should investigate the feasibility of parallel testing. In the worst case, if parallel testing and/or polling place reports indicate that the BMDs are fundamentally untrustworthy, it may be necessary to reschedule the election – as if a natural disaster had occurred.

Barcodes

Many election integrity advocates have expressed reservations about the use of barcodes on BMD-marked ballots. Some barcodes encode information about ballot style and other ballot characteristics; other barcodes encode voter selections, as an aid to accurate and efficient tabulation.

Although legitimate use cases for barcodes exist, barcodes have serious pitfalls. They are mysterious to the voter and engender distrust in the system, may distract from or even crowd the human-readable information, and can introduce other security risks. We believe that barcodes on BMD-marked ballots are acceptable only under the following conditions:

  1. Voters can readily verify the human-readable information on their ballots;
  2. Routine, rigorous post-election audits must use the human-readable information to confirm that the ballots were tabulated accurately;12
  3. The barcodes do not directly or indirectly identify voters; and
  4. All voters have a means to fully interpret the content of all barcodes, to provide transparency and to mitigate any fears that the barcodes do identify the voters.13
  1. If some ballots are remade and the remade ballots are tabulated, the original voter-marked, voter-verifiable ballots should be used in audits and recounts.
  2. For instance, see Sharon B. Cohen, “Auditing Technology for Electronic Voting Machines,” Caltech/MIT Voting Technology Project Working Paper #46, May 2005, available at http://vote.caltech.edu/documents/96/vtp_wp46.pdf; and Stephen N. Goggin and Michael D. Byrne, “An Examination of the Auditability of Voter Verified Paper Audit Trail (VVPAT) Ballots,” 2007, available at https://www.usenix.org/legacy/events/evt07/tech/full_papers/goggin/goggin.pdf.
  3. We prefer a device that allows voters who choose to do so to handle their ballots to check their choices before casting their ballots.
  4. BMD-marked paper ballots should never present barcodes to the voter without human-readable text, and audits should never rely on barcodes but must rely on the human-readable text.
  5. It may be possible to design a system that records votes directly to computer memory, but also provides excellent support for voter verification based on voter-marked paper ballots. This was the intention of the STAR-Vote system designed by Travis County, Texas, but never manufactured or deployed.
  6. See Cohen, supra n. 1 at 51.
  7. Because the current commercially available BMDs are new devices, and in light of concerns about whether voters actually verify their choices on BMDs, specific procedures to encourage ballot verification need to be developed, as well as procedures for pollworker response to voter reports of discrepancies on the paper ballots. One example of this type of instruction for pollworkers may be found in Montana’s guide: Uniform Ballot and Voting System Procedures Guide, Security, Testing, Inventory Control and Troubleshooting, Montana Secretary of State, at 17-18 (Nov. 2015) available here: https://sosmt.gov/Portals/142/Elections/Documents/Officials/Uniform-Voting-Systems-Guide.pdf?dt=1523479664710; See also Virginia General Registrar Election Board Handbook, Ch. 11 Election Day Manual, at 9-10, available here: https://www.elections.virginia.gov/media/grebhandbook/GREB-2019.pdf and Code of Virginia §24.2-118, available here https://law.lis.virginia.gov/vacode/title24.2/chapter6/section24.2-642/.
  8. For systems that use hand-markable paper ballots, this attack cannot be detected by visual inspection. In systems with summary ballots, the attack might be detectable but could go undetected. For instance, consider malware that changes deliberate undervotes to votes for a candidate. Most systems are designed to rule out this possibility by printing “NO SELECTION MADE” or a similar indication. But what if the malware instead prints a blank space, and the voter does not realize that this behavior is wrong? Then, after the voter casts the ballot, the malware can print the candidate’s name in the human-readable text, undetectable by subsequent visual inspection.
  9. The VSAP system may not provide the option to hand-mark paper ballots at vote centers. Although we favor providing this choice to all in-person voters, the VSAP model does provide all voters with options to mark vote selections without solely relying on the BMD. We are most concerned about jurisdictions that provide no alternative to BMDs for most voters, or that provide only the alternative of mail ballots.
  10. Note that depending on the number of votes already cast on BMDs, there could be grave concerns about the integrity of the election. Rescheduling the election might be the only recourse. This possibility, among others, underscores the importance of managing, not dismissing, the inherent security risks of BMDs
  11. Note that, in the event of scanner failure, poll workers should not scan any ballots deposited in the separate secure receptacle until after the polls close. Any other process that would allow scanning during the voting period could cause alarm or mistrust or even delay other voters from scanning their ballots.
  12. All voted ballots, whether marked by BMD or by hand, should be subject to such audits.
  13. Fully interpreting the content of barcodes generally will entail both the ability to decode the barcode format and access to further information. For instance, one voting system’s barcodes encode six-digit numbers that represent where a candidate or choice would be located on a printed ballot. Thus, voters would need information on how to convert the numbers to candidates or choices.