Election Security Separating Rumor from Reality

Election Security: Separating Rumor from Reality

Here is a Q&A that answers questions about spoofing the voter. The answers come from Chris Krebbs, CISA director.

Mis- and Disinformation can undermine public confidence in the electoral process, as well as in our democracy.  

A message from the CISA Director. This video is also available directly on YouTube

NEW

Reality: Election officials provide writing instruments that are approved for marking ballots to all in-person voters using hand-marked paper ballots.

Rumor: Poll workers gave specific writing instruments, such as Sharpies, only to specific voters to cause their ballots to be rejected.

Get the Facts: Election jurisdictions allow voters to mark ballots with varying types of writing instruments, based on state law and other considerations such as tabulation system requirements. Poll workers are required to provide approved writing devices to voters.  

Although felt-tip pens, like Sharpies, may bleed through ballots, some election officials have stated that ballot tabulation equipment in their jurisdictions can still read these ballots. Many jurisdictions even design their ballots with offset columns to prevent any potential bleed through from impacting the ability to easily scan both sides of ballots. 

If a ballot has issues that impact its ability to be scanned, it can be hand counted or duplicated, or adjudicated by election officials, who use defined procedures such as chain of custody to ensure protect ballot secrecy and integrity. Many states additionally have “voter intent” laws that allow for ballots to be counted even when issues such as bleed-throughs or stray marks are present, as long as the voter’s intent can still be determined.

POST-ELECTION

Reality: Robust safeguards including canvassing and auditing procedures help ensure the accuracy of official election results.

Rumor: A bad actor could change election results without detection.

Get the Facts: The systems and processes used by election officials to tabulate votes and certify official results are protected by various safeguards that help ensure the accuracy of election results. These safeguards include measures that help ensure tabulation systems function as intended, protect against malicious software, and enable the identification and correction of any irregularities. 

Every state has voting system safeguards to ensure each ballot cast in the election can be correctly counted. State procedures often include testing and certification of voting systems, required auditable logs, and software checks, such as logic and accuracy tests, to ensure that ballots are properly counted before election results are made official. With these security measures, election officials can check to determine that devices are running the certified software and functioning properly.

Every state also has laws and processes to verify vote tallies before results are officially certified. State processes include robust chain-of-custody procedures, auditable logs, and canvass processes. The vast majority of votes cast in this election will be cast on paper ballots or using machines that produce a paper audit trail, which allow for tabulation audits  to be conducted from the paper record in the event any issues emerge with the voting system software, audit logs, or tabulation. These canvass and certification procedures are also generally conducted in the public eye, as political party representatives and other observers are typically allowed to be present, to add an additional layer of verification.

Reality: Election results reporting may occur more slowly than prior years. This does not indicate there is any problem with the counting process or results. Official results are not certified until all validly cast ballots have been counted, including ballots that are counted after election night.

Rumor: If results as reported on election night change over the ensuing days or weeks, the process is hacked or compromised, so I can’t trust the results.

Get the Facts: Elections will look different this year amidst the COVID-19 pandemic. Although ballot processing in some states may take longer than in past years due to increases in mail-in ballot usage and process adaptations to make voting safer during the pandemic, this does not impact the accuracy of the counting process. Election results reported on election night are always unofficial and are provided solely for voters’ convenience. In fact, no state requires that official results be certified on election night itself. Fluctuations in unofficial results reporting will occur during and after election night as more ballots are processed and counted, often including military and overseas ballots, and validated provisional ballots. Variations in state processes may also mean ballots cast through different methods (e.g., early in-person voting, mail-in voting, and election-day voting) are counted and unofficially reported in different orders. Official results are released after rigorous canvassing (verification) and certification by local and state election officials.

Reality: Provisional ballots are counted in every election regardless of result margins.

Rumor: Provisional ballots are only counted if there’s a close race.

