Electronic voting in the United States involves several types of machines: touchscreens for voters to mark choices, scanners to read paper ballots, scanners to verify signatures on envelopes of absentee ballots, adjudication machines to allow corrections to improperly filled in items, and web servers to display tallies to the public. Aside from voting, there are also computer systems to maintain voter registrations and display these electoral rolls to polling place staff.
Most election offices handle thousands of ballots, with an average of 17 contests per ballot,[1] so machine-counting can be faster and less expensive than hand-counting.
The Election Assistance Commission (EAC) is an independent agency of the United States government which developed the 2005 Voluntary Voting System Guidelines (VVSG).[2] These guidelines address some of the security and accessibility needs of elections. The EAC also accredits three test laboratories which manufacturers hire to review their equipment. Based on reports from these laboratories the EAC certifies when voting equipment complies with the voluntary guidelines.[3]
Twelve states require EAC certification for machines used in their states. Seventeen states require testing by an EAC-accredited lab, but not certification. Nine states and DC require testing to federal standards, by any lab. Four other states refer to federal standards but make their own decisions. The remaining eight states do not refer to federal standards.[4]
Certification takes two years, costs a million dollars, and is needed again for any equipment update, so election machines are a difficult market.[5]
A revision to the guidelines, known as the VVSG 1.1, was prepared in 2009 and approved in 2015.[2] Voting machine manufacturers can choose which guidelines they follow.[6] A new version has been written known as the VVSG 2.0 or the VVSG Next Iteration, which is being reviewed.[2]
In an optical scan voting system, each voter's choices are marked on one or more pieces of paper, which then go through a scanner. The scanner creates an electronic image of each ballot, interprets it, creates a tally for each candidate, and usually stores the image for later review.
The voter may mark the paper directly, usually in a specific location for each candidate, then mail it or put it in a ballot box.
Or the voter may select choices on an electronic screen, which then prints the chosen names, usually with a bar code or QR code summarizing all choices, on a sheet of paper to put in the scanner.[7] This screen and printer is called an electronic ballot marker (EBM) or ballot marking device (BMD), and voters with disabilities can communicate with it by headphones, large buttons, sip and puff, or paddles, if they cannot interact with the screen or paper directly. Typically the ballot marking device does not store or tally votes. The paper it prints is the official ballot, put into a scanning system which counts the barcodes, or the printed names can be hand-counted, as a check on the machines.[8]
Most voters do not look at the machine-printed paper to ensure it reflects their choices. When there is a mistake, an experiment found that 81% of registered voters do not report errors to poll workers.[9] No state requires central reporting of errors reported by voters, so the occasional report cannot lead to software correction. Hand-marked paper ballots more clearly have been reviewed by voters, but some places allow correction fluid and tape so ballots can be changed later.[10]
Two companies, Hart and Clear Ballot, have scanners which count the printed names, which voters had a chance to check, rather than bar codes and QR codes, which voters are unable to check.[11] When scanners use the bar code or QR code, the candidates are represented in the bar code or QR code as numbers, and the scanner counts those codes, not the names. If a bug or hack makes the numbering system in the ballot marking device different from the numbering system in the scanner, votes will be tallied for the wrong candidates.[11] This numbering mismatch has appeared with direct recording electronic machines (below).[12]
Errors in ballot marking devices
Ballot marking devices display contests and candidates on a screen where voters can make, change and check selections before printing the choices on paper to put in a ballot box. The election worker provides a code for each voter, to tell the machine what contests that voter may vote on. Contests presented to voters depend on the district boundaries they live in.
A common concern is picking one candidate and having the machine register another. Staff say that touching the touch screen near a boundary between candidates, or with a tremor can choose the wrong candidate, so voters need to check. If they discover a mistake after printing the ballot, they can spoil that ballot and start over.[13][14] Some places put a privacy screen over the BMD's display, so voters must be "aggressive" when pressing the touchscreen to register a vote.[15]
In a 2023 election in Northampton County, PA, misprogramming switched text on paper between two judge retention contests, so a vote to remove or retain the first was labeled with the name of the second, and vice versa. The county briefly changed to hand-marked paper ballots, but ran out, and went back to the mislabeled BMDs. The county and court changed instructions throughout the day.[16]
In a 2022 election in Marietta, GA, up to 157 voters were presented lists of contests which were partly in error, due to recent changes in district boundaries.[17]
In a 2019 election in Philadelphia, PA, 40% of polling locations had problems with BMDs, including "touchscreens that were hypersensitive or that froze; paper voting receipts getting jammed in the machines; and panels opening on some machines to expose the equipment's electronic controls."[18][19]
In a 2019 election in Northampton County, PA, BMD screens were hypersensitive or insensitive, from being "configured improperly in the factory" so voters had to keep trying to select their candidates. An instructional message was treated as a Republican candidate, so straight party votes omitted the real candidate.[20]
Errors in optical scans
Some scanners have a row of photo-sensors which the paper ballot passes by, and they record light and dark pixels from the ballot. Other scanners work by scanning the ballot to create an electronic image (i.e. a picture) of the ballot. Then the resulting image (picture) is analyzed by internal software to discern what votes were cast. In these types of vote tabulators, any defect in the scanning apparatus, such as dirt, scratches on the lens, or chads of paper, may mar the image of the ballot. These types of defects may produce long black lines, or white lines in the ballot image, which then may be misread by the software as an undervote (no votes for anyone), or as an overvote (a vote for every candidate).[21][22][23] Some offices blow compressed air over the scanners after every 200 ballots to remove dust.[24]
Software can miscount or fail to count. If it fails or miscounts drastically enough, people notice and check. Errors can happen in the scanner or at the ballot printer. Staff rarely identify the person who caused an error, and assume it was accidental, not a hack.
