Cyber agency's voting tech advisory has been weakened, activists say

A final version of a security advisory that the nation's leading cybersecurity agency sent to state officials about voting machine vulnerabilities in Georgia and other states has been released. Voting integrity activists say the final version weakens a security recommendation on the use of barcodes to tally votes.

The advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) focuses on vulnerabilities identified in Dominion Voting Systems' ImageCast X touchscreen voting machines, which can record votes electronically as well as produce paper ballots.

The agency says that although the vulnerabilities should be mitigated quickly, it has no evidence that they have been exploited in any election.

Dominion's systems have been unfairly attacked since the 2020 election by people who embrace the false belief that the election was stolen from former President Donald Trump. Due to inaccurate and outrageous claims made by high-profile Trump supporters, the company has filed defamation lawsuits.

According to CISA, its advisory is based on a report by University of Michigan computer scientist Alex Halderman, an expert witness in a long-running lawsuit that is unrelated to false allegations regarding the 2020 election.

A tracking tool maintained by watchdog Verified Voting shows that at least some voters use the machines in 16 states. These are usually used only by people who are unable to fill out a paper ballot by hand. However, in some places, including Georgia, almost all in-person voting is done with these machines.

The machines are defended by Dominion as 'accurate and secure.' In Georgia, the machines print a paper ballot with a barcode - a QR code - and a human-readable summary of a voter's choices. Scanners read barcodes to count the votes. QR codes could be manipulated to reflect different votes than the voter intended, according to security experts.

An advisory sent to election officials last week stated: 'When barcodes are used to tabulate votes, these machines may be vulnerable to attacks exploiting the listed vulnerabilities such that the barcode is inconsistent with the human-readable portion of the paper ballot.'

In order to reduce this risk, the advisory recommended that jurisdictions configure the machines to 'produce traditional, full-face ballots rather than summary ballots with QR codes.'

Full-face ballots look like hand-marked paper ballots, with all the choices for each race listed and a bubble next to the voter's choice filled in by the machine. A summary ballot, on the other hand, lists only the voter's choices for each race.

The final version of the advisory released on Friday does not recommend using full-face ballots instead of summary ballots with QR codes. After noting that the vulnerabilities could be exploited to change the barcode to not match the voter's selection, it ends with a note in parentheses that says, 'If states or jurisdictions so desire, ImageCast X can be configured to not print barcodes on ballots for tabulation.'

'I am disappointed in this change,' Halderman said, adding that it undermines the security that would have been provided by the combination of mitigation measures in the advisory in Georgia and other jurisdictions that rely on QR codes for voting.
