Activists say cyber agency weakens voting tech advisory

Jun 3, 2022, 3:25 PM | Updated: Jun 6, 2022, 6:42 am

ATLANTA (AP) — The nation’s leading cybersecurity agency released a final version Friday of an advisory it previously sent state officials on voting machine vulnerabilities in Georgia and other states that voting integrity activists say weakens a security recommendation on using barcodes to tally votes.

The advisory put out by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has to do with vulnerabilities identified in Dominion Voting Systems’ ImageCast X touchscreen voting machines, which produce a paper ballot or record votes electronically. The agency said that although the vulnerabilities should be quickly mitigated, the agency “has no evidence that these vulnerabilities have been exploited in any elections.”

Dominion’s systems have been unjustifiably attacked since the 2020 election by people who embraced the false belief that the election was stolen from former President Donald Trump. The company has filed defamation lawsuits in response to incorrect and outrageous claims made by high-profile Trump allies.

The advisory CISA released Friday is based on a report generated by University of Michigan computer scientist J. Alex Halderman, an expert witness in a long-running lawsuit that is unrelated to false allegations stemming from the 2020 election.

The machines are used by at least some voters in 16 states, according to a voting equipment tracker maintained by watchdog Verified Voting. In most of those places, they are used only for people who can’t physically fill out a paper ballot by hand. But in some places, including Georgia, almost all in-person voting is done on the affected machines.

Dominion has defended the machines as “accurate and secure.”

As they’re used in Georgia, the machines print a paper ballot that includes a barcode — known as a QR code — and a human-readable summary of the voter’s selections. The votes are tallied by a scanner that reads the barcode. Security experts have warned that the QR codes could be manipulated to reflect different votes than the voter intended.

A version of the advisory sent to election officials last week said, “When barcodes are used to tabulate votes, they may be subject to attacks exploiting the listed vulnerabilities such that the barcode is inconsistent with the human-readable portion of the paper ballot.” To reduce that risk, the advisory suggested that jurisdictions configure the machines, where possible, to “produce traditional, full-face ballots, rather than summary ballots with QR codes.”

A full-face ballot looks like a hand-marked paper ballot with all of the choices for each race listed and a bubble next to the voter’s choice filled in by the machine. A summary ballot, in contrast, lists only the voter’s selection for each race.

The recommendation to use full-face ballots rather than summary ballots with QR codes is not included in the final version of the advisory released Friday. Instead, after noting that the vulnerabilities could be exploited to change the barcode so it doesn’t match a voter’s selections, it includes a note in parentheses that says, “If states and jurisdictions so choose, the ImageCast X provides the configuration option to produce ballots that do not print barcodes for tabulation.”

Halderman expressed disappointment in the change, saying it “dramatically weakens” the security that would be provided by the combination of mitigation measures in the advisory in Georgia and other jurisdictions that rely on QR codes for counting votes.

Marilyn Marks, executive director of the Coalition for Good Governance, a plaintiff in the lawsuit that led to Halderman’s examination of the machines, said it appears that CISA bent to political pressure to dilute the recommendation.

“It’s gravely concerning that self-serving election officials can muscle their way through CISA to dilute the agency’s compelling essential security measure to remove barcode votes from ballots — a needless, severe vulnerability that puts millions of voters’ votes at risk,” she said.

A CISA spokesman said the change was not based on complaints from any party and said that when the agency is alerted to potential vulnerabilities, it’s common to update an advisory as it works with researchers, vendors and other partners to provide information on mitigation measures.

“We believe that the set of mitigations in the advisory, when used together, would allow jurisdictions, including those who use barcodes for tabulation, to prevent or detect exploitation of these vulnerabilities,” an agency statement says.

The Dominion machines are capable of printing a full-face ballot without a QR code because the company has updated their software for Colorado, said Matt Crane, the executive director of the state’s association of county clerks. He said that although Secretary of State Jena Griswold announced in 2019 that Colorado was doing away with QR codes for security reasons, the transition has only just started.

