The quantitative effect of voting machine vulnerabilities in the US

TL;DR Democrats can’t win the presidency in 2020 without flipping deep red (R+15 or more in 2016) states or at least one, and probably two, states that Rs won in 2016 that have multiple severe election security vulnerabilities.


Election security has been a hot-button topic lately, but I have yet to see any articles about how much these vulnerabilities allow the 2020 election to be manipulated.  As an introduction to election security issues, I highly recommend watching why electronic voting is a bad idea (short and entertaining, trust me), and if you want a more academic take, this recent paper discusses the issues with ballot-marking devices (BMD).  This blog is in complete agreement with the paper that the only legitimate use for ballot-marking devices is for those who are physically incapable of hand-marking a paper ballot by themselves, but still doesn’t consider them a necessity for that purpose (states can have voter-assistance protocols and only use hand marked paper ballots).  BMDs and other voting machines are technologies that have absolutely no reason to exist for the general population, but thanks to ignorance and good old-fashioned corruption, we’ve given corporate handouts of hundreds of millions of dollars in return for machines that are worse than worthless and compromise the very ability of a fair and verifiable election to exist in many jurisdictions.

This post only covers threats that result in the final vote count not reflecting the votes that were cast.  Compromising the list of eligible voters, engaging in a variety of forms of voter suppression, and packed courts simply refusing to accept the results even after a recount are also dangers, but they’re beyond the scope of this post.  This post would not be possible without the resources at Verified Voting, and unless sourced otherwise, information about voting methods in use is from there.  Electoral college maps are from  Links to recount statutes were mostly found on Ballotpedia.

There are three major types of voting equipment in use.

The hand-marked paper ballot, generally read by an optical scanning machine.  While the video above is correct that the scanning machine is vulnerable to attacks, the defense to these attacks is the ability to hand-count ballots, and having a candidate-funded recount always available by law is the ultimate backstop against scanner attacks.  The robustness of various recount schemes will be discussed in the state-by-state section later.

Ballot-marking devices are extremely expensive pencils that fill out a ballot that a scanner then reads.  While useful for the small number of physically impaired voters, as the paper above notes, in practice it’s difficult to make sure that they’re working properly on election day.  Quoting from the paper, “half of voters don’t look at their ballot printout at all, and those who do look for an average of 4 seconds”.  They’re brutally vulnerable for down-ballot races, and even for the top race (e.g. President), attacks to change the overall margin by 1-2% are close to undetectable under optimistic assumptions and possibly even 5% or more under real-world conditions.  The defense to BMD attacks is simply to not use them, or at worst for only the physically impaired to use them.  Because they create a ballot that then has to be scanned, scanner attacks from the previous section are also still in play.  These are bad- really bad- but at least they aren’t…

Direct recording electronic systems (DRE) record votes directly on the machine itself.  This is obviously a complete security disaster.  Some machines also create a paper ballot, which would make them similar to the BMD group- if they work properly.  The ES&S ExpressVote XL and Dominion ImageCast Evolution have a ridiculous security flaw that allows users to irrevocably decline to review their ballot, AND THE MACHINE ONLY PRINTS THE BALLOT AFTER THAT- whatever ballot it feels like printing because the voter can’t detect it anymore.  The Dominion ImageCast X can’t do that, but it can print on the ballot after it has been “verified” for the last time. Because the ImageCast X can only fill in races where the voter didn’t record a vote, that flaw is much more limited in scope, especially for top-of-the-ballot races, but it, and all other DREs with a paper trail, are at *least* as bad as BMDs above.  The defense to DREs is to dump them all in the bottom of the sea.


This post is going to focus on these weaknesses, but if you really feel like being depressed, there are a lot of security weaknesses that we’re not addressing here.  It’s really difficult to overstate the attack surface all of these electronics allow, and none of them would be more than mere annoyances if hand-marked paper ballots with a hand recount always available were adopted everywhere.  But alas..

This is a map of the 2016 election (deep red (e.g. OK, LA) = Trump crushed, pink (e.g. FL, PA) = Trump won small, etc).


Deep blue and deep red states aren’t going to be examined- if any are flipped legitimately, the election is almost certainly over, and hacking them is unnecessary and too obvious.  Looking at the competitive states, some are pretty boring from a security perspective.

These states all have hand-marked paper ballots and hand recounts always available (if the candidate is willing to pay for it, of course).

Oregon (D+11).

New Mexico (D+8)

Colorado (D+4)

Maine (D+3) / Maine District 2 (R+10)

Minnesota (D+1.5)

Michigan (R+0.2)

Nebraska District 2 (R+2)

These states use all or predominantly hand-marked paper ballots, but have issues with their recount protocol (ranging from likely inconsequential to extremely vulnerable)

New Hampshire (D+0.3) All paper ballots, hand recount available if the margin of victory is within 20%.  This is a stupid rule, but cheating blatantly enough in 2020 to produce R or D +20 in a competitive national election would be even more stupid.

Connecticut (D+13) All paper ballots, hand recount mandatory in very close races *or* if the election moderators suspect shenanigans.  Any R win outside the margin of error would qualify as shenanigans unless the national election is a bloodbath in Trump’s favor.  This is a horrible system that just isn’t likely to be exploited here.  Discretion on whether or not a recount is ever performed shouldn’t exist and certainly shouldn’t belong to one party.

Iowa (R+9) All paper ballots, recount always available, but the election officials have the discretion to recount ballots with machines again instead of by hand.. which removes the ability to correct machine attacks.  As in Connecticut, this discretion shouldn’t exist.

Virginia (D+5) All paper ballots, recount only available in very close elections.  Furthermore, recounts for optically scanned ballots are *rescanned by machine only*.  The machines are supposedly tested before the recount, but that obviously doesn’t defend against certain attacks.  This statute is completely insane in two ways.  If one side simply cheats *a lot*, there’s no recount available at all, and never doing a hand recount, when a major purpose of a recount is to fix machine screwups and defend against machine cheats, is inexcusable.

Arizona (R+3) Mostly paper ballots by mail (~80% of votes) and a mix of paper and BMDs at precincts.  The only recount available is if the vote tally is within 0.1%.  There’s a mandated pre-count check on some machines that compares machine and hand counts for 1-2% of ballots before counting all the ballots.  That’s trivially defeated by telling the machines to be honest for the first X ballots, and the centralized locations of vote-by-mail counting makes it possible to change *a lot* of votes by compromising a very small number of machines in one place, and the lack of a recount allows it to work.  This is effectively the exact system that the video was warning against re: blindly trusting scanning machines.
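A toy model of the pre-count check described above, as an added example that is not from the original post: the scanner model, the ballot data and every function name are constructed for illustration. It shows that comparing hand and machine counts on the first ballots says nothing about the rest of the count, while a full hand count (or, as an added comparison, a random sample drawn after the count) exposes the discrepancy.

```python
import random

def make_ballots(n, share_a, seed):
    """Constructed sample input: the true (hand-readable) mark on each ballot."""
    rng = random.Random(seed)
    return ["A" if rng.random() < share_a else "B" for _ in range(n)]

def scan(ballots, honest_prefix, misread_every):
    """Toy scanner model (hypothetical): accurate for the first `honest_prefix`
    ballots, then records every `misread_every`-th 'A' ballot as 'B'."""
    readings, later_a = [], 0
    for i, mark in enumerate(ballots):
        if i >= honest_prefix and mark == "A":
            later_a += 1
            if later_a % misread_every == 0:
                mark = "B"
        readings.append(mark)
    return readings

def mismatches(ballots, readings, indices):
    """Hand-versus-machine comparison on the chosen ballot positions."""
    return sum(1 for i in indices if ballots[i] != readings[i])

def precount_check(ballots, readings, k):
    """Check run before the count: only the first k ballots are compared."""
    return mismatches(ballots, readings, range(k))

def random_audit(ballots, readings, k, seed):
    """Audit after the count: k positions drawn at random from all ballots."""
    picks = random.Random(seed).sample(range(len(ballots)), k)
    return mismatches(ballots, readings, picks)

def full_hand_count(ballots, readings):
    """Hand recount of everything: (true 'A' tally, machine 'A' tally)."""
    return ballots.count("A"), readings.count("A")

if __name__ == "__main__":
    ballots = make_ballots(100_000, 0.5, seed=1)
    readings = scan(ballots, honest_prefix=2_000, misread_every=20)
    print("pre-count check mismatches:", precount_check(ballots, readings, 2_000))
    print("random audit mismatches:   ", random_audit(ballots, readings, 2_000, seed=7))
    print("hand vs machine 'A' tally: ", full_hand_count(ballots, readings))
```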

These states use significant numbers of BMDs or BMD-equivalent DREs, but have hand recounts always available.

Once the electronics are introduced for the act of marking a ballot, they become an attack surface along with the scanners used to count those ballots.  In this group, the scanner vulnerabilities are mitigated by the hand recount availability, but the BMD vulnerabilities discussed above remain.  And for those who trust in machines and state election officials and all, these machines were already a disaster without being maliciously attacked.

Nevada (D+2) Almost entirely Dominion ImageCast X (one that can still print on ballots after voter verification) with no plans that I can find to dump this before 2020. Amusingly, a quirk in Nevada law dating to the 1970s requires an option for “None of the above candidates” in every race, allowing voters to affirmatively mark a ballot for “Nobody” instead of simply leaving the contest blank…. which mitigates the ImageCast X design flaw of being able to print votes in contests the voter left blank, making it effectively a BMD.

Ohio (R+8) has a mix of paper and BMD/DREs now, but it’s pushing towards paper ballots and simple BMDs.  No DREs are certified so far for 2020, and hopefully that will continue to be true.

These states use significant numbers of BMDs or BMD-equivalent DREs and have no hand recount always available, making them doubly vulnerable

North Carolina (R+3) Mix of paper ballots, BMDs, and DREs with a paper trail in 2016.  The main current DRE (iVotronic) is getting decertified for 2020.  Counties appear to be individually responsible for selecting new systems that either use hand-marked paper ballots or mark a paper ballot, and that leaves the possibility of a significant number of ExpressVote XLs and ImageCasts appearing on the scene, which would warrant an even worse grouping.  Even if it’s “just” a lot of new BMDs, recounts are only available for races within 1%, leaving the scanners vulnerable as well.

These states will have no ability to conduct a verifiable close election in a statewide race, either because they use enough machines with no paper trail or use enough ExpressVote XLs and/or ImageCast Evolutions to render the paper trail meaningless.

Wisconsin (R+0.7%) Mix of paper ballots and a wide variety of BMDs, and DREs with a paper trail, including 10.7% of municipalities using ImageCast Evolutions. Furthermore, Wisconsin only allows recounts in very close races, so all three avenues are vulnerable- the scanners, the BMDs, and the ImageCast Evolutions.

Delaware (D+11)  Wasting tens of millions of dollars to replace everything with ExpressVote XLs for 2020. This is completely insane. Recounts are only available in close races (as useless as recounting fabricated ballots would be).

New Jersey (D+14) mishmash of different DREs with no paper trail and no coherent plan to not be quite vulnerable in 2020.  A couple of counties might move to something less awful, but not enough to matter.  Candidates can pay for a recount… except there aren’t any ballots to count again.

Texas (R+9) Has tons of DREs with no paper trail and no plan to change that for 2020.

Florida (R+1) Mostly paper, but enough DREs with no paper trail to flip any legitimately close election.  If this is somehow remedied by 2020, the recount law is terribly deficient- only races within 0.25% get hand recounts and races within 0.25%-0.50% get a machine recount, which would put Florida in the Arizona group.

Georgia (R+5) currently uses all DREs with no paper trail.  There is talk of replacing these machines by 2020, but given the entanglements between Georgia politicians and ES&S, it would almost certainly be with ES&S ExpressVote XLs, which means replacing no paper trail with a potentially fake paper trail.

And then there’s Pennsylvania..

Pennsylvania is currently a dumpster fire like Georgia or Texas, overrun by DREs with no paper trail.  The governor is making a hard push to replace these by 2020, which may or may not work.  And when it does “work”, places like Philadelphia can just buy ExpressVote XLs and not really make progress on the security problem.  It’s not clear exactly how bad election vulnerability in PA will be, but it’s horrible now and it seems unlikely that what needs to happen to secure it- almost all current DREs removed and almost no ExpressVote XLs and ImageCasts installed- will actually happen, or probably even come close to happening.

What does this all mean?

Under the hypothetical 2020 scenarios where Democrats do a bit better across the board (if Rs do, voting security doesn’t matter since they’re winning in a landslide), let’s look at what happens with a little malfeasance that benefits Republicans.  Under the following rules:

Democrats hold every state they won in 2016 (Rs don’t try to rig NJ or DE because it’s too obvious and leave NV alone since it’s a bit risky to flip, say, 5% off BMD deficiencies on the top-ballot race)

Republicans or Republican-aligned interests take the low-hanging fruit and rig the horribly vulnerable elections in states they control (TX/GA/AZ/FL/IA) as well as holding all the deep red states.

We get this map, marking “decided” states in deep color, states/districts with R>=+5 in 2016 in pink, and everything else a tossup


Democrats need 38 more (269-269 is an R win), which is not a simple ask.  Ohio (R+8) was significantly red and will be BMD-infested at best.  Michigan, Nebraska District 2, and Maine District 2 are fair, but WI and likely PA are both dumpster fires in terms of security, and NC is a real mess as well.

It’s *literally impossible*, unless D’s flip one or more deep red states somehow, to win in 2020 without taking a state that has serious-to-extreme election security flaws, and most likely more than one.  Breaking this down a little further, if D’s lose Michigan (a fair state), they’re also almost guaranteed to lose OH, which they lost by 8% more in 2016, meaning they have to sweep WI/PA/NC, all of which have major security issues.  I wouldn’t want to be the Ds there even if those elections were fairly counted.  Assuming the Ds win MI, which they likely do in a legitimate win, gives this map


which clarifies things considerably.  Ds have 2 paths, winning PA, NE 2 (R+2), and ME 2 (R+10), which is a really tough ask, or winning any 2 of OH, WI, PA, NC.  That’s a 2016 R+8 state and 3 states that Rs won in 2016 with disaster-level election security problems.  If you take election fairness seriously at all, this has to be terrifying.
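The path arithmetic above, checked by enumeration (an added example, not from the original post). The electoral vote counts are the 2010-census apportionment and are supplied here rather than by the post; the starting total follows from the post's "need 38 more", and the function names are illustrative.

```python
from itertools import combinations

# Electoral votes, 2010-census apportionment (added here, not stated in the post).
EV = {"MI": 16, "OH": 18, "WI": 10, "PA": 20, "NC": 15, "NE-2": 1, "ME-2": 1}
FAIR = {"MI", "NE-2", "ME-2"}   # the tossups the post calls fair
WIN = 270                       # 269-269 counts as an R win in the post
BASE = WIN - 38                 # the post: Democrats "need 38 more"

def minimal_paths(won=(), lost=()):
    """Smallest sets of additional tossups that reach WIN, given states already
    won or written off. Supersets of a shorter winning set are dropped."""
    start = BASE + sum(EV[s] for s in won)
    pool = [s for s in EV if s not in won and s not in lost]
    paths = []
    for size in range(1, len(pool) + 1):
        for combo in combinations(pool, size):
            reaches = start + sum(EV[s] for s in combo) >= WIN
            if reaches and not any(set(p) <= set(combo) for p in paths):
                paths.append(combo)
    return paths

def fair_only_total():
    """Electoral votes if Democrats win only the tossups the post calls fair."""
    return BASE + sum(EV[s] for s in FAIR)

if __name__ == "__main__":
    print("fair tossups only:", fair_only_total(), "of", WIN)
    for path in minimal_paths(won=("MI",)):
        print("with MI:", " + ".join(path))
    print("without MI and OH:", minimal_paths(lost=("MI", "OH")))
```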

There is a path out for Ds here, but it requires strong leadership and decisive action on something that’s still a fringe issue to most people in and out of government, and it goes against entrenched corporate interests, so I know damn well it’s never going to happen, but the proper course of action security-wise is for WI and NC to immediately decertify all electronics, including scanners, and for PA to decertify all electronics except for scanners.  PA can allow scanners because it has a solid recount statute, but WI and NC don’t (unless their Republican-controlled legislatures decide to pass one), so the only safe method for them for now is good old hand-counting.


And don’t forget the various forms of attacks on the voter rolls that are already happening that weren’t discussed here……..


P.S. Comments are moderated.  Corrections or additions are welcome. Legitimate questions and interesting content are welcome.  JAQing off and random partisan hackery won’t be approved.







