The nation’s top cybersecurity agency released on June 3 the final version of an advisory it previously sent to state officials about voting machine vulnerabilities in Georgia and other states. Election integrity activists say the final version weakens a recommendation on the use of barcodes to count votes.
The advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, concerns vulnerabilities identified in Dominion Voting Systems’ ImageCast X touchscreen voting machines, which produce a paper ballot or record votes electronically. The agency said that while the vulnerabilities need to be mitigated quickly, it “has no evidence that these vulnerabilities have been exploited in any election.”
Dominion’s systems have come under unwarranted attack since the 2020 election by people who espoused the false belief that the election was stolen from former President Donald Trump. The company has filed defamation lawsuits in response to inaccurate and outrageous claims made by high-profile Trump allies.
The CISA notice released Friday is based on a report generated by University of Michigan computer scientist J. Alex Halderman, an expert witness in a long-running lawsuit unrelated to false allegations stemming from the 2020 election.
The machines are used by at least some voters in 16 states, according to a voting equipment tracker maintained by watchdog Verified Voting. In most of those places, they are used only for people who cannot physically fill out a paper ballot by hand. But in some places, including Georgia, almost all in-person voting is done on the affected machines.
Dominion has defended the machines as “accurate and secure.”
As used in Georgia, the machines print a paper ballot that includes a barcode, known as a QR code, and a human-readable summary of the voter’s selections. The votes are counted by a scanner that reads the barcode. Security experts warned that QR codes could be manipulated to reflect different votes than the voter intended.
A version of the advisory sent to election officials last week said: “When barcodes are used to tabulate votes, they may be subject to attacks that exploit the vulnerabilities listed so that the barcode is not consistent with the human-readable part of the paper ballot.” To reduce that risk, the advisory suggested that jurisdictions set up machines, where possible, to “produce traditional full-face ballots, rather than QR-coded summary ballots.”
A full-face ballot looks like a hand-marked paper ballot with all the options for each race listed and a bubble next to the voter’s choice filled in by machine. A summary ballot, by contrast, lists only the voter’s selection for each race.
The recommendation to use full-face ballots instead of summary ballots with QR codes is not included in the final version of the advisory released Friday. Instead, after noting that the vulnerabilities could be exploited to change the barcode so that it does not match a voter’s selections, it includes a parenthetical note that reads: “If states and jurisdictions so choose, ImageCast X provides the configuration option to produce tickets that do not print barcodes for tabulation.”
Halderman expressed disappointment with the change, saying it “drastically weakens” the security that the combination of mitigation measures in the notice would provide in Georgia and other jurisdictions that rely on QR codes to count votes.
Marilyn Marks, executive director of the Coalition for Good Governance, the plaintiff in the lawsuit that led to Halderman’s examination of the machines, said CISA appears to have bowed to political pressure to water down the recommendation.
“It is deeply concerning that self-serving election officials could work their way through CISA to dilute the agency’s essential and compelling security measure to remove barcoded votes from ballots, a serious and unnecessary vulnerability that puts at risk the votes of millions of voters,” Marks said.
A CISA spokesman said the change was not based on complaints from either party, saying that when the agency is alerted to potential vulnerabilities, it’s common to update an advisory while working with researchers, vendors and other partners to provide information on mitigation actions.
“We believe that the set of mitigations in the advisory, when used together, would enable jurisdictions, including those that use barcodes for tabulation, to prevent or detect the exploitation of these vulnerabilities,” an agency statement said.
Dominion machines are capable of printing a full-face ballot without a QR code because the company has updated its software for Colorado, said Matt Crane, executive director of the state association of county clerks. He said that while Secretary of State Jena Griswold announced in 2019 that Colorado would phase out QR codes for security reasons, the transition has only just begun.
Crane said he believed fewer than 2.5% of Colorado voters used Dominion’s ballot-marking machines in the 2020 general election. Most use hand-marked paper ballots.
The notice is based on a report by Halderman, who examined voting equipment used in Georgia as an expert witness hired by plaintiffs in a lawsuit challenging the machines. Originally filed in 2017, the lawsuit focused on outdated voting machines in use by Georgia at the time. The state purchased the Dominion system in 2019, but the plaintiffs contend the new system is also unsafe.
Halderman has long argued that the use of electronic machines to record voter selections is dangerous because computers are inherently vulnerable to hacking and therefore require multiple security measures that are not uniformly followed. He and many other election security experts have insisted that the use of hand-marked paper ballots is the most secure method of voting and the only option that allows for meaningful post-election audits.
Rigorous post-election audits could detect fraud because they would be done by hand and verify that the human-readable portion of the ballot matches the results counted by the scanners. But if the results were rigged in a contest that was not verified, that could go unnoticed.
Associated Press writer Frank Bajak contributed to this report.