by

Summary: Voting machines can be hacked; risk-limiting audits of paper ballots can detect incorrect outcomes, whether from hacked voting machines or programming inaccuracies; recounts of paper ballots can correct those outcomes; but some methods for producing paper ballots are more auditable and recountable than others.

A now-standard principle of computer-counted public elections is, use a voter-verified paper ballot, so that in case the voting machine cheats in counting the votes, the human doing an audit or recount can see the paper that the voter marked. Why would the voting machine cheat? Well, they’re computers, and any computer may have security vulnerabilities that permits an attacker to modify or replace its software. We must presume that any voting machine might, at any time, be under the complete control of an attacker, an election thief.

There are several ways that voter-verified paper ballots can be implemented:

Voter marks an optical-scan ballot with a pen, deposits into optical-scan voting machine for counting (and for saving in sealed ballot box). Voter uses a ballot-marking device (BMD), a computer with touchscreen/audio/sip-and-puff interfaces, which prints an optical-scan ballot, deposits into optical-scan voting machine for counting (and saving). Voter uses a DRE+VVPAT voting machine, that is, a Direct-Recording Electronic “touchscreen” machine with a Voter-Verified Paper Audit Trail, which saves the VVPAT printouts in a ballot box. Voter uses an “all-in-one” voting machine: inserts blank paper into slot, voter uses touchscreen interface to mark ballot, machine ejects ballot from slot, voter inspects printed ballot, voter reinserts printed ballot into same slot, where it is scanned (or is it?) and deposited into ballot box.

There’s also 1a (hand-marked optical-scan ballots, dropped into a precinct ballot box to be centrally counted instead of counted immediately by a precinct-located scanner), 1b (hand-marked optical-scan ballots, sent by mail) and 2a (BMD-marked optical-scan ballots, centrally counted).

In this article I will put on my “adversarial thinking” hat, and try to design ways that the attacker might try to cheat (and get away with it). You might think that the voter-verified paper ballot will detect cheating, and therefore deter cheating or correct the result–but maybe that depends on which kind of technology is used!

How to cheat with hand-marked optical-scan ballots

Consider this election between the Federalist party candidate and the Whig party candidate:

How to cheat, method 1: Program the optical-scanner software to shift 20% of the votes from .

What happens during the audit? Because the voter’s original hand-marked choices are marked on the paper ballot, a good risk-limiting audit will detect this (depending on how strong the “risk limit” is), and a recount will correct the count.

What happens during a “digital” audit? Some election directors have proposed to save the time of handling paper ballots during an audit, by just examining the digital images of the paper ballots captured by the high-resolution optical scanners. The problem is that if the optical-scanners are hacked to cheat, then the cheating program can also provide fake high-res digital images. It is essential that audits and recounts be by human inspection of the human-readable portions of the paper ballots.

How to cheat, method 2: Program the software to always interpret “marginal” marks in favor of one party. For example, I show in red the hacked machine’s interpretation of these votes:

Whenever there’s an ambiguous vote, it’s interpreted for Weiford if possible, otherwise it’s interpreted as an undervote or overvote. If it’s a close race between the Federalist candidate and the Whig candidate, and the number of imperfectly marked ballots is more than the margin of victory, this cheating will determine the outcome.

What happens during the audit? A good risk-limiting audit will detect that the machine has been “inaccurate,” and will detect an “incorrect outcome” from the machine count. This RLA result should cause a full recount, and the human recount should interpret all the marks consistently. That is, if the state’s rules count row-1,column-2 as a vote for Weiford, then they’ll count row-2,column-2 as a vote for Gariss; or if one is counted as “overvote”, then so will the other.

Will cheating be detected? Maybe not. Although the audit and recount will detect that the machines were “inaccurate,” maybe nobody will notice, or nobody will have strong evidence, that the machines were “inaccurate on purpose.” Thus, the hacker might be foiled in his plan to change the election result, but his hacked software (in favor of the Federalist party) will remain in the voting machine to try another time.

How to cheat with Ballot-Marking Devices

Suppose the voter uses a BMD to print a paper ballot, and then feeds that paper ballot into an optical scanner.

How to cheat, method 3: Mark the wrong votes onto the ballot, and hope the voter doesn’t notice. Don’t cheat twice in the same 10-minute period.

Will cheating be detected? Many voters won’t notice, especially if you confine your cheating to the “downballot” races where the voter may not remember all the names of the people they voted for. If the voter does notice, they’re supposed to alert the pollworker, who will void their misprinted ballot, and allow them to try again. But in that case, how is the pollworker supposed to distinguish between “this voter can’t even remember what he marked onto the ballot” and “the machine cheated, ring the alarm bells?”

