www.VoteWell.net


Scanners can protect ballots from hackers!

Problem: Software to count ballots is complex, and companies which write it can be hacked.

Solution: Scan ballots to a file. Let multiple people use their own software to count the file. Compare their results to catch errors and hackers.









Low Risk: Scan Paper Ballots after Elections, to make Electronic Backup Copies. Then Anyone Can Count Them.

·     Use commercial scanners, independent of election computers.

·     Anyone can count scanned images, no matter what happens to official computer counts and stored ballots.

·     Digital signature identifies true copies of the scanner software and the ballots (examples from GnuPG and San Francisco).


Election Computers Are High Risk at the Manufacturer

·     "Vendors represent an enticing target" ~US Senate Intelligence Committee

·     Phishing

·     Operating system updates

·     Driver updates

·     Loading candidate list for each election

·     Counting software

·     Insecure passwords

·     Zero-days which hackers sell to attackers

·     Election virus

·     Counterfeit software

·     Machines are also vulnerable to physical access if delivered to polling places the night before the election.

·     If bad software is installed in advance, any one ballot can tell the bad software what to do: For example a write-in for Alyx Brown can be an instruction to shift votes to or from candidate Brown.

·     Types of computerized voting in each state


Paper Ballots after a Week in Storage: What Could Go Wrong? High Risk

·     "Election officials should re-examine current practices for securing the chain of custody of all paper ballots" ~US Senate Intelligence Committee

Storage risks:

·     Water damage

·     Fire

·     Lock picks

·     Security alarms and cameras are vulnerable computers

·     Single lock so one person can enter

·     Broken seals prevent trust in ballots

·     Replacing seals allows false ballots, but voters trust them

·     Precinct summary counts are usually even less secure than ballots

Hand-count risks:

·     Courts prevented complete recounts in 2016 (MI, PA, WI) and 2000 (FL).

·     Miscounts are easy, while tallying and while reporting totals

·     Public cannot see ballots in most large places; if they could, arguments over interpretation could delay counting

State rules: comparison and details




Ask your County Clerk/Recorder to scan ballots




Stories of Scanning Ballots


Humboldt County California has scanned ballots since 2008. They use a county scanner, count images with open-source software, and make copies of the images for candidates and the public to count independently. In 2008 the scan found 197 more ballots than the official machines. When they investigated, the scan was right and official machines were wrong. The County Clerk and Recorder "said that adopting open source software made her life easier and much more pleasant. She found that her constituents appreciated her transparency and commitment to democracy."
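Copies of the images are only useful to candidates and the public if each recipient can confirm the copy is a true one. The sketch below is an added example, not Humboldt County's or any vendor's code: it builds a SHA-256 manifest of a scan directory and checks a received copy against it. The file names and contents are constructed, and signing the published manifest with a tool such as GnuPG is assumed to happen outside the snippet.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(image_dir):
    """Map each ballot image's relative path to its SHA-256 digest."""
    root = Path(image_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_copy(published, copy_dir):
    """Report how a received copy differs from the published manifest."""
    actual = build_manifest(copy_dir)
    return {
        "missing": sorted(set(published) - set(actual)),   # images dropped from the copy
        "extra": sorted(set(actual) - set(published)),     # images never in the original scan
        "altered": sorted(n for n in published.keys() & actual.keys()
                          if published[n] != actual[n]),   # same name, different bytes
    }

def write_tree(root, files):
    """Helper for the demo: write {relative name: bytes} under root."""
    for name, data in files.items():
        path = Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

def demo():
    """Constructed sample: three stand-in 'images', then a tampered copy."""
    scans = {"P-01/0001.png": b"scan-1",
             "P-01/0002.png": b"scan-2",
             "P-02/0001.png": b"scan-3"}
    with tempfile.TemporaryDirectory() as tmp:
        original, copy = Path(tmp, "original"), Path(tmp, "copy")
        write_tree(original, scans)
        published = build_manifest(original)   # the list the county would sign and publish
        tampered = dict(scans)
        tampered["P-01/0002.png"] = b"scan-2-edited"              # one image altered
        del tampered["P-02/0001.png"]                             # one image dropped
        tampered["P-02/9999.png"] = b"not in the original scan"   # one image added
        write_tree(copy, tampered)
        return verify_copy(published, copy)

if __name__ == "__main__":
    print(demo())
```

The manifest protects the images only if recipients obtain it, and the key that signed it, through a channel the person altering the copy does not control.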


In California, six other counties scanned ballots in 2011 and five did in 2012 for a pilot study of auditing. They used their own or rented scanners. The scans sometimes found discrepancies of a vote from official machines. The number of ballots scanned ranged from 1,000 to 124,000. In Orange County they analyzed 294,000 scans created by the official election software.


Seven Florida counties hired a private company, ClearAudit, to scan all their ballots in 2016 and will again in 2018. The scans sometimes found discrepancies of 1-2 ballots from official machines.


The Secretary of State of Vermont hired ClearAudit to scan ballots in six towns, in 2014 and 2016 as a check on official counts, and will do the same in 2018. The scans found discrepancies of 1-6 ballots in each town.


The Secretary of State of Maryland hired ClearAudit in 2016, not to scan, but to analyze scans created by the state's official election machines. Thus it cannot find hacks of those images, but it can find hacks and other errors in the analysis of the images. Errors can be as simple as a scratched lens or dirt on a machine causing the machine to see marks where there are none. They found that the analysis of scans omitted 1,960 Baltimore ballots and 10 Harford ballots, and ignored write-ins where the oval was not marked, though Maryland law counts these.


This history of finding and fixing small discrepancies deters hackers from these locations, and shows they can find and correct bigger mistakes when bugs or hackers strike in the future. The scans let officials issue correct results, and give confidence that future hacks can be deterred, and any problems can be corrected in the same way.
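The comparison step behind these stories, as an added example rather than code from any county or from ClearAudit: each counter reports ballots and votes per precinct, and every figure on which the counters disagree is listed, including a precinct that one counter omitted. Counter names, precinct names and all numbers are constructed.

```python
from collections import Counter

# Constructed results from the official count and two independent counts of the scans.
SAMPLE = {
    "official": {
        "P-01": {"ballots": 500, "votes": {"Candidate A": 260, "Candidate B": 235}},
        "P-02": {"ballots": 410, "votes": {"Candidate A": 200, "Candidate B": 205}},
    },
    "county_scan": {
        "P-01": {"ballots": 500, "votes": {"Candidate A": 260, "Candidate B": 235}},
        "P-02": {"ballots": 412, "votes": {"Candidate A": 201, "Candidate B": 206}},
    },
    "observer_scan": {
        "P-01": {"ballots": 500, "votes": {"Candidate A": 260, "Candidate B": 235}},
        "P-02": {"ballots": 412, "votes": {"Candidate A": 201, "Candidate B": 206}},
    },
}

def flatten(result):
    """Turn one counter's results into {(precinct, item): count}."""
    flat = {}
    for precinct, data in result.items():
        flat[(precinct, "ballots")] = data["ballots"]
        for choice, n in data["votes"].items():
            flat[(precinct, choice)] = n
    return flat

def compare_counts(results):
    """Return [(precinct, item, {counter: count or None})] for every disagreement.
    None means that counter reported nothing for the precinct or choice."""
    flats = {name: flatten(r) for name, r in results.items()}
    discrepancies = []
    for key in sorted(set().union(*flats.values())):
        seen = {name: flat.get(key) for name, flat in flats.items()}
        if len(set(seen.values())) > 1:
            discrepancies.append((key[0], key[1], seen))
    return discrepancies

def odd_one_out(seen):
    """Counters that differ from the most common value: where to start looking.
    Agreement among counters is not proof; the paper ballots settle the question."""
    most_common, _ = Counter(seen.values()).most_common(1)[0]
    return sorted(name for name, value in seen.items() if value != most_common)

if __name__ == "__main__":
    for precinct, item, seen in compare_counts(SAMPLE):
        print(precinct, item, seen, "check first:", odd_one_out(seen))
```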


Researchers at the University of California in San Diego in 2010 tested another way to scan: a rack of video cameras filming a sheet feeder which displayed each ballot for 2 seconds. The rack can hold video cameras from multiple organizations for improved trust. They wrote software in two weeks which processed the video images into a single copy of each ballot, read the votes on each ballot, and issued counts. In 2013 they reported on software which self-adjusts to varying order and races on different ballots, by reading the title and candidates for each office, even if the candidate names rotate in different order on different ballots. They tested it in the 2011-12 California counties mentioned above, with up to 294,000 ballots.


Vulnerable Election Companies


On August 24, 2016, hackers sent phishing emails to seven workers at VR Systems, which provides voter registration systems throughout Florida. "At least one of the employee accounts was likely compromised." Then on October 27 they used VR Systems credentials to send phishing emails to 122 local election officials. If a recipient opened the message, it installed malware which opened a persistent back door into the computer. At least 10 computers were harmed (¶77b). The government has not said and may not know what the hackers did with their back door. On average 4% of recipients open any particular phishing message, and 22% open at least one per year. Mueller's indictment of July 13, 2018 confirms these events (¶73-77) and adds that the hackers targeted more than one election company (¶69).


Also in 2016 hackers sent emails pretending to be from another election vendor, offering "election-related products and services." The same hackers sent emails to election workers in American Samoa "mimicking a legitimate absentee ballot-related service provider." NSA does not know what they accomplished with any of these attacks.


In August 2017 the biggest manufacturer of voting machines, Election Systems & Software, created a public file on Amazon Web Services with "encrypted versions of passwords for ES&S employee accounts. The encryption was strong enough to keep out a casual hacker but by no means impenetrable...The worse-case scenario is that they could be completely infiltrated right now".


In March 2018 the security site CSO found on the dark web over 100 emails of ES&S workers and smaller numbers at smaller voting machine companies. They also found passwords for the accounts, though the companies said these passwords did not meet their current standards, so would have been changed. Nevertheless with valid emails, attackers can spray password variations until they log in on at least one of the accounts and install malware.


In July 2018 the FBI told Maryland officials that a local web hosting company they used for voter registration, candidacy, online ballot delivery, and election results had been owned since 2015 by a company financed by Vladimir Potanin, a Russian oligarch close to Putin. The manager is a Russian millionaire, Guerman Aliev, who took an American name, Gerald T. Banks. Maryland's Senate President said the FBI "weren't really anxious for us to come forward" (at 6:54) to tell the public.


What the FBI said about hacking emails also has to apply to voting machines:

·      "we don’t have direct evidence that the server was successfully hacked. We wouldn’t, though, expect to see that evidence from sophisticated adversaries, given the nature of the adversary and given the nature of the system."

The government believes that in 2016 all states' election systems were scanned for vulnerabilities by foreigners:

·      "We can assume that the majority of states were probably a target... I want to make clear today on the record, it's likely that all 50 states were likely affected... Every organization is scanned a lot, sometimes thousands of times a day. What we were trying to differentiate between: we saw very concerning activity from known suspicious servers in this case... They were targeting to look for vulnerabilities... Probably tried all the states. These are the states we could see they were trying. That's right." ~US Department of Homeland Security, in a senate hearing at 41 minutes


State-wide Recounts

A list of recounts since 2000 is at FairVote. Rules for recounts are at Citizens for Election Integrity and Ohio State University (less detail).

Minnesota is the 21st biggest state, and is the largest state which has hand-counted statewide elections.

It hand-counted a Senate race with 2.9 million ballots from Nov. 19 to Dec. 5, 2008 at 120 locations. Incumbent Norm Coleman had a 215-vote lead over Al Franken in the initial count. One precinct lost 133 ballots, which were never found, so it used election day results.

Each candidate challenged about 3,300 ballots, which the State Canvassing Board resolved by Dec. 30, changing the lead to Franken by 49 votes.

The candidates also argued about including 2,000 absentee ballots, and the Board found 933 eligible on Jan. 3, raising Franken's lead to 225. Coleman went to court, which approved more absentee ballots on April 7, raising Franken's lead to 312. The state supreme court denied an appeal, and Franken was sworn in.


Minnesota also hand-counted the Governor's election in 2010, 2.1 million ballots, from November 29 to December 8, confirming the original winner, while reducing his margin from 8,856 to 8,770.


North Carolina recounted the Governor's election in 2016, a Supreme Court election in 2014, and Court of Appeals judges in 2006 and 2010, by machine, and confirmed the original winners.


Virginia recounted Attorney General elections in 2013 and 2005, largely by machine, and confirmed the original winners.


Pennsylvania recounted a Superior Court election in 2009, by machine, and confirmed the winner.


Washington recounted the Governor's election in 2004, by machine, and overturned the original winner. It also recounted the Senator and Secretary of State in 2000, by machine, and confirmed the original winners.


Florida recounted the state-wide Presidential race in 2000 by machine, and Gore requested hand-counts in four counties, which were interrupted by court challenges, culminating in the US Supreme Court ruling for Bush on December 12.


Georgia tested hand counts in 2006, and decided they took too much time and space, so they do not require hand counts.


Holland hand-counts 10.6 million ballots in a national election, and had expected to use software to collate the regional and national totals. In March 2017 it decided to collate by hand, because it realized its software could be hacked.



We can deter, and recover from, these and other Attackers:

  • Old-fashioned dishonest political bosses
  • Criminal groups who want to choose sheriff, prosecutor or judge
  • Thieves who want to benefit from contracts, land use decisions or other regulations
  • Foreigners who want to support one side, or destabilize government by defeating incumbents


Individual ballots are easy to scan. But some voting machines print votes on long rolls of paper (82 feet), which a few scanners can handle:

·       Fujitsu fi7600 can process up to 200 meters of paper tape without cutting it, and can divide the image into sections of any length up to 34". Normal speed is 100 pages per minute, or 850 inches per minute, so 82 feet in 1.2 minutes. Price: $4,155

·       Contex IQ 2490 can pull paper through at 14 inches per second, so 82 feet in 1.2 minutes. Price: $3,895

·       HP T830 can process 4.5 inches per second, so 82 feet in 3.6 minutes. Price: $3,245

Save money by renting, if possible, or by re-selling the scanner after the election, or by transferring it to an office which would otherwise buy a new one.


Other basic steps to secure elections include, for example:

·       Publicly showing each ballot box starts empty

·       Convoy to take ballot box securely to central counting/scanning station

·       Copies of eligible voter lists, with appeals of errors

·       Care with indelible ink


Maryland spent 6 cents per ballot ($275,000, p.10) to analyze scans created by their election machines. They did not use independent scans, which would have added cost.


Issues with open source software

Other election reform activities


When international observers monitor elections, they can scan ballots and do their own counts.