Ballad Of The Magical Ballot Fairies

Genya Coulter

Coulter is an election official and election security advocate in Florida. She is @ElectionBabe on Twitter.

Related Post Roulette

20 Responses

  1. Alan Cottrell says:


  2. Mike Siegel says:

    Very good post. No one ever wants to talk about the tradeoffs in election mechanisms.

    (And you guys on Twitter should follow Genya. I’ve followed her for years and she’s awesome.)Report

  3. Oscar Gordon says:

    Now take all of that, and apply the broad concepts to security in all domains.Report

  4. CJColucci says:

    I miss the big, green, curtained machines with toggles and big, noisy levers that NYers used to vote on. They worked — at least until some of them got very old and nobody was making replacements — couldn’t be hacked, and were easy to understand. If I had the money, I’d buy the rights to them, sell the idea of reviving them, and manufacture them again.Report

    • Michael Cain in reply to CJColucci says:

      We had these when I was a lad in Iowa. There were regular stories about unintentional mal-adjustments and undercounts. There were occasional stories about intentional mal-adjustments (hacking). Even when new, they failed basic statistical tests — vote totals ending in “9”, “99”, and “999” were much more common than they should have been. No audit trail whatsoever.Report

    • Oscar Gordon in reply to CJColucci says:

      The very first time I voted, in 1992, I voted on one of those. It was the last time I’ve ever seen one in use.Report

  5. Kolohe says:

    Great post.

    I’m a big fan of the scanned paper ballots; it’s what we use in the county in which I’m pollworker. We’ve never any problems with the print job on the paper ballots in any precinct I’ve been in. It’s also faster than voting machines, because the small number of voting machines create a much more significant bottleneck than even that caused by only having a single scanner. The only time we almost had a problem with paper ballots is when we almost ran out of GOP ballots in the 2016 Prez dual primary, due to underestimating how many Dem -> GOP crossover voters there would be (normally the ratio for those that chose Dem ballot over the GOP one is 4 or 5 to 1, that day was 2-1. Though also people weren’t feeling the bern yet at that point)

    There’s also another check that I think is generally underappreciated – when precincts call in their instant results right after the polls close. Anyone with the history of how a precinct did should have a good feel of whether these early numbers pass the smell test. Then, they can also go back and see that the official results are close enough to what the prelims were, and keep a warch out for shenanigans.Report

  6. dragonfrog says:

    This all makes me grateful for the simplicity of Canadian elections – I’ve voted in every provincial and federal for the last 22 years, and the only technological problem that could have stopped me would be if the lead in the pencil was broken. And I suspect there are pencil sharpeners on hand at polling places.

    But at these elections, we’re only answering one question – whom do we prefer for our single representative at the relevant level of government. I understand US elections often have a dozen or more questions to answer, since election authorities take advantage of everyone’s presence at the polls to cram municipal election questions onto the same ballot, as well as a lot of states allowing ballot initiatives.Report

  7. Michael Cain says:

    Nice piece. I live in a vote-by-mail state. I have noticed that neither the people who tell me that there must be huge amounts of fraud going on, we’re just not smart enough to find it, and the ones who simply declare security victory, are interested in actually understanding the large (and growing) set of audits that are run on the process.Report

  8. DavidTC says:

    Imagine a worm infecting a ballot printing press that shifts the bar code printed on a ballot, making it undetectable to the ballot scanner. Or ordering the candidates the wrong way on the ballot. Or printing incorrect addresses. Or a high speed scanner overheating to the point of incineration, melting the cartridges that hold the thermal ink. Or just eating every 15th ballot, making tabulation a nightmare.

    Yes, but every single one of those things is trivially detectable. And they do not alter the vote in any particular way as much as they are a denial-of-service attack against the voting process as a whole.

    And.DRE elections are as much, possibly _more_, vulnerable to public disruptions anyway, as far as I can see. The inability to easily move the vote to another room or deal with power outages, for example, presents some obvious problems. DDoS attacks against the internet-facing sites. Physically damaging the voting machines.

    I’m pretty certain that introducing a large, required electronic device into a process isn’t going to result in _less_ places the process can be disrupted. In fact, voting machines are often, by themselves, disruptive of the process because they tend to _slow it down_…as Kolohe pointed out above, they often end up being the bottleneck!

    Saying ‘There are a lot of unseen issues with making sure elections work smoothly.’ is not really any sort of argument in the ‘electronic voting vs. paper voting’ debate.

    Unless the point is just ‘We cannot switch instantly to paper, the system is more complicated to set up than you think.’. Which I think is where a bit of context is needed for what _I_ think this article is written in response to, although it weirdly doesn’t mention it:

    People in Georgia are currently pushing a lawsuit demanding that Georgia stop using insecure DRE systems. And it looks like they’re going to win. And the important thing is: The plaintiffs also tried to get an injunction against the state using the current machines for the 2018 election, except the state whined it couldn’t set up a new system for 2018 that quickly, and so the judge didn’t grant that.

    Now, I don’t know if this is actually where the article is coming from. That’s happening Georgia, the writer is in Florida.(1) But if that’s where it is coming from…election officials shouldn’t be annoyed at security experts for trying to force changes through. Security experts have been screaming and yelling about these machines for almost two decades. Hell, the state legislature had a bill to change this all last session, which would have given plenty of time to change things…and failed to pass it.

    Sometimes the people who’ve been screaming about how unsafe a building is, for years, give up trying to convince the people in charge, and just call the fire marshal. This will result in major hassles. Don’t blame the people who called the fire marshal. Blame the people in charge who were repeated presented with evidence of the problems but failed to do anything.

