September 22, 2021

It’s still practically impossible to secure your computer (or voting machine) against attackers who have 30 minutes of access

It has been understood for decades that it’s practically impossible to secure your computer (or computer-based device such as a voting machine) from attackers who have physical access. The basic principle is that someone with physical access doesn’t have to log in using the password, they can just unscrew your hard drive (or SSD, or other memory) and read the data, or overwrite it with modified data, modified application software, or modified operating system. This is an example of an “Evil Maid” attack, in the sense that if you leave your laptop alone in your hotel room while you’re out, the cleaning staff could, in principle, borrow your laptop for half an hour and perform such attacks. Other “Evil Maid” attacks may not require unscrewing anything, just plug into the USB port, for example.

And indeed, though it may take a lot of skill and time to design the attack, anyone can be trained to carry it out. Here’s how to do it on an unsophisticated 1990s-era voting machine (still in use in New Jersey):

Andrew Appel replacing a memory chip on an AVC Advantage voting machine, circa 2007. The sophisticated tool being used here is: a screwdriver

More than twenty years ago, computer companies started implementing protections against these attacks. Full-disk encryption means that the data on the disk isn’t readable without the encryption key. (But that key must be present somewhere in your computer, so that it can access the data!) Trusted platform modules (TPM) encapsulate the encryption key, so attackers (even Evil Maids) can’t get the key. So in principle, the attacker can’t “hack” the computer by installing unauthorized software on the disk. (TPMs can serve other functions as well, such as “attestation of the boot process,” but here I’m focusing on their use in protecting whole-disk encryption keys.)

So it’s worth asking, “how well do these protections work?” If you’re running a sophisticated company and you hire a well-informed and competent CIO to implement best practices, can you equip all your employees with laptops that resist evil-maid attacks? And the answer is: It’s still really hard to secure your computers against determined attackers.

In this article, “From stolen laptop to inside the company network,” the Dolos Group (a cybersecurity penetration-testing firm) documents an assessment they did for an unnamed corporate client. The client asked, “if a laptop is stolen, can someone use it to get into our internal network?” The fact that the client was willing to pay money to have this question answered, already indicates how serious this client is. And, in fact, Dolos starts their report by listing all the things the client got right: There are many potential entry points that the client’s cybersecurity configuration had successfully shut down.

Indeed, this laptop had full disk encryption (FDE); it had a TPM (trusted platform module) to secure the FDE encryption key; the BIOS was configured well, locked with a BIOS password, attack pathways via NetBIOS Name Service were shut down, and so on. But there was a vulnerability in the way that FDE talked to TPM over the SPI bus. And if that last sentence doesn’t speak to you, then how about this: They found one chip on the motherboard (labeled CMOS in the picture),

Photo from Dolos Group,

that was listening in on the conversation between the trusted platform module and the full-disk encryption. They built a piece of equipment; they could give their equipment to an Evil Maid who could clip one of these onto the CMOS chip:

and in a few seconds the Evil Maid could learn the secret key; then (in a few minutes) read the entire (decrypted) disk drive, or install a new operating system to run in Virtualized mode. FDE has been made irrelevant, so the TPM is also irrelevant.

Then, the attacker can get into the corporate network. Or, what Dolos doesn’t describe, is that the attacker could install spyware or malware into the hard drive, remove the blue clip, screw the cover back on, and return the laptop to the hotel room.

This vulnerability can be patched over; but computer systems are very complex these days; there will almost always be another security slip-up.

And what about voting machines? Are voting machines well protected by TPM and FDE, and can the protections in voting machines be bypassed? For voting machines, the Evil Maid is not a hotel employee, it may be a corrupt election warehouse worker, a corrupt pollworker at 6am, or anyone who has unattended access to the voting machine for half an hour. In many jurisdictions, voting machines are left unattended at polling places before and after elections.

We would like to know, “Is the legitimate vote-counting program installed in the voting machine, or has some hacker replaced it with a cheating program?”

One way the designer/vender of a voting machine could protect the firmware (operating system and vote-counting program) against hacking is, “store it in an whole-disk-encrypted drive, and lock the key inside the TPM.” This is supposed to work, but the Dolos report shows that in practice there tend to be slip-ups.