Get the Facts: All provisional ballots are reviewed by election officials in every election regardless of result margins. Provisional ballots cast by individuals whose eligibility can be verified are counted. Additionally, election officials are required to provide individuals who cast provisional ballots written information regarding how they can determine whether their vote was counted and, if it was not counted, the reason for its rejection.

Reality: In some circumstances, elections officials are permitted to “duplicate” or otherwise further mark cast ballots to ensure they can be properly counted.

Rumor: Witnessing election officials marking ballots means that fraudulent voting is taking place.

Get the Facts: Some ballots cannot be read by a ballot scanner due to issues such as damage or misprinting. Some jurisdictions hand count such ballots, while others create duplicate ballots so they can be read by a ballot scanner. Some jurisdictions permit election officials to enhance markings on ballots that are too faint to scan following a process to adjudicate the voter’s intent based on state law. In jurisdictions where duplication of unscannable ballots is permitted, election officials duplicate the ballot precisely to ensure all the voter’s choices are transferred correctly to the new ballot. Both the original and duplicate ballot are labeled and logged so that the two ballots can be tracked and audited. Many jurisdictions require bipartisan teams of two or four personnel to complete this process and verify that votes are accurately transferred to duplicated ballots. The process is often open to public observation.

In some jurisdictions, ballot duplication is referred to as ballot remaking, ballot replication, or ballot transcription.

Reality: Election night results are not official results.

Rumor: If election night reporting sites experience an outage, vote counts will be lost or manipulated.

Get the Facts: Election night results are not official results. These sites may experience outages due to a variety of issues including too many people trying to view the site or cyberattacks. Such disruptions do not impact the integrity of votes or the official certified results. Election results made available on election night are always unofficial. Official results are rigorously canvassed (reviewed), and certified by local and state election officials. Most states have requirements for post-election audits as well.

Reality: A defaced or manipulated election night reporting webpage would not impact counting and certification of official results.

Rumor: If the election night reporting webpage is defaced or displays incorrect results, the integrity of the election is compromised.

Get the Facts: If a webpage has been defaced or is displaying incorrect results, it would not impact the integrity of votes or the official certified results. Election results made available on election night are always unofficial.

Reality: Malicious actors can use fake personas and impersonate real accounts.

Rumor: If a social media account claims an identity, the account must be run by that person or organization.

Get the Facts: Malicious actors often use fake personas and impersonate real accounts to trick the public into believing disinformation, including election-related disinformation.
Popular social media platforms such as Facebook, Instagram, Twitter, Snapchat, and others provide an indication, such as a checkmark that is either blue or grey, to indicate that an account is verified by the platform.  If an account claims to be a well-known person or official organization but is not verified, they may be an imposter.

There are multiple things to look for if you think an account is fake or spoofed. Is the account brand new? Do they create content or merely re-share? Do they have a coherent profile description and does it match what they are sharing? Do they have a real profile photo?  A best practice when looking for election-related information is to go to trusted sources, like your local election official.

If you find a suspicious social media post or account, consider reporting the activity to the platform so others don’t get duped. Most platforms have a “report” function built into posts, so it’s easy to report suspicious items, such as misinformation about election infrastructure. If an account is posting election disinformation, consider reporting to your state or local election official.

Reality: Cyber actors can "spoof" or forge email sender addresses to look like they come from someone else.

Rumor: I received an election-related email that looks like it came from a certain organization, so the organization must have sent it.

Get the Facts: Cyber actors can forge emails to look like they came from someone else. This common tactic is called email spoofing, where attackers send an email pretending to be from a specific domain or organization in an attempt to harvest personal data or spread malware. Such spoofed emails can also be used to disseminate false or inflammatory information. To send realistic-looking emails, cyber actors may forge the sender address to hide the origin of an email or set up spoofed domains that have a slightly different name from the real domain. Always be wary of out of the ordinary emails and look to trusted sources, such as the organization’s official website, in order to verify. Never provide personal information or download files from suspicious emails. If you receive a suspicious election-related email, consider reporting it to your local election official or local FBI field office.

