March 7, 2021

Archives for October 2018

An unverifiability principle for voting machines

In my last three articles I described the ES&S ExpressVote, the Dominion ImageCast Evolution, and the Dominion ImageCast X (in its DRE+VVPAT configuration).  There’s something they all have in common: they all violate a certain principle of voter verifiability.

  • Any voting machine whose physical hardware can print votes onto the ballot after the last time the voter sees the paperis not a voter verified paper ballot system, and is not acceptable.
  • The best way to implement this principle is to physically separate the ballot-marking device from the scanning-and-tabulating device.  The voter marks a paper ballot with a pen or BMD, then after inspecting the paper ballot, the voter inserts the ballot into an optical-scan vote counter that is not physically capable of printing votes onto the ballot.

The ExpressVote, IC-Evolution, and ICX all violate the principle in slightly different ways: The IC-Evolution one machine allows hand-marked paper ballots to be inserted (but then can make more marks), the ExpressVote in one configuration is a ballot-marking device (but after you verify that it marked your ballot, you insert it back into the same slot that can print more votes on the ballot), and IC-X configured as DRE+VVPAT can also print onto the ballot after the voter inspects it.  In fact, almost all DRE+VVPATs can do this:  after the voter inspects the ballot, print VOID on that ballot (hope the voter doesn’t notice), and then print a new one after the voter leaves the booth.

It is to obey this principle that we should separate ballot marking devices from ballot scanning/tabulation devices (better known as “optical scanners”).  Here’s my favorite ballot-marking device:

But here are some other acceptable BMDs (from ClearBallot, ES&S, Hart, Dominion, and Unisyn):


Any of these can mark a paper ballot to be inserted in a separate optical-scanner.  You might notice that the second picture is an ExpressVote, which if used as an all-in-one unit that both marks and scans the ballot,  violates the principle.  But if used as a nonscanning, nontabulating ballot-marking device, and if the tabulating optical scanner cannot mark votes onto the ballot,  then the ExpressVote (and similar machines) can safely be used as a BMD.

“… whose physical hardware …”

I stated the principle as, “Any voting machine whose physical hardware can print votes onto the ballot after the last time…”  That’s quite different from “Any voting machine that can print votes onto the ballot after the last time…”

What’s the difference?  Those two statements might seem equivalent, but they’re not.

All-in-one voting machines such as the Dominion ImageCast Evolution and the ES&S ExpressVote have software that, to the best of our knowledge, doesn’t cheat.  Their software passes inspection by and EAC-certified laboratory, and we hope that such labs would notice if there were a part of the program that printed votes on an already-marked ballot.  So it’s fair to say, as it’s shipped from the manufacturer, neither of these machines can print votes onto an already-marked ballot.

But the problem is, the software can be replaced by unauthorized software that behaves differently.  That unauthorized replacement, we call “hacking.”  The unauthorized software can send instructions to the physical hardware of the machine: motors, scanners, printers, indicator lights, and so on.  Anything that the voting machine’s physical hardware can do, the fraudulent software can tell it to do.

Optical scanners that mark serial numbers on the ballot

I stated the principle as, “Any machine whose physical hardware can print votes onto the ballot after the last time…”  That’s quite differnt from, “Any machine whose physical hardware can print onto the ballot after the last time…”

What’s the difference?    Those two statements might seem equivalent, but they’re not.

Ballot-comparison audits are one form of risk-limiting audit (RLA) that can be particularly efficient.  The idea is: the optical-scan voting machine produces a file of Cast-Vote Records (CVRs) that contains a commitment to the contents and interpretation of each individual paper ballot.  It must be possible to link each CVR to one particular piece of paper, otherwise a ballot-comparison audit is not possible.  One cannot link CVRs to paper ballots unless the paper ballot has some sort of serial number, either preprinted (before it goes through the optical scanner) or printed afterward (perhaps as it goes through the optical scanner).   Because most voting equipment in use today does not have this capability, ballot-comparison audits cannot be used with that equipment, and other RLA methods are used, such as ballot-polling audits or batch-comparison audits.

There’s a problem with putting serial numbers on the ballot that the voter can see: it weakens the secret ballot, because now the voter can remember the serial number, and prove how she voted; thus she can be bribed or coerced to vote a certain way.  Therefore, some jurisdictions may be reluctant to use preprinted serial numbers.

So there are reasons that we might wish to allow optical-scanners to print serial numbers onto the ballot, but the optical scanner must not be physically able to print votes onto the ballot — that would violate the verifiability principle I stated at the beginning.

One solution to this problem  is to equip the optical scanner with a printer that is physically able to print only within 1 centimeter of the edge of the paper.  As long as no vote-marks are expected at the edge of the paper, then the scanner can print onto the ballot but cannot print votes onto the ballot.