Crane said he believed less than 2.5% of Colorado voters used the Dominion ballot-marking machines in the 2020 general elections. Most use hand-marked paper ballots.

The advisory is based on a report by Halderman, who examined voting equipment used in Georgia as an expert witness engaged by the plaintiffs in a lawsuit that challenges the machines. Originally filed in 2017, the lawsuit targeted the outdated voting machines Georgia used at the time. The state bought the Dominion system in 2019, but the plaintiffs contend the new system is also insecure.

Halderman has long argued that using electronic machines to record voters’ selections is dangerous because computers are inherently vulnerable to hacking and thus require multiple safeguards that aren’t uniformly followed. He and many other election security experts have insisted that using hand-marked paper ballots is the most secure method of voting and the only option that allows for meaningful post-election audits.

Rigorous post-election audits could detect fraud because they would be done by hand and would verify that the human-readable portion of the ballot matches the results tallied by scanners. But if the results were tampered with in a contest that wasn’t checked, that could go undetected.


Associated Press writer Frank Bajak contributed to this report.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


FILE - Protesters stand outside of the Senate chamber at the Indiana Statehouse on Feb. 22, 2023, i...

Associated Press

LGBTQ+ Americans are under attack, Human Rights Campaign declares in state of emergency warning

The Human Rights Campaign declared a state of emergency for LGBTQ+ people in the U.S. on Tuesday.

1 day ago

FILE - People wait in line outside the Supreme Court in Washington to listen to oral arguments in a...

Associated Press

Supreme Court opened the door to states’ voting restrictions. Now a new ruling could widen them.

Within hours of a U.S. Supreme Court decision dismantling a key provision of the Voting Rights Act, Texas lawmakers announced plans to implement a strict voter ID law that had been blocked by a federal court. Lawmakers in Alabama said they would press forward with a similar law that had been on hold.

1 day ago

Gavel (Pexels Photo)...

Associated Press

Ex-teacher sentenced to prison for making death threat against Arizona legislator

A former Tucson middle school teacher was sentenced Tuesday to 2 ½ years in prison after pleading guilty to making a death threat against Arizona state Sen. Wendy Rogers.

1 day ago

FILE - Police officers stand outside a Target store as a group of people protest across the street,...

Associated Press

Pride becomes a minefield for big companies, but many continue their support

Many big companies, including Target and Bud Light's parent, are still backing Pride events in June despite the minefield that the monthlong celebration has become for some of them.

2 days ago

FILE - Then-Democratic presidential candidate Joe Biden plays music on a phone as he arrives to spe...

Associated Press

Biden, looking to shore up Hispanic support, faces pressure to get 2024 outreach details right

Joe Biden vowed in 2020 to work “like the devil” to energize Hispanic voters, and flew to Florida seven weeks before Election Day to do just that.

2 days ago

Editorial members of the Austin American-Statesman's Austin NewsGuild picket along the Congress Ave...

Associated Press

Correction: US-Gannett Walkout story

Journalists at two dozen local newspapers across the U.S. walked off the job Monday to demand an end to painful cost-cutting measures and a change of leadership at Gannett, the country's biggest newspaper chain.

2 days ago

Sponsored Articles


OCD & Anxiety Treatment Center

5 mental health myths you didn’t know were made up

Helping individuals understand mental health diagnoses like obsessive compulsive spectrum disorder or generalized anxiety disorder isn’t always an easy undertaking. After all, our society tends to spread misconceptions about mental health like wildfire. This is why being mindful about how we talk about mental health is so important. We can either perpetuate misinformation about already […]



Thank you to Al McCoy for 51 years as voice of the Phoenix Suns

Sanderson Ford wants to share its thanks to Al McCoy for the impact he made in the Valley for more than a half-decade.

(Photo: OCD & Anxiety Treatment Center)...

OCD & Anxiety Treatment Center

Here’s what you need to know about OCD and where to find help

It's fair to say that most people know what obsessive-compulsive spectrum disorders generally are, but there's a lot more information than meets the eye about a mental health diagnosis that affects about one in every 100 adults in the United States.

Activists say cyber agency weakens voting tech advisory