In the 2024 General election in Cambria County, PA, software and printing errors prevented counting votes on election day. Polls stayed open late and ballots were counted later.[25]
In the 2024 general election in Centre County, PA, results from 13,000 scanned ballots did not upload to the central election computers, and were rescanned.[26]
In a 2024 primary in Utah, "adjudicated ballots were not reflected in the total results" in at least Tooele and Washington Counties, when more than a few adjudicated ballots were entered at once.[27]
In a 2024 primary throughout Puerto Rico, parties found over 1,000 errors. The elections commission said the voting machines "incorrectly calculate vote totals". The election commission then "conducted a full vote tally and audited paper receipts from hundreds of ballot-counting machines."[28] Dominion said the errors were in their software which exports counts from the voting system for public release.[29]
In a 2022 election in Monmouth County, NJ, software did not notice when staff uploaded six flashdrives of ballot images twice, which added more votes to candidates and switched a school board winner. It was caught by a council member who thought the numbers were too high, and made a public records request for detailed numbers, which showed more ballots than voters checked in. The part of the software designed to notice duplicates had not been installed, and there was no automated checking that the installation was right.[30]
In a 2022 election in DeKalb County, GA, a candidate who actually won appeared to lose, after votes were not counted for her in some precincts, because another candidate withdrew, and programming did not categorize votes correctly.[31][32]
in a 2022 election in Clackamas County, OR, scanners could not read more than 100,000 ballots on which the ballot printing company had printed a blurred bar code. The ballots needed to be hand-copied by teams of two onto correctly printed ballots. The problem was discovered May 3, for the May 17 election, and was not corrected until after the election.[33][34][35]
in a 2022 election in Lancaster County, PA, scanners could not read 22,000 ballots on which the ballot printing company had put the wrong identification code. The ballots were hand-copied by teams of three onto correctly printed ballots. The state does not let mailed ballots be scanned before election day, so the problem was only discovered on election day.[36][37]
in a 2021 election in Williamson, TN, precinct scanners had two errors: They misread QR codes, mistakenly classifying some ballots as provisional and not to be tallied, then kept that not-to-be tallied classification for later ballots, so large numbers of ballots were not included in precinct reports at some precincts. They were re-scanned correctly on a central scanner and checked by a hand-tally.[38] The county rented another brand for the 2022 elections.[39]
In a 2021 primary in New York City, 135,000 test ballots were not removed from the database and were included in preliminary counts for the mayoral primary. They were discovered because totals were higher than the number of voters, and corrected by removing them from the count.[40][41]
in a 2021 election in Lancaster County, PA, scanners could not read 12,300 ballots on which the ballot printing company had put the wrong identification code.[36][37]
in 2020 elections in Collier and Volusia Counties, FL, the election's optical scanners mis-interpreted voters' marks on 0.1% and 0.2% of ballot sheets respectively. These were not enough to change any outcomes, and involved voters' marks which barely touched the ovals intended to record votes. They were discovered by independent software re-examining all the ballot images.[42]
in a 2020 election in Antrim County, MI, last minute updates to some ballots were not applied to all scanners, so the scanners had inconsistent numeric codes for different candidates and styles of ballots, causing errors of thousands of votes. Corrections happened in stages, leading to less and less confidence in the results.[43] Results were eventually confirmed by a hand count.[44]
In a 2020 election in Windham, New Hampshire, fold lines in the wrong places and dust on scanner sensors caused many fold lines to count as votes.[45]
In a 2020 election in Baltimore, Maryland, the private company which printed ballots shifted the location of some candidates on some ballots up one line, so the scanner looked in the wrong places on the paper and reported the wrong numbers. It was caught because a popular incumbent got implausibly few votes, and corrected by hand-copying mailed ballots onto well-formatted ballots.[46]
In a 2019 election in Northampton county, Pennsylvania, the software under-counted one candidate by 99%, reporting 164 votes, compared to 26,142 found in a subsequent hand-count, which changed the candidate's loss to a win.[47]
In 2018 scanners in various states had problems from humidity, rejecting too many ballots, rejecting staff passwords, delivery to the wrong locations, broken machines, power outages, screen calibration shifting votes to other candidates, and broken cartridges to start machines.[48]
In a 2018 New York City election when the air was humid, ballots jammed in the scanner, or multiple ballots went through a scanner at once, hiding all but one.[49]
In a 2016 Maryland election, a comparison of two scanning systems on the same ballots revealed that (a) 1,972 ballot images were incorrectly left out of one system, (b) one system incorrectly ignored many votes for write-in candidates,[50] (c) shadows from paper folds were sometimes interpreted as names written in on the ballot, (d) the scanner sometimes pulled two ballots at once, scanning only the top one, (e) the ballot printers sometimes left off certain candidates, (f) voters often put a check or X instead of filling in an oval, which software has to adapt to, and (g) a scratch or dirt on a scanner sensor put a black line on many ballot images, causing the appearance of voting for more than the allowed number of candidates, so those votes were incorrectly ignored.[21][22]
In 2016 Wisconsin elections statewide, some voting machines did not detect some of the inks used by voters.[51][52]
In a 2016 Rhode Island election, machines were misprogrammed with only one ballot style, though there were two. Results were surprising enough so officials investigated and found the error.[53][52]
In a 2014 Stoughton, Wisconsin, election, all voters' choices on a referendum were ignored, because the scanner was programmed to look in the wrong spot on the ballot. It was corrected by a hand count.[24]
In a 2012 Palm Beach County, Florida, election, votes in four Wellington City contests were reported for a different contest, causing the wrong winners to be certified in two of the contests. The problem did not occur in the county's other 15 municipalities.[54][55]
In a 2010 New York election, 20,000 votes for governor and 30,000-40,000 votes for other offices were ignored, because the scanners overheated and disqualified the ballots by reading multiple votes in races where voters had properly only voted once.[56][57][58]
In a 2004 Yakima, Washington, election 24 voters' choices on 4 races were ignored by a faulty scanner which created a white streak down the ballot.[61]
In a 2004 Medford, Wisconsin, election, all 600 voters who voted a straight party ticket had all their votes ignored, because the manufacturer forgot to program the machines for a partisan election.[62] Election officials did not notice any problem. The consultant who found the lost 600 voters also reported a Michigan precinct with zero votes, since staff put ballots in the scanner upside down.
