December 9, 2021

Georgia’s election certification avoided an even worse nightmare that’s just waiting to happen next time

Voters in Georgia polling places, 2020, used Ballot-Marking Devices (BMDs), touchscreen computers that print out paper ballots; then voters fed those ballots into Precinct-Count Optical Scan (PCOS) voting machines for tabulation. There were many allegations about hacking of Georgia’s Presidential election. Based on the statewide audit, we can know that the PCOS machines were not cheating (in any way that changed the outcome). But can we know that the touchscreen BMDs were not cheating? And what about next time? There’s a nightmare scenario waiting to happen if Georgia (or other states) continue to use touchscreen BMDs on a large scale.

Dominion ICX ballot-marking device used in Georgia polling places 2020. Voters use the touchscreen to select candidates, then a paper ballot is printed out, which the voter then feeds into the scanner for tabulation and for retention in a ballot box.
Dominion ICP optical-scanner used in Georgia polling places 2020.
25% of Georgia voters in 2020 voted by mail; they marked their optical-scan ballot by hand, so they didn’t need to worry about whether the computer that marked their ballot was hacked–no computer marked their ballot! This is a high-speed central-count scanner that counts mail-in ballots; the screen on the right is not a touch-screen for the voter, it’s a control computer for the election administrators. It’s legitimate to worry about whether the optical scanners are hacked—but the hand audits of the paper ballots (by people, not computers) resolved that question in Georgia 2020.

Part 1: What happened in November 2020

There were many allegations about hacking of Georgia’s voting-machine computers in the November 2020 election—accusations about who owned the company that made the voting machines, accusations about who might have hacked into the computers. An important principle of election integrity is “software independence,” which I’ll paraphrase as saying that we should be able to verify the outcome of the election without having to know who wrote the software in the voting machines.

Indeed, the State of Georgia did a manual audit of all the paper ballots in the November 2020 Presidential election. The audit agreed with the outcome claimed by the optical-scan voting machines. This means,

  • The software in Georgia’s PCOS scanners is now irrelevant to the outcome of the 2020 Presidential election in Georgia, which has been confirmed by the audit.
  • Georgia’s PCOS scanners were not cheating in the 2020 Presidential election (certainly not by enough to change the outcome), which we know because the hand-count audits closely agreed with the PCOS counts.
  • The audit gave election officials the opportunity to notice that several batches of ballots hadn’t even been counted the first time; properly counting those ballots changed the vote totals but not the outcome. I’ll discuss that in a future post.

Suppose the polling-place optical scanners had been hacked (enough to change the outcome). Then this would have been detected in the audit, and (in principle) Georgia would have been able to recover by doing a full recount. That’s what we mean when we say optical-scan voting machines have “strong software independence”—you can obtain a trustworthy result even if you’re not sure about the software in the machine on election day.

If Georgia had still been using the paperless touchscreen DRE voting machines that they used from 2003 to 2019, then there would have been no paper ballots to recount, and no way to disprove the allegations that the election was hacked. That would have been a nightmare scenario. I’ll bet that Secretary of State Raffensperger now appreciates why the Federal Court forced him to stop using those DRE machines (Curling v. Raffensperger, Case 1:17-cv-02989-AT Document 579).

But optical scanners are not the only voting machines in Georgia’s polling places. Every in-person Georgia voter uses two machines: first, voters select candidates on a touch-screen ballot-marking device (BMD) that prints out a ballot paper; then, they feed that ballot paper into a precinct-count optical scanner (PCOS). The software independence of BMDs is much more problematic.

The audit confirmed that the PCOS was not cheating. How do we know that the BMD was not cheating, printing different votes onto the ballot paper than what the voter selected on the touch screen? This is a much more difficult question, and it can’t be answered by any audit or recount of the ballot papers.

You might think, “the voter would notice if the ballot paper differs from what they indicated on the touch screen.” But two different scientific studies have shown that most voters don’t notice. Only about 7% of voters speak up if a touchscreen BMD fraudulently prints a wrong vote. And that’s just one estimate from one study—it might actually be overoptimistic.***

Biden got about 50.125% of the votes in Georgia, and Trump got 49.875%. Suppose, hypothetically, that 50.125% of the voters chose Trump, but (hypothetically) hacked BMDs were changing votes on 0.25% of the ballots, in favor of Biden. Then the result we’d see would be Biden 50.125%, and the recount would confirm that—because that’s what’s printed on the paper.

