December 9, 2021

Expert analysis of Antrim County, Michigan

Preliminary unofficial election results posted at 4am after the November 3rd 2020 election, by election administrators in Antrim County Michigan, were incorrect by thousands of votes–in the Presidential race and in local races. Within days, Antrim County election administrators corrected the error, as confirmed by a full hand recount of the ballots, but everyone wondered: what went wrong? Were the voting machines hacked?

The Michigan Secretary of State and the Michigan Attorney General commissioned an expert to conduct a forensic examination. Fortunately for Michigan, one of the world’s leading experts on voting machines and election cybersecurity is a professor at the University of Michigan: J. Alex Halderman. Professor Halderman submitted his report to the State on March 26, 2021 and the State has released the report.

Analysis of the Antrim County, Michigan
November 2020 Election Incident

J. Alex Halderman
March 26, 2021

And here’s what Professor Halderman found: “In October, Antrim changed three ballot designs to correct local contests after the initial designs had already been loaded onto the memory cards that configure the ballot scanners. … [A]ll memory cards should have been updated following the changes. Antrim used the new designs in its election management system and updated the memory cards for one affected township, but it did not update the memory cards for any other scanners.”

Here’s what that means: Optical-scan voting machines don’t (generally) read the text of the candidates’ names, they look for an oval filled in at a specific position on the page. The Ballot Definition File tells the voting machine what name corresponds to what position. And also informs the election-management system (EMS) that runs on the county’s election management computers how to interpret the memory cards that transfer results from the voting machines to the central computers.

Shown here at left is the original ballot layout, and at right is the new ballot layout. I have added the blue rectangles to explain Professor Halderman’s report.

Original (at left) and updated-October-2020 (at right) ballot layout for Village of Central Lake, MI. From Halderman’s report, Figure 1, page 12.

Now, if the voting machine is loaded with a memory card with the ballot definition at left, but fed ballots in the format at right, what will happen?

A voter’s mark next to the name “Melanie Eckhart” will be interpreted as a vote for “Mark Edward Groenink”. That is, in the first blue rectangle, you can see that the oval at that same ballot position is interpreted differently, in the two different ballot layouts.

A voter’s mark next to “Yes” in Proposal 20-1 will be interpreted as “No” (as you can see by looking at the second blue rectangle).

We’d expect that problem with any bubble-ballot voting system (though there are ways of preventing it, see below). But the Dominion’s results-file format makes the problem far worse.

In Dominion’s file format for storing the results, every subsequent oval on the paper is given a sequential ID number, cumulative across all ballot styles used in the county. Now look at the figure above, just below the first blue rectangle. You’ll see that in the original “Local School District” race (at left) there are two write-in bubbles, but in the revised “Local School District” race (at right), there are three write-in bubbles. That means the ID number of every subsequent bubble, on this ballot and in all the ballot styles that come after it in this county, the ID numbers will be off by one. Figure 2 of the report illustrates:

Figure 2 from Halderman report: D-Suite automatically assigns sequential ID numbers to voting targets across every ballot style. Correcting the ballot design for Central Lake Village required adding a write-in blank, which increased the ID number of every subsequent voting target by 1, including all targets in alphabetically later townships. Scanners in most precincts used the initial election definition (from before the change) and recorded votes under the old ID numbers. The EMS interpreted these ID numbers using the revised election definition, causing it to assign the votes to the wrong candidates.

Within three days, Antrim County officials had basically figured out what went wrong, and corrected most of the errors before publishing and certifying official election results on November 6th. By November 21, Antrim County had corrected almost all of the errors in its official restatement of its election results.

How do we know that the original results were wrong and the new results are right? That is, how do we know that the “corrected” results are true, and not fraudulent? We have two ways of knowing:

  • Hand-marked paper ballots speak for themselves. The contest for President of the U.S. was recounted by hand in Antrim County. Those results–from what bipartisan workers and witnesses could see with their own eyes–matched the results from scanning the paper ballots using the ballot-definition file that matches the layout of the paper ballot.
  • A careful forensic examination by a qualified expert can explain what happened, and that is why Professor Halderman’s report is so valuable–it explains things step by step.

But not every contest was recounted by hand. The expert analysis finds a few contests where the reported vote totals are still incorrect; and in one of those contests (a marijuana ballot question) the outcome of the election was affected.

In the court case of Bailey v. Antrim, plaintiffs had submitted a report (December 13, 2020) from one Russell J. Ramsland making many claims about the Dominion voting machines and their use in Antrim County: adjudication, error rates, log entries, software updates, Venezuela. Section 5 of Professor Halderman’s report addresses all of these claims and finds them unsupported by the evidence.

What can we learn from all of this?

  • Although the unofficial reports posted at 4am on November 4th showed Joseph R. Biden getting more votes in Antrim County than Donald J. Trump, the results posted November 6th show correctly that, in Antrim County, Mr. Trump got more votes.
  • Regarding the presidential contest, election administrators figured this out for themselves without needing any experts.
  • In other contests, where no recount was done, most of the errors got corrected, but not all.
  • There is no evidence that Dominion voting systems used in Antrim County were hacked.

And what can we learn about election administration in general?