In a 2000 Bernalillo County (Albuquerque area), New Mexico, election, a programming error meant that straight-party votes on paper ballots were not counted for the individual candidates. The number of ballots was thus much larger than the number of votes in each contest. The software was fixed, and the ballots were re-scanned to get correct counts.[63][64]
In the 2000 Florida presidential race the most common optical scanning error was to treat as an overvote a ballot where the voter marked a candidate and wrote in the same candidate.[65]
Researchers find security flaws in all election computers, which let voters, staff members or outsiders disrupt or change results, often without detection.[66]
Recreated ballots are paper[67] or electronic[68] ballots created by election staff when originals cannot be counted for some reason. Reasons include tears, water damage, folds which prevent feeding through scanners and voters selecting candidates by circling them or other abnormal marks.[69] Reasons also include citizens abroad who use the Federal Write-In Absentee Ballot because of not receiving their regular ballot in time. As many as 8% of ballots in an election may be recreated.[68]
When auditing an election, audits are done with the original ballots, not the recreated ones, to catch mistakes in recreating them.
Cost of scanning systems
If most voters mark their own paper ballots and one marking device is available at each polling place for voters with disabilities, Georgia's total cost of machines and maintenance for 10 years, starting 2020, has been estimated at $12 per voter ($84 million total). Pre-printed ballots for voters to mark would cost $4 to $20 per voter ($113 million to $224 million total machines, maintenance and printing). The low estimate includes $0.40 to print each ballot, and more than enough ballots for historic turnout levels. The high estimate includes $0.55 to print each ballot, and enough ballots for every registered voter, including three ballots (of different parties) for each registered voter in primary elections with historically low turnout.[70][71] The estimate is $29 per voter ($203 million total) if all voters use ballot marking devices, including $0.10 per ballot for paper.
The capital cost of machines in 2019 in Pennsylvania is $11 per voter if most voters mark their own paper ballots and a marking device is available at each polling place for voters with disabilities, compared to $23 per voter if all voters use ballot marking devices.[72] This cost does not include printing ballots.
New York has an undated comparison of capital costs and a system where all voters use ballot marking devices costing over twice as much as a system where most do not. The authors say extra machine maintenance would exacerbate that difference, and printing cost would be comparable in both approaches.[73] Their assumption of equal printing costs differs from the Georgia estimates of $0.40 or $0.50 to print a ballot in advance, and $0.10 to print it in a ballot marking device.[70]
A touch screen displays choices to the voter, who selects choices, and can change their mind as often as needed, before casting the vote. Staff initialize each voter once on the machine, to avoid repeat voting. Voting data and ballot images are recorded in memory components, and can be copied out at the end of the election.
The system may also provide a means for communicating with a central location for reporting results and receiving updates,[74] which is an access point for hacks and bugs to arrive.
Some of these machines also print names of chosen candidates on paper for the voter to verify. These names on paper can be used for election audits and recounts if needed. The tally of the voting data is stored in a removable memory component and in bar codes on the paper tape. The paper tape is called a Voter-verified paper audit trail (VVPAT). The VVPATs can be counted at 20–43 seconds of staff time per vote (not per ballot).[75][76]
For machines without VVPAT, there is no record of individual votes to check.
Errors in direct-recording electronic voting
This approach can have software errors. It does not include scanners, so there are no scanner errors. When there is no paper record, it is hard to notice or research most errors.
The only forensic examination which has been done of direct-recording software files was in Georgia in 2020, and found that one or more unauthorized intruders had entered the files and erased records of what it did to them. In 2014–2017 an intruder had control of the state computer in Georgia which programmed vote-counting machines for all counties. The same computer also held voter registration records. The intrusion exposed all election files in Georgia since then to compromise and malware. Public disclosure came in 2020 from a court case.[77][78][79] Georgia did not have paper ballots to measure the amount of error in electronic tallies. The FBI studied that computer in 2017, and did not report the intrusion.[80][77]
A 2018 study of direct-recording voting machines (iVotronic) without VVPAT in South Carolina found that every election from 2010 to 2018 had some memory cards fail. The investigator also found that lists of candidates were different in the central and precinct machines, so 420 votes which were properly cast in the precinct were erroneously added to a different contest in the central official tally, and unknown numbers were added to other contests in the central official tallies. The investigator found the same had happened in 2010. There were also votes lost by garbled transmissions, which the state election commission saw but did not report as an issue. 49 machines reported that their three internal memory counts disagreed, an average of 240 errors per machine, but the machines stayed in use, and the state evaluation did not report the issue, and there were other error codes and time stamp errors.[12][81]
In a 2017 York County, Pennsylvania, election, a programming error in a county's machines without VVPAT let voters vote more than once for the same candidate. Some candidates had filed as both Democrat and Republican, so they were listed twice in races where voters could select up to three candidates, so voters could select both instances of the same name.[82] They recounted the DRE machines' electronic records of votes and found 2,904 pairs of double votes.[83]
In a 2015 Memphis, Tennessee, city election, the central processing system lost 1,001 votes which showed on poll tapes posted at precincts: "at Unity Christian... precinct's poll tape... 546 people had cast ballots... Shelby County's first breakdown of each precinct's voting... for Unity Christian showed only 330 votes. Forty percent of the votes had disappeared... At first it looked like votes were missing from not just one precinct but 20. After more investigation, he appeared to narrow that number to four... In all, 1,001 votes had been dropped from the election night count."[84][85]
In a 2012 Shelby County, Tennessee, (Memphis area) election 801 voters signed into a polling place, and only 293 votes were recorded. In another precinct 20 extra memory cards were uploaded before polls closed. The central election management system let the number of memory cards be changed by hand, and reducing it could erase memory cards which had been loaded.[85]
In a 2011 Fairfield Township, New Jersey, election a programming error in a machine without a VVPAT gave two candidates low counts. They collected more affidavits by voters who voted for them than the computer tally gave them, so a judge ordered a new election which they won.[86]
Email, fax, phone apps, modems, and web portals transmit information through the internet, between computers at both ends, so they are subject to errors and hacks at the origin, destination and in between.