    1) People in states who do not have to worry about DRE machines undetectably changing their votes sound like men dismissing the physical safety concerns of women. ‘What do you mean, the parking lot isn’t safe? Sure, I’d never be attacked walking to my car, I’m a man…but I think you’re worried about nothing!’/’What do you mean, your vote could be trivially altered in the computer with a line of code? Sure, I live in a state where election observers, including me if I want to, sit and watch the ballot box I put my paper ballot in until the ballots are all dumped out and votes counted…but I think you’re worried about nothing!’Report

    • Oscar Gordon in reply to DavidTC says:

      I don’t think the OP was trying to make an argument one way or another, but rather just saying that there is not perfect voting system that can not be ‘hacked’ or otherwise compromised in some fashion or another. And that the security of such systems, regardless of what they are, involve balancing security and access. If someone is telling you they’ve got the perfect system (best security, best access), they are probably trying to sell you something, or they haven’t thought the problem out fully.

      Just like in every other domain where security is a going concern.Report

      • DavidTC in reply to Oscar Gordon says:

        I don’t think the OP was trying to make an argument one way or another, but rather just saying that there is not perfect voting system that can not be ‘hacked’ or otherwise compromised in some fashion or another.

        There is a large difference between things being disrupted to the level they clearly are broken, and things being completely subverted but appearing normal.

        In a general sense, literally, no security is perfect. There’s not a bank people can’t break into with enough explosives, or a person that cannot be kidnapped with enough firepower, or a website that cannot be taken offline if enough bandwidth is available to attack it.

        Security is not making sure those things can’t happen. Not at that level. It’s making sure those attacks are very very noticeable.

        I would much prefer the attacks on the voting system end up causing some places not to be able to vote, or causing machine to misread printed ballots (which would obviously be caught with spot testing), things everyone knows about and can see and has to deal with, than to have secret attacks that secretly alter votes.

        And that the security of such systems, regardless of what they are, involve balancing security and access.

        In physical security, yes, but elections don’t really have physical security during them. People just…walk in. There is a slight level of physical security to part of the process in that you have to be a registered voter to interact with the machines or ballot boxes or whatever, but…that’s easy enough.

        Unless by ‘access’ you mean ‘ease of voting’, but not only are there obvious ways to do that beside DRE, electronic voting machines aren’t particularly good at that anyway. They solve some problems, but introduce others. For the most obvious one, they require people to stand in line longer. And require people with bad gross motor skills to push computer screens. (And, yes, people can be bad at that and still able to write.) They can even cause problems because they often are set up as to require people to stand instead of sit down.

        Even the _exact people_ that electronic voting systems are supposed to help with, blind voters, often run into problems because workers often don’t really know how to get the audio system working and headphones located for the sole blind person that comes into their precinct. And meanwhile, in this example, there are two elderly people who had to leave because the line was too long thanks to the voting machine bottleneck and they can’t stand that long, and two other people who didn’t really understand the machine instructions (One a non-native speaker, the other has a reading disability.) and never confirmed their ballot.

        It is pretty unclear if computers actually made the system better, numerically speaking.

        If someone is telling you they’ve got the perfect system (best security, best access), they are probably trying to sell you something, or they haven’t thought the problem out fully.

        Yeah. Like the people who sold everyone DRE voting machines two decades ago, replacing a paper-based system that had slowly been almost perfected over 100s of years to near untamperability with one that…literally anyone could tamper with. (Including, for the suspicious among us, the sellers.)Report

  9. Jaybird says:

    I like paper ballots for one reason only: if you want to add an additional 10,000 votes, you need a team of people to do it. Like, even in theory, you’d need multiple people.

    If you want to introduce a worm that hacks an election, you only need one person (it might help to have more, but, in theory, you’d only need the one).

    The issue is not whether there is one perfect election method. Hey, the perfect is the enemy of the good and the tradeoffs for one are going to be weighed more heavily in this part of town and the tradeoffs for the other are going to be weighed more heavily in that part of town and who can say which is better?

    But *I* like paper ballots because if you’re going to swing an election, it requires a team of people and it requires them to collude with each other and that introduces a hell of a lot more risk than would be introduced with a single guy with a single thumbstick with access to a particular USB port.

    Is it foolproof? Of course not. But my argument is not that we should do this because it is foolproof.Report

  10. Aaron David says:


    I own a small business (just me) that does graphics designed specialty marketing. Every time I go to press I have nightmares that there is going to be something, something that I miss in proofs. Fortunately, I have the option of pulling my product if that happens, granted at a significant cost to me. That is not an option for you guys and I am very impressed.Report

  11. Maribou says:

    This was a really interesting post. As someone who has never voted in a US election, only in a relatively simple Canadian one, I continue to be fascinated by the intricacies of the system.Report

  12. George Turner says:

    I’m not worried about election security because our Kentucky Secretary of State gave our raw voter database (which even candidates can’t access) to a bunch of hackers in Finland who drink vodka with Russian generals. One of the SOS’s primary campaign donors sits on the board of the Finnish hacking company, so it’s all good.Report

  13. Rob Hansen says:

    If there was one way I could wave a magic wand and change the national debate about DRE-versus-paper, it would be to get everyone to stop thinking paper solves all the problems. Switching (whether from paper to DRE or vice-versa) means you need to change how you think about risks, exposures, mitigations, and so on — not that everything’s fixed. A great number of national pundits miss this.Report

  14. Mr.JoeM says:

    XKCD had an great take regarding the maturity of software engineering in election systems vs. other engineering disciplines. (also, read the alt-text)