As an alternative to FDE+TPM that I’ve described above, there are other ways to (try to) ensure that the right firmware is running; they have names such as “Secure Boot” and “Trusted Boot”, and use hardware such as UEFI and TPM. Again, ideally they are supposed to be secure; in practice they’re a lot more secure than doing nothing; but in the implementation there may be slip-ups.

The new VVSG 2.0, the “Voluntary Voting Systems Guidelines 2.0” in effect February 2021, requires cryptographic boot verification (see section 14.13.1-A) — that is, “cryptographically verify firmware and software integrity before the operating system is loaded into memory.” But the VVSG 2.0 doesn’t require anything as secure as (hardware-assisted) “Secure Boot” or “Trusted Boot”. They say, “This requirement does not mandate hardware support for cryptographic verification” and “Verifying the bootloader itself is excluded from this requirement.” That leaves voting machines open to the kind of security gap described in Voting Machine Hashcode Testing: Unsurprisingly insecure, and surprisingly insecure. That wasn’t just a slip-up, it was a really insecure policy and practice.

And by the way, no voting machines have yet been certified to VVSG 2.0, and there’s not even a testing lab that’s yet accredited to test voting machines to the 2.0 standard. Existing voting machines are certified to a much weaker VVSG 1.0 or 1.1 that doesn’t even consider these issues.

Even the most careful and sophisticated Chief Information Officers using state-of-the-art practices find it extremely difficult to secure their computers against Evil Maid attacks. And there has never been evidence that voting-machine manufacturers are among the most careful and sophisticated cyberdefense practitioners. Most voting machines are made to old standards that have zero protection against Evil Maid attacks; the new standards require Secure Boot but in a weaker form than TPMs; and no voting machines are even qualified to those new standards.

Here’s an actual voting-machine hacking device made by scientists studying India’s voting machines. Just turn the knob on top to program which candidate you want to win:

Voting-machine hacking device made by the authors of “Security Analysis of India’s Electronic Voting Machines”, by Hari K. Prasad et al., 17th ACM Conference on Computer and Communications Security, 2010.

Wholesale attacks on Election Management computers

And really, the biggest danger is not a “retail” attack on one machine by an Evil Maid; it’s a “wholesale” attack that penetrates a corporate network (of a voting-machine manufacturer) or a government network (of a state or county running an election) and “hacks” thousands of voting machines all at once. The Dolos report can reminds us again why it’s a bad idea for voting machines to “phone home” on a cell-phone network to connect themselves to the internet (or to a corporate or county network): it’s not only that this exposes the voting machine to hackers anywhere on the internet, it also allows the voting machine (hacked by an Evil Maid attack) to attack the county network it phones up.

Even more of a threat is that an attacker with physical access to an Election Management System (that is, state or county computer used to manage elections) can spread malware to all the voting machines that are programmed by the EMS. How hard is it to hack into an EMS? Just like the PC that Dolos hacked into, an EMS is just a laptop computer; but the county or state that owns it may not be as security-expert as Dolos’s client is. Likely enough, the EMS is not hard to hack into, with physical access.

Conclusion: Don’t let your security depend entirely on “an attacker with physical access still can’t hack me.”

So you can’t be sure what vote-counting (or vote-stealing) software is running in your voting machine. But we knew that already. Our protection, for accurate vote counts, is to vote on hand-marked paper ballots, counted by optical-scan voting machines. If those optical-scan voting machines are hacked, by an Evil Maid, by a corrupt election worker, or by anyone else who gains access for half an hour, then we can still be protected by the consistent use of Risk-Limiting Audits (RLAs) to detect when the computers claim results different from what’s actually marked on the ballots; and by recounting those paper ballots by hand, to correct the results. More states should consistently use RLAs.

The use of hand-marked paper ballots with routine RLAs can protect us from wholesale attacks. But it would be better to have, in addition, proper cybersecurity hygiene in election management computers and voting machines.

I thank Ars Technica for bringing the Dolos report to my attention. Their article concludes with many suggestions made by security experts for shutting down the particular vulnerability that Dolos found. But remember, even though you can (with expertise) shut down some particular loophole, you can’t know how many more are out there.

