CITP Blog - Formerly Freedom to Tinker

Ballot tabulation by uploading scanned images for OCR is quite insecure

– by

Comments

The Georgia legislature recently passed a law banning QR-code ballots in vote tabulation, which is a step in the right direction. But the Georgia Secretary of State’s response is a plan to continue using QR-code ballots, to “tabulate” or “verify” the election results based on uploading the digital ballot images for optical-character recognition. This plan is insecure and probably illegal.

For years now, Georgia has been conducting elections using touchscreen ballot-marking devices (BMDs). The touchscreen (Dominion ICX) prints out a ballot card that the voter then deposits into an optical-scan vote tabulator (Dominion ICP).  Some voters might actually inspect the ballot card before depositing it (about 7% of voters do carefully!) and they could, in principle, verify that the candidate names printed on the ballot are the ones they actually selected on the touchscreen. The 93% of voters that don’t check carefully are vulnerable to having their vote changed by a hacked BMD (and it turns out that the Dominion ICX, in the older software version used in Georgia, is quite vulnerable to hacking). But it’s worse than that: the votes are printed on the ballot card both in human-readable text and inside a QR code that the voter can’t read, and it’s the QR code that’s tabulated by the optical scanner. So actually it’s 100% of voters who are vulnerable to having their vote stolen by hacked BMDs.

To its credit, the Georgia Legislature now understands that encoding votes in barcodes or QR codes is bad policy, and they recently outlawed the tabulation of votes by QR codes, effective July 1, 2026.  Senate Bill 189 [local copy], passed in 2024, provides,

“(d) The text portion of the paper ballot marked and printed by the electronic ballot marker indicating the elector’s selection shall constitute the official ballot and shall constitute the official vote for purposes of vote tabulation, any recount conducted pursuant to Code Section 21-2-495, and any audit conducted pursuant to Code Section 21-2-498. The official tabulation count of any ballot scanner shall be based upon the text portion or the machine mark, provided that such mark clearly denotes the elector’s selection and does not use a code, bar code, or similar coding, of such ballots and not any machine coding that may be printed on such ballots.”

With or without a QR code, it’s still bad policy to make voters use touchscreens to mark their paper ballots—other than those voters with a disability who cannot mark a paper ballot with a pen—but this provision of SB 189 is a step in the right direction.

Unfortunately, Georgia Secretary of State Brad Raffensperger now proposes to sidestep this law by continuing to use the Dominion ICX touchscreens that produce QR-code ballots, continuing to use the Dominion ICP scanners to tabulate the QR-code ballots, and then using OCR (optical character recognition software) to “tabulate” or “verify” the ballot images.  There are many things wrong with this proposal.  Before I go into the problems with this plan, I’ll just mention that there’s a much simpler way that Georgia could (cheaply!) upgrade to a voting system on par with most other states:  just use their existing Dominion ICP (polling-place) scanners to count preprinted, hand-marked optical-scan “bubble ballots” that the voter has marked with a pen. This doesn’t even require a software upgrade of any kind. Although it would be a fine idea to install a software upgrade that addresses known security vulnerabilities in the ICX and ICP, the ICP can count hand-marked ballots with or without the upgrade.

The Secretary of State’s OCR plan is to do the same as in 2024 [local copy], when the OCR tabulation was an unofficial audit of the QR-code-tallied official results. It worked like this:   In addition to tabulating based on the QR code, the Dominion ICP scanners already produce “ballot image files” containing 200-dot-per-inch scans of the paper ballots.  When election results are transferred (on removable media) from the scanners to the county’s election-management computers, the digital images go with them.  Then (for OCR-based auditing) Georgia had each county upload those files from the election-management database to a company named Enhanced Voting, which ran OCR software to recount the ballots based on the human-readable text.

