The truth about our computerized election systems; Recommendations and suggestions for effective advocacy

By Jennifer Cohn
May 4, 2018

Our elections are under attack. Intelligence officials concur that Russia plans to target the 2018 midterm elections.[1] One hundred experts in the fields of computer science and statistics have recommended paper ballots and post-election statistical audits to protect our democracy.[2] But some election officials have undermined efforts to implement these security measures with irresponsible and false assurances that it would be difficult for hackers to alter the outcome of a national election under our current system.[3]

This handout strives to break through this disinformation with sourced facts that expose the truth about our computerized voting systems. But it goes further than that, providing a list of recommended protocols for 2018 and beyond, as well as suggestions and resources for effective advocacy. We hope that concerned citizens will use this handout as a tool to persuade decision-makers of the urgent need for hand marked paper ballots, robust post-election audits, and other security measures.

The truth about our computerized election systems

As computer science professor Alex Halderman explained during a congressional briefing in July 2017, “[H]acking a national election in the United States would be, well, shockingly easy.”[4] Here are the facts:

All voting machines are at risk of internet hacking, even if they are not directly connected to it. “Over 9,000 jurisdictions (counties and states) in the U.S. run elections with a variety of voting machines: optical scanners for paper ballots, and direct-recording ‘touchscreen’ machines.”[5] Contrary to what some election officials have told us, all such voting machines can be hacked through the internet, even if they are not directly connected to it.[6] Before every election, all voting machines must accept programming to reflect the races on the ballot. They receive this programming via memory cards from computers that are themselves often connected to the internet.[7] All precinct results are sent to central tabulators, often via vulnerable local networks.[8] And central tabulators then transmit results to online Election Night Reporting Systems, providing easy access for internet hacking.[9]

Meanwhile, the New York Times recently published an explosive article revealing that vendor Election Systems & Software (“ES&S”), which accounts for more than 40% of U.S. election equipment, has been selling election management systems — used to tally election results and program voting machines before each election — with remote access software. [9a]

Corrupt insiders with direct access are also a major threat. Elected officials and the media often suggest that nefarious outsiders are the main thing we have to worry about when it comes to vote tally manipulation. But electronic tallies can also be altered by corrupt insiders with direct access to the voting machines or memory cards.[10] Computer Science professor Andrew Appel (Princeton) has shown that it takes only a screwdriver and about seven minutes to install a vote-stealing program into a direct recording electronic (“DRE,” usually touchscreen) machine. [11] As for optical scanners, they use memory cards that can be programmed without detection to add, subtract, or shift as many votes as a rigger chooses.[12] At the 2017 Def Con Hacking Conference, “every piece of equipment in the Voting Village was effectively breached in some manner. Participants with … only limited tools and resources were quite capable of undermining the confidentiality, integrity and availability of these systems.”[13]

Systems are not decentralized. Election officials sometimes claim that voting systems are “decentralized” so that widespread, systemic meddling is not possible. However, just two voting machine vendors account for more than 80 percent of U.S. voting equipment.[14] And the computers used to program the voting machines before each election are themselves centralized at the state or county level.[15] In some states, a single third-party vendor may perform the programming for most or all voting machines in the state.[16]

While paper ballots can be used to verify the legitimacy of electronic tallies, fourteen states use paperless machines. The only way to verify whether an election has been hacked is to compare the electronic tally to the paper ballots.[17] While electronic tallies from optical scanners can be verified (because optical scanners count paper ballots), tallies from paperless DREs are unverifiable. The following five states exclusively use such paperless machines: Georgia, New Jersey, Louisiana, South Carolina, and Delaware.[18] Another nine states — including the swing states of Florida and Pennsylvania — include at least some counties with paperless machines.[19] After the 2016 election, the state of Virginia made the decision to discard their DREs in favor of paper ballots.[20]

DREs with so-called “Voter Verifiable Paper Audit Trails” (VVPATs) are not “verifiable.” DREs with VVPATs — voting machine printouts that are supposed to reflect voter intent — are not in reality “voter verifiable,” as voters cannot confirm whether their vote as recorded inside the machine (where the counting occurs) matches the selections on the VVPAT. Hackers have repeatedly shown that the printed result can match the voter’s choices, while the internal memory records whatever choice the hacker wishes it to record.[21] Thus, when vendors and election officials refer to these things as “voter verifiable,” they lull the public into a false sense of security.