  • Hand marked paper ballots are extremely useful as a source of “ground truth”.
  • If the ballot definition doesn’t match the paper ballot, results reported by the optical-scan voting machine can be nonsense. This has happened before–see my report describing a 2011 incident in New Jersey.
  • “Unforced error:” Dominion’s election-management system (EMS) software doesn’t check candidate names. The EMS computer has a file mapping ballot-position numbers to candidate names; and the memory card uploaded from the voting machine has its own file mapping ballot-position numbers to candidate names. If only the EMS software had checked that these files agreed, then the problem would have been detected on election night, during the upload process.
  • Even without that built-in checking, to catch mistakes like this before the election, officials should do the kind of end-to-end pre-election logic-and-accuracy testing described in Professor Halderman’s report.
  • Risk-Limiting Audits (RLAs) could have detected and corrected this error, if they had been used systematically in the State of Michigan. RLAs are good protection not only against hacking, but also against mistakes and bugs.

Comments

  1. _”If only the EMS software had checked that these files agreed, then the problem would have been detected on election night, during the upload process.”_ — Granted. But really, even that is too much opportunity for error.

    There are at least two obvious technical changes that could (and should) be made that would eliminate this risk altogether.

    #1: ballot’s should be designed by a single piece of software that handles layout, defining positions of names and bubbles. This software should generate the configuration file used by the counting machine as well as to print the ballots, and should generate a unique ID that is printed (e.g. human-readable, QR code, whatever) on the ballot and is also stored with the configuration file. The ballot counting machine should refuse to count a ballot fed to it where the ID on the ballot does not match the configuration.

    #2: OCR is a well-understood problem today. I personally think the #1 solution is fine, but if it’s really too much trouble to provide vertical integration of the ballot printing and counting, then the counting machines should validate the configuration file against the printing ballot by using optical character recognition to actually _read_ the ballot just as a human would when filling it out, to confirm that the configuration file matches how the ballot is actually laid out.

    Why, in this day and age, we still have computer systems so prone to human error is beyond me. As a software developer myself, I find it incredibly frustrating to hear about computer-based “solutions” that make things _harder_ in many ways than easier. Software is supposed to make things easier and more reliable, not the other way around, and yet the industry continues to produce inferior products that lead to some of the dumbest types of human errors. In many cases, this causes no more than immense frustration on the part of the user. But for something as critical as a voting system, this should not be tolerated at all. Manufacturers should be held responsible for eliminating easily-avoided errors, and should be penalized with product liability lawsuits to recover damages related to inferior software.

  2. Edwin Schwank says:

    There is no evidence that Dominion voting systems used in Antrim County were hacked—–while this is TECHNICALLY TRUE…..no evidence was NOT because the machine was NOT hacked…only that the machines were wiped removing all evidences of the election. Can’t know if the election was hacked or not if that happens. Also there was clear evidence someone accessed the system after the election who was NOT authorized to do so….mem cards were tossed around like paper clips with no regard for the law which mandates preserving all data under lock and key. If this second audit proves anything, it proves that these machines are easily hacked with written software to be uploaded just prior to elections and….that the only real way to be sure of a voted ballot is by counting the “old fashioned way” on paper and hand counted…..I know that is sooooo very much work! Pay those poor workers extra. Send the machines back to Bangladesh.

  3. Edwin Schwank says:

    Also NO machine should be hooked to the internet at all. Against the law, and way too easily hacked….and wiped and there is a reason many states turned down using these machines. NOT reliable at all.

  4. Edwin Schwank says:

    While this professor did his best to minimize the findings from the previous audit, it falls short on so many fronts.

    Future ballot counting needs to be far more scrutinized by:
    Counting ballots with ever single counting station manned by two observers from each party and more even better.
    Observers can challenge and thus making the ballot provisional and put aside. Arbitrated by committee if necessary.
    Cameras to observe and record the counting…every station multiple angles…with data stored under lock and key.
    No midnight counting….anywhere in the state….if more time is needed then so be it.
    Issue free voter I.D. to every single registered voter in advance of any election to be shown as proof of eligibility to vote.
    Zero adjudication ballots….if the ballot can’t be agreed to by all parties observing…..ballot is provisional or tossed out!
    Authenticate all absentee ballots with voter I.D. copy made available by secretary of state copy only…water mark etc.
    Get rid of voting machines…send them to Venezuela or Russia at deep discount.

  5. scott s. says:

    That sample ballot seems hideously complex. I doubt more than a couple precincts would have the same ballot. So I find that complexity to greatly increase the probability of error and difficulty in validating results.

    I get the idea that combining so many races and questions on a single ballot reduces administrative costs and increases turnout for “down ballot” issues (and maybe as important, may allow for “straight party” voting) but the cost in terms of difficulty in validation may be too high.

  6. Ok… First Michigan uses stubbed and numbered ballots! The machines only count the votes… they can not change the actual physical ballot. Michigan and in Antrim (especially) was counted by hand after the election. the totals matched the machine totals. That takes away every single argument above… for example, connected to the internet… count the ballots. Adjudication – Count the ballots. See we have paper ballots for a reason – So we can check the machines – and in every (yes every) incident in Michigan where audits, hand counts, retabs, and risk-limiting audits the totals matched the machines. Every branch of protection has also looked into it and agrees the machines are 100% accurate. CISA, Homeland, FBI, DOJ, Bill Barr, Christopher Krebs, and the list goes on and on.

    Let’s also deep dive all the other protections in place. Logic and Accuracy Testing, Public Testing (who has gone to one?). Physical Seals, Two-party affiliations running the elections, Canvassing, Post Election Audits, Risk limiting audits. Machines (tabulators) are tested by accredited labs, Vetted and approved by the EAC and then Vetted and approved by the State. The Feds hold the source codes. And then back to physical paper ballots that the voter marks that can be hand-counted.

    Our system is very solid in Michigan – only those with agendas to make money off the sheep taught otherwise.

  7. The main take-away from this would seem to be that people do not understand and are not competent enough to use electronic voting, and it should not.