In this scenario, if 7% (1 out of 15) of voters carefully review their paper ballot, and 0.25% (1 out of 400) of paper ballots had votes for Biden when the voter had really chosen Trump, then we might expect 1 out of 6000 (15×400) voters to complain to the pollworkers. And the pollworkers would supposedly tell those voters, “no problem, don’t put that ballot into the PCOS, we’ll void that for you and you can mark a fresh ballot.” But all those other voters who didn’t carefully check the printout would still be voting for a candidate they didn’t intend to, and the hack would be successful.

You might think (in this hypothetical scenario), “at least some voters caught the BMDs cheating”. But even if a voter catches the machine cheating, so what? Election officials can’t void an entire election, or “correct” the vote totals, based on the say-so of 0.017% (that is, 1/6000) of the voters.

Did the touchscreen BMDs cheat in the Georgia 2020 Presidential Election? We can guess that they did not cheat this time, and here’s a weak basis for that guess: If the BMDs had been shifting enough votes from Trump to Biden to make a difference, then at least 0.017% of voters would have noticed. There were 5 million votes cast, so that’s about 83 833 voters statewide**. If those voters complained, then presumably the local news media would have reported contemporaneous reports of such “BMD vote flipping.” But we didn’t hear any such reports.**** So probably the BMDs weren’t flipping any votes.

That’s a pretty weak basis to assert that the BMDs weren’t cheating. But it could be a lot worse . . .

Part 2: The nightmare scenario just waiting to happen next time.

But what about the next election? Suppose in Georgia’s 2022 Senate election between Raphael Warnock and his Republican challenger (whoever that will be), one of those candidates wins with 50.125% of the vote. And suppose 100 voters statewide claim that the BMDs flipped their vote. What should Secretary of State Raffensperger do? He cannot change the election results based on the say-so of 100 voters—those voters might be mistaken (or lying) about what they indicated on the touch screen. He cannot fix it by a recount, because (if the BMDs were really cheating) the paper ballots are fraudulent. He will be in a bind, and there will be no way out. And no way out for the people of Georgia, either.

You might argue, “More than 7% of voters would notice that their paper ballot was incorrectly marked.” Even if that were true (there’s no evidence for it), it just means 2000 or 3000 voters statewide (10 or 20 per county) would have noticed, instead of just 83 833. The problem is the same: even if they notice, there’s no way to correct the election.

The solution is simple.  Voters should mark their optical-scan bubble ballots with a pen.  That way, you know the recount is counting the ballots that the voter actually marked. Touchscreen BMDs (which also have audio interfaces for blind voters) should be reserved for those voters with disabilities who cannot mark a paper ballot by hand.

Georgia should continue using their PCOS (optical scan) voting machines, which will readily count hand-marked optical-scan “bubble” ballots. No major investment in new equipment is needed. This change can easily be implemented before the next election.

And other states and counties that are considering BMDs-for-all-voters—some counties in Pennsylvania and New Jersey have bought those, New York is considering them—should consider the nightmare scenario, and stick with hand-marked paper ballots.

Everything I’ve described here is consistent with the peer-reviewed scientific paper,  Ballot-Marking Devices Cannot Assure the Will of the Voters, by Andrew W. Appel, Richard A. DeMillo, and Philip B. Stark, in Election Law Journal, vol. 19 no. 3, pp. 432-450, September 2020. [non-paywall version here]

Georgia’s law doesn’t actually say what’s required if the audit detects a problem. The law doesn’t specify that audit results are binding on official results. This year that didn’t matter, because the audit agreed with the official outcome.

*Georgia’s audit was done by examining the ballots with human eyes. Later, at the request of the Trump campaign, Georgia also did a recount using their central-count optical scanners. If those optical scanners had been hacked to cheat consistently with (hypothetically) cheating precinct-count optical scanners, then the machine recount wouldn’t catch the fraud. For that reason, a hand-count is more effective protection than a machine recount. In any case, all three counts (the polling-place count using PCOS, the audit, and the machine recount) showed a Biden victory, although their actual numbers of votes differed.