VVPATs matter, if at all, only in the unlikely event of a manual recount or audit. But VVPATs are useless even for that purpose unless voters actually review them for accuracy, which most do not. [22] Studies show that voters are unlikely to notice computer vote flips even when they undertake such review, and that they are unwilling to start over even when told there is a problem.[Id.] It has also proven difficult or impossible to manually count or audit VVPATs.[23]

DREs were initially promoted as a means to accommodate voters with disabilities, but states bought them for all voters regardless of need, creating a 15 year election-integrity crisis.[24] Disability groups have since called for their elimination.[25]

Some states are now replacing unverifiable touchscreen DREs with equally unverifiable touchscreen ballot markers. Electronic ballot markers (“EBMs”) are touchscreen devices that generate computer-marked paper printouts, which are then counted on optical scanners like hand-marked ballots. As with DREs, voters may never actually review the printouts for accuracy. The use of EBMs has traditionally been limited to those voters who are unable to hand mark ballots. But vendors are now encouraging states to buy them for all voters, regardless of need,[26] adding an unnecessary extra layer of vulnerable electronics to our already vulnerable elections.

The ES&S ExpressVote and the Dominion ImageCast are the most popular EBMs on the market. They are especially dangerous because the computer marked printous that they produce include not only written text, but also bar codes or qr codes. The only portion of the printout actually counted as your vote is the barcode, which humans can’t read and thus can’t verify. Vendors and election officials, however, continue misleading the public by referring to these as “voter verifiable” or “voter marked.” Some further mislead by simply referring to these as “paper ballots,” without mentioning the barcode at all.

States rarely conduct manual recounts, even in close elections. Paper ballots make hand recounts possible, but states rarely allow hand recounts.[27] Most require a hand recount, if at all, only when the margin of victory is less than a small percent.[28] From a rigger’s standpoint, this simply serves as an invitation to shift enough votes to exceed the recount margin. As we saw in 2016, courts rarely allow a meaningful hand recount when that margin is exceeded.[29] The cost for elective recounts, where allowed, is often prohibitive.

Manual audit laws are absent and/or inadequate. States could address the manual recount problem by enacting laws requiring statistically meaningful manual audits after every election, with full hand recounts in the rare situations where audit results warrant them. But experts have determined that only a few states conduct audits that are anywhere close to sufficient to detect electronic tampering.[30]

Some election officials destroy ballot images. Most optical scanners used today produce digital images of the ballots as they count them.[31] These images are public records, but some election officials destroy them.[32]

Vendors are not transparent. Most voters are unaware that taxpayer money goes to election equipment vendors with close past and/or present ties to such eyebrow-raising individuals and entities as: a foreign dictator thought to have rigged his own election, a sophisticated cyber-felon, U.S. politicians, and the far-right Council for National Policy.[33] These vendors use the proprietary nature of their code and hardware to successfully block forensic examinations of their taxpayer-funded systems.[34] Thus, no memory card in any U.S. election has ever been subject to inspection for hacking or malicious programming.

Emergency security protocols for 2018 and beyond

Hand-marked paper ballots. The United States ambassador to the United Nations, Nikki Haley, recently told the Democratic Republic of Congo not to use electronic voting:

“These elections must be held by paper ballots so there is no question by the Congolese people about the results. The U.S. has no appetite to support an electronic voting system.”

[35] Americans also deserve trustworthy elections. Thus, hand marked paper ballots must be available to all voters in time for the 2018 midterm elections, with assistive ballot marking devices provided for those who are unable to hand mark their ballots.

A return to hand marked paper ballots means replacing DREs with optical scanners or hand counting. Jurisdictions may claim they can’t afford new scanners to count the paper ballots. If so, point out that some counties in Virginia leased scanners to ensure the integrity of Virginia’s last election.[36] Other jurisdictions can do the same.

If states still refuse to buy or lease optical scanners, then demand that they publicly hand count the paper ballots instead. This is not asking too much. Spurred by serious concerns about transparency and security, most Western democracies — including Germany, France, Canada (for federal elections), Norway, and the Netherlands — have rejected voting machines in favor of publicly hand-counted elections.[37] Although U.S. ballots tend to be more complex than in countries that hand count, most county election boards already have emergency hand-count protocols that can be implemented. Manual counting, if completed on Election Night, would not present the chain-of-custody problems that arise when we rely on next-day, or even-longer-delayed, manual audits to ensure the integrity of computerized election systems.