This method of OCR tabulation is inherently insecure. Here are the problems:

  1. What’s printed on the paper is totally up to a hackable BMD (Dominion ICX), and we have solid evidence that only a tiny proportion of voters review it carefully.
  2. What’s recorded in the digital ballot image is totally up to a hackable scanner (Dominion ICP)—either it’s a faithful picture of the paper or it’s just “made up” by hacked software.
  3. Dominion’s election-database software (installed in county election-management computers) has extremely weak security, so it would be fairly easy for an unsophisticated attacker to alter ballot-image files–just replace the ballots they don’t like with copies of the ones they do like.
  4. Then the zip file of ballot images is uploaded to Enhanced Voting’s web server.  What are the controls on that process?
  5. Once the ballots are uploaded, anyone at the company could change the inputs (ballot images) or outputs (tabulations).  

The Secretary of State sometimes calls the OCR a “verification” instead of “tabulation”, perhaps because this software and system hasn’t been examined and certified by any of the usual statutory procedures required for vote tabulation systems. It hasn’t been certified by the U.S. Election Assistance Commission, as required for tabulators by the Georgia election code. On the other hand, if the OCR is a “verification”, then the “tabulation” is the one done by the ICP scanners reading the QR codes, which is contrary to the new law. I am not a lawyer, but to me it seems illegal either way, whether the Secretary claims that the scanners do the tabulation or the OCR does the tabulation. But even more to the point, it’s vulnerable to manipulation or alteration at many points between the voter and the end result.

Additional notes:

  1. In a legislative hearing on January 21, 2026, Senator Burns asked whether the OCR software is going to be used “for tabulation, or for verification?”  [5:38:00-5:40:29, and more at 5:42:15-5:44:40] Secretary Raffensperger answered, “that’s actually used for verification.”  But the written materials provided in advance of that meeting said “tabulation”, and more recent statements by Georgia elections officials have also referred to it as “tabulation”.
  2. One might ask, “Can’t we just tabulate all the ballots by hand?” (Senator Dolezal’s question at 5:44:40.)  Secretary Raffensperger’s answer to this question is reasonable, and consistent with the opinions of most election cybersecurity experts: “No, because you have 16 to about 20 races on each ballot.  . . . It’s not like France or Germany or any of these other democracies, that just have one race. We actually have, say, 15 different races on a ballot.”  And therefore, he went on to explain, counting all the contests on all the ballot by hand would cost much more than the $5 million that the legislature allocated for just counting two statewide contests that way. However, that doesn’t mean we should count ballots by uploading pictures for optical scan! The consensus of election cybersecurity experts is that, when hand-counting ballots is too expensive or impractical, the solution is to have hand-marked paper ballots, counted by optical scanners (efficient and accurate when they’re not hacked!), and then audited by human inspection of an adequate sample of paper ballots to determine that the outcome is correct (these are called “risk-limiting audits”). The OCR of uploaded digital ballot images is nothing like that.
  3. The OCR-based audit was actually useful in detecting some mistakes made in Barrow County, Peach County, and Wilkinson County, where test ballots were incorrectly included in certified election results (see page 10 of the Ballot Image Audit Report). But in fact it was not the optical character recognition that detected this, it was basic reconciliation that could have, and should have, been done locally in the county.
  4. The plan for “text-based ballot scanning technology for vote tabulation” is item 311.2 on page 180 of Georgia’s budget signed into law on March 3, 2026. If there’s a budget line-item for it, passed by the legislature, but there’s no statute supporting it, does that make it legal? I’m a technologist, not a lawyer. What I can say is that the budget line-item doesn’t make it secure. And it still doesn’t seem to comply with Georgia’s laws regarding the certification of voting systems.

Comments

9 responses to “Ballot tabulation by uploading scanned images for OCR is quite insecure”

  1. david lamy

    I remember hand marked ballots counted at the precinct when voting concluded. Counting was serious business. Those counting were among your neighbors. I see this system as far superior to involving computing devices in tallying election results.
    I view with skepticism those who claim we need results right away in lieu of a fair election where a voter can be confident that their vote was counted accurately.

