CDT:

Bogus conspiracy theories about the 2020 election have been repeatedly debunked. But that hasn’t stopped election conspiracy theorists from attempting to gain influence in election administration, either as low level poll workers or as top state election officials. The infiltration of election deniers into positions of power in administering elections poses a grave danger to American democracy: the possibility that an insider will manipulate election systems in order to bring about a desired election outcome. This elevated insider threat makes it more important than ever that our voting systems are resilient to attack and manipulation.

Many 2020 conspiracy theories concerned the voting systems in Georgia, where President Trump focused intensely on discrediting the results. That year, Georgia used ballot marking devices (BMDs) for the first time, for all in-person voters. BMDs are touch screen computers that print out a paper ballot—a major improvement over the paperless machines Georgia had previously been using. Now, voters could physically inspect the record of their vote, rather than be forced to trust the machines to record the votes accurately.

BMDs are widely used in U.S. elections and offer several benefits over hand-marked paper ballots (HMPBs). For instance, because they have a variety of user interface options, BMDs enable voters with visual or motor disabilities to vote independently and privately when they might otherwise be unable to do so with a HMPB. But all computerized systems are susceptible to attack. Therefore, the use of BMDs—particularly by large numbers of voters who do not require them for accessibility reasons—has been criticized as posing a serious security threat to elections. The balance between these benefits and risks should be carefully considered.

The “inconsistent barcode” / “text swap” attack

An upcoming CDT report will take a close look at some of the arguments made about the security of BMDs. But, in this post, we want to examine one particular characteristic of most BMDs: the barcodes on the paper ballots that they produce. After a voter has finished making their selections on the machine’s touch screen, the BMD will print out their selections in human-readable text for them to review. Most BMDs, such as the Dominion ImageCast X used in Georgia, will additionally encode those selections in a 1- or 2-dimensional barcode (i.e., QR code).

The benefit of encoding selections in a barcode is that ballot scanners can read them quickly and accurately. But some have said that encoding voter selection in a barcode is problematic—a ballot from the ImageCast X, for example, contains two records: the human-readable record and the machine-readable record. This lends itself to an attack called the inconsistent barcode attack, in which a hacked BMD alters the vote encoded in the barcode—and therefore the vote recorded by scanners—but leaves the human-readable portion intact. A voter could not detect this attack, because the ballots would appear correct to them. An advisory published today by the federal Cybersecurity and Infrastructure Security Agency recommends mitigating specific vulnerabilities that could lead to this kind of attack. It then notes that the ImageCast X can be configured to print ballots that do not have barcodes—presumably instead printing a filled-in bubble ballot. The Clear Ballot ClearAccess BMD, for example, produces this kind of ballot.