By Patrick Colbeck
Should we trust our election results?
Before you answer that question, answer the following question.
Did you know that elections all across America are being certified on the basis of election results provided by vote tabulation machines which have never been tested?
Don’t get me wrong. There is plenty of testing of vote tabulation machines going on, just not testing of the machines responsible for the final election results.
Did you know that there are multiple gaps in the audit trail between the scanning of your ballot by electronic vote tabulators and the posting of election results?
The level of trust expected of citizens is much more significant than you may have been led to believe. In this post, we will perform a deep dive into exactly how much trust you are expected to have in our election system.
Before we explore our required trust levels, it is important to review what is known about the processing of election results with today’s modern electronic voting systems.
Examination of Election Results Chain of Custody
No other election record is more important than the election results. Our elected officials and ballot measures are all certified on the basis of these records, yet how much do you really know about how these election results are generated?
It is time to explore how these results are generated in the era of electronic voting systems. The following diagram is an attempt to summarize the process by which our vote tallies proceed from precinct-specific vote tallies to final aggregation of these precinct-based results into the overall results for a given race or ballot measure. For the purpose of this discussion, I will focus upon election results transfers using the Dominion Voting System. In Michigan, this system is used in 65 out of 83 counties including large population centers such as Wayne County, the home of Detroit.
There can be significant variation in this process from community to community. Some communities do not have Absentee Voter Counting Boards (AVCBs). Some communities have AVCBs paired with a single precinct. Some communities have AVCBs responsible for tabulating votes across multiple precincts. Some communities use electronic adjudication workstations to resolve errata on absentee ballots while others use a manual spoil and duplicate process. Some communities aggregate their results in an EMS Server before transferring their results to the county. Some communities rely upon the county to perform the election results aggregation with an EMS Server. Regardless of these variations, the starting point and the end point are the same. It all starts with precinct-based election results and ends with a summation of these precinct results that determines the winner of a given contest. What happens in between underscores the importance of the precinct-level results integrity and the importance of the chain of custody in the transfer of these results from machine to machine leading up to their final tally.
The integrity of precinct-level tabulation results is the fundamental building block for all downstream tabulation efforts. In counties that use Dominion Voting Systems, precinct-level tabulations are performed by both ImageCast Precinct (ICP) and ImageCast Central (ICC) tabulators. If these precinct-level records are compromised, so are the overall election results. These devices are not the only devices which tabulate votes, however. There are also Adjudication Workstations, Results Transfer Managers (RTM), and Election Management System (EMS) Servers which perform vote tabulation functions. As with any chain of custody discussion, the integrity of a chain is only as good as its weakest link. With this in mind, let’s take a closer look at all of these links in the election record chain of custody.
ICP vote tabulators are used in support of in-person voting. Each precinct is equipped with an ICP tabulator.
The key components of these tabulators are listed below.
Precinct-specific results are printed on the thermal printer included with the ICP. These printouts are provided in support of Public Accuracy Tests and Election Day Operations. Typically a “zero tape” is printed before tabulation and a “results tape” is printed out after the precinct tabulation has been closed. These tapes are important components of the vote tally audit trail. Printouts obtained by poll observers on election night can be checked against any precinct-specific election results reported at the municipal, county or even state level. There should be no deviation between what these downstream vote tallies show and what the precinct-results on election night show.
Absentee Voter Counting Board (AVCB) Tabulation
ICC vote tabulators are used in support of AVCB operations. Unlike ICP tabulators which scan one ballot at a time, ICC tabulators feature high speed scanners capable of scanning ballots typically in batches of 50 or more.
Unlike ICP tabulators, ICC tabulators are often configured to scan ballots across multiple precincts. The subsequent tabulations of votes resulting from these scans are captured in “Results” files.
Unlike ICP tabulators which print precinct-specific zero tapes and closing tapes that can be viewed by poll observers, ICC tabulators store this information in a Results file that is not visible to poll observers on election night.
During the 2022 general election, poll challengers at the Detroit Absentee Voter Counting Board (AVCB) asked to see the zero tapes and closing tapes for the 24 ICC tabulators used in support of the election. They were told that they could not see them. The reason for this becomes apparent upon review of the following ICC component list.
Note the lack of a printer in the list of ICC components. Results must be transferred to a machine with EMS Server software before a report formatted to show election results by precinct can be printed. This means that there are no precinct-specific vote tallies available for ICC tabulators on election night to demonstrate the status of these vote tallies prior to the aggregation of these results by other electronic voting system components. The lack of precinct-specific vote tallies for each ICC tabulator removes a key reference point in the vote tally audit trail as it enables downstream voting systems to manipulate the precinct-specific results without any election night reference point.
Adjudication Tabulation (Optional)
One of these downstream components is often referred to as an Adjudication workstation. As alluded to earlier, not all communities perform electronic adjudication. Adjudication workstations are simply desktop computers featuring the installation of EMS Express software. They are typically connected to one or more ICC tabulators via ethernet connections as part of a Local Area Network (LAN). For the purpose of this analysis, please assume that these adjudication workstations have the same capabilities and functions as an EMS Server.
Results Transfer Manager (RTM) Tabulation
While election observers tend to focus upon the operation of the ICP and ICC tabulators, I would submit that Results Transfer Manager (RTM) workstations merit significant attention as well. An RTM workstation is simply a laptop featuring the installation of Dominion Results Transfer Manager (RTM) software.
RTM laptops are used in AVCB environments featuring multiple ICC tabulators. They aggregate election results data from multiple ICC Tabulators and transfer Results files to the Democracy Suite EMS Server as well as “shared folders on a network”.
It should be noted that in addition to transferring election results from ICC tabulators to an EMS Server, the RTM workstation is capable of transmitting “data to shared folders on a network”. The purpose of this capability is unclear but it suggests that the data from ICC tabulators is being shared with more entities than simply the EMS server.
Let’s take Dominion up on their recommendation to examine the EMS Results Transfer Manager User’s Guide in order to have a better understanding of the capabilities of the EMS Results Transfer Manager.
There are a couple of key takeaways from this section of the user’s guide:
- EMS only provides aggregate results.
- RTR users have the ability to “manually enter results for any of the defined tabulators in the system”.
These features not only confirm that the RTM software does “aggregate” (i.e. tabulate) results, they also confirm the need for a public audit trail governing any modifications of these results. Since ballot images are also among the data sets imported by the RTM software, they should be able to provide at least some degree of an audit trail…or do they?
Please note that the RTR module enables users to “overwrite ballot images” and “overwrite log files”. Such capabilities destroy any audit trail.
Why would someone want to destroy an audit trail for election results? Perhaps because of this next capability.
This software feature would come in very handy if you already had the results files you like and wish to overwrite the ACTUAL results with your preferred results…all without an audit trail.
Despite providing “aggregate results” it is important to note that RTM laptops are NEVER subjected to public accuracy tests to ensure that these aggregations are accurate.
Election Management System (EMS) Server Tabulation
The EMS Server is used to aggregate election results from ICP and ICC tabulators in a given jurisdiction. As pointed out earlier, EMS servers could be deployed at the municipal, county or even state level.
Please note that “the EMS Results Tally and Reporting (RTR) Module is used on Election Night upon close of polls to accumulate results from tabulators and generate results reports”.
Once the results have been transferred to the EMS Server, precinct-specific reports such as the one highlighted below are possible.
In lieu of an ICC report of election results by precinct, this is an example of the EMS-generated report used by canvassers to certify the election results. Despite its role in “accumulating results” it is important to note that EMS servers are NEVER subjected to public accuracy tests to ensure that these aggregations are accurate.
I would love to delve into a detailed discussion of the election results communicated by the media on election night. Because this discussion will quickly lead down a rabbit hole that detracts from the core conclusions of this post, I will save a discussion of media election result reports for another post, but I encourage you to investigate how the media gets their election night information.
The general public deserves to know the sources of the data used by the media to project winners and losers. Publicly available data points to two sources for the media’s election night data – AP and Edison Research.
An examination of the chain of custody for media election night results data would likely shed some light on live vote flips, strange vote dumps and other vote tally anomalies worthy of investigation.
Missing Links Which Subvert Trust in Election Results
Unlike physical hand-counting of ballots, electronic tabulators do their counting hidden from public view. In fact most electronic voting system vendors have provisions within their contracts with the government that prohibit the public from seeing how they tabulate votes. This translates to a need for citizens to trust that the safeguards in place to secure our vote are effective. Is this trust warranted?
Let’s find out what level of trust is truly required in order for us to believe the results of our elections. Upon review of the concerns that I have, I’ll leave it to you to conclude whether or not trust in our election results is warranted.
Missing Link #1: Equipment certification
The first trust walk citizens must take in any election involving electronic voting systems pertains to equipment certification. Certification typically involves analysis, demonstration and testing of a voting system against some prescribed requirements standard.
Did you know that under Michigan law (MCL 168.795a), an electronic voting system vendor is allowed to certify that their system meets or exceeds the state performance and test standards?
Before any electronic voting system can be used in support of election operations in Michigan, it must be approved by the State Board of Canvassers. In this light, there is a theoretical safeguard against the risks inherent with allowing vendors to certify their own systems. In reality, however, most members of the State Board of Canvassers lack the technical knowledge to effectively evaluate compliance of electronic voting systems with state requirements. To compound matters, there is a notable lack of public information available on the standards used by the State Board of Canvassers as the basis of their electronic voting system approvals.
In contrast to state certification efforts, the Federal Election Assistance Commission (EAC) has posted their approved configurations and certification standards online. A cursory review of these standards indicates that even the federal government standards are of insufficient rigor to safeguard the security of what has been designated a Critical Infrastructure Component for our nation. At a minimum, a Failure Modes and Effects Analysis down to the microchip level should be conducted to mitigate any security risks and ensure the effective operation of our election system.
During its July 21, 2022 meeting the Michigan State Board of Canvassers approved what were conveyed as minor changes to Dominion Voting Systems v5.5/5.5S for use in Michigan elections. The scope of these minor changes and the testing that was performed in order to obtain this approval is not known to the general public. It is worth noting that MCL 168.795a allows for voting equipment manufacturers to certify their own systems. The version of Dominion voting system used in Michigan per documentation associated with public accuracy tests was v5.5.3. Nowhere is there any public documentation available as to what software or hardware is part of the v5.5.3 configuration.
Without transparent disclosure of the certification standards used as the basis for any approval of an electronic voting system, it is very difficult to have any confidence that it was sufficient to protect the integrity of our vote.
Missing Link #2: Logic and Accuracy Testing Rigor
Our next step in the election results trust walk gets to the core of our assessment of any election – Are the election results accurate?
In order to answer this question, we need to examine how electronic voting systems are tested for logic and accuracy before each election. Equipment certification ostensibly verifies that the system software and hardware is capable of providing accurate and secure election operations. Every election is unique, however. It has unique candidates and ballot measures requiring unique configuration of the software for each election. Therefore, prior to use in a specific election, logic and accuracy testing must be performed on all electronic voting systems.
To get a better understanding of the rigor applied to logic and accuracy testing before an election, let’s use the City of Detroit as an example. In Detroit, there were 502 precincts assigned to 149 counting boards. Each counting board featured between 1 and 6 precincts. Each precinct featured an in-person voting location. Each of these voting locations was equipped with a Dominion ImageCast Precinct (ICP) Tabulator. In order to process Absentee Ballots, the City of Detroit created a massive Absentee Voter Counting Board at a facility called the Huntington Center. This facility was broken down into 149 separate counting boards. The ballots from these Counting Boards were assigned to 24 Tabulator workstations for scanning and tabulation. Each tabulator workstation featured a Dominion ImageCast Central tabulator. This equates to an average of 21 precincts assigned to each tabulator. Detroit is one of those communities which use adjudication workstations. 12 Adjudication workstations were connected via LAN to the 24 tabulator workstations. These adjudication workstations also tabulate election results based upon adjudicated scanned images provided by varying counting board tabulator workstations. Each adjudicator workstation would have been responsible for an average of 42 precincts.
Under MCL 168.798, electronic tabulating equipment must be tested to determine if it will accurately count the votes. These test results for the 2022 general election have yet to be published. The test results for the 2022 primary election provide an indication of the level of rigor applied to this requirement for determining the accuracy of electronic tabulation equipment:
- Out of the 450 ICP tabulators in use during the primary, only 14 were tested during the public accuracy test. According to Detroit election officials, 0 of the tabulators tested were actually in operation at the precincts.
- Out of the 24 ICC tabulators in use during the primary, only 1 was tested (See figure below) and that was only tested for one precinct. Each ICC tabulator at the Detroit AVCB was responsible for scanning ballots for an average of 19 precincts. According to Detroit election officials, 0 of the tabulators tested were deployed in support of election operations.
- 0 adjudication workstations were tested.
Samples of the Public Accuracy Test results from the 2022 Primary Election in Detroit can be seen in the following figures:
It is difficult to conclude from this “rigor” that logic and accuracy tests in municipalities such as Detroit are anything but a haphazard dog and pony show.
Missing Link #3: Tabulators Never Tested for Accuracy
The next step in our trust walk that I would like to highlight pertains to whether or not all of the electronic voting system components which tabulate votes have been tested for accuracy. We have evidence to suggest that there is at least an attempt to test the accuracy of ICP and ICC tabulators, but are they the only electronic tabulators which merit the need for logic and accuracy testing? No.
We know from our review of the election results chain of custody that the Results Transfer Manager (RTM) workstation and Election Management System (EMS) server both perform tabulation functions yet there are never any election-specific tests performed to ensure that their tabulation calculations are accurate.
Why should this concern you? Two reasons come to mind.
Reason #1: Antrim County
EMS tabulation errors were at the heart of the 7,060 vote flip experienced in Antrim County, MI during the 2020 election.
Reason #2: Certification of Election Results
Because there are no precinct-level ICC reports of election results, EMS servers actually provide the precinct-level election results reports used by canvassers when they certify the results of any election. Remember, this data passes through the RTM workstation before reaching the EMS Server.
In this light, is it reasonable to trust the certification of our election results to reports provided by tabulation equipment which has not been tested for accuracy?
Missing Link #4: Precinct-Level Results
Our next step in our election results trust walk focuses upon the fundamental building block of all election results reporting – precinct-level election results. If the precinct-level election results have been compromised, the election results for all ballot measures based upon these results are compromised. That’s why it is critical to have an audit trail that validates the integrity of precinct-level election results. The most important facet of this audit trail is to obtain copies of the precinct-level tabulator results before those results are transferred to other electronic devices.
We’ve already seen examples of the election results reports that can be generated by ICP and ICC tabulators. Here is a closer look at what one could expect from an ICP precinct results report. It provides a timestamp and clear indication of the election results for each race for the pertinent precinct.
The ICC precinct results report is a different matter. A closer examination of these reports reveals something very concerning to anyone seeking to know the precinct-level election results from each tabulator on election night. Most ICC tabulators tabulate the results for multiple precincts. The report below clearly delineates the number of ballots scanned by precinct. That’s good.
What it doesn’t show, however, is the election results broken out by precinct. It only provides an aggregate of the election results across all of the precincts. That makes it impossible to know the total votes by precinct for a given race for each election on election night. Since MCL 168.807 requires election officials to provide election results by precinct to anyone who asks for them upon closing of the precinct, any AVCB which features ICC tabulators responsible for tabulating votes for multiple precincts not only makes it difficult to know the complete election results by precinct on election night, it stands in violation of Michigan election law.
Missing Link #5: No Audit Trail
Our last excursion in our election results trust walk addresses whether or not there is a reasonable audit trail at all in the electronic voting systems used in Michigan. Under MCL 168.795, electronic voting equipment used to support elections in Michigan must provide an audit trail. As you may have guessed upon examination of the components involved in the transfer of election results, there are significant issues with audit trails in Michigan’s election system.
RTM workstations provide the explicit ability to overwrite ballot images and log files.
Election results are transferred via internet connections that compromise the integrity of data transfers and expose other components of the electronic voting system to malware. The Michigan Election Security Advisory Commission has recommended banning the transmission of unofficial election results. This recommendation has been given lip service but that’s about it. There is no apparent audit trail for unofficial reporting.
Illusory provisions in electronic voting system vendor contracts with the State of Michigan have been used to prohibit examination of audit trail records under the premise that system logs and data files are proprietary data.
The Michigan Secretary of State has issued orders to destroy poll book data and tabulator flash drives immediately upon certification of election results. This information covers what is probably the most important data needed for any professional audit of the election. Why order its destruction?
Furthermore, the Michigan Secretary of State has defined audit standards of insufficient rigor to perform a meaningful audit of the election record chain of custody.
Overall, not a very satisfactory state of affairs when it comes to trusting our election results.
What Are the Risks?
The core risk is that the integrity of our election results has been compromised.
During the 2022 election, 4,485,779 ballots were cast. The tabulation of the votes on each of these ballots is at risk of manipulation due to the equipment certification as well as logic and accuracy testing shortfalls identified. Due to the audit trail risks identified, absentee ballots are subject to elevated risks of manipulation due to the missing links in the audit trail. There were approximately 2,000,000 absentee ballots cast that are subject to this elevated risk…more than enough to impact the results of every single 2022 statewide ballot measure. And because these risks pertain to the operation of electronic voting systems not subject to meaningful observation, even the most honest clerks and poll workers could preside over a fraudulent election without even knowing it.
Sadly, there is a significant body of evidence including several court rulings that indicate that the Michigan Secretary of State has taken measures to deliberately create and expand weaknesses in our election system.
As demonstrated in this post, the Secretary of State is in a unique position to subvert the integrity of our election systems.
- SoS defines certification standards and procurement requirements for electronic voting systems.
- SoS defines the logic and accuracy test standards for electronic voting systems.
- SoS defines the audit standards for elections.
What happens when the goal of the SoS is to create and expand weaknesses in our election system in order to rig the system?
- Certification standards do not identify and mitigate key risks to the accuracy and integrity of an election.
- Procurement contracts feature provisions that prevent meaningful investigations into the operation of electronic voting equipment.
- Logic and accuracy tests feature insufficient testing to ensure the accuracy of ballot tabulations.
- Audit standards have insufficient rigor to demonstrate the integrity of records used to certify election results.
How could these weaknesses be exploited?
- Voting system vendors:
  - Tabulator equipment could be configured by vendors to flip votes.
  - Many contracts prohibit any analysis of these configurations by anyone other than a carefully selected set of organizations that may in turn be compromised.
- Remote actors:
  - Despite the recommendation of a 2020 report by the Michigan Election Security Advisory Commission to eliminate internet-based reporting of election results, election results continue to be reported via the internet to this day.
  - Tabulator equipment connected to the internet or connected to devices on a local network that are in turn connected to the internet are vulnerable to the insertion of malware.
  - Malware could be used to flip votes, change ballot images, provide early results in support of ballot trafficking activities, or even add/subtract votes.
  - Internet connections do not need to be active during the election to be of concern. Active internet connections before or after the election can be used to compromise the integrity of election records.
  - Connecting precinct-level equipment to the internet is of particular concern as it compromises the integrity of the fundamental building block of our elections – precinct-level election results. If the precinct-level results are secured, subsequent aggregations of election results can be communicated via the internet without concern due to the ability to always check those results against the sum of the pertinent precinct-based results.
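The check described in the last point above, comparing downstream results against the sum of the precinct-based results, can be sketched as follows. This is an added example, not part of the original post and not vendor software; the precinct IDs, contest and candidate names, all counts and the dictionary layout are constructed assumptions, not a real export format.

```python
from collections import defaultdict

# Constructed sample data. Election-night references: per-precinct tallies
# as they would be read off precinct results tapes by observers.
ELECTION_NIGHT_TAPES = {
    "P-001": {"Contest A": {"Cand X": 120, "Cand Y": 95}},
    "P-002": {"Contest A": {"Cand X": 80, "Cand Y": 110}},
    "P-004": {"Contest A": {"Cand X": 10, "Cand Y": 12}},
}

# Constructed downstream report: results by precinct after aggregation.
AGGREGATED_REPORT = {
    "P-001": {"Contest A": {"Cand X": 120, "Cand Y": 95}},
    "P-002": {"Contest A": {"Cand X": 85, "Cand Y": 105}},   # differs from tape
    "P-003": {"Contest A": {"Cand X": 200, "Cand Y": 150}},  # no tape exists
}

# Constructed contest totals as published downstream.
REPORTED_TOTALS = {"Contest A": {"Cand X": 405, "Cand Y": 345}}


def reconcile(tapes, report, totals):
    """Compare a downstream report with election-night precinct references.

    Returns four lists of findings:
      unreferenced       - precincts reported downstream with no tape to check
      missing_downstream - precincts with a tape that the report omits
      mismatches         - (precinct, contest, candidate, tape, reported)
      total_errors       - (contest, candidate, sum_of_precincts, published)
    """
    findings = {"unreferenced": [], "missing_downstream": [],
                "mismatches": [], "total_errors": []}
    summed = defaultdict(lambda: defaultdict(int))

    for precinct in sorted(report):
        contests = report[precinct]
        # Sum the report's own precinct rows to test its published totals.
        for contest, tallies in contests.items():
            for cand, votes in tallies.items():
                summed[contest][cand] += votes

        reference = tapes.get(precinct)
        if reference is None:
            # Nothing independent to compare against: an audit-trail gap.
            findings["unreferenced"].append(precinct)
            continue

        for contest in sorted(set(contests) | set(reference)):
            rep = contests.get(contest, {})
            ref = reference.get(contest, {})
            for cand in sorted(set(rep) | set(ref)):
                if rep.get(cand, 0) != ref.get(cand, 0):
                    findings["mismatches"].append(
                        (precinct, contest, cand,
                         ref.get(cand, 0), rep.get(cand, 0)))

    findings["missing_downstream"] = sorted(set(tapes) - set(report))

    for contest in sorted(set(totals) | set(summed)):
        published = totals.get(contest, {})
        computed = summed.get(contest, {})
        for cand in sorted(set(published) | set(computed)):
            if computed.get(cand, 0) != published.get(cand, 0):
                findings["total_errors"].append(
                    (contest, cand, computed.get(cand, 0),
                     published.get(cand, 0)))
    return findings


if __name__ == "__main__":
    result = reconcile(ELECTION_NIGHT_TAPES, AGGREGATED_REPORT, REPORTED_TOTALS)
    for kind, items in result.items():
        print(kind, items)
```

A precinct that lands in `unreferenced` cannot be verified by this check at all, which is the situation the post describes for multi-precinct ICC tabulators.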
Whenever these electronic voting system concerns are raised, detractors immediately respond by citing the ability of recounts to eliminate these concerns. Recounts are indeed a valid method of testing the accuracy of the tabulation of electronic voting systems. It is important to note, though, that recounts are only meaningful if the chain of custody for paper ballots has been demonstrated and secured. In Maricopa County, AZ for example, there is evidence to suggest that the ballots subjected to recount were swapped out prior to public recount. Recounts also do not address the risk that the ballots being recounted were not cast by an eligible voter.
What Should Be Done?
The public needs to call for the following actions by state government officials:
- Revise electronic voting system contracts to enable the public to monitor the tabulation of the vote by electronic tabulators.
- Publish the certification standards used by each state to certify electronic voting systems. Ensure that ALL system components which tabulate election results in any way are subject to testing and rigorous configuration control.
- Prohibit the use of internet connections for any precinct-based vote tabulation equipment.
- Eliminate the ability of voting system vendors to certify their own equipment.
- Ensure the certification standards for electronic voting systems reflect the fact that our election system is a Critical Infrastructure Component of our nation.
- Revise logic and accuracy tests to require a test deck spectrum sufficient to ensure the accuracy of tabulations for all precincts and races.
- Preserve election records needed to support a full forensic audit of the election, especially poll book data and tabulation flash drives.
- Revise audit standards to ensure that the physical and digital chain of custody for key election records (statewide voter registration file, poll books, ballots and vote tallies) are examined.
- Conduct a full forensic audit of the 2022 election immediately before any records needed for an audit are destroyed.
There is significant justification for a lack of trust in our certified election results. There are at least five significant missing links in the audit trail needed to have confidence in our election results. These missing links are summarized below.
Perhaps one of the most concerning “missing links” pertains to the fact that elections are being certified on the basis of election results provided by electronic tabulators which have never been tested for accuracy. An estimated 2,000,000 votes in the 2022 election were “certified” on the basis of records that were missing significant links in their audit trail. The lack of an audit trail for the results used to certify the 2022 election provides significant justification for the launch of a full forensic audit of the election results.
If election officials want so-called “election deniers” like me to have confidence in the accuracy of the election results, we need to see a professional, transparent audit of the entire election record chain of custody including the full chain of custody for our election results.
My Math 116 professor once gave me an “F” on a Trig exam despite having all of the correct answers. When I visited him during office hours to ask why he did this, he said “you didn’t show your work”. I proceeded to show him the math that I did in my head during the exam and he begrudgingly gave me an “A”. It is about time for election officials who claim that our elections are secure to “show us your work”.