    Reply
  2. John R Brakey

    On Ballot Images, OCR, and the Role of Verification
    Recent discussions about the risks of OCR-based ballot tabulation raise important and valid concerns about election security and the reliability of digital systems.
    We agree with a core principle emphasized by many election security experts:
    The foundation of a trustworthy election system must be the hand-marked paper ballot.
    That principle is essential. It ensures that voter intent is captured in a durable, human-readable form that can serve as the ultimate reference.
    Where concerns arise—and rightly so—is when systems rely on:
    • machine-generated ballots that voters may not fully verify
    • barcodes or QR codes that are not human-readable
    • OCR or digital reinterpretation of ballot images as a substitute for the original ballot
    These approaches can introduce risk by disconnecting the reported result from the voter’s intent.
    Where Our Approach Differs
    The system we advocate does not rely on OCR, nor does it replace or reinterpret the ballot.
    Instead, it is based on redundancy and verification:
    • The hand-marked paper ballot remains the authoritative record
    • Optical scanners produce a ballot image and a Cast Vote Record (CVR)
    • These records are independently generated and can be compared
    • The original ballot remains available for audit and confirmation
    This creates a system where no single layer is trusted blindly.
    Instead:
    Each layer checks the others.
    Why Redundancy Matters
    Even hand-marked paper ballots, while essential, are not immune to error or mishandling over time.
    History has shown that:
    • ballots can be misplaced
    • chain-of-custody issues can arise
    • human counting errors can occur
    For this reason, a resilient system benefits from redundancy:
    • Paper ballots
    • Digital images
    • Tabulated records
    When these are properly linked and preserved, they allow for meaningful verification.
    Verification Is the Missing Piece
    The key issue is not whether digital records exist—it is whether they are used appropriately.
    We do not advocate replacing the ballot with digital interpretation.
    We advocate:
    Verifying election outcomes by comparing independently generated records back to the original ballot.
    This aligns with established principles of election auditing, including risk-limiting audits, while adding a layer of transparency and traceability.
    Common Ground
    There is broad agreement on several essential points:
    • Hand-marked paper ballots are the gold standard
    • Systems that obscure voter intent should be avoided
    • Verification is necessary to ensure trust
    Where innovation is possible is in how verification is implemented.
    Conclusion
    The goal is not to replace traditional safeguards, but to strengthen them.
    You can find out more about ballot images on my sub stack site https://johnrbrakey.substack.com/
    Trust in elections should not depend on assumption.
    It should be grounded in the ability to verify.
    John R Brakey
    Executive Director AUDIT USA
    JohnBrakey@gmail.com

    Reply
  3. Ray Lutz

    Your analysis correctly identifies the fundamental risk of ballot-marking devices, particularly the use of QR codes that are not voter-verifiable. We agree that hand-marked paper ballots provide a stronger foundation for election integrity and should be the default wherever feasible.

    However, the characterization of ballot image review as insecure or without value does not fully distinguish between tabulation and verification. Ballot image auditing is not proposed as a primary tabulation method. It is a secondary, independent verification process applied after the official tabulation has already occurred. This distinction is critical. A verification audit does not need to meet the same certification criteria as a tabulator, but it must be transparent, reproducible, and independently checkable.

    The concern that ballot images could be altered is valid in principle, but it is not an inherent limitation of image-based auditing. Modern cryptographic controls can secure ballot images at the point of capture and throughout their lifecycle. Hash chains, digital signatures, and public audit logs can provide strong guarantees that images have not been modified. When properly implemented, these controls allow third parties to independently verify the integrity of the dataset being audited.

    Ballot image auditing also provides a scalable mechanism to detect discrepancies that may arise from configuration errors, software faults, or upstream system issues. For example, mismatches between encoded selections and human-readable text can be identified through systematic review. These are not hypothetical concerns. They are practical failure modes that require independent detection mechanisms beyond the original tabulation process.

    It is important to recognize that no single layer of the system should be treated as inherently trustworthy. Optical scanners, ballot-marking devices, and election management systems all introduce potential points of failure. Independent verification using ballot images adds a complementary layer of scrutiny that can increase overall system confidence when combined with other safeguards such as risk-limiting audits.

    In summary, we agree on the risks associated with BMDs and QR-based tabulation. Where we differ is on the role of ballot image auditing. When properly secured and clearly defined as a verification process, it is not only useful but necessary as part of a layered approach to election integrity.

