Activists say cyber agency weakens voting tech advisory

Jun 3, 2022, 3:25 PM | Updated: Jun 6, 2022, 6:42 am
FILE - New state-issued voting machines used for the Georgia primary election on June 9, 2020, are ...

FILE - New state-issued voting machines used for the Georgia primary election on June 9, 2020, are seen at Park Tavern in Atlanta. The U.S. Cybersecurity and Infrastructure Security Agency released a final version Friday, June 3, 2022, of an advisory it previously sent state officials on voting machine vulnerabilities in Georgia and other states that voting integrity activists say weakens a security recommendation on using barcodes to tally votes. (AP Photo/Brynn Anderson, File)

(AP Photo/Brynn Anderson, File)

ATLANTA (AP) — The nation’s leading cybersecurity agency released a final version Friday of an advisory it previously sent state officials on voting machine vulnerabilities in Georgia and other states that voting integrity activists say weakens a security recommendation on using barcodes to tally votes.

The advisory put out by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has to do with vulnerabilities identified in Dominion Voting Systems’ ImageCast X touchscreen voting machines, which produce a paper ballot or record votes electronically. The agency said that although the vulnerabilities should be quickly mitigated, the agency “has no evidence that these vulnerabilities have been exploited in any elections.”

Dominion’s systems have been unjustifiably attacked since the 2020 election by people who embraced the false belief that the election was stolen from former President Donald Trump. The company has filed defamation lawsuits in response to incorrect and outrageous claims made by high-profile Trump allies.

The advisory CISA released Friday is based on a report generated by University of Michigan computer scientist J. Alex Halderman, an expert witness in a long-running lawsuit that is unrelated to false allegations stemming from the 2020 election.

The machines are used by at least some voters in 16 states, according to a voting equipment tracker maintained by watchdog Verified Voting. In most of those places, they are used only for people who can’t physically fill out a paper ballot by hand. But in some places, including Georgia, almost all in-person voting is done on the affected machines.

Dominion has defended the machines as “accurate and secure.”

As they’re used in Georgia, the machines print a paper ballot that includes a barcode — known as a QR code — and a human-readable summary of the voter’s selections. The votes are tallied by a scanner that reads the barcode. Security experts have warned that the QR codes could be manipulated to reflect different votes than the voter intended.

A version of the advisory sent to election officials last week said, “When barcodes are used to tabulate votes, they may be subject to attacks exploiting the listed vulnerabilities such that the barcode is inconsistent with the human-readable portion of the paper ballot.” To reduce that risk, the advisory suggested that jurisdictions configure the machines, where possible, to “produce traditional, full-face ballots, rather than summary ballots with QR codes.”

A full-face ballot looks like a hand-marked paper ballot with all of the choices for each race listed and a bubble next to the voter’s choice filled in by the machine. A summary ballot, in contrast, lists only the voter’s selection for each race.

The recommendation to use full-face ballots rather than summary ballots with QR codes is not included in the final version of the advisory released Friday. Instead, after noting that the vulnerabilities could be exploited to change the barcode so it doesn’t match a voter’s selections, it includes a note in parentheses that says, “If states and jurisdictions so choose, the ImageCast X provides the configuration option to produce ballots that do not print barcodes for tabulation.”

Halderman expressed disappointment in the change, saying it “dramatically weakens” the security that would be provided by the combination of mitigation measures in the advisory in Georgia and other jurisdictions that rely on QR codes for counting votes.

Marilyn Marks, executive director of the Coalition for Good Governance, a plaintiff in the lawsuit that led to Halderman’s examination of the machines, said it appears that CISA bent to political pressure to dilute the recommendation.

“It’s gravely concerning that self-serving election officials can muscle their way through CISA to dilute the agency’s compelling essential security measure to remove barcode votes from ballots — a needless, severe vulnerability that puts millions of voters’ votes at risk,” she said.

A CISA spokesman said the change was not based on complaints from any party and said that when the agency is alerted to potential vulnerabilities, it’s common to update an advisory as it works with researchers, vendors and other partners to provide information on mitigation measures.

“We believe that the set of mitigations in the advisory, when used together, would allow jurisdictions, including those who use barcodes for tabulation, to prevent or detect exploitation of these vulnerabilities,” an agency statement says.

The Dominion machines are capable of printing a full-face ballot without a QR code because the company has updated their software for Colorado, said Matt Crane, the executive director of the state’s association of county clerks. He said that although Secretary of State Jena Griswold announced in 2019 that Colorado was doing away with QR codes for security reasons, the transition has only just started.