New Hampshire Election Audit, part 2

In my previous post I explained the preliminary conclusions from the three experts engaged by New Hampshire to examine an election anomaly in the town of Windham, November 2020. Improperly folded ballots (which shouldn’t have happened) had folds that were interpreted as votes (which also shouldn’t have happened) and this wasn’t noticed by any routine procedures (where either overvote rejection or RLAs would have caught and corrected the problem)–except that one candidate happened to ask for a recount. At least in New Hampshire it’s easy to ask for a recount and the Secretary of State’s office has lots of experience doing recounts.

Let’s consider these issues one at a time.

Ballot folds interpreted as marks

National standards for voting machines say that creases should not be interpreted as votes. The “Voluntary Voting System Standards”, version 1.0 from 2005 and version 2.0 from 2021, say this:

1.1.6-I – Ignore extraneous marks inside voting targets.  The voting system must include a capability to recognize any imperfections in the ballot stock, folds, and similar insignificant marks appearing inside the voting targets and not record them as votes.

But Windham, New Hampshire bought its AccuVote OS machines in 1998, so let’s look at the 1990 Federal Election Commission standards:

Reading Accuracy:  This … Subsystem attribute refers to the inherent capability of the read heads to … discriminate between valid … marks and extraneous perforations, smudges, and folds.

Although New Hampshire does not consider itself bound by these “voluntary” standards, certainly the AccuVote OS was sold in states that asked for test reports against those 1990 standards. So presumably the AccuVote OS, when new and when properly calibrated, was supposed to ignore fold lines. However, it appears testing agencies don’t actually test for this, even if the standards call for it.

It is not clear whether these machines have been recalibrated to different settings than the manufacturer preset–sometimes there are reasons for doing that. And the careful testing by the New Hampshire audit team makes it clear that the AccuVote OS does not always ignore fold lines.

Fold lines through vote targets

Even though voting machines are not supposed to interpret creases as votes, experienced election administrators know that they should keep the fold lines away from the vote targets (ovals that the voter fills in).

Most ballots are printed by private companies that contract with local election officials. In western states, where many millions of voters routinely vote by mail, election administrators contract with their printers not only to print the ballots, but to fold them and insert them in envelopes as well, and often also to bulk-mail them directly to the voters. Those printing companies get trained (either by the election officials, or by the major voting machine companies) about how to set up their high-speed automatic equipment to fold the ballots, avoiding vote targets.

But in some eastern states where there have been relatively few absentee ballots, local election officials often mail out the ballots themselves. In 2020, as in previous years, the State of New Hampshire contracted with a printing company to print their ballots. The printer printed the absentee ballots with score lines, that is, indentations in the paper that show where it should be folded–so when you fold by hand, it ought to fold at the scores. And indeed, these score lines were indented in the right place, avoiding the vote targets. If only the ballots had been folded at the score lines, there would have been no problem.

Jennifer Morrell, who was a local election official in Utah and Colorado, writes,

We always worked with our mail ballot printing vendor to ensure the pre-scored fold lines did not hit a target area on the ballot. It was a bit tedious because we had 600+ ballot styles but I don’t recall it ever being a problem. 
   My recollection is that they were always able to find a single position for each fold mark (generally just two folds so the ballot was folded in thirds) that worked with all styles. One year was challenging because our ballot was so long we had three fold marks (ballot folded in half and then in half again) which put one of them squarely in the middle of the ballot.
   For flat ballots voted in-person at polling locations, we printed those “on demand” and purchased pre-scored ballot stock from the vendor (with the folds in the same position as they were on the mail ballots). This mitigated (but not alleviated completely) the risk of voters folding the ballots in a way that would create a problem. Mainly, if they folded a ballot that was not scored, there was a potential for the fold to damage the timing mark causing the ballot to be rejected by the scanning equipment as unreadable. Which then means it would need to be sent for duplication/remake.

In previous years, there weren’t many absentee ballots to be mailed out, so Windham employees would fold the (prescored) ballots by hand, put them in envelopes, and mail them. Likely enough, the creases would usually be on the score lines, avoiding the vote targets. But in 2020, during the pandemic, thousands of voters requested absentee ballots. The town improvised: they used a folder/inserter machine (normally used for DMV notices) to fold the ballots; then they “ironed” the folds with a coin or scissors-handle to make them fit in their envelopes.