Election machines online
As of 2018–19, election machines are online, to transmit results between precinct scanners and central tabulators, in some counties in Florida, Illinois, Indiana, Iowa, Michigan, Minnesota, Rhode Island, Tennessee and Wisconsin.[90]
Receiving ballots online
In many states, voters with a computer and printer can download a ballot to their computer, fill it out on the computer, print it and mail it back. This "remote access vote by mail" (RAVBM) avoids transmitting votes online, while letting distant voters avoid waiting for a mailed ballot, and letting voters with disabilities use assistive technologies to fill in the ballot privately and independently, such as screen readers, paddles or sip and puff if they already have them on their computer.[91] The voter also receives a form with tracking numbers and a signature line, to mail back inside or outside the envelope with the ballot, so staff can review eligibility of the voter and prevent multiple votes from the same voter. Many states accept mailed ballots after election day, to allow time for mail from distant voters to arrive.[92] The printed ballot may show just the choices and a bar code or QR code, not all the candidates and unvoted contests.
The voter's choices are not put online, which is an advantage for the voter's privacy. However the system does not work for people who have no printer or no computer. For people, such as soldiers, with a shared computer or printer, votes can be divulged by keystroke logging, by the print queue, or by people seeing ballots on the printer. Alternatives for distant voters are to get a paper ballot from the election office or the Federal Write-In Absentee Ballot.[93] Alternatives for local voters with disabilities are to use a ballot marking device (BMD) at a polling place, if they can get there, or have election staff bring a BMD and ballot box to the voter.[94] The voter's printer does not necessarily use the weight and size of paper expected by the election scanners, so, after separating ballot from identifiers, staff copy the voter's choices onto a standard ballot for scanning.[95] This copying has scope for error.
In California people send a signed application by mail, email or fax and receive a code by email, so there are signature checks both on the application and when the ballot envelope arrives.[96] In Washington, people access the ballot electronically with name and birth date, so signature checks when the ballot envelope arrive are the method to authenticate ballots.[97]
Individuals voting online
States which allow individual voters to submit completed ballots electronically in the United States are:[98]
Hawaii allows email voting by any permanent absentee voter who has not received a ballot by five days before an election
Idaho allows email and fax voting in declared emergencies
Louisiana allows fax voting for voters with a disability
Utah allows email and fax voting for those with disabilities
Other states have tried or considered software, with problems discussed below.
The Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) lets overseas citizens and all military and merchant marine voters get ballots electronically (email, fax, or web site). They then submit ballots by mail to 19 states. Seven states allow submission through secure web sites: AL, AZ, CO (if needed), MA, MI,[99] NC, ND, and WV. These seven and the remaining 25 states have a mix of rules allowing email or fax:[98] AK, CA, DE, DC, FL, HI, IN, IA, KS, LA, ME, MS, MO, MT, NE, NV, NJ, NM, OK, OR, RI, SC, TX (for danger, combat zones or space[100][101]), UT, and WA.[98] The Federal Voting Assistance Program converts emails to fax at voter request, so states which require fax receive ballots which started as emails.[102]
in 2019-2020 researchers found insecurities in online voting systems from Voatz,[114][116][117] and Democracy Live.[103][118]
In 2010, graduate students from the University of Michigan hacked into the District of Columbia online voting systems during an online voting mock test run and changed all the cast ballots to cater to their preferred candidates. This voting system was being tested for military voters and overseas citizens, allowing them to vote on the Web, and was scheduled to run later that year. It only took the hackers, a team of computer scientists, thirty-six hours to find the list of the government's passwords and break into the system.[119]
In March 2000 the 2000 Arizona Democratic presidential primary internet election was conducted over the internet using the private company votation.com.[120] Each registered member of the party received a personal identification number in the mail. They could vote in person or over the internet, using their PIN and answering two questions such as date and place of birth. During the election older browsers failed, but no hacks were identified.[121]
Electronic processing of postal and absentee ballots
Checking signatures on envelopes of absentee ballots is hard, and is often computerized in jurisdictions with many absentee ballots. The envelope is scanned, and the voter's signature on the outside of the envelope is instantly compared with one or more signatures on file. The machine sets aside non-matches in a separate bin. Temporary staff then double-check the rejections, and in some places check the accepted envelopes too.[122]
Error rates of computerized signature reviews are not published. "A wide range of algorithms and standards, each particular to that machine's manufacturer, are used to verify signatures. In addition, counties have discretion in managing the settings and implementing manufacturers' guidelines… there are no statewide standards for automatic signature verification… most counties do not have a publicly available, written explanation of the signature verification criteria and processes they use"[122]
Handwriting experts agree "it is extremely difficult for anyone to be able to figure out if a signature or other very limited writing sample has been forged".[123] The National Vote at Home Institute reports that 17 states do not mandate a signature verification process.[124] The Election Assistance Commission says that machines should be set only to accept nearly perfect signature matches, and humans should doublecheck a sample, but EAC does not discuss acceptable error rates or sample sizes.[125]
In the November 2016 general election, rejections ranged from none in Alabama and Puerto Rico, to 6% of ballots returned in Arkansas, Georgia, Kentucky and New York.[126][127] Where reasons for rejection were known, in 2018, 114,000 ballots arrived late, 67,000 failed signature verification, 55,000 lacked voter signatures, and 11,000 lacked witness signatures in states which require them.[128] The intent of the signature verification step was to catch and reject forged signatures on ballot envelopes.[129][130]
The highest error rates in signature verification are found among lay people, higher than for computers, which in turn make more errors than experts.[131] Researchers have published error rates for computerized signature verification. They compare different systems on a common database of true and false signatures. The best system falsely rejects 10% of true signatures, while it accepts 10% of forgeries. Another system has error rates on both of 14%, and the third-best has error rates of 17%.[132][133] It is possible to be less stringent and reject fewer true signatures, at the cost of also rejecting fewer forgeries, which means erroneously accepting more forgeries.[134] Vendors of automated signature verification claim accuracy, and do not publish their error rates.[135][136][137][138]
Voters with short names are at a disadvantage, since even experts make more mistakes on signatures with fewer "turning points and intersections".[139]
An electronic pollbook, also known as an e-pollbook, is a combination of hardware and software which maintains voter register information at a polling place to check if each voter is registered and has not already voted in the election. When voters have a choice of multiple vote centers where they may vote, e-pollbooks communicating over the internet can prevent a voter from voting more than once.[140]
In 2023 a contractor, WSD Digital, developing a voter registration and e-pollbook system for New Hampshire put in code to link to websites in Russia and used open source software managed by a Russian. New Hampshire found those issues by hiring another company, ReversingLabs, to review the code of the first company.[141]
In 2022 Williamson County TX found two problems: that its use of e-poll books sometimes assigned the wrong ballot style to voters, so they voted on contests outside their area, and did not vote on contests in their own area; and that some ballots did not display the voters' precincts.[142]
State and local websites for election results
Election offices display election results on the web by transferring USB drives between offline election computers, and online computers which display results to the public. USB drives can take infections from the online computers to the election computers.[143][144] Local governments communicate electronically with their state governments so the state can display results, with the result that problems at the state level can affect all or many local offices.
