Dear Philadelphia City Commissioners:

I am a member of the Philadelphia Election Board. I work as a Majority Inspector in the 2nd ward. As you know, that means that I work at the polling place and have a very good familiarity with our electoral process. I am also a software engineer with a Masters Degree in Software Engineering. I believe I am in a unique position to comment on our new voting machines.

This past Tuesday I spent 14 hours working very closely with the new ES&S machines that your office procured for the city. I think overall the voters adapted well to them and for the most part they worked as I’d expected them to. However, as someone who thinks about software, computers and human computer interaction pretty much every waking moment I couldn’t help but be extremely concerned at the fact that these new machines appear to be less secure than the ones they have replaced.

The issue lies in the paper ballot. It is now generally accepted by anyone who studies these things that having the voter be able to verify their ballot is one of the most important elements of having a secure election. The ES&S system as currently implemented does not allow voter verification.

The simple fact here is that humans can’t read barcodes! As it stands, there is no physical way a voter can verify that the thing that is counted represents their intentions.

The way it works now is that the voter uses the touch screen to select their choices, those choices are then printed on a paper ballot along with a set of barcodes at the top, the voter then ‘verifies’ that their selections are correct and then the ballot is submitted to be counted. However, as I understand it, the official vote count is done by scanning the barcodes and not the names that the voter verified.

This is a giant security flaw. If the machine is compromised in any way (by someone maintaining the machine before the election, by a poll worker, by a voter, etc.) one could easily see how the system could be altered so that the barcodes could be switched while the names stay the same. This would mean that the voter would see the name of the person they voted for but the barcode, the thing that is counted, could represent someone completely different. And nobody would ever know!

This is not just speculation on my part. I’ve read many articles quoting noted professors in the computer science field who share these exact scenarios. Professors like Richard DeMillo from Georgia Tech and J. Alex Halderman, a voting security expert who teaches at the University of Michigan.

The simple fact here is that humans can’t read barcodes! As it stands, there is no physical way a voter can verify that the thing that is counted represents their intentions.

All is not lost however. What I would suggest is that the barcodes were removed and instead that actual printed names were counted by an OCR scanner instead. I believe this simple change would improve the stability and verifiability of the system significantly.

I love the idea of using a computer to vote. There are so many possibilities to improve our voting process by using this technology (randomizing ballot position for each voter for example), but right now, if we can’t trust that our votes are counted correctly, none of this matters. I urge you to dig into this problem and fix it before the 2020 elections!

Thank you for your attention. 

Vincent E. Fumo II is a software engineer from Philadelphia. He is also a member of the Philadelphia Election Board.