What happens during the audit? For those few voters who noticed that their ballot was incorrect, and who marked a fresh ballot, the audit will record their choices correctly. For those voters who didn’t notice that the BMD cheated, the paper ballot, the ballot of record, contains the fraudulent, cheating vote, and it can never be detected or corrected.

How to cheat, method 4: Take a look at these two BMD-marked ballots — who wins the election?

On the ballot at right, the BMD has cleverly swapped the names as well as the marks. When the optical scanner reads this, both the marks are in the position for Weiford. So Weiford wins 2-0, according to the optical scanner!

What happens during the audit? Human inspection of the human-readable paper ballot will interpret the ballot at right as a vote for Gariss, and the audit will (up to the risk limit) detect the incorrect outcome and call for a recount.

Will cheating be detected? It depends! Probably someone will notice that the ballot at right is in the wrong order. But not necessarily! In some states, the order of candidates is randomized, and different ballot styles will list different candidates first. The machine interpretation of the marks depends on a bar code elsewhere on the ballot. In that case, it would be “normal” that the names are printed in different order.

How to cheat with bar codes

Some BMDs don’t print an optical-scan form, they print bar codes plus human-readable text. In that case, the optical scanner reads the bar codes, and the human reads the lines of text.

How to cheat, method 5: Print the voter’s selection into the human-readable text, and print the other candidate in the bar code. The voter can’t possibly notice.

What happens during the audit? Human inspection of the human-readable paper ballot will interpret the ballot according the voter’s selection; the audit will (up to the risk limit) detect the incorrect outcome and call for a recount.

What happens during a “digital” audit? Some election directors have proposed to save the time of having actual humans inspect ballots, by scanning the ballots electronically. In such a case, the cheating will not be discovered, because the scanners will see the same fraudulent bar codes they saw the first time. It is essential that audits and recounts be by human inspection of the human-readable portions of the paper ballots.

Will cheating be detected? It depends! A ballot-polling audit will not identify which ballot was incorrectly interpreted. A ballot-comparison audit will identify which ballot was incorrectly interpreted, and will probably be able to detect that fraud (or at least, something seriously wrong) took place.

How to cheat, method 6: Change the vote, both in the bar code and in the human-readable list. The voter might not notice, especially in the downballot races. (Actually, we don’t have good user-study data to test whether the voter will notice. There are some user studies that have tested this question, but only in mock elections where the voter is artificially given a list of candidates to vote for.)

Will cheating be detected? The answer is, even if the voter notices, what happens then? See the analysis of method 3.

What happens during the audit? The fraudulent votes are printed onto the ballot, both in human-readable form and in bar-code form. The audit will not detect the incorrect outcome, and a recount will not correct it.

How to cheat with DRE+VVPAT

I have elsewhere described DRE+VVPAT machines, and explained a bit of how to cheat.

How to cheat, method 7: Print the right votes onto the VVPAT, but record the cheating votes in memory (and the reported vote totals). The voter can’t notice anything wrong.

What happens during the audit? Human inspection of the VVPAT will (up to the risk limit) detect the incorrect outcome and call for a recount. Recount of the VVPAT will get the correct outcome.

How to cheat, method 8: Print the wrong votes onto the VVPAT (and record them in memory, and in the vote count). If the voter notices, proceed as in methods 3 and 6: the voter will void the ballot and try again (but the machine won’t cheat the second time).

How to cheat, method 9: Print the right votes onto the VVPAT-behind-glass, but record the wrong votes in memory (and in the vote count). After the voter presses “OK” to accept the printed VVPAT, print “VOID” onto the VVPAT (as if the voter had detected an error and asked to try again). Then, when the voter isn’t present (in between voters), print a fresh VVPAT with the wrong votes.

Will cheating be detected? No.

What happens during the audit? The fraudulent votes are printed onto the VVPAT and recorded in memory. The audit will not detect the incorrect outcome, and a recount will not correct it.

How to cheat with an all-in-one voting machine

Here and here I described all-in-one machines, that are a combination of BMD + optical scanner, all in a single paper path.

How to cheat, method 5b: Same as method 5.

How to cheat, method 6b: Same as method 6.