Election-reporting websites run software to aggregate and display results. These have had programming errors which showed erroneous partial results during the evening,[145] and the wrong winner.[146] Local officials can change results. A Virginia official was charged with changing results by herself in the state's VERIS system. All charges were dropped when witnesses changed their stories, since computer logs did not prove whether changes were or were not made.[147]
Before the 2016 general election, Russians gained access to at least one employee's account[148] at a vendor which manages election-reporting websites.[149] During the 2018 general election, a hacker in India gained administrative access to the Alaska election-reporting website.[150][151]
Studies by McAfee and ProPublica in 2020 found that most election websites have inadequate security. McAfee analyzed swing states.[152] ProPublica analyzed Super Tuesday states.[153] They found many offices using outdated, insecure, dangerous and inappropriate software, including unsupported operating systems, and using the same few web hosts, which they said is dangerous for critical infrastructure, since finding a flaw in one can lead to access to them all.[153] They criticized offices for not using https encryption, and for public sitenames ending in .com or .org, since it leads voters to trust sites which are not .gov, and voters can easily be tricked by a similar name.[154]
In 2016 Homeland Security and the Director of National Intelligence said that United States elections are hard to hack, because they are decentralized, with many types of machines and thousands of separate election offices operating under 51 sets of state laws.[155][156] Others have made similar statements.[157]
An official at the Center for Strategic and International Studies said a nation state would target hacks in key counties.[158] A McAfee expert said decentralization makes defense hard and for "a very determined group, trying to compromise this system, I think it ends up playing more into their favor than against them."[158] Each city or county election is run by one office, and a few large offices affect state elections. County staff cannot in practice defend against foreign governments.[159]
Security reviews
The Brennan Center summarized almost 200 errors in election machines from 2002 to 2008, many of which happened repeatedly in different jurisdictions, which had no clearinghouse to learn from each other.[59] More errors have happened since then. Cleveland State University listed formal studies of voting systems done by several groups through 2008.[160]
Machines in use are not examined to determine if they have been hacked, so no hacks of machines in use have been documented. Researchers have hacked all machines they have tried, and have shown how they can be undetectably hacked by manufacturers, election office staff, pollworkers, voters and outsiders and by the public.[66] Vulnerabilities identified at the 2019 DEFCON Las Vegas hackers convention had been previously noted and "included poor physical security protections that could allow undetected tampering; easily guessable hard-coded system credentials; potential for operating system manipulations; and remote attacks that could compromise memory or integrity checks or cause denial of service."[161] The public can access unattended machines in polling places the night before elections.[162] Some of the hacks can spread among machines on the removable memory cards which tell the machines which races to display, and carry results back to the central tally location.
The CEO of Free and Fair, an open source vendor, said the cheapest way to improve security is for each election office to hire a computer student as a white hat hacker to conduct penetration tests.[163]
Security reviews of election machines
State
Year
Products reviewed
Findings
Texas
2020
ES&S
Texas annually reviews software.[164] In 2020 the review noted that procedures did not ensure the ES&S software in use was the same as the software approved by the Election Assistance Commission.[165]
California
2020
Many
State and contractor evaluations of all election machines used in the state[166]
California
2007
"top-to-bottom review" of security of all electronic voting systems in the state, including Diebold Election Systems, Hart InterCivic, Sequoia Voting Systems and Elections Systems and Software.[167]
August 2 report by computer security experts from the University of California found flaws in voting system source code. On July 27 "red teams" reported on "worst case" Election Day scenarios, where they identified vulnerabilities to tampering or error. The Top to Bottom review also included a comprehensive review of manufacturer documentation as well as a review of accessibility features and alternative language requirements.
The California security experts found significant security flaws in all of the manufacturers' voting systems, flaws that could allow a single non-expert to compromise an entire election.[168] The July and August reports found that three of the tested systems fell far short of the minimum requirements specified in the EAC 2005 Voluntary Voting System Guidelines (VVSG). On August 3, 2007, Bowen decertified machines that were tested, and also the ES&S InkaVote machine, which was not included in the review because the company submitted it past the deadline for testing. Some of the systems tested were conditionally recertified with new stringent security requirements imposed.[169] The companies in question had until the February 2008 California Presidential Primaries to fix their security issues and ensure that election results could be closely audited.
