The covfefe of the last few months has been supposed election fraud due to mail-in voting. While Pres. Trump and his acolytes have spread huge lies about the 2020 election, time moves on and there are other elections coming up. On August 6, 2021, a tweet by @ElectionWiz breathlessly warned us about California's "home ballot system" that lets folks print their own ballots, and obviously "what could go wrong" with the upcoming recall election? That warning, however, was probably 1000% bogus. If nothing else, RAVBM has been in use for several years, and they're only now raising an alarm? But, there's a bigger issue with ensuring the election system is so completely secure that naysayers have no room to cast doubts. A fairly simple technology is available, the QR Code and other forms of Matrix Barcodes, which could be embedded in ballots, and which would all but eliminate uncertainty about the validity of mailed-in ballots, even ones printed at home.
Normally the Government prints ballots, even the ballots which are sent in by mail, a fact which is itself a security measure. When election officials receive the ballot, they'll be screening it for possible clues whether it's a valid or invalid ballot. For example, if the printing on the ballot is wrong, or the paper is wrong, then it's clearly not a Government-printed ballot.
Over the last couple of years, in the USA, President Trump repeatedly claimed the election would be rigged against him, and then shifted to claiming it was rigged after he lost the election. Therefore, a large part of the electorate has been primed to believe that Democrats and mail-in voting are automatically fraudulent. To anyone following that line of thinking, a ballot printed on one's own printer seems even more flagrantly fraudulent.
The @ElectionWiz account seems to spread a lot of right-wing-oriented disinformation about the 2020 Election. Many postings repeat that nonsense about the election being rigged, and that the Presidency was stolen from Pres. Trump. This particular post talks about a real thing, namely California's Remote Accessible Vote by Mail (RAVBM) system, which is one of the ways voters can vote by mail. As the name implies it primarily targets voters with disabilities. The most recent voting information pamphlet I received from California says this:
This is the system ElectionWiz warned us about with the following tweet. A system helping disabled voters to more easily vote.
The recall election mentioned concerns Governor Newsom. Some believe he did bad things recently, and are hoping to do to him what was done to Gov. Gray Davis. But let's not get distracted by an analysis of the recall effort.
Instead we have an idea to discuss which is an interesting (and easy) technological solution that should make home-printed ballots safe. The idea relies on embedding barcodes (like QR Codes) into the printable ballot, so that election officials can quickly and easily validate the ballot. The warning issued by ElectionWiz is probably bogus. Instead, when examining the warning, what came to mind is embedding QR Codes into a home-printed ballot to validate it's an authentic ballot. It should be possible to use QR Codes to create an unspoofable digital identifier that can be used on any printout, such as a home-printed election ballot. That could eliminate a large swath of criticism of mail-in voting.
But before discussing that, let's go over the supposed risk of RAVBM.
Is California's Remote Accessible Vote by Mail (RAVBM) risky?
RAVBM itself seems to be benign, being part of California's mail-in voting system. It is used by California citizens who are members of the military stationed overseas, by some disabled voters, and some others who vote by mail.
The California Secretary of State website has information about the RAVBM program, including this nice video titled Accessible Vote by Mail for Voters with Disabilities going over how RAVBM works.
In other words, this is about helping folks with disabilities to cast votes. Surely this is a good thing, yes?
Since I live in Santa Clara County, I went to sccvote.org and found the page for signing up with RAVBM. While I was able to easily get the system to recognize me, and offer a ballot, RAVBM doesn't look like a productive tool for election fraud. The fraudster would need to know enough addresses and dates of birth to generate a sufficient number of ballots, then would have to forge signatures for those voters, before sending in the fraudulent ballots.
In Los Angeles County, RAVBM is implemented a little differently. The details are shown below, but their implementation does include a QR Code on the ballot printed at home.
Even though RAVBM doesn't look like much of a risk, it was enough to get my brain ticking. As a software engineer, my thinking immediately went to adding a QR Code as a bit of digital data to help validate ballots.
A potential solution for safe voting with ballots printed at home
The key idea is to include some kind of barcode containing encrypted identification data. The ubiquitous QR Code is often used for cheap marketing tricks - for example you'll see a poster on the street with a QR Code with which you can learn more information. Or, a product might include a QR Code that will send you to a documentation website.
The typical use for a QR Code is to whip out your smart phone, then use a QR Scanner application. The application will then cause the web browser on your phone to visit the corresponding website. However, QR Codes are a way to encode digital information using a matrix of black dots on a white background. As we'll see, a QR Code containing encrypted information is already in use on paper ballots printed by Electronic Voting Machines (EVM) at in-person voting places.
The way this works is that a QR Code contains data encoded as a pattern of pixels. For those marketing tricks, it will contain a website URL. But, these things can contain any kind of data.
Here's an example of a QR Code:
QR Codes like this contain data that can be read when it is scanned. For example, the QR Code shown here does not contain a website URL, but instead authentication data for joining a WiFi network. An office or coffee shop or other place could have plaques on the wall like this, then visitors could easily join the local WiFi without having to bother anyone.
QR Codes are an example of a Matrix Barcode, and there are several types of such barcodes. The QR Code format can contain up to about 3 kilobytes of ISO 8859-1 encoded data. With a well-designed payload, this could easily identify the time the ballot was generated, the location, which website it was downloaded from, and possibly even the voter for whom the ballot was generated.
Because there are several kinds of barcodes, it's possible a different barcode format might be more suitable to this use than QR Codes. The idea here isn't dependent specifically on using QR Codes, and any other barcode format could easily be substituted.
But what does this have to do with ballots and voting security?
Clearly a QR Code, or other barcode, can be included in the printed ballot. Or, there could be more than one barcode, such as a barcode on each page to validate every page. Therefore, when voting officials process mailed-in ballots, the QR Code can be scanned. It must, therefore, contain data for validating the ballot.
If we back up a bit, how will this printable ballot be generated? For voting security, what's needed is to generate a fresh ballot for each person who requests one. That means the voter identifies themselves to a Government-run website, and then the website generates a ballot specifically for them. The idea requires that each ballot must be freshly generated when requested, and contain a unique QR Code containing the authentication required to specifically identify that ballot.
The precise data contained in the QR Code is to be determined. At the minimum it should contain a timestamp, an identification code that's used for database lookups, and the number of pages in the ballot. The QR Code payload should be encrypted to increase the difficulty of forging these digitally signed ballots. Other data to be associated with the QR Code is the voter identity.
Once the ballot is generated, the voter could print it, and then using a pen mark their choices by filling in the bubbles. Afterward, the voter puts it in an envelope, signs the outside of the envelope, and drops it in the mail, or drops it in a ballot collection box. Signing the envelope is part of California's mail-in ballot process.
The fear of printing ballots at home, versus relying on government-printed ballots, is that obviously a fraudster could print a few thousand duplicate ballots. They'd then mark some choices and send in the ballots. Well, it's not so simple, because they'd still have to forge some signatures.
But consider having a QR Code on the ballot containing encrypted identification information. To successfully skew the election, the fraudster would have to forge those QR Codes. To understand why, let's talk about how incoming ballots should be processed.
Processing incoming ballots must involve scrutinizing various clues to determine if it's a valid ballot. The signature on the envelope would be checked against the voter information database, for example. Another check would be to scan the QR Code(s) on the ballot pages. The voting official can immediately validate the ballot, because scanning the QR Code tells them the voter for whom the ballot was generated, and the software could easily be programmed to know if this voter has already submitted a ballot.
If someone photocopies a few thousand duplicate ballots, this step would immediately detect the voting fraud attempt. Again, because each ballot has a unique QR Code, the scanning software can look for other uses of this QR Code, or other ballots submitted by the same voter.
Having received a duplicate ballot, voting officials should then reject all ballots with the same QR Code. Because the QR Code records data about when and where the ballot was generated, and possibly even the identity of the voter who generated the ballot, voting officials should be able to catch the perpetrator.
While this is a simple and fairly foolproof scheme, there are a couple of issues to consider.
- Adoption hurdle - Not everyone owns a computer and printer capable of downloading and printing out such ballots. Therefore, election officials can operate centers where people can go to print their ballots.
- Inkjet printouts can be destroyed if they get wet - Not all home printers are high quality, producing prints that will stay stable if mistreated.
- Sufficiently clear instructions for all voters - For example, we can expect that even if the instructions clearly say to use black ink, that some voters will write with pencils, or other colors than black. Just look around at your fellow humans, and realize that's the truth. The solution here is for the scanning software to be accepting of all ink colors.
- Voters using sharpies - Some printers handle printing on both sides of the paper. A voter could decide to decrease the sheets of paper used by printing on both sides. Then, if that voter uses a pen that bleeds through, like a Sharpie, the ballot marks would show on both sides of the paper, and confuse the scanning software as to voter intent.
- Denial of Voting attack - What if a fraudster doesn't care about injecting fraudulent votes into the election, but instead wants to cancel legitimately cast ballots? It's not clear if this scheme is practical, but what if it were possible to generate a ballot corresponding to one cast by a legitimate voter? Going by the rules we discussed earlier, when the duplicate ballot arrives the voting officials must reject all duplicate ballots. The scheme hinges on fraudsters being able to generate such a ballot. Therefore the solution is for voting officials to make sure there's a high degree of difficulty.
Most of these issues are easily resolved by being careful with the precise design.
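The issue-and-intake flow described above (a fresh ballot per request, a scan at intake, rejection of every copy of a duplicated code, and the forgery difficulty the Denial of Voting item asks for), sketched as an added example that is not part of the original article or of any election system's code. It assumes an HMAC-SHA256 tag over the payload in place of encryption, since resistance to forgery comes from authenticating the payload; the field names, the `Intake` class and the key handling are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def sign(key: bytes, fields: dict) -> str:
    """Serialize the payload and append an HMAC-SHA256 tag (the QR Code text)."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, tag))


def issue_token(key: bytes, issued_at: int, pages: int) -> tuple:
    """Fresh ballot: 128-bit random lookup ID, timestamp, page count."""
    ballot_id = secrets.token_hex(16)
    return ballot_id, sign(key, {"id": ballot_id, "ts": issued_at, "pages": pages})


def verify_token(key: bytes, token: str) -> Optional[dict]:
    """Return the payload if the tag verifies, else None."""
    try:
        payload, tag = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except ValueError:  # wrong number of fields or invalid base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return json.loads(payload) if hmac.compare_digest(tag, expected) else None


class Intake:
    """Scan every envelope first, then count only IDs that were seen once."""

    def __init__(self, key: bytes, issued: dict):
        self.key = key
        self.issued = issued  # ballot ID -> voter record (the database lookup)
        self.scans = {}       # ballot ID -> number of valid scans

    def scan(self, token: str) -> str:
        payload = verify_token(self.key, token)
        if payload is None or payload["id"] not in self.issued:
            return "forged"   # a bad tag never touches the duplicate counter
        ballot_id = payload["id"]
        self.scans[ballot_id] = self.scans.get(ballot_id, 0) + 1
        return "ok" if self.scans[ballot_id] == 1 else "duplicate"

    def countable(self) -> list:
        """Apply the reject-every-copy rule after all scans are in."""
        return sorted(i for i, n in self.scans.items() if n == 1)


def demo() -> dict:
    """Constructed run: one photocopied ballot, one forgery, one clean ballot."""
    key = secrets.token_bytes(32)  # constructed key; real key storage is out of scope
    id_a, tok_a = issue_token(key, 1628208000, 2)
    id_b, tok_b = issue_token(key, 1628208060, 2)
    intake = Intake(key, {id_a: "voter-A", id_b: "voter-B"})
    # The forger knows voter B's ballot ID but has to sign with a key of their own.
    forged = sign(secrets.token_bytes(32), {"id": id_b, "ts": 1628208060, "pages": 2})
    scans = [intake.scan(t) for t in (tok_a, tok_a, forged, tok_b)]
    return {"scans": scans, "countable": intake.countable(), "id_b": id_b}
```

In the constructed run, voter A's ballot is excluded because its code was scanned twice, while the forged copy of voter B's ID fails the tag check and leaves B's ballot countable.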
QR Codes on voter identification cards
SAFE, CLEAN AND UNBIASED ELECTIONS WITH ENCRYPTED QR CODE VOTER CARDS is a proposal to use QR Codes on voter identification cards. The author of the study recognizes many of the problems named here. It seems that the author wishes to see electronic voting machines (EVMs) continue to be used, for example to avoid the "waste" of paper from printing paper ballots.
The study suggests creating a secure voter identification card incorporating a QR Code.
This is a standard voter identification card as used in India, but with the existing simple barcode replaced by a QR Code. The paper describes the algorithms required to quickly validate the voter, detect fraudulent voter ID cards, and to detect repeated usage of a given voter ID card.
QR Codes are used on some Georgia paper ballots
Fact check: QR codes on Georgia ballots record votes as cast concerns a claim in two social media postings (on Parler and on Facebook) that QR Codes on paper ballots in the Senate Runoff Election in Georgia in late December 2020 showed that votes had been flipped. According to the MSN Factcheck article, both postings contained the claim: “Here’s my Georgia Runoff Ballot. The Ballot says I voted for Loeffler and Perdue BUT the QR Code says I voted for Democrats. Scanned it into a Dominion Voting Machine. The SCAM is Real!”
The two postings are no longer available. In the case of Parler, that site was shut down after the January 6 insurrection, and the resurrected Parler probably does not have the old postings. The Facebook posting is simply no longer available.
According to MSN, the document shown in the postings appeared to be a Georgia runoff election ballot printed by a Georgia voting machine. In Georgia, in-person voters use an electronic voting machine (EVM) to make selections, and then the machine prints a paper ballot containing a QR Code with encrypted data recording the vote. The voter then puts the ballot into a scanning machine, the vote is recorded, and the paper ballot is kept in a locked box.
Mail-in voters use a traditional paper ballot with bubbles they fill in using a pen.
The QR Code records the bubbles that would have been filled in had this been a regular paper ballot.
A security feature is that the ballots printed on site have "security fibers" enabling quick identification.
According to the election official interviewed by MSN: “She had a ballot — a picture of a ballot, which is illegal to have — saying that it’s telling her things that it has an inability to do." It's illegal to take a picture of a ballot, and in any case it's impossible for someone (other than election officials) to have decoded the QR Code to determine what the vote was. Therefore the claims above are false.
On the Secure Vote Georgia website is a page describing the process. The image here comes from a video on that page.
The in-person voting process starts with handing a government-issued ID card to a poll worker. The poll worker validates the ID card -- NOTE that on the back of the ID card is a digital security code similar to a QR Code. That code is read by a standardized scanner, and a tablet computer is used for verifying the identity. The voter uses a pen on this tablet computer to give their signature. Once validated, the voter is given a card with which to activate an electronic voting machine (EVM).
At the EVM, the voter makes their selections by tapping them on the screen. Once their selections are made, the paper ballot is printed.
We see here that the ballot contains a QR Code along with some text. The voter is instructed to review the text, and when the ballot is scanned to review what was scanned.
Los Angeles County interactive sample ballot uses QR Codes to speed up in-person voting
How to Use the Interactive Sample Ballot demonstrates part of the voting system in Los Angeles County. The voter goes to the lavote.net website, goes through the Interactive Sample Ballot on the website, and it generates a QR Code that can be downloaded to a smart phone. At the polling place, they scan the QR Code into a voting machine, and the voting machine automatically picks up the vote. That enables the voter to spend less time at the polling location.
How to Use and Return an Accessible Vote by Mail Ballot demonstrates how Los Angeles County voters use the RAVBM ballot. The resulting ballot is:
Notice that it includes a QR Code, but only on the first page. The voter then folds the printed ballot, putting it into the official envelope provided by the election board.
In other words, the RAVBM voter doesn't just go to the LA Vote website, fill a few things out, then print out a ballot. The voter first receives an information packet, including the official envelope, which is then used for sending in the ballot.
The Cybersecurity and Infrastructure Security Agency (CISA) ballot recommendations include QR Code guidance
CISA is the lead US Agency on cybersecurity, and has extensive information about securely running elections. However, in the USA elections are run by a combination of the Secretary of State in each state, and the Election Board in each County. Therefore the Federal Government can only issue guidance.
In July 2020, CISA issued this guideline: MAIL-IN VOTING: ELECTION INTEGRITY SAFEGUARDS
This document describes what is generally done to secure mail-in voting across the USA. This guidance is for a paper ballot provided by the Election Board, mailed to the voter, who then mails the completed vote back to the election board. It describes several levels of security in the mail-in voting system, one of which is the potential for QR Codes to validate identity.
Colorado removes use of QR Codes on paper ballots
On September 16, 2019, the Colorado Secretary of State issued a press release claiming that removing QR Codes from printed ballots will improve election security. This is the opposite of what's suggested in this article.
This quote attributed to the Secretary of State is included: "I am proud that Colorado continues to lead the nation in election cybersecurity," said Secretary of State Jena Griswold. "Voters should have the utmost confidence that their vote will count. Removing QR codes from ballots will enable voters to see for themselves that their ballots are correct and helps guard against cyber meddling."
The issue discussed is that, when an electronic voting machine is used, Coloradans desire to visually verify the vote purely with human-readable information. The QR Code is not human-readable, and therefore not trustable, it seems.
The press release describes the situation this way:
Currently, when a Coloradan votes at a polling location, they may use a ballot marking device that prints a paper ballot that displays both the voter's choices and a QR code embedded with the voter's choices. Although voters can see their vote choices, they cannot verify that the QR code is correct. These ballots are tabulated by machines that decode the votes contained in the QR code. QR codes could be among the next target of an attack and are potentially subject to manipulation. Colorado will be the first state to require ballots from ballot marking devices to be tabulated using only human-verifiable information and not QR codes.
This is an understandable point of view, and I see in it a question whether humans will eventually be controlled by machines. In any case, to take this route also requires ensuring that ballots are printed in a rigidly defined format. If everything on the ballot is precisely located, it can be quickly scanned by software which knows the format.
But the risk is whether the lack of digitized codes (like QR Codes) makes it easier for election fraudsters to generate fraudulent votes with which to stuff the ballot boxes.
Summary
We started this by pondering a probably bogus claim about California's Remote Accessible Vote by Mail (RAVBM) system. As a software engineer my thinking leaped to using QR Codes to validate paper ballots, even ones printed at home by the voter.
It turns out that some localities do use QR Codes on printed ballots. Several use electronic voting machines (EVMs) that produce printed ballots containing QR Codes that in turn contain an encrypted record of the selections. As for RAVBM, the ballots generated in Los Angeles County contain a QR Code.
In other words, this idea has validity, and there are several similar efforts in development or already implemented.
As this is written, there is a pressing issue in American politics about reliably auditing election results. The 2020 USA Presidential Election ended with Pres. Trump launching the "Stop the Steal" effort claiming the election was stolen from him. While he is almost certainly 1000% wrong in this claim, great damage is being done. A method for clearly, simply, and easily auditing election results would limit the ability for the loser of an election to cry foul.