Many counties in New Hampshire already conduct publicly hand-counted elections as a matter of course. According to the manual linked here,[38] the ballots include on average 15 races and yet are fully hand counted within several hours on Election Night.

Risk limiting audits (“RLAs”) or modified full hand-count audits. RLA’s or modified full hand-count audits must be mandated for every race in 2018.

RLA’s are a type of statistical audit endorsed by Verified Voting, Common Cause, the League of Women Voters, the American Statistical Association, and others.[39] Full hand-count audits are a kind of RLA where ballots are run through optical scanners and then hand counted under bi- or multi-partisan supervision.[40] A modified full hand-count audit — the type of audit already conducted in Columbia County, New York — is the same as a full hand-count audit, but it excludes uncontested races and it hand counts fewer ballots in races with very large victory margins.

All audits must be open to the media and the public. Elections must not be certified until the auditing process is complete and the audit results have either confirmed the accuracy of the initial vote count or led to a full manual count (the results of which will be dispositive).

The chain of custody must be transparent and demonstrably secure. Post-election audits and recounts depend on a demonstrably secure chain of custody between Election Night and the audit (or recount), the period in which the public loses sight of the ballots.[41] The chain of custody procedures must also be transparent or public confidence in the audit result will falter. During the 2004 presidential recount, ballots were “marked or altered, apparently to ensure that the hand recount would equal the machine count.”[42] And in 2016, paper ballots were destroyed before they could be recounted in the Wasserman-Schultz/Canova U.S. House race.[43] This can’t happen ever again in any election.

Ballot images must be preserved. States must also follow federal law and protect election transparency by preserving ballot images as public records.[44]

Precinct results must be posted. Where precinct counting is done, precincts must post results to the public before transmitting them to the tabulators. This transparency measure would allow citizens to detect and deter any tampering or error that might occur after the results leave the precincts.

Vendor transparency. To provide a measure of transparency, election equipment and software vendors and contractors must publicly (a) disclose the names of each of their officers, directors, and owners; (b) disclose the names of each of their parent companies, as well as the parent companies’ respective officers, directors, and owners; and (c) warrant that no one affiliated with the company or with a parent company (as officer, director, owner, employee, contractor, or consultant) has been convicted of a felony.

Advocating for change

Please contact your members of Congress and ask them to support the bipartisan federal Secure Elections Act, which would allocate federal funds for states to replace DREs with paper ballots and optical scanners. The Act, however, is not a panacea, as states would retain the right to decide whether and when to use these federal funds. Moreover, the Act would require statistical audits only for federal elections and not until 2022. Conditions and circumstances are such that this delay is unacceptable.

Thus, in addition to supporting the Act, please demand action from your state legislators and state and county Election Boards. If states can’t or won’t buy or lease optical scanners in time for the 2018 midterms, then they should conduct precinct-based hand counts, looking to New Hampshire for guidance. Consider sending them copies of one or more of the following documents in support of these demands:

Additional Resources

Secure Our Vote has organized a grass roots campaign to lobby state and local election boards for paper ballots and Risk Limiting Audits. Their website also has excellent written training materials.[45]

Verified Voting has a terrific website.[46] Its “Verifier” tool shows the type of voting equipment used in each state. Verified Voting also has a state audit law database.

Citizens for Election Integrity Minnesota has an excellent website where you can search for each state’s recount and audit laws.[47]

Center for American Progress posted an extremely helpful report grading each state on its voting and registration system security as of February 12, 2018.[48]

Bio and Acknowledgements

Background: Jennifer Cohn is an attorney and election integrity advocate in the San Francisco Bay Area who graduated from UCLA and Hastings College of the Law. As an attorney, her areas of practice included insurance coverage and appellate law. She practiced law for more than twenty years, including seven years as a partner with Nielsen Haley & Abbott, LLP in Marin County, California. Since 2016, she has devoted her professional efforts full time toward investigating our insecure election system and potential solutions. She can be contacted through her Twitter account, @jennycohn1.