Crane said he believed less than 2.5% of Colorado voters used the Dominion ballot-marking machines in the 2020 general elections. Most use hand-marked paper ballots.

The advisory is based on a report by Halderman, who examined voting equipment used in Georgia as an expert witness engaged by the plaintiffs in a lawsuit that challenges the machines. Originally filed in 2017, the lawsuit targeted the outdated voting machines Georgia used at the time. The state bought the Dominion system in 2019, but the plaintiffs contend the new system is also insecure.

Halderman has long argued that using electronic machines to record voters’ selections is dangerous because computers are inherently vulnerable to hacking and thus require multiple safeguards that aren’t uniformly followed. He and many other election security experts have insisted that using hand-marked paper ballots is the most secure method of voting and the only option that allows for meaningful post-election audits.

Rigorous post-election audits could detect fraud because they would be done by hand and would verify that the human-readable portion of the ballot matches the results tallied by scanners. But if the results were tampered with in a contest that wasn’t checked, that could go undetected.


Associated Press writer Frank Bajak contributed to this report.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


Cassidy Hutchinson, former aide to Trump White House chief of staff Mark Meadows, testifies as the ...
Associated Press

The story behind AP report that caused Trump to throw lunch

NEW YORK (AP) — The news story that reportedly caused former President Donald Trump to throw his lunch against a White House wall came because of an interview that former Attorney General William Barr had arranged with The Associated Press. The story, which was published on Dec. 1, 2020, quoted Barr as saying that the […]
14 hours ago
Associated Press

Museum of Fine Arts employees, management, reach labor deal

BOSTON (AP) — Employees at Boston’s Museum of Fine Arts ratified their first labor deal Tuesday, becoming the latest prestigious art institution to protect workers with a union contract. The collective bargaining agreement is the first since museum workers voted to join the United Auto Workers Local 2110 in November 2020, the union and management […]
14 hours ago
Cassidy Hutchinson, former aide to Trump White House chief of staff Mark Meadows, testifies as the ...
Associated Press

1/6 Takeaways: Angry Trump, dire legal warnings and ketchup

WASHINGTON (AP) — The House Jan. 6 committee held a surprise hearing Tuesday delivering alarming new testimony about Donald Trump’s angry, defiant and vulgar actions as he ignored repeated warnings against summoning the mob to the Capitol and then refused to intervene to stop the deadly violence as rioters laid siege. Witness Cassidy Hutchinson, a […]
14 hours ago
Associated Press

How major US stock indexes fared Tuesday 6/28/2022

Stocks slid on Wall Street Tuesday as the market remains gripped by uncertainty over pervasive inflation, rising interest rates and the potential for a recession. The S&P 500, the Dow Jones Industrial Average and the Nasdaq fell. The Conference Board reported that consumer confidence fell in June to its lowest level in more than a […]
14 hours ago
Associated Press, Wynn Resorts rise; Nike, Enerpac fall

NEW YORK (AP) — Stocks that traded heavily or had substantial price changes Tuesday: Nike Inc., down $7.72 to $102.78. The athletic footwear and apparel company warned that ongoing COVID-19 disruptions in China could hurt revenue. JetBlue Airways Corp., down 3 cents to $8.73. The airline again sweetened its buyout offer for Spirit Airlines as […]
14 hours ago
Associated Press

Oklahoma reaches opioid settlement with 3 drug companies

OKLAHOMA CITY (AP) — Oklahoma officials have reached an opioid settlement with three drug companies that would bring more than $250 million to finance efforts to battle opioid addiction, state Attorney General John O’Connor has announced. The deal with McKesson, Cardinal and AmerisourceBergen settled a lawsuit in which Oklahoma accused the companies of fostering a […]
14 hours ago

Sponsored Articles

Day & Night Air Conditioning, Heating and Plumbing

Most plumbing problems can be fixed with regular maintenance

Instead of waiting for a problem to happen, experts suggest getting a head start on your plumbing maintenance.

Best retirement savings rates hit 4.30%

Maximize your retirement savings with guaranteed fixed rates up to 4.30%. Did you know there is a financial product that can give you great interest rates as you build your retirement savings and provide you with a paycheck for life once you retire? It might sound too good to be true but it is not; this product is called an annuity.
Carla Berg, MHS, Deputy Director, Public Health Services, Arizona Department of Health Services

Update your child’s vaccines before kindergarten

So, your little one starts kindergarten soon. How exciting! You still have a few months before the school year starts, so now’s the time to make sure students-to-be have the vaccines needed to stay safe as they head into a new chapter of life.
Activists say cyber agency weakens voting tech advisory