**Actually, this year a large proportion of Georgians voted by mail, on hand-marked paper ballots, so they didn’t use BMDs at all. Those votes are safe from BMD hacks. But it doesn’t change the “83 833 voters statewide” result of my analysis.

***That statistic (“7% of voters will notice if the BMD prints the wrong candidate on their ballot”) comes from a single study in Michigan. Here’s why it might be overoptimistic, as applied to this voting machine and these voters. First, look at the BMD ballot and how hard it is to read.***** In November, one observer watched a constant stream of voters during about 20 minutes in Cobb County: they voted without a glance at their paper ballots, but then they told the poll workers that they had checked them. It is just too much trouble to try to read and check them.  In the January 2021 Senate runoffs, another observer saw that only 6 of 46 voters even glanced at the paper—which is not the same as checking it carefully.

****We would like to think “there was no local news reporting of BMD-flipped votes” means that “BMDs didn’t flip votes”. But so much of Georgia is quite rural with very little local reporting, and certainly without the experience to know how to even report something like that. And (in other elections) it often happens that there are verified stories of discrepancies months after the election that never made it to any newspaper.

*****I mean, really! not easy to decode the paper printout. In the Senate race, this is what the ballot says:

For United States Senate (Loeffler) -
Special (Vote for One) (NP)
   Vote for Annette Davis Jackson
     (Rep)

Is that a vote for Kelly Loeffler, whose name appears on the first line? Apparently not, I’d guess it’s a vote for Annette Davis Jackson. And what does (NP) mean? And what does (I) mean attached to votes for many other candidates? Certainly (I) does not mean Independent. This ballot is a masterpiece of bad design, and it’s no wonder that real-life voters are discouraged from looking at it very carefully.

Edited 8 February 2021 to correct 83 to 833.

Comments

  1. The fact that we keep diving farther down the electronic voting rabbit hole is the overarching problem. It introduces to many points of vulnerability with fewer and fewer authenticity checks.

    Canada may have taken a pot shot at us over elections in that they still only do paper ballots; doesn’t mean we should ignore sound advice.

  2. Ballots could me marked with a bingo dauber.
    Many different colors, could add security features to the ink, e.g. micro-particles or DNA, penetrating ink etc.
    Can’t be erased like a pencil, and is very easy to scan.

    https://www.amazon.com/Dab-Ink-3oz-Bingo-Daubers/dp/B07H1HL3G3/ref=zg_bs_7427870011_3?_encoding=UTF8&psc=1&refRID=7ZC0E3ETF9ZM6BZM0536

  3. Melissa White says:

    So what about the adjudication process for ballots where the machines allow people to change/cancel ballot choices such as on the video here: https://m.youtube.com/watch?v=d2-PZ09X5xk and in Fulton co OVER 106,000 ballots out of 113,130 ballots were ADJUDICATED on election day?! Video statement here: https://www.c-span.org/video/?477819-1/fulton-county-georgia-election-update MEANING the scanning machine for some reason COULDN’T READ THE BALLOTS and they had to be manually adjudicated..why wouldn’t that be a HUGE red flag?!

    • Jacob MacDonald says:

      “So what about the adjudication process for ballots where the machines allow people to change/cancel ballot choices … ?!”

      As discussed in the article, those ballots were hand-counted during the recount. Since the adjudication process is done on the scanning machines, it would cause a discrepancy in the hand count if it was used to cheat.

      “why wouldn’t that be a HUGE red flag?!”

      It is a huge red flag. The article explicitly advocates less use of BMD’s. It is important, however, not to conflate the BMD’s with the scanning machines. Thanks to the recounts, we have significant evidence that the scanning machines were not used to cheat. There is a lack of evidence that the BMD’s were used to cheat, but if there was there is no good solution.

  4. Marilyn Marks says:

    I have watched Georgia adjudication process several times in the last year as an authorized monitor. There is a misunderstanding in what was presented in Melissa White’s post. While it is true that an adjudication panel can add votes or change votes, there is an adjudication log that is appended to the ballot image file, detailing what vote was changed and how it was changed. (I will look for a picture and post.) The process could be greatly improved by having a paper audit log signed by the panel, but there is currently a record of what was changed.

    Further the adjudication does not change the paper ballot itself. If votes were wrongly added to the electronic record in adjudication, an hand count audit would detect that discrepancy between the hand count and machine count.

