Verified Voting Blog: Continuous-roll VVPAT under glass: an idea whose time has passed | Andrew Appel

This article was originally posted at Freedom to Tinker on October 19, 2018.

States and counties should not adopt DRE+VVPAT voting machines such as the Dominion ImageCast X and the ES&S ExpressVote. Here’s why.

Touchscreen voting machines (direct-recording electronic, DRE) cannot be trusted to count votes, because (like any voting computer) a hacker may have installed fraudulent software that steals votes from one candidate and gives them to another. The best solution is to vote on hand-marked paper ballots, counted by optical scanners. Those opscan computers can be hacked too, of course, but we can recount or random-sample (“risk-limiting audit”) the paper ballots, by human inspection of the paper that the voter marked, to make sure.

Fifteen years ago in the early 2000s, we computer scientists proposed another solution: equip the touchscreen DREs with a “voter verified paper audit trail” (VVPAT). The voter would select candidates on a touchscreen, the DRE would print those choices on a cash-register tape under glass, the voter would inspect the paper to make sure the machine wasn’t cheating, the printed ballot would drop into a sealed ballot box, and the DRE would count the vote electronically. If the DRE had been hacked to cheat, it could report fraudulent vote totals for the candidates, but a recount of the paper VVPAT ballots in the ballot box would detect (and correct) the fraud.

By the year 2009, this idea was already considered obsolete. The problem is, no one has any confidence that the VVPAT is actually “voter verified,” for many reasons:

  1. The VVPAT is printed in small type on a narrow cash-register tape under glass, difficult for the voter to read.
  2. The voter is not well informed about the purpose of the VVPAT. (For example, in 2016 an instructional video from Buncombe County, NC showed how to use the machine; the VVPAT-under-glass was clearly visible at times, but the narrator didn’t even mention that it was there, let alone explain what it’s for and why it’s important for the voter to look at it.)
  3. It’s not clear to the voter, or to the pollworker, what to do if the VVPAT shows the wrong selections. Yes, the voter can alert the pollworker, the ballot will be voided, and the voter can start afresh. But think about the “threat model.”  Suppose the hacked/cheating DRE changes a vote, and prints the changed vote in the VVPAT. If the voter doesn’t notice, then the DRE has successfully stolen a vote, and this theft will survive the recount.  If the voter does notice, then the DRE is caught red-handed, except that nothing happens other than the voter tries again (and the DRE doesn’t cheat this time). You might think, if the wrong candidate is printed on the VVPAT then this is strong evidence that the machine is hacked, alarm bells should ring– but what if the voter misremembers what he entered in the touch screen?  There’s no way to know whose fault it is.
  4. Voters are not very good at correlating their VVPAT-in-tiny-type-under-glass to the selections they made on the touch screen. They can remember who they selected for president, but do they really remember the name of their selection for county commissioner? And yet, historically in American elections, it’s as often the local and legislative offices where ballot-box-counting (insider) fraud has occurred.
  5. “Continuous-roll” VVPATs, which don’t cut the tape into individual ballots, compromise the secrecy of the ballot.  Since any of the political-party-designated pollwatchers can see (and write down) what order people vote on the machine, and know the names of all the voters who announce themselves when signing in, they can (during a recount) correlate voters to ballots. (During a 2006 trial in the Superior Court of New Jersey, I was testifying about this issue; Judge Linda Feinberg saw this point immediately, she said it was obvious that continuous-roll VVPATs compromise the secret ballot and should not be acceptable under New Jersey law. )

For all these reasons, many states that adopted DRE+VVPAT in the period 2003-2008 have abandoned them, switching over to optical-scan voting with hand-marked (“fill in the opscan bubbles”) paper ballots, with Ballot-Marking Devices (BMDs) available for voters who can’t easily read or handle the paper. Buncombe County switched to optical scan between 2016 and 2018, because the state of North Caroline outlawed continuous-roll VVPATs).

In the 2018 election, approximately* 42 states will use optical-scan, 3 states will use DRE+VVPAT, and 5 states will use paperless DREs (touchscreens).  Between 2002 and 2018, many states switched from DRE to opscan, from mechanical lever machines to opscan, from punchcard to opscan, from DRE+VVPAT to opscan; but not one state that I know of switched to DRE+VVPAT.  It’s not a good technology; it’s too easy for the computer (if hacked) to manipulate what appears on the paper record.

New Jersey is one of those 5 states that use paperless DREs.  There’s no excuse for that; if the DREs are hacked, elections can be stolen with no detection and no recourse. (Or if the DREs “make a mistake“, no recount is possible.)  New Jersey should switch to voter-marked optical-scan ballots, like the rest of the country.

But I am informed** that three New Jersey counties (Gloucester, Essex, and Union) are considering the purchase of new voting machines, and they’re considering only the ES&S ExpressVote and the Dominion ImageCast X.  I’ve already explained why the ExpressVote is a bad idea.

New Jersey (or any state) should not adopt Dominion ImageCast X DRE+VVPAT voting machine. The ImageCast X comes in several configurations, and one of them is basically a DRE+VVPAT, with a continuous-roll cash-register tape under glass. Kevin Skoglund, a software engineer in Pennsylvania, had an opportunity to examine one at a demonstration in Harrisburg, PA.  He reports that it’s quite difficult to read the VVPAT-under-glass:  the printing was gray (not black) on the thermal paper, the font was small, the glass window in the machine was small. Even though he has 20/20 vision, he had difficulty reading it.

The ImageCast X is advertised as an optical scanner, not a DRE, because, technically, this configuration prints a QR barcode onto the VVPAT tape, then an integrated scanner immediately reads this QR code before counting the vote.  This is a distinction without a difference. All the disadvantages 1,2,3,4,5 (above) apply to this format.  Sure, a DRE+VVPAT is marginally better than a DRE; but that’s not the technology to adopt in 2018.

New Jersey should buy optical-scan voting machines for hand-marked optical-scan ballots. Dominion makes reasonable optical-scan voting machines: the ImageCast Precinct and the ImageCast Central.  ES&S makes reasonable optical-scan voting machines: the DS200, the DS450, and the DS850. Three other companies make EAC-certified optical-scan voting machines: ClearBallot, Hart, and Unisyn. New Jersey (and the few other states still using paperless DREs) should buy optical-scan voting machines from any of these 5 companies.

*I say “approximately” because some states use different machines in different counties.

**e-mail from Robert Giles, Director of the NJ Division of Elections, to Stephanie Harris, October 11, 2018.

Photo of ImageCast X VVPAT window:  Kevin Skoglund, June 2018.

Comments are closed.