May 24, 2024

Did Sean Hannity misquote me?

Mostly, I was quoted accurately, although the segment confuses a few different Dominion voting systems with each other. And vulnerabilities are not the same as rigged elections, especially when we have paper ballots in almost all the states.

On November 13, 2020, Fox News aired a segment by Sean Hannity, “A deep dive into the voting machines at center of controversy“, in which he pointed out problems with Dominion voting machines in Michigan and Georgia. He quoted from my 2018 Freedom-to-Tinker article Design flaw in Dominion ImageCast Evolution voting machine and from my 2018 testimony before the House Subcommitee on Information Technology.

The quotes are accurate, although slightly out of context. The Dominion systems in Michigan and Georgia are not the ImageCast Evolution that has that design flaw. My Congressional testimony is that all voting machines can be hacked, and that’s true. My testimony about replacing the software in 7 minutes with a screwdriver refers to an older Dominion voting machine, used in New Jersey (though not this year because of the pandemic), but not used in Michigan and Georgia. But it’s still true that, one way or another, the software in any voting machine can be (fraudulently) replaced — in any voting machine used in any of the 50 states.

Regarding Antrim County, Michigan: Dominion’s election-management software is badly designed: when uploading results from a voting machine to the central server, the software keeps track of votes by ballot position, with no check on candidate name. So if there’s a last-minute revision to the ballot design used in the voting machine, but the ballot-design file on the server is not updated, then votes for Trump may be mistakenly uploaded as votes for Biden. Dominion calls that “human error.” I call it, bad software design that fails to make consistency checks on its input. Fortunately, Antrim County has hand-marked paper ballots (counted by those Dominion optical-scan voting machines) that can be audited by hand, and other forms of paper trail, so Antrim County was able to correct its error and report accurate vote totals.

Mr. Hannity proposes a solution: “If we want to have as a country, election results with integrity, that the people of this country will have confidence in, we can easily and absolutely have a system forensically checked–and by the way, I’ll even argue, allowing both Republican and Democratic engineers to do the forensic check together.”

That’s a well-intentioned idea, but it does not really solve the problem. Yes, absolutely the source code and software of voting machines should be made public so that citizens of any party can examine it for design mistakes. But what happens if the voting machine is hacked after that examination?

The U.S. mostly uses paper ballots now, and that’s how we can trust the election results even though there are some computer vulnerabilities.

The best solution is to use paper ballots, marked by hand, counted by computers, and recountable by hand. Those computers might be hacked, but the ballots personally marked by the voters are the same pieces of paper that can be recounted by humans. That’s what Michigan does, along with more than 40 other states. That is the state-of-the-art most-secure-known way of conducting elections.

Georgia, on the other hand, uses touch-screen ballot-marking devices to mark the ballots, which are then counted by optical scanners and recountable by hand. If the optical scanners are hacked, then a recount will detect and correct the problem. But if the touch-screens are hacked, then (on a small fraction of the ballots) they can print the wrong vote on to the ballot. The recount can’t detect and correct that hack, because it can only see what’s printed on the ballots. Still, hacks and glitches in the election-management computers, in the optical scanners, and in other parts of the system have been detected and corrected by audits and examination of those paper ballots.


  1. Dale Mills says

    Can you explain this? Link at end of my comment! Strange an software update in Georgia also any comments thoughts on Eric Coomer have you disappeared like him?

  2. George Bush (not the ex-president) says

    Would we not have to go back to 2016 and check that that particular election was also not “hacked”? Apparently Scytl and Dominion have been used since 2008.

    So how can we be sure that any election results have not been tampered with?

  3. Hank Gillette says

    “Georgia, on the other hand, uses touch-screen ballot-marking devices to mark the ballots, which are then counted by optical scanners and recountable by hand. If the optical scanners are hacked, then a recount will detect and correct the problem. But if the touch-screens are hacked, then (on a small fraction of the ballots) they can print the wrong vote on to the ballot.”

    If the machine prints out a human readable ballot, isn’t it the voter’s responsibility to look at the printed ballot and verify that it is correct before turning it in?

