The nation’s leading cybersecurity agency released a final version Friday of an advisory it previously sent state officials on voting machine vulnerabilities in Georgia and other states that voting integrity activists say weakens a security recommendation on using barcodes to tally votes.
The advisory put out by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has to do with vulnerabilities identified in Dominion Voting Systems’ ImageCast X touchscreen voting machines, which produce a paper ballot or record votes electronically. The agency said that although the vulnerabilities should be quickly mitigated, the agency “has no evidence that these vulnerabilities have been exploited in any elections.”
Dominion’s systems have been unjustifiably attacked since the 2020 election by people who embraced the false belief that the election was stolen from former President Donald Trump. The company has filed defamation lawsuits in response to incorrect and outrageous claims made by high-profile Trump allies.
The advisory CISA released Friday is based on a report generated by University of Michigan computer scientist J. Alex Halderman, an expert witness in a long-running lawsuit that is unrelated to false allegations stemming from the 2020 election.
The machines are used by at least some voters in 16 states, according to a voting equipment tracker maintained by watchdog Verified Voting. In most of those places, they are used only for people who can’t physically fill out a paper ballot by hand. But in some places, including Georgia, almost all in-person voting is done on the affected machines.
Dominion has defended the machines as “accurate and secure.”
As they’re used in Georgia, the machines print a paper ballot that includes a barcode — known as a QR code — and a human-readable summary of the voter’s selections. The votes are tallied by a scanner that reads the barcode. Security experts have warned that the QR codes could be manipulated to reflect different votes than the voter intended.
A version of the advisory sent to election officials last week said, “When barcodes are used to tabulate votes, they may be subject to attacks exploiting the listed vulnerabilities such that the barcode is inconsistent with the human-readable portion of the paper ballot.” To reduce that risk, the advisory suggested that jurisdictions configure the machines, where possible, to “produce traditional, full-face ballots, rather than summary ballots with QR codes.”
A full-face ballot looks like a hand-marked paper ballot with all of the choices for each race listed and a bubble next to the voter’s choice filled in by the machine. A summary ballot, in contrast, lists only the voter’s selection for each race.
The recommendation to use full-face ballots rather than summary ballots with QR codes is not included in the final version of the advisory released Friday. Instead, after noting that the vulnerabilities could be exploited to change the barcode so it doesn’t match a voter’s selections, it includes a note in parentheses that says, “If states and jurisdictions so choose, the ImageCast X provides the configuration option to produce ballots that do not print barcodes for tabulation.”
Halderman expressed disappointment in the change, saying it “dramatically weakens” the security that would be provided by the combination of mitigation measures in the advisory in Georgia and other jurisdictions that rely on QR codes for counting votes.
Marilyn Marks, executive director of the Coalition for Good Governance, a plaintiff in the lawsuit that led to Halderman’s examination of the machines, said it appears that CISA bent to political pressure to dilute the recommendation.
“It’s gravely concerning that self-serving election officials can muscle their way through CISA to dilute the agency’s compelling essential security measure to remove barcode votes from ballots — a needless, severe vulnerability that puts millions of voters’ votes at risk,” she said.
A CISA spokesman said the change was not based on complaints from any party and said that when the agency is alerted to potential vulnerabilities, it’s common to update an advisory as it works with researchers, vendors and other partners to provide information on mitigation measures.
“We believe that the set of mitigations in the advisory, when used together, would allow jurisdictions, including those who use barcodes for tabulation, to prevent or detect exploitation of these vulnerabilities,” an agency statement says.
The Dominion machines are capable of printing a full-face ballot without a QR code because the company has updated their software for Colorado, said Matt Crane, the executive director of the state’s association of county clerks. He said that although Secretary of State Jena Griswold announced in 2019 that Colorado was doing away with QR codes for security reasons, the transition has only just started.
Crane said he believed less than 2.5% of Colorado voters used the Dominion ballot-marking machines in the 2020 general elections. Most use hand-marked paper ballots.
The advisory is based on a report by Halderman, who examined voting equipment used in Georgia as an expert witness engaged by the plaintiffs in a lawsuit that challenges the machines. Originally filed in 2017, the lawsuit targeted the outdated voting machines Georgia used at the time. The state bought the Dominion system in 2019, but the plaintiffs contend the new system is also insecure.
Halderman has long argued that using electronic machines to record voters’ selections is dangerous because computers are inherently vulnerable to hacking and thus require multiple safeguards that aren’t uniformly followed. He and many other election security experts have insisted that using hand-marked paper ballots is the most secure method of voting and the only option that allows for meaningful post-election audits.
Rigorous post-election audits could detect fraud because they would be done by hand and would verify that the human-readable portion of the ballot matches the results tallied by scanners. But if the results were tampered with in a contest that wasn’t checked, that could go undetected.