Two widely used central-count optical scanners from major voting-machine manufacturers both have this capability: the Dominion ImageCast Central and the ES&S DS850.  Jennifer Morrell informs me, “So far, Dominion’s CVR is the only one I’ve seen where the imprinted ID can be formatted to indicate a specific scanner, batch, and sequence number within the batch.”  That is, the cast-vote record of Dominion’s central-count op-scanner has not just a serial number, but an identifier whose design is particularly helpful in ballot-comparison audits.

“… the voter inserts the ballot …”

Some voters have motor disabilities that make it difficult or impossible for them to physically handle a paper ballot.  Some voters have visual impairments, they can’t see a paper ballot.  For those voters, polling places that use optical-scan voting can (and do) provide ballot-marking devices (such as the ones shown in the pictures above) that have audio interfaces (for blind voters) or sip-and-puff interfaces (for quadriplegic voters).

But after they use the BMD to mark their ballot, some of these disabled voters are physically unable to take the ballot from the BMD and insert it into the optical scanner.  For those voters, an advantage of DRE+VVPAT or all-in-one voting machines is that they don’t have to handle a paper ballot.

When the ballot-marking device is separate from the optical scanner, those voters will need the assistance of a pollworker to insert their ballot into the optical scanner (or, when central-count optical scanning is used, insert it into the ballot box).  This seems necessary: the security hazards of all-in-one voting machines, the unverifiability of scanners that can print more votes onto the ballot, outweigh the convenience factor of an all-in-one voting machine.



Continuous-roll VVPAT under glass: an idea whose time has passed

States and counties should not adopt DRE+VVPAT voting machines such as the Dominion ImageCast X and the ES&S ExpressVote.  Here’s why.

Touchscreen voting machines (direct-recording electronic, DRE) cannot be trusted to count votes, because (like any voting computer) a hacker may have installed fraudulent software that steals votes from one candidate and gives them to another.  The best solution is to vote on hand-marked paper ballots, counted by optical scanners.  Those opscan computers can be hacked too, of course, but we can recount or random-sample (“risk-limiting audit”) the paper ballots, by human inspection of the paper that the voter marked, to make sure.

Fifteen years ago in the early 2000s, we computer scientists proposed another solution: equip the touchscreen DREs with a “voter verified paper audit trail” (VVPAT).  The voter would select candidates on a touchscreen, the DRE would print those choices on a cash-register tape under glass, the voter would inspect the paper to make sure the machine wasn’t cheating, the printed ballot would drop into a sealed ballot box, and the DRE would count the vote electronically.  If the DRE had been hacked to cheat, it could report fraudulent vote totals for the candidates, but a recount of the paper VVPAT ballots in the ballot box would detect (and correct) the fraud.

By the year 2009, this idea was already considered obsolete.  The problem is, no one has any confidence that the VVPAT is actually “voter verified,” for many reasons:

  1. The VVPAT is printed in small type on a narrow cash-register tape under glass, difficult for the voter to read.
  2. The voter is not well informed about the purpose of the VVPAT.  (For example, in 2016 an instructional video from Buncombe County, NC showed how to use the machine; the VVPAT-under-glass was clearly visible at times, but the narrator didn’t even mention that it was there, let alone explain what it’s for and why it’s important for the voter to look at it.)
  3. It’s not clear to the voter, or to the pollworker, what to do if the VVPAT shows the wrong selections.  Yes, the voter can alert the pollworker, the ballot will be voided, and the voter can start afresh.  But think about the “threat model.”  Suppose the hacked/cheating DRE changes a vote, and prints the changed vote in the VVPAT.  If the voter doesn’t notice, then the DRE has successfully stolen a vote, and this theft will survive the recount.  If the voter does notice, then the DRE is caught red-handed, except that nothing happens other than the voter tries again (and the DRE doesn’t cheat this time).   You might think, if the wrong candidate is printed on the VVPAT then this is strong evidence that the machine is hacked, alarm bells should ring– but what if the voter misremembers what he entered in the touch screen?  There’s no way to know whose fault it is.
  4. Voters are not very good at correlating their VVPAT-in-tiny-type-under-glass to the selections they made on the touch screen.  They can remember who they selected for president, but do they really remember the name of their selection for county commissioner?  And yet, historically in American elections, it’s as often the local and legislative offices where ballot-box-counting (insider) fraud has occurred.
  5. “Continuous-roll” VVPATs, which don’t cut the tape into individual ballots, compromise the secrecy of the ballot.  Since any of the political-party-designated pollwatchers can see (and write down) what order people vote on the machine, and know the names of all the voters who announce themselves when signing in, they can (during a recount) correlate voters to ballots.  (During a 2006 trial in the Superior Court of New Jersey, I was testifying about this issue; Judge Linda Feinberg saw this point immediately, she said it was obvious that continuous-roll VVPATs compromise the secret ballot and should not be acceptable under New Jersey law. )

For all these reasons, many states that adopted DRE+VVPAT in the period 2003-2008 have abandoned them, switching over to optical-scan voting with hand-marked (“fill in the opscan bubbles”) paper ballots, with Ballot-Marking Devices (BMDs) available for voters who can’t easily read or handle the paper.  Buncombe County switched to optical scan between 2016 and 2018, because the state of North Caroline outlawed continuous-roll VVPATs).