    I see some decided advantages with using a touch-screen ballot-marking devices:

    • The touch screen would be much easier for many people to use rather than filling in ovals or squares by hand, especially for very long ballots, such as the ones I used to get in California.
    • If the machine does the marking, there should be no problem with the ballot being readable with the vote-counting machine or overvoting. Humans sometime don’t fill the ovals in completely, or accidently vote for multiple candidates for the same office.

    “Dominion’s election-management software is badly designed: when uploading results from a voting machine to the central server, the software keeps track of votes by ballot position, with no check on candidate name.”

    As a former computer programmer, I am sure that assigning a number to a candidate is much easier for machine counting. Off the top of my head, I am not sure how I would program the reader to use a name rather than a number, although I don’t doubt it could be done. I suspect that it might involve optical character recognition, which would mean that the ballot-counting would be much slower. Perhaps each candidate could have a bar code associated with his or her name, but then you would have people claiming that the bar codes were hacked or wrongly assigned.

    It seems to me that that voting officials have a responsibility to ensure that the position is verified to be correct before people start voting, just as voters should check the ballot the voting machine prints out.

  4. Kevin Byrnes says

    There have been some very good suggestions in this thread and I appreciate all of them as a layperson–it’s very instructive.

    To some extent, however, this reminds me of the facetious warnings about dihydrogen monoxide–it can kill you so many ways. Yes, every election system based on digital entry is hackable, but to extrapolate this, as many have taken Mr. Appel’s statements, to a firm belief that tens of millions of votes were in fact altered, is not supported just because it’s possible. Here are all sorts of other things that are possible: the design of heat exchangers in gas furnaces means they can crack and deadly fumes kill you as you sleep; the design of kitchen knives means that you can lose a finger while mincing an onion; the design of my car means I can have a blowout and careen into a bridge abutment; and so on. Many dire outcomes are possible given the design of so many of our systems. To say that the dire outcomes that are possible actually happened to the degree alleged requires well-established evidence. For those who dismiss this, you should read transcripts of product liability trials in civil cases. Courts don’t want to know what could have happened; they want to know what did happen, and they want it proven to the relevant standard.

  5. It is my opinion that there was fraud, is ongoing fraud, and there will always be fraud. If someone says that our voting machines are impossible to hack you are only giving a challenge to a hacker and may I remind you of the impossibility of the Titanic sinking. There are ways to verify the truth but they are labor intensive and the older I get the more I come to the realization that very few people desire those jobs. Our authorities are doing their best to ensure that the American public feels that we have faith in everything they do. So much so that I now question everything I am told especially fact-check. What happens next I would hope is that the truth no matter what it is comes out, the constitution is upheld, and we the American people stop our bickering, come together, and do whatever it takes to eliminate the problems of our nation and enjoy the freedoms we have not only for ourselves but our posterity.

  6. Peter Jordan says

    Hi Andrew, a question for you about a recent claim that the software would divide a vote for Trump assigning 1/4 of that vote to Biden which would help sway the total to Biden. However not only would this feature send alarm bells to all the state officials that accessed the software, surely even the assignment of a tallying variable as a non-integer would also raise eyebrows for the state certifiers. Would you agree that a variable used for whole number counting would be declared as integer based? Thus making such a claim about fractions impossible to pull off?

  7. Craig Everhart says

    Hi Andrew. Nicely argued positions about what’s possibly wrong with a design vs. actually wrong with a deployment instance.

    I had only a footnote to contribute. ES&S balloting uses the same kind of encoding of ballot choices: positions on the ballot paper, for its barcode representation that voters are expected to submit at the poll place. So I can add your exposed vulnerability (a changed poll question layout definition) to the other vulnerabilities, which include the use of person-unreadable barcodes in the first place. As you suggest, including the name (or even some text from it) in the record of the ballot choice would mitigate against the problem of changed ballot layout, but in the ES&S case would also help assure the voter that their ballot choice was correctly represented.

    Thanks for your attention towards this sadly-perennial issue.

  8. Why not require all voting machines to meet the FIPS140-2 standards?

    And it may sound like a good idea to publish source code but isn’t this an invitation for malicious actors to exploit vulnerabilities? I understand the argument that the more eyes looking for potential problems the better. But when it comes to voting machines (or bank fault design, nuclear warheads etc.) it’s not one that I agree with.