California
2007
Hart eSlate voting system
Researchers at UC Davis, and Yolo County reported on security flaws.[170]
California
2004
Diebold
Researchers evaluated software because of Harri Hursti's discovery of their hackability in Leon County FL.[171]
Provide results to election officials in Excel without hash values, so malware (or unsupervised staff) can change results before publication. Michigan requires election systems to provide results in spreadsheet format; it neither requires nor forbids hash values.[172]
Three teams of security researchers, based at the Pennsylvania State University, the University of Pennsylvania, and WebWise Security, Inc., conducted the security reviews. The teams had access to voting machines and software source code from the three vendors and performed source code analysis and security penetration testing with the aim of identifying security problems that might affect the integrity of elections that use the equipment. The 2007 Ohio report noted that all
election systems rely heavily on third party software that implement interfaces to the operating systems, local databases, and devices such as optical scanners... the construction and features of this software is unknown, and may contain undisclosed vulnerabilities such trojan horses or other malware.[178]
Thus election machines are subject to "class breaks", which are attacks, deliverable by annual updates, against the underlying operating systems and drivers.[179] The 2016 federal certification of ES&S notes that it uses Windows 7, Windows Server 2008, Excel 2007, Adobe Acrobat version 9.0 (support ended 2013), WSUS Offline Update Utility 8.8 (issued 2013[180]) and other off the shelf software.[181]
Princeton University computer scientists studied security of the voting system for a group of New Jersey counties. Their results showed that the AccuVote-TSx was insecure and could be "installed with vote-stealing software in under a minute". The scientists also said that machines can transmit computer viruses from one to another "during normal pre- and post-election activity".[186]
Arizona
2005
ES&S Optech 4C scanner/tabulators
A state Senator had a consultant do an evaluation[187]
Five states check all contests by hand tallies in a small percent of locations, AK, CA, PA, UT, WV, though California excludes about half the ballots, the ones counted after election day, and Alaska excludes small precincts. Two states check all contests by machines independent of the election machines, in a small percent of locations, NY, VT. Seventeen states check one or a few contests by hand, usually federal races and the governor; most local contests are not checked. Four states reuse the same machines or ballot images as the election, so errors can persist, CT, IL, MD, NV. Sixteen states do not require audits, or only in special circumstances. In seven states many voters still lack paper ballots, so audits are not possible. IN, KY, LA, MS, NJ, TN, TX.[189]
Even where audits are done, no state has adequate security on the paper ballots, so they can be damaged to impede audits, or altered to match erroneous machine tallies.[190] Even insiders have breached security.[191][192]
Public attitudes
The Pew Research Center found in October 2018 wide mistrust of election security in both parties, especially among Democrats
8% of voters were "very confident that election systems are secure from hacking and other technological threats".
37% were "somewhat confident", and the remaining 55% were not confident
13% of Republicans were very confident, and 41% were not confident
4% of Democrats were very confident, and 66%% were not confident[193]
An MIT professor's survey found that Republicans think domestic hackers are more likely than foreigners; Democrats think the opposite.[194]
Stanford and Wisconsin researchers in 2019 found that only 89% of voters disapprove if a foreign country would "hack into voting machines and change the official vote count to give [a] candidate extra votes" and the candidate wins. This 89% disapproval is not much more than the 88% who disapprove of a foreign country making campaign contributions and 78-84% against them spreading lies. Only 73-79% disapprove if their party got help, while 94-95% disapprove of the other party getting help. If a foreign country thought about interfering, but did not, 21% distrust the results anyway. This rises only to 84% distrusting final results after a foreign country hacked and changed results.[195][196]
For any of the foreign actions (hacks, contributions or lies), 72% of voters support economic sanctions, 59% support cutting diplomatic relations, 25% support a military threat, and 15% support a military strike. There was less support for action, by 4-20 percentage points, if the foreign country helped one's own party win, so the researchers point out that retaliation is unlikely, since there is little support for it in a winning party. Deep investigation creates more certainty about who is to blame, which they find raises support for retaliation very little. They randomly listed China, Pakistan or Turkey as the interfering country, and do not report any different reactions to them.[196]
A Monmouth University poll in May 2019 found that 73% thought Russia interfered in the 2016 election (not necessarily by hacking), 49% thought it damaged American democracy a lot, 57% thought Russia interfered in the 2018 election, and 60% thought the U.S. government is not doing enough to stop it. Margin of error is ±3.5%.[197]
Three vendors sell most of the machines used for voting and for counting votes. As of September 2016, the American Election Systems & Software (ES&S) served 80 million registered voters, Canadian Dominion Voting Systems 70 million, American Hart InterCivic 20 million, and smaller companies less than 4 million each.[5]
Three companies sell mail sorting and signature verification machines: ES&S, Runbeck and a merged company, Olympus/Vantage/Pitney Bowes/Bell & Howell.[122] In 2018 BlueCrest acquired the Pitney Bowes election business,[199] and in 2021 BlueCrest acquired Fluence,[200] which had obtained the Bell & Howell election business in 2017.[201] In 2022 the BlueCrest printing and sorting business was acquired by Corum Group.[202] Olympus[203] and Vantage[204] machines are sold by BlueCrest. Runbeck uses Vantage sorters from BlueCrest.[205] Runbeck also processes envelopes under contract.[206]
The signature-matching software most used is from Parascript,[207] spun off from Paragraph, a Soviet-American joint venture though there are other companies.[208] Parascript had fewer errors than other software in 2010: Parascript rejected 14% of genuine signatures and accepted 8% of forgeries if they were modeled on a genuine signature.[209]
Amazon provides election websites in 40 states, including election-reporting sites in some of them.[210] A Spanish company, Scytl, manages election-reporting websites statewide in 12 U.S. states, and in another 980 local jurisdictions in 28 states.[211] Another website management company is VR Systems, active in 8 states.[212] Maryland's election website is managed by a company owned by an associate of Russian President Putin.[213]
1974: The Video Voter, the first DRE voting machine used in a government election, developed by the Frank Thornber Company in Chicago, Illinois, saw its first trial use in 1974 near Chicago.[215]
Mar. 1975:The U.S. Government is given a report by Roy G. Saltman, a consultant in developing election technology and policies,[216] in which the certification of voting machines is analyzed for the first time.
August 28, 1986: The Uniformed and Overseas Citizen Absentee Voting Act of 1986 (UOCAVA) requires that U.S. states allow certain groups of citizens to register and vote absentee in elections for federal offices.[217]
1996: The Reform Party uses I-Voting (Internet Voting) to select their presidential candidate. This election is the first governmental election to use this method in the U.S.[218]
May 2002:The FEC revised the standards established for electronic voting from 1990.
Nov 2004: 4,438 of votes in the general election is lost by North Carolina's electronic voting machines. The machines continued to count electronic votes past the device's memory capacity and the votes were irretrievably lost.
Dec 2005: Black Box Voting showed how easy it is to hack an electronic voting system. Computer experts in Leon County, Fl lead a simulation where they changed the outcome of a mock election by tampering with the tabulator without leaving evidence of their actions.