    Bottom line is that GA should just use hand-marked ballots immediately as the scanners they now have can handle them. The fact that this option is being neglected is frankly astounding, so we agree completely on that point.

    Doing a ballot image audit of BMD ballots CAN detect a difference between the QRcode (computer result) and human readable,so some types of errors are indeed detectable. But not all such hacks can be detected, such as changing the sense of a measure, like “Make cannabis legal” vs. “Make Cannibis Illegal”. A BMD touchscreen establishes a private session with the voter and there is no way to track what the voter was shown. This is in contrast with the hand-marked paper ballot which shows exactly what the voter was shown, including the text of the ballot and also whether all the candidates are shown. We must get away from the touch-screen machines. That is the most important part of your post. However, ballot image auditing DOES have merit and the weaknesses can be improved with cryptographic mechanisms. Perfect? No, but nothing is.

    Reply
  4. Victoria K

    Hey Andrew! I’ve been engaged with trying to sort out the real from the hysteric in another State with some high stakes arguments about this stuff.

    Something that sticks out to me here:
    When on the spot about how you would hack this proposed system, you said you’d insert new or replace ballot images.

    I want to dig in to that. Let’s forget about the OCR “cross check” being proposed for a minute.

    You claim here that the precinct level optical scanner can be hacked in such a way as to store fabricated ballot images. It would not only need to store them, though, for this to go undetected. It would need to have the capability and be told to tabulate from those images. Correct me if I’m wrong, but that’s just not possible given the software and hardware limitations of these machines.

    This seems like a major lynchpin in the argument of vulnerability when there is a cross check of any variety between the tabulated count of the QR codes (or any other counting method of the optical scanner) and a tabulated count of the ballot images.

    What am I missing from your argument here? Again, just isolating the ballot image issue.

    Reply
    1. Andrew Appel

      To answer your question, these machines have all the power of late-model laptop computers. They use the same kinds of CPUs (processor chips), similar amounts of RAM and solid-state flash drives, the same operating systems (Windows or Linux). There is no significant software or hardware limitation that prevents them from synthesizing fraudulent bitmap images of ballots that were never cast, or from keeping copies of some of the ballot images that were cast and repeating them to substitute for ballots voted for “the other guy”. And there is no sigificant difficulty, when preparing a fraudulent vote-counting app for installing in one of these machines, to design the software to keep the fraudulent bitmap images correlated with the fraudulent QR codes.

      Reply
      1. Victoria K

        For starters, are you absolutely sure that that the Dominion ICP’s have Windows or any other PC like operating system?

        Reply
        1. Victoria K

          Alright, I’ve verified the ICP runs on Linux. There is no reason that part of the system needs to. Seems there’s a market hungry for a PLC based scanner!

          Reply
          1. Victoria K

            Serious apologies for spamming your comment section here. I’ve had to do a bit of a crash course on election specific security these past months.

            I can’t help but think that the biggest reason no security assessment has ever been done on the “hackability” of the tabulator short of physically stuffing ballots (when these assessments have been done ad nauseum on every other part of the system and process) is that any researcher worth their salt understands it’s a waste of time. Any audit of the preserved paper ballots would expose the ruse.

            High difficulty, nearly zero chance of success.

            And yet, again, this seems like a sort of lynchpin to your argument especially that the OCR cross check adds an extra layer of vulnerability. If hacking the images on the tabulator would not be worth the trouble, hacking them on the second count would be even less so.

  5. hair types​​‍‍​‍

    This is a really insightful breakdown of the vulnerabilities inherent in OCR-based ballot tabulation. The point about potential manipulation of image data before upload is particularly concerning, and highlights how difficult it is to secure the entire process from end to end. It seems like truly robust security would require a far more complex and expensive system than many jurisdictions are currently equipped to handle.‍​

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

About

The CITP Blog is hosted by Princeton University’s Center for Information Technology Policy, a research center that studies digital technologies in public life. Here you’ll find comment and analysis from the digital frontier, written by the Center’s faculty, students, and friends.

Categories