In the 2018 election, approximately* 42 states will use optical-scan, 3 states will use DRE+VVPAT, and 5 states will use paperless DREs (touchscreens).  Between 2002 and 2018, many states switched from DRE to opscan, from mechanical lever machines to opscan, from punchcard to opscan, from DRE+VVPAT to opscan; but not one state that I know of switched to DRE+VVPAT.  It’s not a good technology; it’s too easy for the computer (if hacked) to manipulate what appears on the paper record.

New Jersey is one of those 5 states that use paperless DREs.  There’s no excuse for that; if the DREs are hacked, elections can be stolen with no detection and no recourse.  (Or if the DREs “make a mistake“, no recount is possible.)  New Jersey should switch to voter-marked optical-scan ballots, like the rest of the country.

But I am informed** that three New Jersey counties (Gloucester, Essex, and Union) are considering the purchase of new voting machines, and they’re considering only the ES&S ExpressVote and the Dominion ImageCast X.  I’ve already explained why the ExpressVote is a bad idea.

New Jersey (or any state) should not adopt Dominion ImageCast X DRE+VVPAT voting machine.  The ImageCast X comes in several configurations, and one of them is basically a DRE+VVPAT, with a continuous-roll cash-register tape under glass.  Kevin Skoglund, a software engineer in Pennsylvania, had an opportunity to examine one at a demonstration in Harrisburg, PA.  He reports that it’s quite difficult to read the VVPAT-under-glass:  the printing was gray (not black) on the thermal paper, the font was small, the glass window in the machine was small.  Even though he has 20/20 vision, he had difficulty reading it.

The ImageCast X is advertised as an optical scanner, not a DRE, because, technically, this configuration prints a QR barcode onto the VVPAT tape, then an integrated scanner immediately reads this QR code before counting the vote.  This is a distinction without a difference.  All the disadvantages 1,2,3,4,5 (above) apply to this format.  Sure, a DRE+VVPAT is marginally better than a DRE; but that’s not the technology to adopt in 2018.

New Jersey should buy optical-scan voting machines for hand-marked optical-scan ballots.  Dominion makes reasonable optical-scan voting machines:  the ImageCast Precinct and the ImageCast Central.  ES&S makes reasonable optical-scan voting machines: the DS200, the DS450, and the DS850.   Three other companies make EAC-certified optical-scan voting machines: Clearballot, Hart, and Unisyn.  New Jersey (and the few other states still using paperless DREs)  should buy optical-scan voting machines from any of these 5 companies.

*I say “approximately” because some states use different machines in different counties.

**e-mail from Robert Giles, Director of the NJ Division of Elections, to Stephanie Harris, October 11, 2018.

Photo of ImageCast X VVPAT window:  Kevin Skoglund, June 2018.

CITP to Launch Tech Policy Clinic; Hiring Clinic Lead

We’re excited to announce the CITP technology policy clinic, a first-of-its-kind interdisciplinary project to engage students and scholars directly in the policy process. The clinic will be supported by a generous alumni gift.

The technology policy clinic will adapt the law school clinic model to involve scholars at all levels in real-world policy activities related to technology—preparing written comments and briefs, working with startup companies, and collaborating with public-interest law groups. As an outgrowth of this work, CITP could provide federal, state and local policy makers with briefings on emerging technologies and could also create simple non-partisan guides to action for citizens and small businesses.

We’re looking to hire a Clinic Lead, an experienced policy professional to lead the clinic. For more information, go to

CITP was founded as Princeton’s initiative to support research and education on technology policy issues. Over the years, CITP’s voice grew stronger as it uniquely leveraged its strength of world class computer scientists and engineers, to work alongside leading policy experts at the Woodrow Wilson School of Public Policy. The center has now established a recognized national voice in areas including AI policy, privacy and security, technology for governance and civil liberties, broadband policy, big data, cryptocurrencies, and the internet of things. As the national debate over technology and its impact on democracy has come to the forefront in recent times, the demand for technology policy experts has surged. CITP recognizes a need to take on a larger role in tackling some of these technology policy problems by providing on-the-ground training to Princeton’s extraordinary students. We’re eager to hire a Clinic Lead and get started!