MailMax Solutions DS-35 folder/inserter

This machine is probably wonderful for its intended purpose–folding business letters, electricity bills, DMV notices, etc. before mailing to customers. But it does not put creases in exactly the right places for ballots; either because it had not been adjusted for that, or because it does not put creases straight across (they’re slightly diagonal), or because even when adjusted it doesn’t always put the crease in exactly the same place.

In particular, the absentee ballots folded by the DS-35 were not folded at the score lines; many of them were folded through the vote target for Democratic candidate Kristi St. Laurent.

Dust and calibration

The fold line went through a vote target–but isn’t the voting machine supposed to ignore that? In principle, yes. But these creases are substantial ridges! Windham was using four AccuVote optical scanners on November 3rd, and the auditors found that some of these machines were much more likely than others to interpret folds as votes. The auditors also found that there was a substantial build-up of dust on the read heads of the scanners; and that these read heads were enclosed in such a way that it would be difficult to get in there and clean them, or even to notice that there was a dust build-up. And they found “dust is a major contributor to reading errors of folds;” cleaning out the dust reduced the error rate.

One can imagine different hypotheses for why dust could increase the sensitivity to fold marks. Perhaps dust on the read head blurs the image, making the fold appear wider. Perhaps dust reduces sensitivity overall, so that as dust built up over the years the technicians recalibrated the machine to increase its sensitivity (so that legitimate votes were not missed).

Could this be happening elsewhere?

Should we be worried that election results are wrong in other jurisdictions that use AccuVote optical scanners–or any kind of optical scanners? Let’s see what chain of circumstances caused this problem:

  • Ballots were folded improperly, in part because the COVID-19 pandemic caused a last-minute surge in absentee voters and the town had an unforeseen need to fold 3000 ballots. (In other times and places, jurisdictions that mail out thousands of folded ballots usually have them folded by printing companies that are experienced in the special requirements for ballots.)
  • The fold line, as produced by the automatic folding machine, happened to fall upon a vote target.
  • The AccuVote scanners had not been cleaned of a (perhaps years-long) dust buildup. Do election administrators in other places clean the read heads of their optical scanners? Are other models of voting machine susceptible to this problem?
  • Windham had disabled overvote notification on these scanners (following State policy). That is, reading the fold as a vote caused (in hundreds of cases) more votes to be cast in this contest than allowed, so the machine noticed an overvote and didn’t count any of the votes in that contest (on that ballot). If the machine were set to reject overvoted ballots on the spot, in the presence of the voter, that gives the voter a chance to get a fresh ballot and try again. You might think that doesn’t seem apply to absentee ballots; but in fact it can: there was a poll worker feeding those absentee ballots through the scanner, and overvote rejection would give the poll worker a chance to place overvoted ballots into a separate pile for hand counting. It’s a best practice, followed in many other jurisdictions, that all overvoted ballots are segregated for manual interpretation.
Results-report printout from Windham, November 3 2020, showing that overvote-return feature on AccuVote OS was disabled.
  • Windham had ignored overvote reporting. At the close of the polls, the AccuVote OS prints out a cash-register tape with results. The overvotes are reported as BLANKS (which also includes ballots in which the voter didn’t vote at all in this contest). It would have been better if the voting machine reported OVERVOTES separately from true BLANKS. But even so, the extremely high number of blanks could have been a warning sign to investigate further, by a hand recount (without waiting for a candidate to request it)–except that such a recount would not have been legal under State law.
  • New Hampshire does not have Risk-Limiting Audits. An RLA examines a random sample of the paper ballots, sampling just enough ballots to ensure that the outcome claimed by the voting machine is the same as you’d get by recounting the paper ballots by hand. One motivation of RLAs is to catch hacking, but they work just as well to catch any kind of systematic error. If New Hampshire had RLAs, then any problem like this that could have changed the outcome of an election would probably have been detected–and corrected by a recount.