Acknowledgements: Thank you to election integrity advocates Jonathan Simon (author of Code Red, Computerized Election Theft and The New American Century and blogger at, Brad Friedman (host of the BradCast with Brad Friedman radio show and a blogger at, Lulu Friesdat (Emmy Award winning journalist and documentarian), and Philip B. Stark (Professor of Statistics at U.C. Berkeley) for their substantial time and effort helping produce this handout.

End Notes


[2] [letter from 100 experts];

See also [Professor Appel congressional testimony, 9/28/16]; [Professor Blaze congressional testimony, 11/29/17]

[3] [C-span interview of EAC Commissioner Thomas Hicks and Computer Science Professor Alex Halderman, via Marilyn Marks]

[4] [video of Computer Science Professor Alex Halderman’s July 2017 Congressional debriefing; Halderman is a “professor of computer Science and Engineering at the University of Michigan” and is “part of a small community of computer experts who have spent the better part of the last ten years focused on the security of our election machinery.”]

[5] [1b] [Article by IT Professor Andrew Appel: “Which voting machines can be hacked through the internet? …The answer: all of them.”]

[6] Ibid.

[7] … [Article by IT Professor Andrew Appel: “Which voting machines can be hacked through the internet? …The answer: all of them.”]; … [Professor Dan Wallach, manager of Rice University’s Computer Security Lab, agrees that “When you dig down, [many vendors] often have election management systems connected to the Internet, albeit behind firewalls, VPNs, or other such devices. It’s incorrect to call such systems ‘never connected.’”] [video of Computer Science Professor Alex Halderman’s July 2017 Congressional debriefing: “Somehow, before the election, the machines have to receive their programming: who’s on the ballot. And this comes from a computer called an Election Management System. Often, these Election Management System computers are connected to the internet. And if the Election Management System computer is targeted by attackers and infected, that infection can spread to the memory cards that are going to program all of the voting machines in that entire area.”]

[8] …

[9] [“While Merle King, Executive Director of CES, claims that the election system is ‘air-gapped,’ he fails to disclose that the system, including vote tabulation databases, is exposed to cyber attack through counties’ repeated use of the same flash drive to move election night tabulation interim iterations to the election night reporting application on the web.”]

[9a] [Univ. Penn. Wharton report, Appendix A — ES&S accounts for more than 40% of U.S. election equipment]

[10] [“The greater threat to most systems comes not from external hackers, but from insiders who have direct access to the machines,” the report noted. “There is no reason to trust insiders in the election industry any more than in other industries, such as gambling, where sophisticated insider fraud has occurred despite extraordinary measures to prevent it.”] [Professor Appel congressional testimony, 9/28/16]


[12], pp. 137–38 [describing how optical scanner memory cards can be hacked] …[describing Harri Hursti hacking demonstration of optical scanner memory cards]

[13] [Report from Def Con Hacking Village]

[14], p. 28 [Election Systems & Software and Dominion Voting account for 81% of U.S. voting equipment; Hart Intercivic accounts for another 11%]

[15] [IT Professor Halderman: “[E]ven though voting machines themselves are not connected to the internet, the voting machines have to receive the data about the ballot design and about the software that’s running on them from somewhere. And they get that data from central systems in the counties or states. These are called Election Management Systems.”]

[16]; [“Command Central,” a two-person company, does all election system programming for Wisconsin] [Triad responsible for programming tabulators in 41 Ohio counties]

[17] [“Want to know if an election was hacked? Look at the ballots”]

[18] [article re: states that use paperless machines]

[19] Id.


[21] …

[22][Sourced article re: VVPATs and Ballot Marking Devices]

A Nevada study “showed that only 31% of voters actually compared the audit trail to the screen upon which they voted.” [Nevada study “showed that only 31% of voters actually compared the audit trail to the screen upon which they voted.”] [“[o]ut of 108 elections that contained errors, … no errors were reported in the VVPAT audit.”] [“Study: Two-Thirds of Voters Fail to Notice Vote-Flipping on Touch-screen DRE Voting Systems,” which are easier to review than VVPATs] [Professor Ted Selker of MIT, who has studied VVPATs extensively, reports that, “In watching 500 voters casting ballots, I saw less than one in 10 people who, when they were told they had a problem with their ballot, were actually willing to take a new ballot and vote again.”]

