By now, the American people have been alerted to many vulnerabilities in the country’s election systems, including the relative ease of voting machine hacking,7 threats to voter registration systems and voter privacy,8 and disinformation campaigns waged by foreign nation-states aimed at confusing voters and inciting conflict.9 If left unaddressed, these vulnerabilities threaten to undermine the stability of our democratic system.
Free and fair elections are a central pillar of our democracy. Through them, Americans make choices about the country’s future—what policies will be enacted and who will represent their interests in the states, Congress, and beyond. The right of Americans to choose their own political destiny is in danger of being overtaken by foreign nation-states bent on shifting the balance of power in their favor and undermining Americans’ confidence in election results. In our democracy, every vote counts, as evidenced by the race for Virginia’s House of Delegates’ 94th District, which was decided by lottery after being tied.10 That contest illustrates the inherent worth and power behind each vote as well as the necessity of protecting elections from tampering on even the smallest scale.11 Every vote must count, and every vote must be counted as cast.
Election security is not a partisan issue. As aptly noted by the chairman of the U.S. Senate Select Committee on Intelligence, Sen. Richard Burr (R-NC), “Russian activities during the 2016 election may have been aimed at one party’s candidate, but … in 2018 and 2020, it could be aimed at anyone, at home or abroad.”12 Failing to address existing vulnerabilities and prepare for future attacks puts the nation’s security at risk and is an affront to the rights and freedoms at the core of American democracy. Already, we are running out of time to prepare for the 2018 elections, while the 2020 presidential election is looming.13 Another attack on our elections by nation-states such as Russia is fast approaching.14 Leaders at every level must take immediate steps to secure elections by investing in election infrastructure and protocols that help prevent hacking and machine malfunction. In doing so, the United States will be well positioned to outsmart those seeking to undermine American elections and to protect the integrity of every vote.
To understand risks to our election systems and plan for the future, it is necessary to identify existing vulnerabilities in election infrastructure so we can properly assess where resources should be allocated and establish preventative measures and strategies. Only through understanding the terrain can the nation rise to the challenge of preventing voting machine malfunction and defending America’s elections from adversarial attempts to undermine our election infrastructure.
In August 2017, the Center for American Progress released a report entitled “9 Solutions for Securing America’s Elections,” laying out nine vulnerabilities in election infrastructure and solutions to help improve election security in time for the 2018 and 2020 elections.15 This report builds on that analysis to provide an overview of election security and preparedness in each state, looking specifically at state requirements and practices related to:
- Minimum cybersecurity standards for voter registration systems
- Voter-verified paper ballots
- Post-election audits that test election results
- Ballot accounting and reconciliation
- Return of voted paper absentee ballots
- Voting machine certification requirements
- Pre-election logic and accuracy testing
This report provides an overview of state compliance with baseline standards to protect their elections from hacking and machine malfunction. Some experts may contend that additional standards, beyond those mentioned here, should be required of states to improve election security. The chief purpose of this report is to provide information on how states are faring in meeting even the minimum standards necessary to help secure their elections.
It is important to note at the outset that this report is not meant to be comprehensive of all practices that touch on issues of election security. We recognize that local jurisdictions sometimes have different or supplemental requirements and procedures from those required by the state. However, this report only considers state requirements reflected in statutes and regulations and does not include the more granular—and voluminous—information on more localized practices. Furthermore, this report does not address specific information technology (IT) requirements for voting machine hardware, software, or the design of pre-election testing ballots and system programming. And while we consider some minimum cybersecurity best practices, we do not analyze specific cyberinfrastructure or system programming requirements. These technical standards and protocols deserve analysis by computer scientists and IT professionals16 who have the necessary expertise to adequately assess the sufficiency of state requirements in those specialized areas.17
This report is not an indictment of state and local election officials. Indeed, many of the procedures and requirements considered and contained within this report are created by statute and under the purview of state legislators instead of election officials. Election officials are tasked with protecting our elections, are the first to respond to problems on Election Day, and work diligently to defend the security of elections with the resources available to them. Unfortunately, funding, personnel, and technological constraints have limited what they have been able to do related to election security. We hope that by identifying potential threats to existing state law and practice, this report helps lead to the allocation of much-needed funding and resources to election officials and systems in the states and at the local level.
It is within the purview of the states to administer elections.18 And although members of Congress may not have a direct hand in the processes and procedures for carrying out elections, they still have a role to play by ensuring elections are properly and adequately funded. Nearly three-quarters of states are estimated to have less than 10 percent of funding remaining from the Help America Vote Act, which allocated nearly $4 billion in 2002 to help states with elections.19 According to a 2017 report, 21 states support receiving more funding from the federal government to help secure elections.20
All 50 states have taken at least some steps to provide security in their election administration. In recent examples:
- Virginia overhauled its paperless direct recording electronic voting machines and switched to a statewide paper ballot voting system just weeks before the 2017 elections.
- In 2017, Colorado became the first state to carry out mandatory risk-limiting post-election audits.
- In 2017, Rhode Island passed a bill requiring risk-limiting post-election audits for future elections.
- A new election vendor contract in Alabama requires election officials with access to the state’s voter registration system to undergo cybersecurity training prior to elections.
- In December 2017, New York Gov. Andrew Cuomo (D) announced a new election security initiative as part of his 2018 State of the State agenda, including creating a state Election Support Center, developing an Elections Cyber Security Support Toolkit, and providing Cyber Risk Vulnerability Assessments and Support for Local Boards of Elections, among other things.
- At least 36 states are coordinating with or have already enlisted some help from DHS or the National Guard in assessing and identifying potential threats to voter registration systems.
Additionally, states such as Delaware and Louisiana are considering replacing their paperless voting systems with technology that produces voter-verified paper ballots, and Indiana is considering implementing risk-limiting post-election audits for the 2018 elections. Florida Gov. Rick Scott (R) has requested millions of dollars in funding aimed at protecting election systems and software from attack. And on February 9, Gov. Tom Wolf’s (D) administration in Pennsylvania—which still uses paperless voting machines in some jurisdictions—ordered counties looking to replace voting systems to purchase machines with paper records.
No state received a perfect score in this report. With few exceptions, most states fell in the middle of the spectrum: No state received an A; 11 states received a B; 23 states received a C; 12 states received a D; and five states received an F.
The main takeaway from the Center for American Progress’ research and analysis is that all states have room for improvement:
- Fourteen states use paperless DRE machines in at least some jurisdictions. Five states rely exclusively on paperless DRE machines for voting.
- Thirty-three states have post-election audit procedures that are unsatisfactory from an election security standpoint, due either to the state’s use of paperless DRE machines, which cannot be adequately audited, or other factors. At least 18 states do not legally require post-election audits or require jurisdictions to meet certain criteria before audits may be carried out.
- Thirty-two states allow regular absentee voters and/or U.S. citizens and service members living or stationed abroad to return voted ballots electronically, a practice deemed insecure by election and cybersecurity experts.
- At least 10 states do not provide cybersecurity training to election officials.
This point cannot be overemphasized: Even states that received a B or a C have significant vulnerabilities that leave them susceptible to hacking and infiltration by sophisticated nation-states. However, by making meaningful changes to how elections are carried out, states can improve their overall election security while supporting public confidence in election procedures and outcomes.
The election security factors considered in this report were selected based on their ability to evaluate election security and preparedness at the state level. They are:
- Minimum cybersecurity standards for voter registration systems
- Voter-verified paper audit trail
- Post-election audits that test election results
- Ballot accounting and reconciliation
- Return of voted paper absentee ballots
- Voting machine certification requirements
- Pre-election logic and accuracy testing
The information included in this report is derived primarily from state statutes and regulations, as well as interviews with state and local election officials. A debt of gratitude is owed to several organizations for the work they’ve conducted on the seven categories considered in this report, including the Brennan Center for Justice, Common Cause, Verified Voting, the Pew Charitable Trusts, and the National Conference of State Legislatures. We also drew from information supplied by the U.S. Election Assistance Commission.
As part of our research, we reached out to the offices of the top election official in all 50 states plus the District of Columbia, requesting phone interviews to verify research and provide election officials the opportunity to expand on state requirements. In addition to requesting phone conversations, we sent state election offices a survey covering our areas of interest, which we invited them to complete in the event that they were unable to speak over the phone. The authors requested a follow-up phone interview with any state that opted to fill out the survey. Finally, each state was given the opportunity to review and comment on our assessments prior to the publication of this report.
For grading each state’s level of election security preparedness, we awarded points based on a state’s adherence to a set of best practices included within each category. Each of the seven categories was graded on either a 1-point or 3-point scale so that the highest total score a state could receive was 13 points. In four categories, if a state adheres to all the best practices included within a category it received a “fair” score, and 1 point for that category. If the state adheres to some standards, but not others, it received a score of 0, or “unsatisfactory.”
Three key categories were graded on a 3-point scale, those being voter-verified paper audit trail, post-election audits, and minimum cybersecurity standards for voter registration systems. The 3-point scale was assigned to categories that, if implemented correctly, are found to greatly improve election security and where the standards were numerous, so it made sense to supplement the category with the opportunities to earn additional points.
The point distribution varies slightly for these three categories. For example, states that carry out elections through the exclusive use of paper ballots received 3 points, or a “good” score, for that category. States that use VVPR-producing DRE machines statewide or in combination with paper ballots and/or ballot marking devices received a “fair” score. While recognizing that paper ballots are the most hack-proof way of conducting elections, we still wanted to recognize states using DRE machines that provide a paper record of votes cast. If a state uses paperless DRE machines in any of its jurisdictions, it received an “unsatisfactory” score for that category.
For the category of post-election audits, this report identifies nine best practices for carrying out such audits. Because robust post-election audits are considered particularly important for improving election security, states must adhere to all nine of those best practices to receive a “good” score for this category. States that meet seven or eight standards received a “fair” score, and meeting three to six standards earned a state a “mixed” score. Failing to adhere to at least two “best practices” resulted in the state receiving 0 points for this category. Even if a state met a majority of the best practices included in this category, it could still receive an “unsatisfactory” score if it failed to meet the best practices of making audits mandatory or controlling for erroneous preliminary outcomes, as these are particularly important for carrying out meaningful post-election audits. A state also automatically earned an “unsatisfactory” score for this category if it uses paperless DRE machines in any jurisdictions, as these machines are impossible to adequately audit.
The category of minimum cybersecurity standards for voter registration systems is one of those where the recommended minimum standards are so numerous that it made sense to provide states with the opportunity to earn additional points for adhering to all or almost all of the recommendations. The scoring for this category differed slightly depending on whether the state uses electronic poll books. Because we did not want to penalize states for their decision to use or not to use electronic poll books, the two recommended standards relating to electronic poll books were not considered for scoring states that do not use them. Thus, states that use electronic poll books were measured against a total of eight standards, while states that do not use electronic poll books—or are only in the early piloting stages of using electronic poll books—were measured against a total of six standards, as detailed further below.
Each individual best practice standard within a given category was given equal weight, aside from the exceptions mentioned above.
In some cases, information on a state’s adherence to cybersecurity standards for voter registration systems was difficult to find. There are many reasons states may have for keeping information on specific cybersecurity requirements of state-run databases private and inaccessible to the public, including researchers. Throughout our research, we made numerous attempts to reach out to state officials about their states’ cybersecurity requirements and practices for voter registration. Unfortunately, some states failed to respond to our requests for information and comment, while others refused to do so, citing legal or security reasons in some cases. As a result, we were unable to award these states credit for certain cybersecurity standards due to missing pieces of information. This is not to say that these states do not in fact require these important security measures, but rather that we were unable to award credit to the state for information that was not provided. In such cases, states received an “incomplete” for the cybersecurity category with missing information, but were awarded credit where possible based on the information we did have. We felt that this was the fairest way to handle the point distribution, as we did not want to deter states from sharing information with us or punish those states that did share information on voter registration cybersecurity. To increase transparency and public confidence in U.S. elections, it is important that the public have access to information about the measures that states are taking to protect voter data. Notably, states with an “incomplete” score in the cybersecurity category may have a higher score overall if they are in fact carrying out the missing standards. However, at most, a state with an “incomplete” score in the cybersecurity category would raise its grade by only one letter grade if it adheres to all the missing best practices standards in that category. 
In most cases, a state’s grade would not change at all given the point distribution for other categories. We indicate that a state’s grade may be higher by way of a solidus or forward slash (Example: D/C) if there was information missing on a state’s voter registration cybersecurity requirements and if the state’s overall grade would change if it is carrying out the missing cybersecurity best practices.
The issue of election security is expansive and fast-moving. As such, it is always possible that certain data points may need updating as state laws and practices change or more information becomes available. Information contained in this report reflects research and analysis at the point of publication.
The grades for each state were assigned per the following point distribution:
- A = 13 points
- B = 10 points to 12 points
- C = 7 points to 9 points
- D = 4 points to 6 points
- F = 1 point to 3 points
A more comprehensive description of the standards and explanation of the best practices against which states were graded is below.
Category 1: Cybersecurity standards for voter registration systems
Some states still use voter registration databases that are more than a decade old, leaving them susceptible to modern-day cyberattacks.21 If successfully breached, hackers could alter or delete voter registration information, which in turn could result in eligible voters being turned away at the polls or prevented from casting ballots that count. Hackers could, for example, switch just a few letters in a registered voter’s name without detection.22 In states with strict voter ID laws, eligible voters could be prevented from voting because of discrepancies between the name listed in an official poll book and the individual’s ID. In addition, by changing or deleting a registered individual’s political affiliation, hackers could prevent would-be voters from participating in partisan primaries.
There are serious privacy implications associated with breaches to voter registration databases. Voter registration lists contain myriad personal information about eligible voters—including names, addresses, dates of birth, driver’s license numbers, political affiliations, and partial Social Security numbers—that could be used by foreign or domestic adversaries in any number of ways.23 Moreover, while electronic poll books have been shown to increase efficiency and reduce wait times at polling places, they are subject to tampering and malfunction, as is true with any electronic system.24 Guarding voter registration systems against hacking and manipulation is therefore critically important to protecting the right to vote and voter privacy.
It is worth noting that the recommendations listed below represent minimum cybersecurity standards that states should have in place to protect their voter registration systems. We sought to frame our inquiry into state voter registration systems broadly to avoid providing any kind of road map to potential malicious actors. We know that there are cybersecurity standards beyond those listed below that states should adopt in order to protect voter information, and we recommend that election officials work with cybersecurity experts in implementing them. For example, all states should have a backup voter registration database available in case emergencies arise.
The factors considered for grading in this category are:
- Whether the state’s voter registration system provides access control to ensure that only authorized personnel can access the voter registration database. Access control is perhaps the most basic cybersecurity requirement that all states should implement to prevent unauthorized access to voter registration databases and sensitive voter information.25 Access control measures can consist of anything from single or multifactor authentication to IP-recognition software, ensuring that only those with permission have access to the voter registration system.
- Whether the state’s voter registration system has logging capabilities to track modifications to the voter registration database. Logging capabilities allow cyberprofessionals to monitor activity—innocent and malicious—on databases containing sensitive information.26 When used, the software records all changes made to a database, oftentimes along with the name or IP address of the user responsible. A timestamp of when the change was made is also often provided.27 Logging capabilities assist with investigations into suspicious cyberactivity by allowing cyberanalysts to identify and track those responsible.
- Whether the state’s voter registration system includes an intrusion detection system that monitors a network of systems for irregularities. As the name suggests, intrusion detection systems monitor networks and computers for malicious or anomalous activity and alert relevant parties when potential problems arise.28 Intrusion detection systems can include firewalls, anti-virus software, and spyware detection programs, to name just a few.29 Given the increasing frequency and growing sophistication of modern-day cyberattacks, state officials must be alerted to potential breaches as soon as they occur so that they can respond accordingly to prevent the loss or alteration of sensitive information.
- Whether the state performs regular vulnerability analysis on its voter registration system. To understand the full extent of election-related risk, vulnerability assessments should be carried out continuously on voter registration databases. By conducting regular vulnerability assessments, the state can identify the existence and extent of potential weakness within its voter registration system. By doing so, election officials can better determine where government resources should be allocated and plan for preventative measures and strategies.
- Whether the state has enlisted DHS or the National Guard to help identify and assess potential threats to its voter registration system. While it is important for states to retain a level of autonomy over the administration of their elections, many states lack the personnel and resources necessary to thoroughly probe and analyze complex cybervulnerabilities in election databases and machines. Federal agencies and military personnel with expertise in cybersecurity and who may be privy to classified information on contemporaneous cyberthreats should be responsible for carrying out comprehensive threat assessments on election infrastructure.30 By combining their expertise on cyberthreats and insight into the unique qualities of localized election infrastructure, state and federal officials can better assess and deter attempts at electoral disruption.31 DHS services—which can include cyberhygiene scans, risk and vulnerability assessments, and incident response assistance, among other things32—come at no cost to the states.33
- Whether the state provides cybersecurity training to election officials. Election officials are on the front lines of guarding U.S. elections against attack by foreign and domestic actors, as well as a host of other potential Election Day problems. However, few election officials possess the kind of cybersecurity expertise necessary to detect and protect against potential attacks.34 Even basic training to identify spear-phishing attempts and respond to other suspicious cybernetwork activity can go a long way toward improving election security.
For states that use electronic poll books, additional considerations are:
- Whether the state requires that all electronic poll books undergo testing before Election Day. As with all voting machines, electronic poll books should be tested prior to Election Day to ensure that they are in good and proper working order. In doing so, election officials can avoid machine malfunctions on Election Day that result in long lines for voters, which can hinder voter participation.
- Whether backup paper voter registration lists are available at polling places using electronic poll books on Election Day. To ensure that voter registration lists are accessible during voting periods, states should establish paper-based contingency plans during early voting and on Election Day in case electronic poll books experience malfunctions or hacking. Each polling place that uses electronic poll books should be required to have paper copies of its voter registration lists available that can be consulted throughout the voting process in case of emergency.
Points were distributed for this category as follows, depending on whether the state uses electronic poll books:
States using electronic poll books:
- State adheres to eight best practices: Good, 3 points
- State adheres to six or seven best practices: Fair, 2 points
- State adheres to three to five best practices: Mixed, 1 point
- State adheres to zero to two best practices: Unsatisfactory, 0 points
States not using electronic poll books:
- State adheres to six best practices: Good, 3 points
- State adheres to four or five best practices: Fair, 2 points
- State adheres to two or three best practices: Mixed, 1 point
- State adheres to zero or one best practices: Unsatisfactory, 0 points
We also provide information on the estimated age of a state’s voter registration system. This information was not factored into the point distribution. However, we felt it was important to include in order to provide a fuller picture of voter registration system cybersecurity.
- Estimated age of a state’s voter registration system.35 One of the most important steps that a state can take to improve election security is updating its voter registration system to support software upgrades that guard against and prevent modern-day cyberattacks. Research has been done on the threat posed by outdated voting registration systems.36 Outdated voter registration systems often lack the specific hardware and software components necessary to adequately guard against modern-day cyberthreats, leaving states vulnerable to hacking and system crashes.37 Some state voter registration systems, for example, still run on outdated and unsupported software such as Windows XP or Windows 2000.38 However, even an updated voter registration system can be vulnerable to attack if the state fails to put into place other basic cybersecurity standards that monitor and protect the system.
Category 2: Voter-verified paper audit trail
Confirmation that votes were correctly counted cannot be provided unless a reliable auditable paper trail exists that can be checked against the official election outcome. Paper ballots that are tabulated by optical scanning machines and voter-verified paper records produced by DRE machines offer a record of voter intent, which will exist even if voting machines are attacked and data are altered. Admittedly, paper ballots and records can only help detect malicious activity after votes are cast, and only if robust post-election audits are conducted with the ability to detect and remedy erroneous preliminary outcomes. However, conducting elections with paper-based voting systems is one of the most important steps states can take to improve election security. They are necessary both to conduct meaningful post-election audits that can confirm the election outcomes and to enable post hoc correction in the event of malfunction or security breaches.
Given the importance of having a voter-verified paper audit trail, states received “good” scores—a full 3 points—if they carry out elections using paper ballots statewide. Because evidence has shown that all electronic voting machines are vulnerable to manipulation, voting on paper is the most hack-proof way of conducting elections. Of course, even electronic tabulating equipment such as optical scan machines can be hacked. However, at least with a paper ballot, election officials have a hard copy to go back to in order to verify the voter’s selection. As such, paper ballots are preferable from an election security standpoint even to DRE machines with VVPR, which allow voters to review the machine’s reading of their vote prior to casting, although it is uncertain that all voters do so.
However, because DRE machines with VVPR leave a paper record that can be used in post-election audits, we awarded states that use such machines exclusively or in combination with paper ballots some points for this category. States that use VVPR-producing DRE voting machines statewide or in combination with paper ballots and/or ballot marking devices received a “satisfactory” score. If a state uses paperless DRE machines in any of its jurisdictions, it automatically received an “unsatisfactory” score for this category.
Federal law requires all states to have a minimum number of electronic voting machines available for accessibility purposes. Because those machines are necessary in order to accommodate and facilitate voting among people with disabilities and comply with requirements set out in the Help America Vote Act of 2002, their use in states for this limited purpose was not considered for grading purposes.
Points were distributed for this category as follows:
- State only uses paper ballots statewide: Good, 3 points
- State uses VVPR-producing DRE machines statewide or in combination with paper ballots and/or ballot marking devices: Fair, 2 points
- State uses paperless DRE machines in any of its jurisdictions: Unsatisfactory, 0 points
*States that allow voting by mail were awarded a full 3 points for this category given that the overwhelming majority of voters in those states use paper ballots. This is true even though most vote-by-mail states make some DRE machines with VVPR available at vote centers, though mostly for accessibility purposes.
Category 3: Post-election audits
Because all voting machines are vulnerable to hacking, misprogramming, and even the use of the wrong kind of pen to mark ballots, it is of the utmost importance that election officials conduct robust post-election audits that have a large chance of catching and correcting wrong outcomes. Even jurisdictions that hand-count all ballots should carry out post-election audits, as the counting process can be mired in human error. Importantly, an audit is only as good as the reliability of the ballots it tests. Therefore, meaningful post-election audits can only be conducted in states with strong voter-verified paper audit trails.
After an election, many states carry out vote tabulation audits, which test vote tabulation machines on a fixed percentage or fixed number of audit units to ensure that votes have been properly aggregated. Risk-limiting audits—considered the “gold standard” of post-election audits—increase the efficiency of the auditing process by testing only the number of ballots needed to determine the accuracy of election outcomes. Risk-limiting audits include an initial sample of ballots, based on the margin of victory, which are interpreted by hand. Depending on the results of the initial manual count, the audit may expand. As a result, risk-limiting audits offer election administrators an effective and efficient way to test the accuracy of an election without breaking the bank. Risk-limiting audits are the only kind of audit that can determine with a high degree of confidence that election outcomes are correct and have not been manipulated. However, as risk-limiting audits are a relatively new proposal and are just being adopted by states, we graded states for the existence of the audit practices they do have that function to confirm that ballots have been counted as cast.
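To illustrate how a risk-limiting audit ties the hand-counted sample to the margin of victory and expands when the sample does not support the reported result, the following added example (not part of the report) implements the BRAVO ballot-polling test, one published risk-limiting method that the report itself does not name, for a two-candidate contest. The candidate names, ballot counts, seeds, draw cap and 5 percent risk limit are constructed for illustration.

```python
import math
import random

CONFIRMED = "outcome confirmed"
FULL_HAND_COUNT = "escalate to full hand count"


def expected_sample_size(reported_share, risk_limit):
    """Approximate number of ballots the BRAVO test must examine when the
    reported result is correct (Wald's approximation; two candidates, no
    invalid ballots). reported_share is the reported winner's vote share."""
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported winner must hold more than half the votes")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be between 0 and 1")
    p = reported_share
    # Average growth of the log test statistic per ballot when the report is true.
    drift = p * math.log(2 * p) + (1 - p) * math.log(2 * (1 - p))
    return math.ceil(math.log(1 / risk_limit) / drift)


def ballot_polling_audit(ballots, reported_winner, reported_share,
                         risk_limit, max_draws, seed):
    """Hand-interpret randomly drawn paper ballots one at a time.

    The test statistic starts at 1 (log 0). A ballot for the reported winner
    multiplies it by 2p, any other ballot by 2(1 - p). The audit stops and
    confirms the outcome once the statistic reaches 1 / risk_limit; if that
    has not happened after max_draws ballots, it escalates to a full hand
    count. Returns (result, ballots_examined).
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported winner must hold more than half the votes")
    rng = random.Random(seed)  # real audits derive the seed in public, e.g. dice
    threshold = math.log(1 / risk_limit)
    step_for = math.log(2 * reported_share)
    step_against = math.log(2 * (1 - reported_share))
    log_statistic = 0.0
    for examined in range(1, max_draws + 1):
        ballot = rng.choice(ballots)  # sampling with replacement
        log_statistic += step_for if ballot == reported_winner else step_against
        if log_statistic >= threshold:
            return CONFIRMED, examined
    return FULL_HAND_COUNT, max_draws


def make_ballots(votes_a, votes_b):
    """Constructed stand-in for the paper ballots of a two-candidate contest."""
    return ["A"] * votes_a + ["B"] * votes_b


if __name__ == "__main__":
    risk_limit = 0.05  # at most a 5% chance of confirming a wrong outcome

    # Wide margins need few ballots; narrow margins need many.
    for share in (0.70, 0.55, 0.51):
        print(f"reported winner share {share:.0%}: about "
              f"{expected_sample_size(share, risk_limit)} ballots expected")

    # Constructed case 1: the paper ballots match the reported 55% / 45% result.
    honest = make_ballots(5500, 4500)
    print(ballot_polling_audit(honest, "A", 0.55, risk_limit, 10000, seed=2018))

    # Constructed case 2: the tabulator reported A at 55%, but the paper
    # ballots actually favor B 55% / 45%. The sample never supports the
    # reported outcome, so the audit expands until the cap forces a hand count.
    flipped = make_ballots(4500, 5500)
    print(ballot_polling_audit(flipped, "A", 0.55, risk_limit, 10000, seed=2018))
```
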
The factors considered for grading in this category include:
- Whether post-election audits are mandatory. Post-election audits must be carried out after every election to confirm the accuracy of election outcomes. By only conducting audits after certain elections, states leave themselves vulnerable to hackers who can target unaudited races and election years. Moreover, tabulating machines can malfunction at any time and during any election. Audits must be carried out any time election results matter, meaning after every single election.
- Whether the audit is conducted by a manual hand count. Some states use the term “audit” to describe the process of simply rescanning batches of ballots after an election. Relying on these electronic scans—which are as vulnerable as any other computer data—limits the kinds of problems these reviews can detect. The scans aren’t like photographs; they can differ due to machine error, tampering, or human error.39 To trust that audit results are correct, auditing procedures must be software-independent. As long as an audit depends on electronic tabulators or devices, it can be hacked or manipulated. We recognize that manual audits can require resources—funding and personnel—that some localities may lack. However, in this day and age, where cyberintrusions by nation-states are an ever-growing threat, post-election audits—which are vitally important to election security—must be carried out by hand. The threat is simply too great to leave audits in the control of hackable machines and devices.
- Whether the audit includes a minimum number of ballots based on a statistically significant number tied to the specific margin of victory in one or more ballot contests. Tying the number of ballots included in a post-election audit to the margin of victory in one or more ballot contests—rather than a fixed percentage or number—ensures that enough ballots are examined to create convincing evidence that the outcome is correct, and it also saves resources. For example, if the margin of victory between the winner and loser of a ballot contest is quite large, there is a high likelihood that the auditing of even a small batch of ballots will confirm the accuracy of the election outcome, which saves election officials time and resources. Alternatively, if the margin of victory is small, more ballots need to be audited because there is less room for error. While a more expansive audit requires expending more time and resources on the auditing process, doing so results in greater certainty that the election outcome is correct.
- Whether the ballots, machines, or jurisdictions selected for the audit are chosen at random. Random selection of the election components included in a post-election audit is necessary in order to prevent hackers from putting in place plans and procedures to rig the post-election audit process or from targeting specific machines or ballot categories that they know will not be included in the audit.
- Whether all categories of ballots—regular, early voting, absentee, provisional, and UOCAVA—are eligible for auditing. All ballot types should be eligible for inclusion in post-election audits. By only auditing certain categories of ballots, election officials may fail to detect anomalies in the tabulation of other ballot types. This is particularly important in states where absentee, early voting, or provisional voting is popular among voters. For example, in North Carolina, at least 56,000 provisional and absentee ballots were cast during the 2016 election.40 By failing to include all ballot types in the auditing process, states can exclude from testing and analysis ballots that have the potential to alter election outcomes.
- Whether the audit can escalate to include more ballots. If an audit fails to find strong enough evidence that the preliminary outcome is right, it should escalate to include more ballots to ensure confidence in election results. Escalation should lead to a full recount if necessary.
- Whether the audits are conducted in a public forum or the results made immediately available for public review. Post-election audits should either be open to public observance or the results made publicly available in order to increase transparency and public confidence in the accuracy of election outcomes.
- Whether audits are conducted in a timely manner before certification of official election results. Post-election audits should be carried out after preliminary outcomes are announced, but before official certification of election results. This gives election officials enough time for escalation and correction of preliminary results if preliminary election outcomes are found to be incorrect. That said, post-election audits conducted after certification can still be useful if they have the ability to overturn the certified results if the audit finds they are wrong.
- Whether the audit can correct the preliminary result of an audited contest if it discovers that the preliminary result was wrong. In other words, do audits control the overall results? To be meaningful, post-election audit results must be able to reverse preliminary outcomes if the audit determines they are incorrect. The utility of post-election audits depends on their ability to correct incorrect election results.
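The risk-limiting audit described above, together with the margin-of-victory, random-selection, escalation and binding-result factors, as an added example that is not part of the original report: a ballot-polling audit of a two-candidate contest using the BRAVO sequential test, which the report does not name. The 5 percent risk limit, the fixed seed, sampling with replacement, all function names and the ballot data are assumptions made for illustration.

```python
import math
import random
from collections import Counter
from typing import NamedTuple


class AuditResult(NamedTuple):
    outcome: str  # "confirmed" or "full hand count"
    winner: str   # the winner the audit stands behind
    draws: int    # paper ballots pulled at random and read by hand


def expected_draws(reported_share, risk_limit=0.05):
    """Wald approximation of ballots needed when the reported share is accurate."""
    p = reported_share
    drift = p * math.log(2 * p) + (1 - p) * math.log(2 * (1 - p))
    return math.log(1 / risk_limit) / drift


def ballot_polling_audit(paper, reported_winner, reported_share,
                         risk_limit=0.05, seed=2018, max_draws=None):
    """Sequential test of the reported outcome against the paper record.

    paper: hand interpretations of every paper ballot (the audit trail).
    reported_share: machine-reported share for reported_winner, above 0.5.
    """
    if not 0.5 < reported_share < 1:
        raise ValueError("reported winner needs more than half, less than all")
    rng = random.Random(seed)  # fixed seed so the example is repeatable
    max_draws = max_draws or len(paper)
    threshold = math.log(1 / risk_limit)
    log_t = 0.0  # log of the test statistic; starts at log(1)
    for draw in range(1, max_draws + 1):
        ballot = rng.choice(paper)  # random selection, with replacement
        if ballot == reported_winner:
            log_t += math.log(reported_share / 0.5)
        else:
            log_t += math.log((1 - reported_share) / 0.5)
        if log_t >= threshold:  # evidence is strong enough to stop
            return AuditResult("confirmed", reported_winner, draw)
    # Escalation ran out of room: count every ballot by hand, and let the
    # hand count, not the machine tally, decide the winner.
    hand_winner = Counter(paper).most_common(1)[0][0]
    return AuditResult("full hand count", hand_winner, max_draws)


# Constructed contests of 10,000 paper ballots each (not real election data).
LANDSLIDE = ["A"] * 7000 + ["B"] * 3000
CLOSE = ["A"] * 5500 + ["B"] * 4500
MISCOUNTED = ["A"] * 4000 + ["B"] * 6000  # machines reported A with 55%


def run_examples():
    return {
        "landslide": ballot_polling_audit(LANDSLIDE, "A", 0.70),
        "close": ballot_polling_audit(CLOSE, "A", 0.55),
        "miscounted": ballot_polling_audit(MISCOUNTED, "A", 0.55),
    }


if __name__ == "__main__":
    print("expected draws at 70%:", round(expected_draws(0.70)))
    print("expected draws at 55%:", round(expected_draws(0.55)))
    for name, result in run_examples().items():
        print(name, result)
```

The wide-margin contest is expected to need a few dozen ballots and the close one several hundred, while the miscounted contest never accumulates enough evidence and falls through to a full hand count that reverses the reported winner.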
Points were distributed for this category as follows:
State adheres to nine best practices: Good, 3 points
State adheres to seven or eight best practices: Fair, 2 points
State adheres to three to six best practices: Mixed, 1 point
State adheres to zero to two best practices: Unsatisfactory, 0 points
*A state received an “unsatisfactory” score for this category if (1) the state’s post-election audits are not mandatory, (2) the results are not binding on official election outcomes, or (3) the state uses paperless DRE machines—which are not auditable—in any jurisdiction. This was true even if the state adheres to a majority of the other best practices included within this category. The added weight does not work in reverse. For example, if a state met only six of the standards—including that the audit is mandatory and binding—its score would not be raised from “mixed” to “fair.”
Category 4: Ballot accounting and reconciliation
A paper-based voting system must be combined with strong ballot accounting and reconciliation requirements and procedures. Ensuring that all ballots—used and unused—are accounted for at the close of Election Day and that all votes are included in the final vote tally is one of the most basic and important ways that election officials can improve the security of their elections. By doing so, election officials can protect against voted ballots being lost, causing incomplete vote counts, or invalid ballots being added, causing incorrect vote counts. A great deal of the research on state ballot accounting and reconciliation included in this section is derived from a comprehensive 2012 report from Common Cause, Verified Voting, and Rutgers School of Law entitled “Counting Votes 2012: A State by State Look at Voting Technology Preparedness.”41 While we relied on the research by the authors of that report, we conducted a thorough review to update the research where there had been changes in the law.
The factors considered for grading in this category include:
- Whether all ballots are accounted for at the precinct level. Before vote totals can be accumulated by the state, local election officials must tally and account for all ballots—used and unused—at individual polling places or at vote centers. Precinct officials are best positioned to account for the ballots they received and ballots that have been cast, spoiled, or unused, or that were submitted provisionally. As such, this process should be completed at the local level.
- Whether precincts are required to compare and reconcile the number of ballots cast with the number of voters who signed in at the polling place. Part of the ballot accounting and reconciliation process involves comparing the number of ballots to the number of voters who showed up to the polls to participate in the electoral process. Only through comparing the number of votes to the number of voters can election officials be confident that ballots have not been removed or brought into the polling place from elsewhere. In reconciling these numbers, poll workers should be prohibited from randomly discarding any excess ballots. As the authors of “Counting Votes 2012” found, and as our independent review confirmed, some states still allow this ill-advised practice and lost a point for this category as a result.42
- Whether county officials are required to compare and reconcile precinct totals with countywide results to ensure that they add up to the correct number. Once they receive and aggregate vote totals, county officials should examine and compare the countywide results to tallies submitted by the precincts to make sure that they add up to the correct number. Doing so provides election officials with some assurance that the results are correct and can help to detect a computing error if one exists.
Points were distributed for this category as follows:
State adheres to three best practices: Fair, 1 point
State adheres to zero to two best practices: Unsatisfactory, 0 points
We provide additional information on state ballot accounting and reconciliation procedures that was not factored into the point distribution as wide variation and lack of visibility make them difficult to evaluate; however, we felt it was important to include the information in order to provide a fuller picture of state practices in this area.
- Whether counties are required to review and account for all voting machine memory cards and flash drives to ensure that they have been properly loaded onto the tally server. Our democracy depends on every valid vote being counted on Election Day. As such, it is critically important that election officials review status reports from electronic tally servers in states that use them in order to ensure that all voting machine memory cards and flash drives are properly uploaded and counted. In some states, the electronic management software that tabulates results provides a warning if all memory cards or flash drives that were created for an election are not properly uploaded. Electronic systems are more convenient, but they are prone to hacking or manipulation by sophisticated actors. As such, any review process should ideally be software-independent.
- Whether the state requires that vote tallies and any ballot reconciliation information be made public. Transparency is necessary for all election processes—especially those involving vote totals—in order to establish public confidence in the electoral system and election outcomes. By making information available on election results for each candidate and ballot issue, as well as the ballot reconciliation processes that were used to reach those results, states can improve public confidence in their elections.
Category 5: Return of voted paper absentee ballots
Electronic absentee voting—or the return of voted absentee ballots electronically via email, fax, or web portal—is risky because there is no way for absentee voters to know whether the votes they cast are being accurately recorded. While 29 states only allow electronic submission for UOCAVA voters, three states allow any absentee voter to return completed ballots electronically.43
Most experts agree that returning voted ballots electronically is not safe. An official from DHS’s Cyber Security Division warned that “online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accounting and security of their votes and provides an avenue for malicious actors to manipulate the voting results.”44 The National Institute of Standards and Technology has also warned against online voting.45 Furthermore, it is impossible to carry out meaningful post-election audits on voted ballots submitted electronically because there is no reliable paper record that can be referenced during the auditing process.
Of course, it is of utmost importance that military personnel and U.S. citizens stationed and living overseas are provided opportunities to vote and have their voices heard in our democracy. It is equally important, however, that their votes be delivered securely and their privacy protected. Currently, that means returning a hard copy paper ballot via U.S. mail. Requiring UOCAVA voters to return ballots by mail does not appear to have a significant impact on ballot return rates. If we base projections of UOCAVA ballot return rates on information contained in Pew surveys of unreturned UOCAVA ballots in the states in 2012 and 2014,46 we see that states requiring UOCAVA voters to return voted ballots via mail actually had a slightly higher return rate those years than states that permit voted ballots to be returned electronically.47
For this category, states were graded simply on whether they require voted absentee ballots to be returned by mail (or in person). If so, a state received a “fair” score—or 1 point—for that category. If the state allows any voters, including regular absentee or UOCAVA voters, to return ballots electronically—via email, fax, or web portal—it received an “unsatisfactory” score, or 0 points.
Some feel that the return of voted ballots electronically constitutes a significant threat to election security, on par with use of paperless DRE machines, lack of minimum cybersecurity standards for voter registration systems, and inadequate auditing procedures.48 While we share concerns over electronic absentee voting, we reserved the weighted point distribution for those three categories listed above.
Category 6: Voting machine certification requirements
This category is concerned more with preventing machine malfunction than hacking. Even new machines that are certified and tested to federal requirements are vulnerable to hacking and manipulation by sophisticated actors. Even so, for the purposes of preventing Election Day disruptions, the basic technological requirements that voting machines must adhere to before being purchased and used in a state are worth consideration.49
States should ensure that any machine they purchase adheres to the Election Assistance Commission’s Voluntary Voting System Guidelines. The EAC’s guidelines require voting machines and components to meet minimum security, functionality, and accessibility standards. Some states have their own certification requirements that either substitute or supplement the EAC’s voluntary guidelines, and indeed some experts feel the federal certification process as a whole needs updating. However, we feel that adherence to a uniform set of standards helps to ensure basic functioning and efficiency for voting machinery and equipment. The EAC anticipates finalizing a new set of voting system guidelines in 2018, which will take into account advances in technology and emphasize auditable voting systems and evidence-based elections.50 Leaving the standard-setting process to the states can be an overwhelming task for state officials and can result in a mishmash of voting machine requirements across the country with varying degrees of thoroughness and stringency. Indeed, in speaking about federal voting machine standards, Rhode Island Secretary of State Nellie Gorbea said, “We in Rhode Island could not come up with as good and as fast a process for what the EAC already had with regards to general voting equipment guidelines.”51 As an alternative to requiring that all voting machines be EAC-certified, states may require that voting machines undergo review by a federally accredited laboratory or have statutory requirements that all voting machines must meet or exceed the federal standards.
Abiding by the EAC’s Voluntary Voting System Guidelines is not foolproof against hacking or malfunction. Even EAC-certified voting machines can be hacked or experience problems. Therefore, it is again important to emphasize the importance of paper-based voting systems with voter-verified paper audit trails, which can be referred to if complications arise.
For this category, a state was graded on whether it requires its voting machines to be EAC certified, adhere to federal standards, or undergo testing by an EAC accredited laboratory. If so, a state received a “fair” score—or 1 point—for this category. If not, a state received an “unsatisfactory” score—or 0 points—for this category.
While not graded, we also provided information on whether the state still uses voting machines that are at least a decade old.52 Old voting machines pose serious security risks and are susceptible to system crashes, “vote flipping,” and hacking, as many rely on outdated computer operating systems that do not accommodate modern-day cybersecurity protections.53 Moreover, upkeep for outdated machines is becoming increasingly difficult, because many parts are no longer manufactured. According to experts, the predicted lifespan for most voting machine models is around 10 years.54 Adding to this, experiments conducted by computer scientists on electronic voting machines have shown that they are easily hacked, can be reprogrammed to predetermine electoral outcomes, and are susceptible to malicious vote-stealing software.55 While more long-term solutions to fixing flaws in voting machine architecture may be required,56 one thing states can do right now to better protect against machine malfunction and Election Day disruptions is to invest in replacing all outdated voting machines. This would include switching to a paper ballot system with new optical scan machines.
As stated previously, just because a voting machine is new does not mean that it is safe from hacking and malfunction. While newer machines may include updated software components that lend some protection against system failure, all electronic voting machines are potentially vulnerable to problems and disruption. It is for this reason that any new voting machine must be accompanied by a paper ballot component or voter-verified paper trail that can be referred to in case problems arise.
We recognize that in many states new voting machines are purchased by the counties rather than at the state level. Even when this is the case, however, states and the federal government should assist localities in purchasing new machines by providing adequate funding.
Category 7: Pre-election logic and accuracy testing
As with the previous section, this category is concerned more with preventing machine malfunction than hacking. Logic and accuracy testing is not foolproof. Indeed, sophisticated hackers can manipulate pre-election testing procedures by installing malware that remains inactive during pre-election tests but activates during voting periods. Even so, pre-election testing remains a basic step that election officials can take to help detect possible machine errors and address machine-related problems prior to Election Day.
The purpose of pre-election logic and accuracy testing is to examine, before a single vote is cast, whether the machines that will be used on Election Day or during early voting will function correctly when voters show up to vote. Pre-election logic and accuracy testing should be mandatory and should be conducted on all machines that will be used for voting or to tabulate ballots during an election. Most states already have laws in place requiring state officials to test voting machines and equipment in the weeks and months leading up to an election, although their scope varies depending on the jurisdiction.57 Some states require that all voting machines be tested, while others limit testing to only a small sample.
It is important that all voting machines that will be used in an upcoming election be tested prior to Election Day to ensure that they will accurately read and tabulate votes during voting periods. By testing only a small number or percentage of machines, states may allow other machines with potential problems to slip through the cracks.
For this category, states were graded on whether election officials are required to perform pre-election logic and accuracy testing on all voting machines that will be used in an election. If so, the state received a “fair” score—or 1 point—for this category. If not, the state received an “unsatisfactory” score—or 0 points—for this category.
We also provide information on some specific pre-election logic and accuracy testing procedures. This information was not factored into the point distribution; however, we felt it was important to include it in order to provide a fuller picture of state practices related to pre-election machine testing.
- Whether the testing is open to the public.58 Pre-election logic and accuracy testing should take place in a public forum with appropriate public notice, thereby increasing transparency and public confidence in the election process.
- Whether testing is conducted close to the election, but with enough time to allow for effective remediation. Testing should be carried out close enough to an election to ensure that the machines are in a similar condition on Election Day as they were at the time of testing, but with enough time for election officials to reprogram or replace voting machines that exhibit problems during testing.