Could folds have changed votes elsewhere in New Hampshire? Possibly. Did other towns use nonstandard equipment to fold their absentee ballots? The town clerks might know. And if so, which vote target (if any) would the fold line have fallen upon? Unknown. Do other towns have AccuVote OS machines that have not been cleaned for 22 years? Probably. Do other towns disable overvote rejection? Almost certainly. Do other towns ignore high numbers of BLANKS on results printouts? Probably. Do other towns do Risk-Limiting Audits that would have caught this? No, state law prohibits that.


Optical-scan voting can be extremely accurate when best practices are followed. New Hampshire should adopt these practices immediately:

  1. Enable overvote rejection on the AccuVote OS. That means, the voting machine returns the overvoted ballot to the voter or pollworker for correction. When the voter is not present (as for an absentee ballot) the overvoted ballot should be segregated for manual counting, because often a human can readily determine the voter’s intent. When the voter is present, the voter can be given the choice of either voiding their ballot and casting a new one, or having their ballot segregated for manual counting.
  2. Clean the read heads of all their optical-scan voting machines as often as necessary, which might be every year or every four years, to be determined. This will require some disassembly of the machines.
  3. Set the voting machines to report (in each contest) the number of overvotes separately from the number of blanks. In principle there should be few reported overvotes if recommendation #1 is followed. Even so: if the number of overvotes is more than half the margin of victory in any race, examine all overvoted ballots; or if overvoted ballots cannot be segregated, recount the whole contest.
  4. Have absentee ballots folded automatically by the election-services contractor, rather than folded ad-hoc in town offices. Town Clerks should inspect a sample of absentee ballots before they are mailed to make sure the folds avoid all vote targets. If absentee ballots are mailed directly to voters by the services company, then Town Clerks should inspect a sample of the returned absentee ballots to make sure the folds are in the right place. (If not, count those ballots by hand.)
  5. Determine whether the procedures and software used for the layout of optical-scan ballots properly keep all vote targets away from any portion of the paper where folds might be made. (See “lesson” below.)
  6. Adopt Risk-Limiting Audits statewide. All the recommendations 1-5 above are reactive to the specific unforeseen problem that occurred last time. But what different problem will come up next time? The purpose of mandatory, every-election RLAs is to detect any kind of problem that might cause machine-reported results to be different from what you’d get in a correct manual recount. And these mandatory RLAs should be done before results are certified, so that if the RLA does detect a problem, then it can be immediately corrected by a recount. And one thing we learned from this is that the Secretary of State’s office can do recounts accurately.

Lessons for voting machine design

Humans have no difficulty understanding that a fold line is not a vote; we don’t look only within the oval, but at a more holistic context. One might think that modern algorithms, running on the more powerful CPUs that voting-machine makers put in their contemporary products, might interpret marks much more accurately than the AccuVote OS from the 1990s. I haven’t seen any evidence of this, one way or the other. It might be worth subjecting newer products to independent testing; or doing research on vote-mark recognition algorithms, or both.

Furthermore, there are good standards for the design of ballots so that voters are less likely to make mistakes: Effective Designs for the Administration of Federal Elections, Section 3: Optical scan ballots. But that guide says nothing about absentee ballots; the only instructions it gives are “do not fold the ballot”, which is not useful advice for mail-in ballots. Updated design guidelines would be useful, saying vote targets shoud not be placed anywhere near the point in the paper were the fold will most naturally go.

Ballot-layout software should be improved to take fold-line positions into account when placing vote targets. As it is now, it seems that the targets go where they go, and then the election administrator and printing company have to scramble to find a place where the fold can go.

Finally, even though the Federal standards require optical-scan voting machines to ignore fold marks, it appears that this is not tested in the “certification test plan” for a voting machine like the AccuVote OS. If the standards say that voting machine should ignore folds, then that should be tested for.

New Hampshire Election Audit, part 1

Based on preliminary reports published by the team of experts that New Hampshire engaged to examine an election discrepancy, it appears that a buildup of dust in the read heads of optical-scan voting machines (possibly over several years of use) can cause paper-fold lines in absentee ballots to be interpreted as votes. In a local contest in one town, preliminary reports suggest this caused four Republican candidates for State Representative to be deprived of about 300 votes each. That didn’t change the outcome of the election–the Republicans won anyway–but it shows that New Hampshire (and other states) may need to maintain the accuracy of their optical-scan voting machines by paying attention to three issues:

  • Routine risk-limiting audits to detect inaccuracies if/when they occur.
  • Clean the dust out of optical-scan read heads regularly; pay attention to the calibration of the optical-scan machines.
  • Make sure that the machines that automatically fold absentee ballots (before mailing them to voters) don’t put the fold lines over vote-target ovals. (Same for election workers who fold ballots by hand.)