How to cheat, method 9b: Actually, this is one way in which an all-in-one machine is more secure than a DRE+VVPAT. The ES&S ExpressVote, or the Dominion IC Evolution, does not have its own paper supply. The voter must insert a blank ballot into the machine, the machine marks that piece of paper. The all-in-one can void a ballot after the last time the voter sees it (that’s very bad!), but it cannot, all on its own, print a fresh ballot because it doesn’t have another sheet of paper handy!

How to cheat, method 10: First, ask the voter whether they want to inspect the printed ballot before depositing it. If the voter says “no”, then print the wrong votes and deposit it in the ballot box. This is described in my previous post.

Will cheating be detected? No.

What happens during the audit? The fraudulent votes are printed onto the paper ballot and recorded in memory. The audit will not detect the incorrect outcome, and a recount will not correct it.

But really, the “permission to cheat” button is such a terrible idea, we might expect most jurisdictions to disable it. So let’s suppose the voter must reinsert the ballot into the slot, after supposedly inspecting it carefully.

How to cheat, method 11: Print some of the voter’s selections onto the ballot, especially the high-profile races such as President, but leave out “state senator” and “county commissioner” and “boondoggle bond issue #3”. Even those alert voters who might notice a vote for a wrong candidate, might not notice that some races are entirely missing. Then, after the voter reinserts the marked ballot into the voting machine, print the cheatin’ choices (not the voter’s selections) in those races.

Will cheating be detected? Perhaps not.

What happens during the audit? The fraudulent votes are printed onto the paper ballot and recorded in memory. The audit will not detect the incorrect outcome, and a recount will not correct it.

Conclusion: what can we learn from all this?

No method is perfect. Any way you mark a paper ballot for optical scan, there’s a way to cheat.

But the attempted cheating on hand-marked optical scan ballots is detected and corrected by risk-limiting audits and recounts.

Many of these ways to cheat cannot be detected by so-called “digital” audits, that is, audits that don’t actually examine, by human inspection, the same pieces of paper that the voters saw. You cannot check whether a computer is cheating, if you’re relying on the computer to tell you what’s on the paper.

the problem with ballot-marking devices and DRE+VVPAT is, even with true audits of the actual paper ballots, some of the ways to cheat cannot be detected in the audit. That is, once the fraudulent votes get onto the paper ballot, once that ballot gets into the ballot box, the fraud can no longer be detected. In any system where the computer marks the votes, we have to rely on the voter to make sure the marks match what they entered on the touch-screen; and

There’s no evidence that voters are good at that, especially when the on-screen layout looks quite different from the on-paper layout. There’s no clear procedure what the voters and pollworkers should do if the fraud is detected. Well, yes, the ballot should be voided and the voter can try again. But this alone will not deter cheating, it just permits the voting machine to cheat again on the next voter who doesn’t look very carefully.

For these reasons, I recommend hand-marked optical scan ballots, and many voting-machine experts agree.

Postscript: Optical scanners that print onto the ballot

In a previous post I explained,

We might wish to allow optical-scanners to print serial numbers onto the ballot, but the optical scanner must not be physically able to print votes onto the ballot. … One solution to this problem is to equip the optical scanner with a printer that is physically able to print only within 1 centimeter of the edge of the paper. As long as no vote-marks are expected at the edge of the paper, then the scanner can print onto the ballot but cannot print votes onto the ballot. Two widely used central-count optical scanners from major voting-machine manufacturers both have this capability: the Dominion ImageCast Central and the ES&S DS850.

The reason for this is to enable efficient ballot comparison audits, which require serial numbers that can link paper ballots to specific cast-vote records.

In a conference call on October 16, 2018 about piloting risk-limiting audits in Rhode Island, Lynn Garland of Maryland was discussing this with the representative of a major voting-machine vendor and with Miguel Nunez, Deputy Director of Elections of Rhode Island. Mr. Nunez showed that the high-speed central-count optical scanner prints these serial numbers on the margin of the ballot, as shown at right. In some ways, that’s a good design: the tiny dot-matrix printer can print only on a 3-millimeter-wide strip of the paper, so it cannot mark votes.

But the serial number is printed in very light ink. Mr. Nunez explained that this makes it difficult to read during a risk-limiting audit. Ms. Garland suggested that the serial number should be printed in some color, such as red ink, that is (1) easily human readable, (2) not sensed by the optical scanner, (3) cannot be interpreted as a vote. The vendor representative seemed quite interested in this proposal and he said he would find out what inks would work. I’ll reserve judgment on this particular suggestion (visible ink not detectable by scanner), but it does show that the design of voting machines for auditability is still evolving, and that major vendors are on board with that concept. I think that’s a good thing.