    Also the video takes Rick Barron’s statement completely out of context about the number of ballots adjudicated. He clearly meant that 106,000 ballots had been put through processing to flag the ones that required adjudication. It would have taken many days to really “adjudicate” 106,000 ballot images. There is no way that there were 106,000 ballot adjudicated.

  5. On a ballot, can there be a choice None of the Above?
    So there are no unmarked votes?
    Eliminating an election auditor deciphering the ‘intent of the voter’?

    • Andrew Appel says:

      The main issue for adjudication is not unmarked votes. It’s when the voter didn’t completely fill in the oval, or made some other nonstandard mark, and the (software in the) machine feels that the human election workers (one Dem and one Rep) should inspect this to say what was the intent of the voter.

  6. Isn’t 5,000,000/6,000 == 833? Not 83?

    • Andrew Appel says:

      Yes, you’re right. This is corrected now. The problem is still the same: Suppose 833 voters statewide notice, and 200 of them speak up, what then? Maybe they will have corrected their own ballots, but the other thousands of voters who didn’t notice, won’t have corrected theirs. So the hack will have changed the outcome of the election. Should the Secretary of State declare the election null-and-void, and have a do-over?

  7. As a Georgia voter, the main issue I have is that it is IMPOSSIBLE for a voter to confirm that the paper ballot correctly records what the voter selected on the screen. Yes, the text on the paper indicates what was voted, and voters can confirm that, but the paper also contains a QR code, which is apparently what the scanner uses to record the votes, and there is NO WAY a voter can confirm that the QR code matches what they voted for.

    • Yes, but a risk limiting audit of the marked human readable choices would detect both incorrect scan/count software or malformed BMD QR codes if the scanner only used QRs to count votes.

      Improved scan software could use the QR codes to match the scan of printed text, so the scanner is not using only the QR and ignoring the text. It would seem that OCR validation with a redundant QR code would be reasonably easy to implement.

      A QR code with a digital signature could be used to provide extra security to inhibit ballot alteration, but that of course also relies on the integrity of the BMD software. (Fake BMD software could use a fake private signature key.)

  8. Thank you, Professor Appel, for all of your guidance related to conducting modern, fair elections. I’ve read your papers, “Ballot-Marking Devices (BMDs) Cannot Assure the Will of the Voters” [2020] and “Securing the Vote: Protecting American Democracy (2018)” as well as your report/presentation “AD HOC COMMITTEE FOR 2020 ELECTION FAIRNESS AND LEGITIMACY” and I would like a voter system that is “contestable and defensible and strongly software independent” for my county.

    Given your expertise and position, I’m sure you are called upon by many in the country seeking your guidance on how to improve their existing voter systems. Can you offer any advice to a citizen who wants to persuade their county commissioners to examine their existing voter system, identify the weaknesses (i.e. reliance upon BMDs), and adopt a course of action that ends with a “contestable and defensible and strongly software independent” voter system? What has worked for you in the past? What has worked for citizens or organizations you have supported to get this implemented? Can you share success stories?

    Thank you again for all you do and continue to do in this space,
    Michael

  9. The bigger issue at hand imo are the mail in ballots. You have in the process of in person voting a mechanism of control. It is not impervious to cheating but difficult. The bigger issue is that there is not mechanism to prevent massive cheating, i.e.ballot harvesting. On the mail in side. Eliminate the BMDs but then put the rest of your efforts into solving fraud on the mail in side of things.

  10. The voter detection of mismarked BMD printouts could probably be improved with different instructions on the BMD. For example instead of “Confirm and Print” button to end a session, what if the “Confirm and Print” button lead to a screen that says, please verify your votes are marked properly on the ballot, then show “Correct” and “Incorrect” buttons. Then maybe you get 70% detection instead of 7%.

    Aside from assistive technology, I presume the main advantage of a BMD vs a pen is that overvotes and ambiguous marks are eliminated. I don’t specifically know the percentage and severity of ambiguous marks, but a PCOS can obviously check for these problems and reject the initial ballot submission.

    At my precinct (actually multi-precinct vote center) they had both privacy booths for pen voting, and a set of BMDs. Many people seemed to prefer the BMDs, but I don’t know why. I voted at home and dropped of my mail ballot.