[23] [“Election Science Institute Study of DRE VVPAT for Cuyahoga County showed a ten percent error rate for VVPAT printouts, rendering these votes unreadable and unusable for hand counts in an audit or recount situation.”] [“Voter marked paper ballots are the best form of VVPR. Thermal paper print of the kind typically generated by direct-recording electronic voting machines (DREs) is particularly fragile and subject to spoilage.”] [A study conducted by CalTech/MIT found that “[o]ut of 108 elections that contained errors, … no errors were reported in the VVPAT audit.”] [A study by Rice University found that only 57.5% of participants’ counts using VVPATs provided the correct results.] [“An election official in North Carolina reported that there were hundreds of [VVPAT] printer failures in that state during the 2006 election. He cited a Georgia study about the logistical challenges of storing, tracking, and manually counting thousands of votes recorded on unwieldy rolls of paper tape.”]

[24] [“In the controversy over electronic voting machines, activists for disability groups have been at the forefront of campaigns to convince counties and states to purchase touch-screen voting systems.”] [“The California Association of Clerks and Election Officials, or CACEO, led by Shasta County Clerk Ann Reed, called the decision [to require a paper audit trail] “a major defeat for the disabled community, as well as the minority-language communities.”]; [“Advocates for visually impaired voters are concerned that the paper trail requirement will strip them of their right to a secret ballot…”] , p. 161 [initially, 70% of the machines bought under HAVA were DREs]


[26] [Georgia looking into EBMs]; [“Touchscreen ballots … could be the future of voting in L.A. County.”]


See also [state recount law and state audit law databases]

[28] Id.


[30] Id.

[31] [John Brakey video — Ballot images create a paradigm shift in verifying elections]

[32] [Husted in Ohio allows election workers to turn off ballot image audit function] [Merrill in Alabama allows election officials to turn off ballot image “save” function] [court treats ballot images as public records]

[33] [article compiling sources re: disturbing voting machine vendor ownership and connections]

[34] [“Plus, much of this voting technology is proprietary, so forensic auditors couldn’t independently scrub for and detect malicious software, especially given such code might delete itself after Election Day, Scott said.”] [“[T]he public can’t examine the very software they use to vote. In fact, such scrutiny is illegal. The voting software that runs on the electronic machines is considered ‘proprietary information’ by the companies that produce it, therefore no one, not even election officials, can access it.”] [“Auditing the operation of this code is difficult because the formats of the flash cards [which hold voter selections recorded by the iVotronic machines] and of Unity’s internal database are both proprietary,” Eckhardt explains in his report. “[S]ince no one of them can be audited without access to proprietary data, the behaviors of the three bodies of code, as a group, cannot readily be audited.”]


[36] [some Virginia counties leased scanners]

[37] [Germany] [Canada] [France] [The Netherlands] [Norway] [compilation of sources re: countries that hand count their elections]

[38] [Election Defense Alliance Manual re: Hand Counted Paper Ballots — New Hampshire counties as an example]

[39] [“The risk limiting audit is the gold standard of audits”; [In 2010, “the American Statistical Association issued a statement endorsing risk-limiting post-election audits.”];, p. 3 [Risk Limiting Audits are endorsed by Common Cause, the American Statistical Association, the League of Women Voters, and others].

For more information about RLAs, please contact computer scientist Barbara Simons and U.C. Berkeley Professor of Statistics Philip B. Stark.

[40] For more information about full hand count audits, please contact Virginia Martin, Commissioner on the Columbia County, New York, Board of Elections. [article by election integrity advocate Lulu Friesdat describing full hand count audits conducted in Columbia County, New York; includes comments by Virginia Martin, commissioner on the Columbia County Board of Elections]. [article re: full hand count audits including comments by Virginia Martin] [Virginia Martin presentation to the California Election Integrity Coalition re: full hand count audits]

[41], p. 3 [Academic report re: the importance of “compliance audits” to maintain a secure chain of custody between Election Night and any post-election audit]

[42] …


[44] [“A Colorado citizen named Marilyn Marks filed, and won, a succession of lawsuits establishing that both ballots and ballot images must be treated as public records in Colorado.”]
 For more information about ballot images, please contact John Brakey of Audit AZ and Bev Harris, author of Black Box Voting: Ballot Tampering in the 21st Century.



[47] [state recount law and state audit law databases]

[48] [discusses and “grades” each state’s election equipment, voter registration equipment, and auditing laws]