Everything I write in this series will be based on public information, from the State of New Hampshire, the Town of Windham, and the tweets of the WindhamNHAuditors.

In the November 3, 2020 general election in Windham, New Hampshire, the race for State Representative was very close–24 votes difference–so one candidate asked for a recount. The recount showed that she lost by hundreds of votes–not just 24. The hand recount of the optical-scan paper ballots disagreed with the numbers claimed by the optical-scan voting machines to an extent that was shocking. The citizens of New Hampshire demanded to know: were the op-scan machines hacked? Were the machines misconfigured and reading marks from the wrong place in the paper? Did creases in absentee ballots cause the op-scan machines to misread votes? Was the recount itself erroneous?

The Secretary of State said that there was no provision in New Hampshire law that permitted him to do a re-recount, or to examine the voting machines for hacking. So a Republican legislator introduced a bill for a forensic audit to find out what had happened. That bill passed the legislature unanimously:

… [T]his act authorizes and directs an audit of the ballot counting machines and their memory cards and the hand tabulations of ballots regarding the general election on November 3, 2020 in Windham, New Hampshire of Rockingham County district 7 house of representatives for the purpose of determining the accuracy of the ballot counting devices, the process of hand tallying, and the process of vote tabulation and certification of races.  

A forensic election audit team shall be formed to complete the audit described in section 3 and it shall be comprised of:  one person designated by town of Windham,  one person designated jointly by the … secretary of state and attorney general, [and one person to be chosen by those two auditors]. … The results of the audit shall not alter the official results of the Rockingham County district 7 house of representatives race as determined by the ruling of the ballot law commission on November 25, 2020, upholding the recount of that race.

Governor Sununu signed bill SB43 into law on April 12, 2021. On April 26 the town of Windham chose Mark Lindeman of the Verified Voting Foundation as its auditor, and the Attorney General (upon the advice of the Secretary of State) chose Harri Hursti, a well known expert on the cybersecurity of voting machines and bank ATM machines. Those two then selected Philip Stark, of the University of California at Berkeley, as the third auditor.

This is truly a “dream team” of experts. They know what they’re doing, they’re experienced with election audits and the forensic examination of voting machines, and they know how elections work. New Hampshire could not have found anyone better prepared to get to the heart of the matter.

What happened in Windham

The town of Windham has a single polling place, in which 10,006 ballots were cast: 6697 in-person and 2949 absentee scanned by machine, and 80 absentee counted by hand (because overseas “UOCAVA” ballots are in a different format that the machines didn’t accept).

In New Hampshire, absentee ballots are processed in the polling place, on election day. That is, there’s a preprinted voter list. When registered voter shows up to vote in person, their name is found on the list, and crossed out. An absentee ballot envelope is processed by checking the voter’s name (from the envelope) against the same preprinted voter list, and crossing it out; then the absentee ballot is removed from the envelope, and scanned into the same voting machines that are used for in-person ballots.

That procedure is a way of checking that the same person doesn’t vote absentee more than once, or doesn’t vote both absentee and in person: their name appears only once on the list, and can be crossed off only once.

In Windham on November 3rd, there were four optical-scan voting machines, Global Election Systems model “AccuVote OS”, purchased in 1998 and 2000. The 6697 in-person and 2949 scannable absentee ballots were fed into those four machines during the day. That’s something like one ballot every 10 or 15 seconds into each machine, all day long!

At the close of the polls, each machine printed its result out onto a “results tape”–thermal cash-register paper listing how many votes each candidate got. There were four “results tapes”, one per machine; here’s a small portion of just one of them, for the State-Rep contest:

In this race, there were 8 candidates running for 4 seats, and every voter got to vote for four out of 8.

Election administrators aggregated the four voting-machine results tapes by hand (along with the 80 hand-counted ballots) onto a paper worksheet to produce an official “Return of Votes” form, signed by the Town Clerk.