September 13, 2006: It was demonstrated that Diebold Electronic Voting Machine can be hacked in less than a minute. Princeton's Professor of Computer Science, Edward Felten who installed a malware which could steal votes and replace them with fraudulent numbers without physically coming in contact with the voting machine or its memory card. The malware can also program a virus that can spread from machine to machine.
September 21, 2006: The governor of Maryland, Bob Ehrlich (R), advised against casting electronic votes as an alternative method for casting paper absentee ballots. This was a complete turn around since Maryland became one of the first states to accept electronic voting systems statewide during his term.
September 3, 2009: Diebold, responsible for much of the technology in the election-systems business, sells their hold to Election Systems & Software, Inc for $5 Million, less than 1/5 of its price seven years earlier.[219]
October 28, 2009: The federal Military and Overseas Voters Empowerment Act (MOVE) requires U.S. states to provide ballots to UOCAVA voters in at least one electronic format (email, fax, or an online delivery system).[220]
January 3, 2013: Voter Empowerment Act of 2013 – This act requires each U.S. state to make available public websites for online voter registration.[221]
Spring 2019: Department of Defense DARPA announces $10 million contract for secure, open-source election system prototypes based on the agency's SSITH secure hardware platform work: a touch screen ballot-marking device to demo at the annual DEF CON hacker conference in summer 2019 and an optical scan system to read hand-marked paper ballots targeted for DEF CON 2020.[222][223][224]
Legislation
In the summer of 2004, the Legislative Affairs Committee of the Association of Information Technology Professionals issued a nine-point proposal for national standards for electronic voting.[225] In an accompanying article, the committee's chair, Charles Oriez, described some of the problems that had arisen around the country.[226][227]
Legislation has been introduced in the United States Congress regarding electronic voting, including the Nelson-Whitehouse bill. This bill would appropriate as much as 1 billion dollars to fund states' replacement of touch screen systems with optical scan voting system. The legislation also addresses requiring audits of 3% of precincts in all federal elections. It also mandates some form of paper trail audits for all electronic voting machines by the year 2012 on any type of voting technology.[228]
Another bill, HR.811 (The Voter Confidence and Increased Accessibility Act of 2003), proposed by Representative Rush D. Holt, Jr., a Democrat from New Jersey, would act as an amendment to the Help America Vote Act of 2002 and require electronic voting machines to produce a paper audit trail for every vote. The U.S. Senate companion bill version introduced by Senator Bill Nelson from Florida on November 1, 2007, necessitates the Director of the National Institute of Standards and Technology to continue researching and to provide methods of paper ballot voting for those with disabilities, those who do not primarily speak English, and those who do not have a high literacy rating. Also, it requires states to provide the federal office with audit reports from the hand counting of the voter verified paper ballots. Currently, this bill has been turned over to the United States Senate Committee on Rules and Administration and a vote date has not been set.[229]
During 2008, Congressman Holt, because of an increasing concern regarding the insecurities surrounding the use of electronic voting technology, submitted additional bills to Congress regarding the future of electronic voting. One, called the "Emergency Assistance for Secure Elections Act of 2008" (HR5036), states that the General Services Administration will reimburse states for the extra costs of providing paper ballots to citizens, and the costs needed to hire people to count them.[230] This bill was introduced to the House on January 17, 2008.[231] This bill estimates that $500 million will be given to cover costs of the reconversion to paper ballots; $100 million given to pay the voting auditors; and $30 million given to pay the hand counters. This bill provides the public with the choice to vote manually if they do not trust the electronic voting machines.[230] A voting date has not yet been determined.
The Secure America's Future Elections Act or the SAFE Act (HR 1562) was among the relevant legislation introduced in the 115th Congress. The bill's provisions include designation of the infrastructure used to administer elections as critical infrastructure; funding for states to upgrade the security of the information technology and cybersecurity elements of election-related IT systems; and requirements for durable, readable paper ballots and manual audits of results of elections.
A ballot is a device used to cast votes in an election and may be found as a piece of paper or a small ball used in voting. It was originally a small ball used to record decisions made by voters in Italy around the 16th century.
Premier Election Solutions, formerly Diebold Election Systems, Inc. (DESI), was a subsidiary of Diebold that made and sold voting machines.
A voting machine is a machine used to record votes in an election without paper. The first voting machines were mechanical but it is increasingly more common to use electronic voting machines. Traditionally, a voting machine has been defined by its mechanism, and whether the system tallies votes at each voting location, or centrally. Voting machines should not be confused with tabulating machines, which count votes done by paper ballot.
Electronic voting is voting that uses electronic means to either aid or take care of casting and counting ballots including voting country
Electoral fraud, sometimes referred to as election manipulation, voter fraud, or vote rigging, involves illegal interference with the process of an election, either by increasing the vote share of a favored candidate, depressing the vote share of rival candidates, or both. It differs from but often goes hand-in-hand with voter suppression. What exactly constitutes electoral fraud varies from country to country, though the goal is often election subversion.
Electronic voting is the standard means of conducting elections using Electronic Voting Machines (EVMs) in India. The system was developed for the Election Commission of India by state-owned Electronics Corporation of India and Bharat Electronics. Starting in the late 1990s, they were introduced in Indian elections in a phased manner.
An electronic voting machine is a voting machine based on electronics. Two main technologies exist: optical scanning and direct recording (DRE).
Vote counting is the process of counting votes in an election. It can be done manually or by machines. In the United States, the compilation of election returns and validation of the outcome that forms the basis of the official results is called canvassing.
Voter verifiable paper audit trail (VVPAT) or verified paper record (VPR) is a method of providing feedback to voters who use an electronic voting system. A VVPAT allows voters to verify that their vote was cast correctly, to detect possible election fraud or malfunction, and to provide a means to audit the stored electronic results. It contains the name and party affiliation of candidates for whom the vote has been cast. While VVPAT has gained in use in the United States compared with ballotless voting systems without it, hand-marked ballots are used by a greater proportion of jurisdictions.
Election Systems & Software is an Omaha, Nebraska-based company that manufactures and sells voting machine equipment and services. The company's offerings include vote tabulators, DRE voting machines, voter registration and election management systems, ballot-marking devices, electronic poll books, ballot on demand printing services, and absentee voting-by-mail services.