    The security of any system is a combination of both physical and logical security. Some of the most damaging hacks have occurred because of poor physical security. Having access physical access to any system lends itself vulnerable. That’s why FIPS140-2 is a combination of physical and logical defense. And voting machines need robust physical security. And the question of firmware changes can be addressed by checksum validation.

    No system is perfectly secure. But a combination of physical security, FIPS140-2 standards and all data encrypted should give everyone high confidence in the accuracy of the voting system. And any system that is not part of a network requires physical access to each machine. Something that, along with in-person voter fraud, is too consumptive of resources to make it a practical proposition.

    Plus we still have all those wonderful paper ballots as a backup.

  9. Steve Sahihara says

    A concise relevant discussion of the various voting technologies and best practices is Appel and Stark’s “Evidence-Based Elections: Create a Meaningful Paper Trail, Then Audit” in the Georgia Law Tech Review [4 GEO. L. TECH. REV. 523 (2020)]

  10. It seems to me that the greatest vulnerability lies in an interested party with access “losing” a large number of ballots from districts known to support the opposition candidate.

    It also makes sense that large numbers of mail-in ballots increase the opportunity for such attacks (e.g. post-office personnel have a greater opportunity).

    The question then is what precise mitigations are in place to prevent this form of attack? Do audits include contacting a sampling of voters who were sent ballots that were not submitted, if in fact they were not submitted?

    • Steve Sashihara says

      A concise relevant discussion of the various voting technologies and best practices is Appel and Stark’s “Evidence-Based Elections: Create a Meaningful Paper Trail, Then Audit” in the Georgia Law Tech Review [4 GEO. L. TECH. REV. 523 (2020)]

  11. Michael Pakaluk says

    Can you post an update now as to whether the Wall Street Journal Editorial Board misquoted your blog, that is, cited this page but in a misleading way?

  12. Andrew Appel says

    This happened in one county, Antrim County Michigan, and it was this one county that had a last-minute change to the ballot definition that caused the problem. You are right about some of the scenarios, and indeed in some of those scenarios the results would look impossible and an alert election official would notice the problem, and investigate. They caught (and corrected) the problem before certifying final results, and (to the best of my knowledge) the final results they certified are correct; and (to the best of my knowledge) this did not happen in other counties.

    • Colby Blasenak says

      ummm…you are wrong. According to Dr shiva the most republican counties in michigan voted heavily for Biden. The algorithm for the republican counties are manufactured.

      • That’s not what he said, exactly. He compared the voting results with the straight ticket percentages. The plot tended toward Biden on the GOP side and toward Trump on the DEM side. For ANY nonzero percentage of Democrats voting for Trump or GOP voting for Biden, you will see that trend. What is perfectly normal is evidence of fraud in Dr. Shiva’s mind.

  13. If the software keeps tract of vote by ballot position, then shouldn’t the votes be wrong for all the candidates? For example, if the positions are like this (it could be in any order but here I used alphabetical order):
    1. Biden
    2. Jorgenson
    3. Trump
    Now assuming that in the new ballot design something got inserted before Biden and all the positions got bumped down by one row, then at the server level, position 1 would be some garbage so Biden would get nothing or something ridiculous, his actual vote would be assigned to Jorgenson, and Jorgenson’s vote in turn would be assigned to Trump, and Trump’s vote would simply disappear.

    Or, everything got bumped up by one row, then Biden’s vote would disappear, Jorgenson’s vote would count toward Biden, and Trump’s vote to Jorgenson, and Trump would get nothing or something ridiculous.

    The principle is the same if the positions are spread out horizontally.

    Even If this is not the way it worked, then the question still is: If Trump’s vote were counted toward Biden, what happened to Biden’s vote?

    Another possibility is that they simply switched the position of Trump and Biden, then in this case Biden’s vote would count toward Trump and Trump’s vote toward Biden.

    But the news reports we have been hearing is that Trump’s vote were counted as Biden’s. No mention of what happened to Biden’s vote.

    Can you shed some light into this please?

    • Sure. So if republicans took all of the seats or the majority of the seats that were up for re-election, it would have been a vote down ballot meaning Trump should have easily won the election. But if someone was able to steal a laptop and several key to Dominion, the numbers could have been easily fudged.