In the race for State Rep, in 5th place out of 4 seats, Kristi St. Laurent was only 24 votes behind the 4th-place candidate Julius Soti. So she asked for a recount. By state law, those are done by hand, by the office of the Secretary of State, in Concord (the state capital).

The results of the recount were:

Kristi St. Laurent (D)4,4564,357-99
Henri Azibert (D)2,7872,808+21
Valerie Roman (D)3,4153,443+28
Ioana Singureanu (D)2,7642,782+18
Julius Soti (R)4,4804,777+297
Mary Griffin (R)5,2925,591+299
Bob Lynn (R)4,7865,089+303
Charles McMahon (R)5,2565,554+298

As you can see, something is grossly wrong–either with the machine counts, or the hand counts, or both. The people of New Hampshire, and their legislators, wanted to understand how this happened–and how to prevent it in the future.

The audit team looked at,

  • the voting machines (and their ballot programming, and their performance under the kind of heavy usage they saw last November);
  • the paper ballots (and associated records), as preserved by the Secretary of State from the November recount
  • and the context, learning from election administrators in Windham and other New Hampshire towns about polling-place procedures.

What caused the discrepancy

The audit team has not yet written their official report, so everything I’ll describe here is only their preliminary findings as described in their tweets.

The auditors supervised a careful recount by teams of 5 people (caller, checker, 2 tallyers, flagger). Members of each team included Democrats, Republicans, and independents. The hand count was within 0.05% of the official state recount, for every State Rep candidate (the State did not recount the races for President, Senator, etc.). So, basically, the official state recount was right, the voting machines were wrong; why?

There is zero evidence that the voting machines were hacked. Forensic exams show that the software in these machine matches the reference machine provided by the Secretary of State’s office (the audit team will continue to examine that software to make sure the SoS’s copy is right), and there was nothing unexpected in the memory cards.

Folds in ballot papers. Ballot papers marked by voters in the polling place were (generally) not folded. Absentee ballots have identical printing; they were folded in thirds before they were mailed to the voters; marked by the voters at home, refolded and mailed back to the Town Clerk, and then (on election day) scanned through the same voting machines as the in-the-polling-place ballots.

What happens if a fold goes through one of the “vote targets” (the ovals that voters are supposed to fill in with a pen to indicate their choice)? The voting machine is not supposed to interpret a fold as a mark. But the audit team found that in many cases, a fold would be read as a mark:

Microscopic photo of fold through a vote target. From @WindhamNHAuditors

The fold lines in absentee ballots weren’t always in exactly the same place, but in hundreds of ballots they crossed through the target for Democratic candidate Kristi St. Laurent. Now, consider what happens if an voter marks all 4 Republican candidates (and none of the 4 Democratic candidates), by blackening their ovals with a pen. If the optical-scanner also interprets the fold line through one Democratic candidate as a mark, then the machine “thinks” there are 5 votes in a vote-for-4 contest; and that’s an overvote, so all of those votes won’t be counted.

Many voters voted straight-party: all R, or all D. The effect of this was that hundreds of votes for the Republican candidates were not counted. An all-Democratic vote, with a fold line through a blackened target, would not be affected.

In the recount, with humans looking at the votes, the votes were counted accurately. Humans are not likely to interpret a fold line as a vote! So the official Windham results (after the recount) are trustworthy.

But many towns in New Hampshire use the same AccuVote optical-scan voting machines. We can legitimately wonder whether some elections in other towns (that were not recounted by hand) got the wrong result. I’ll discuss that question in my next post.

In my next article I’ll examine:

  • What do the national voting-machine standards say about how voting machines should distinguish fold-lines from intentional vote-marks?
  • Could a build-up of dust make the voting machine more likely to misinterpret folds as marks?
  • What do election administrators in other states do to avoid this problem?
  • Should New Hampshire throw away its voting machines and buy new ones, or throw away its voting machines and count votes by hand? Or are there measures they could take to use these same machines in a trustworthy way?
  • What series of circumstances led to this problem in Windham 2020, and how could those corrective measures prevent anything like this from happening again?
  • Could improved technology in optical-scan voting machines be less susceptible to this problem?