  11. Mike Appel says:

    Hi Professor Appel,

    Could you clarify if your analysis about the inability to detect hacking of BMD machines applies to all audits?

    Some county recorders right now that use BMD machines are doing audits of their voting equipment and software. For example, in Maricopa County, they just concluded a software audit, with the report concluding that there was no evidence that votes were switched from one candidate to another, equipment was using modified software, voting machines were connected to the internet, and malicious software had been installed on tabulators or the system.

    Is this kind of ‘audit’ thorough? Is it able to detect if there was no wrongdoing because they actually examined the software, beyond just checking the paper ballot selections in typical audits?

    Thank you.
    Michael

    • Andrew Appel says:

      In reply to Mike (no relation), here’s a good analysis by John Sebes, CTO of the Open Source Election Technology Institute:

      There were really significant limits to the “audit” of Dominion voting systems that Maricopa County commissioned, so much so that very little assurance was delivered to support the conclusions. In fact, the test lab’s detailed results really don’t support the top level conclusions at all. (I say “audit” here to distinguish this activity from the very important ballot audit, and from a true forensic examination of computing system, which this was not.) On each of the 4 points:

      1. Good to know that all the executable files on the PC, that the EAC certification report says should be there, are there, and not modified. But that says very little about whether the software when *running* is in the certified configuration. Any extraneous software that was also running, could interfere with the legit software. So next step, look for extraneous software.

      2. Running a bunch of PC anti virus tools is prudent, but doesn’t prove that there is no extraneous software outside the certified configuration. It just means that known malware executables are not present.

      3. Looking at data on the PC can’t prove that the PC wasn’t connected to the Internet. It only proves that there is no data that indicates an Internet connection. If the PC had been connected to the Internet, and was infected with malware, the malware could remove log data about Internet connections. Or a person could have removed the data.

      4. Physical inspection of the hardware is good idea, but the report did not say that they had an exact manifest of all and only the hardware components in the certified configuration, and that they ensured that all the hardware found was on the manifest. Instead, “unexpected hardware” is pretty vague. Also, checking the hardware is of limited value if they didn’t check the firmware in each hardware component.

      All this adds up to “didn’t find anything bad, but weren’t able to look very hard either.”

      It’s not the lab’s fault really.

      The basic problem is that PCs are not made to make an inspection like the easy, in fact the reverse. A sensible VS vendor would use a different system design to makevery simple to ensure that all present software is supposed to be there is there, unmodified. But the VVSG doesn’t require that, and hence we got PC based voting system components that are very difficult to inspect for conformance to certified configurations.

      John Sebes / CTO, OSET Inst.

  12. Selmer Bringsjord says:

    There are two reasons why much of this can strike an expert in related computational domains as painfully naïve: The first is that a sizable contract given to a professional, high-end red-teaming group would fast make a mockery of the systems here used, from maliciously sourcing mail-in ballots to maliciously rigging scanning machines themselves. (You might want to keep in mind that any human scan subsequent to machine scan is by definition scanning an artifact processed by a machine: the human checker is not checking ground truth.) Second, anyone who works in red teaming for financial institutions knows that how voting is handled is by comparison laughably vulnerable at every juncture. Until how we handle money is wisely isomorphic to how we handle votes (which are as good as money for many), the comedy will, alas, continue.

  13. Melissa White says:

    Marilyn this is how they can “adjudicate” ballots in GA. There is a part 2 to this video below.
    Were you also aware that during the Jan runoff they left 4 of the drives in the machines the night of voting and didnt update until 2 weeks later? I suggest EVERYONE watching all of the GA Fulton County election committee meetings from Oct until just as recent as last week. Chain of custody for ballots was noj existent and everyone should also look into Dominion hiring 3000 staff prior to general election, even had adds out hiring and numerous poll managers saying Dominion was running their warehouse. Also look into “happy faces” the whole election WREAKS of fraud like it or not. Also considering Dominion hired Runbeck in AZ to print all ballots and also mailed all absentee ballots out for GA and 5 other states. Odd that Runbeck was “reeled in” by Dominion for this. Let alone the ballots had a copyright for Dominion on them but purchased with our tax dollars.

    https://m.youtube.com/watch?v=ijjwS6h-PyU