A DRE voting machine, or direct-recording electronic voting machine, records votes by means of a ballot display provided with mechanical or electro-optical components that can be activated by the voter. These are typically buttons or a touchscreen; and they process data using a computer program to record voting data and ballot images in memory components. After the election, it produces a tabulation of the voting data stored in a removable memory component and as printed copy. The system may also provide a means for transmitting individual ballots or vote totals to a central location for consolidating and reporting results from precincts at the central location. The device started to be massively used in 1996 in Brazil where 100% of the elections voting system is carried out using machines.
End-to-end auditable or end-to-end voter verifiable (E2E) systems are voting systems with stringent integrity properties and strong tamper resistance. E2E systems use cryptographic techniques to provide voters with receipts that allow them to verify their votes were counted as cast, without revealing which candidates a voter supported to an external party. As such, these systems are sometimes called receipt-based systems.
An optical scan voting system is an electronic voting system and uses an optical scanner to read marked paper ballots and tally the results.
Electronic voting by country varies and may include voting machines in polling places, centralized tallying of paper ballots, and internet voting. Many countries use centralized tallying. Some also use electronic voting machines in polling places. Very few use internet voting. Several countries have tried electronic approaches and stopped because of difficulties or concerns about security and reliability.
Scantegrity is a security enhancement for optical scan voting systems, providing such systems with end-to-end (E2E) verifiability of election results. It uses confirmation codes to allow a voter to prove to themselves that their ballot is included unmodified in the final tally. The codes are privacy-preserving and offer no proof of which candidate a voter voted for. Receipts can be safely shown without compromising ballot secrecy.
A risk-limiting audit (RLA) is a post-election tabulation auditing procedure which can limit the risk that the reported outcome in an election contest is incorrect. It generally involves (1) storing voter-verified paper ballots securely until they can be checked, and (2) manually examining a statistical sample of the paper ballots until enough evidence is gathered to meet the risk limit.
An election audit is any review conducted after polls close for the purpose of determining whether the votes were counted accurately or whether proper procedures were followed, or both.
The Verified Voting Foundation is a non-governmental, nonpartisan organization founded in 2004 by David L. Dill, a computer scientist from Stanford University, focused on how technology impacts the administration of US elections. The organization's mission is to "strengthen democracy for all voters by promoting the responsible use of technology in elections." Verified Voting works with election officials, elected leaders, and other policymakers who are responsible for managing local and state election systems to mitigate the risks associated with novel voting technologies.
Election cybersecurity or election security refers to the protection of elections and voting infrastructure from cyberattack or cyber threat – including the tampering with or infiltration of voting machines and equipment, election office networks and practices, and voter registration databases.
Postal voting in the United States, also referred to as mail-in voting or vote by mail, is a form of absentee ballot in the United States. A ballot is mailed to the home of a registered voter, who fills it out and returns it by postal mail or drops it off in-person at a secure drop box or voting center. Postal voting reduces staff requirements at polling centers during an election. All-mail elections can save money, while a mix of voting options can cost more. In some states, ballots may be sent by the Postal Service without prepayment of postage.
↑ "observers from both political parties there... ballots have to be recreated in every election for a number of reasons, ranging from damaged mail-in ballots, to early voters who use pencils which can't be read by ballot tabulators." Jordan, Ben (November 7, 2018). "MKE Election Commission responds to criticism". WTMJ TV Milwaukee. Retrieved May 17, 2020.
1 2 "With the new digital procedure, staff will be able to fix whatever race couldn't be counted, instead of duplicating a voter's entire ballot." White, Rebecca (November 18, 2019). "One Washington County Plans to Speed Vote Counting with Tech". Government Technology. Retrieved May 17, 2020.
↑ "Electronic ballot return faces significant security risks to the confidentiality, integrity, and availability of voted ballots. These risks can ultimately affect the tabulation and results and, can occur at scale... Even with... technical security considerations, electronic ballot return remains a high-risk activity." "Risk Management for Electronic Ballot Delivery, Marking, and Return"(PDF). Election Assistance Commission, National Institute of Standards and Technology, FBI, Cybersecurity & Infrastructure Security Agency. May 11, 2020. Retrieved June 23, 2020.
↑ Halderman, J. Alex; Vanessa Teague (August 13, 2015). The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election. International Conference on E-Voting and Identity. arXiv:1504.05646. doi:10.1007/978-3-319-22270-7_3.
↑ Springall, Drew; Finkenauer, Travis; Durumeric, Zakir; Kitcat, Jason; Hursti, Harri; MacAlpine, Margaret; Halderman, Alex (2014), "Security Analysis of the Estonian Internet Voting System", Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp.703–715, doi:10.1145/2660267.2660315, ISBN978-1-4503-2957-6, S2CID1985090
↑ "The OSCE/ODIHR EAM was made aware of a program that could, if it was running on a voter's computer, change the vote without the possibility for the voter to detect it. The case was brought to the attention of the project manager who assessed this threat to be theoretically plausible but nearly impossible to implement in reality." "Estonia Parliamentary Elections OSCE/ODIHR Election Assessment Mission Report"(PDF). OSCE. March 6, 2011. Retrieved June 20, 2020.
↑ These systems handle scanned ("offline") signatures from multiple people ("WI, writer-independent"). Hafemann, Luiz G.; Robert Sabourin; Luiz S. Oliveira (October 16, 2017). "Offline handwritten signature verification — Literature review". 2017 Seventh International Conference on Image Processing Theory, Tools and Applications (IPTA). pp.1–8. arXiv:1507.07909. doi:10.1109/IPTA.2017.8310112. ISBN978-1-5386-1842-4. S2CID206932295.
↑ Bibi, Kiran; Naz, Saeeda; Rehman, Arshia (January 1, 2020). "Biometric signature authentication using machine learning techniques: Current trends, challenges and opportunities". Multimedia Tools and Applications. 79 (1): 289–340. doi:10.1007/s11042-019-08022-0. ISSN1573-7721. S2CID199576552.
This page is based on this Wikipedia article Text is available under the CC BY-SA 4.0 license; additional terms may apply. Images, videos and audio are available under their respective licenses.