Ballot tabulation by uploading scanned images for OCR is quite insecure

The Georgia legislature recently passed a law banning QR-code ballots in vote tabulation, which is a step in the right direction.  But the Georgia Secretary of State’s response is a plan to continue using QR-code ballots, to “tabulate” or “verify” the election results based on uploading the digital ballot images for optical-character recognition.  This plan is insecure and probably illegal.

For years now, Georgia has been conducting elections using touchscreen ballot-marking devices (BMDs).  The touchscreen (Dominion ICX) prints out a ballot card that the voter then deposits into an optical-scan vote tabulator (Dominion ICP).  Some voters might actually inspect the ballot card before depositing it (about 7% of voters do so carefully!) and they could, in principle, verify that the candidate names printed on the ballot are the ones they actually selected on the touchscreen.  The 93% of voters who don’t check carefully are vulnerable to having their vote changed by a hacked BMD (and it turns out that the Dominion ICX, in the older software version used in Georgia, is quite vulnerable to hacking).  But it’s worse than that: the votes are printed on the ballot card both in human-readable text and inside a QR code that the voter can’t read, and it’s the QR code that’s tabulated by the optical scanner.  So actually it’s 100% of voters who are vulnerable to having their vote stolen by hacked BMDs.

To its credit, the Georgia Legislature now understands that encoding votes in barcodes or QR codes is bad policy, and they recently outlawed the tabulation of votes by QR codes, effective July 1, 2026.  Senate Bill 189 [local copy], passed in 2024, provides,

“(d) The text portion of the paper ballot marked and printed by the electronic ballot marker indicating the elector’s selection shall constitute the official ballot and shall constitute the official vote for purposes of vote tabulation, any recount conducted pursuant to Code Section 21-2-495, and any audit conducted pursuant to Code Section 21-2-498. The official tabulation count of any ballot scanner shall be based upon the text portion or the machine mark, provided that such mark clearly denotes the elector’s selection and does not use a code, bar code, or similar coding, of such ballots and not any machine coding that may be printed on such ballots.”

With or without a QR code, it’s still bad policy to make voters use touchscreens to mark their paper ballots—other than those voters with a disability who cannot mark a paper ballot with a pen—but this provision of SB 189 is a step in the right direction.

Unfortunately, Georgia Secretary of State Brad Raffensperger now proposes to sidestep this law by continuing to use the Dominion ICX touchscreens that produce QR-code ballots, continuing to use the Dominion ICP scanners to tabulate the QR-code ballots, and then using OCR (optical character recognition software) to “tabulate” or “verify” the ballot images.  There are many things wrong with this proposal.  Before I go into the problems with this plan, I’ll just mention that there’s a much simpler way that Georgia could (cheaply!) upgrade to a voting system on par with most other states:  just use their existing Dominion ICP (polling-place) scanners to count preprinted, hand-marked optical-scan “bubble ballots” that the voter has marked with a pen.  This doesn’t even require a software upgrade of any kind. Although it would be a fine idea to install a software upgrade that addresses known security vulnerabilities in the ICX and ICP, the ICP can count hand-marked ballots with or without the upgrade.

The Secretary of State’s OCR plan is to do the same as in 2024 [local copy], when the OCR tabulation was an unofficial audit of the QR-code-tallied official results. It worked like this:   In addition to tabulating based on the QR code, the Dominion ICP scanners already produce “ballot image files” containing 200-dot-per-inch scans of the paper ballots.  When election results are transferred (on removable media) from the scanners to the county’s election-management computers, the digital images go with them.  Then (for OCR-based auditing) Georgia had each county upload those files from the election-management database to a company named Enhanced Voting, which ran OCR software to recount the ballots based on the human-readable text.

This method of OCR tabulation is inherently insecure.  Here are the problems:

  1. What’s printed on the paper is totally up to a hackable BMD (Dominion ICX), and we have solid evidence that only a tiny proportion of voters review it carefully.
  2. What’s recorded in the digital ballot image is totally up to a hackable scanner (Dominion ICP)—either it’s a faithful picture of the paper or it’s just “made up” by hacked software.
  3. Dominion’s election-database software (installed in county election-management computers) has extremely weak security, so it would be fairly easy for an unsophisticated attacker to alter ballot-image files–just replace the ballots they don’t like with copies of the ones they do like.
  4. Then the zip file of ballot images is uploaded to Enhanced Voting’s web server.  What are the controls on that process?
  5. Once the ballots are uploaded, anyone at the company could change the inputs (ballot images) or outputs (tabulations).  
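
One control that problems 3 through 5 call for is a digest manifest taken when the images leave the scanner and rechecked wherever the batch is received. The sketch below is an added example, not part of the original post and not any vendor's code; the file names and byte strings are constructed. It says nothing about whether an image matches the paper, so problems 1 and 2 remain.

```python
import hashlib
from collections import defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(images: dict) -> dict:
    """Digest of every image, taken when results leave the scanner.
    The manifest must travel and be stored separately from the images."""
    return {name: sha256_hex(data) for name, data in images.items()}

def check_batch(manifest: dict, received: dict) -> dict:
    """Compare a received batch against the export-time manifest."""
    by_digest = defaultdict(list)
    altered, unexpected = [], []
    for name, data in sorted(received.items()):
        digest = sha256_hex(data)
        by_digest[digest].append(name)
        if name not in manifest:
            unexpected.append(name)
        elif manifest[name] != digest:
            altered.append(name)
    return {
        "missing": sorted(set(manifest) - set(received)),
        "unexpected": unexpected,
        "altered": altered,
        # Assumption: two scans of different sheets are never byte-identical,
        # so shared content means one file is a copy of another.
        "duplicate_content": [n for n in by_digest.values() if len(n) > 1],
    }

# Constructed sample data standing in for scanner image files.
EXPORTED = {"b001.tif": b"scan-bytes-A", "b002.tif": b"scan-bytes-B",
            "b003.tif": b"scan-bytes-C"}
# The same batch after b002 was overwritten with a copy of b001,
# b003 was dropped and an unlisted b004 appeared.
RECEIVED = {"b001.tif": b"scan-bytes-A", "b002.tif": b"scan-bytes-A",
            "b004.tif": b"scan-bytes-D"}

if __name__ == "__main__":
    report = check_batch(build_manifest(EXPORTED), RECEIVED)
    for finding, names in report.items():
        print(finding, names)
```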

The Secretary of State sometimes calls the OCR a “verification” instead of “tabulation”, perhaps because this software and system hasn’t been examined and certified by any of the usual statutory procedures required for vote tabulation systems.  It hasn’t been certified by the U.S. Election Assistance Commission, as required for tabulators by the Georgia election code. On the other hand, if the OCR is a “verification”, then the “tabulation” is the one done by the ICP scanners reading the QR codes, which is contrary to the new law.  I am not a lawyer, but to me it seems illegal either way, whether the Secretary claims that the scanners do the tabulation or the OCR does the tabulation.  But even more to the point, it’s vulnerable to manipulation or alteration at many points between the voter and the end result.


Additional notes:

  1. In a legislative hearing on January 21, 2026, Senator Burns asked whether the OCR software is going to be used “for tabulation, or for verification?”  [5:38:00-5:40:29, and more at 5:42:15-5:44:40] Secretary Raffensperger answered, “that’s actually used for verification.”  But the written materials provided in advance of that meeting said “tabulation”, and more recent statements by Georgia elections officials have also referred to it as “tabulation”.
  2. One might ask, “Can’t we just tabulate all the ballots by hand?” (Senator Dolezal’s question at 5:44:40.)  Secretary Raffensperger’s answer to this question is reasonable, and consistent with the opinions of most election cybersecurity experts: “No, because you have 16 to about 20 races on each ballot.  . . . It’s not like France or Germany or any of these other democracies, that just have one race.  We actually have, say, 15 different races on a ballot.”  And therefore, he went on to explain, counting all the contests on all the ballots by hand would cost much more than the $5 million that the legislature allocated for just counting two statewide contests that way.  However, that doesn’t mean we should count ballots by uploading pictures for optical scan! The consensus of election cybersecurity experts is that, when hand-counting ballots is too expensive or impractical, the solution is to have hand-marked paper ballots, counted by optical scanners (efficient and accurate when they’re not hacked!), and then audited by human inspection of an adequate sample of paper ballots to determine that the outcome is correct (these are called “risk-limiting audits”).  The OCR of uploaded digital ballot images is nothing like that.
  3. The OCR-based audit was actually useful in detecting some mistakes made in Barrow County, Peach County, and Wilkinson County, where test ballots were incorrectly included in certified election results (see page 10 of the Ballot Image Audit Report).  But in fact it was not the optical character recognition that detected this, it was basic reconciliation that could have, and should have, been done locally in the county.
  4. The plan for “text-based ballot scanning technology for vote tabulation” is item 311.2 on page 180 of Georgia’s budget signed into law on March 3, 2026. If there’s a budget line-item for it, passed by the legislature, but there’s no statute supporting it, does that make it legal? I’m a technologist, not a lawyer. What I can say is that the budget line-item doesn’t make it secure. And it still doesn’t seem to comply with Georgia’s laws regarding the certification of voting systems.
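
How large an “adequate sample” is, in the sense of note 2, is decided by a statistical stopping rule applied as people read paper ballots. The following is an added example, not part of the original post: the BRAVO ballot-polling rule for a two-candidate contest. The 60% reported share, the 5% risk limit and the ballot sequences are constructed; in a real audit the ballots are drawn at random from the paper ballots.

```python
def bravo(reported_winner_share, sample, risk_limit=0.05):
    """Sequential ballot-polling test for a two-candidate contest.

    sample yields 'W' when the hand-read paper ballot shows the reported
    winner, 'L' for the reported loser, anything else for no valid vote.
    Returns (decision, ballots_examined, test_statistic).
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner must have more than half the votes")
    threshold = 1.0 / risk_limit
    t, n = 1.0, 0
    for n, ballot in enumerate(sample, start=1):
        if ballot == "W":
            # Evidence for the reported outcome over a tie.
            t *= reported_winner_share / 0.5
        elif ballot == "L":
            # Evidence against it.
            t *= (1.0 - reported_winner_share) / 0.5
        if t >= threshold:
            return ("confirmed", n, t)
    # Not enough evidence yet: draw more ballots, up to a full hand count.
    return ("keep_sampling", n, t)

# Constructed sequences of hand-read ballots.
ALL_AGREE = ["W"] * 30          # paper keeps agreeing with the reported winner
EVEN_SPLIT = ["W", "L"] * 100   # paper looks like a tie, not a 60/40 win

if __name__ == "__main__":
    print(bravo(0.60, ALL_AGREE))
    print(bravo(0.60, EVEN_SPLIT))
```

The audit never takes the scanner's or the OCR's word for any ballot: every input is a person reading paper, and a result that the paper does not support keeps the audit sampling instead of confirming.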