PRE-ELECTION

Reality: Some voter registration data is publicly available.

Rumor: Someone possessing or posting voter registration data means voter registration databases have been hacked.

Get the Facts: Some voter registration information is public information and is available to political campaigns, researchers, and often members of the public, frequently for purchase. According to a recent FBI and CISA public alert, cyber actors may make false claims of “hacked” voter information to undermine confidence in U.S. democratic institutions.

Reality: Online voter registration websites can experience outages for non-malicious reasons.

Rumor: An online voter registration website experiences an outage and claims are made the election has been compromised.

Get the Facts: Outages in online voter registration systems occur for a variety of reasons, including configuration errors, hardware issues, natural disasters, communications infrastructure issues, and distributed denial of service (DDoS) attacks. As CISA and FBI warned in a recent public alert, a system outage does not necessarily mean the integrity of voter registration information or any other election system has been impacted. When an outage occurs, election officials work to verify the integrity of voter registration information.

Reality: A compromise of a state or local government system does not necessarily mean election infrastructure or the integrity of your vote has been compromised.

Rumor: If state or local jurisdiction information technology (IT) has been compromised, the election results cannot be trusted.

Get the Facts: Hacks of state and local IT systems should not be minimized; however, a compromise of state or local IT systems does not mean those systems are election-related. Even if an election-related system is compromised, a compromise of a system does not necessarily mean the integrity of the vote has been affected. Election officials have multiple safeguards and contingencies in place, including provisional ballots or backup paper poll books that limit the impact from a cyber incident with minimal disruption to voting.  Additionally, having an auditable paper record ensures that the vote count can be verified and validated.

Reality: Malicious actors can fake manipulation of voter registration data to spread disinformation.

Rumor: Videos, images or emails suggesting voter registration information is being manipulated means voters will not be able to vote.

Get the Facts: Claims are easy to fake and can be used for disinformation purposes. If voter registration data were to be manipulated, states have several safeguards in place to enable voters to vote, including offline backups of registration data, provisional ballots, and in several states, same-day registration.

Reality: Safeguards are in place to prevent home-printed or photocopied mail-in ballots from being counted.

Rumor: A malicious actor can easily defraud an election by printing and sending in extra mail-in ballots.

Get the Facts: This is false. Committing fraud through photocopied or home-printed ballots would be highly difficult to do successfully. This is because each local election office has security measures in place to detect such malicious activity. While the specific measures vary, in accordance with state and local election laws and practices, such security measures include signature matching, information checks, barcodes, watermarks, and precise paper weights.

Reality: Safeguards are in place to protect against fraudulent voting using the Federal Write-In Absentee Ballot (FWAB).

Rumor: A malicious actor can easily defraud an election using the Federal Write-In Absentee Ballot (FWAB).

Get the Facts: Changing an election using fraudulently submitted FWABs would be highly difficult to do. This is because election offices have security measures in place to detect such activity.
The FWAB is primarily used as a backup ballot for military and overseas voters who requested but did not yet receive their absentee ballot. FWAB users must provide their signature and meet varying state voter registration and absentee ballot request requirements, which can include provision of full or partial social security number, state identification number, proof of identification, and/or witness signature.
Since only military and overseas voters are eligible to use the FWAB, relatively few of them are submitted each election. In 2016, states reported that only 23,291 total FWABs were submitted nationwide, with all but six states receiving less than 1,000 FWABs statewide. Since use is relatively rare, spikes in FWAB usage would be detected as anomalous.

ELECTION DAY

Reality: Voters are protected by state and federal law from threats or intimidation at the polls, including from election observers.

Rumor: Observers in the polling place are permitted to intimidate voters, campaign, and interfere with voting.

Get the Facts: While most states have a process to permit a limited number of credentialed or registered observers at in-person voting locations to observe the voting process, state and federal laws offer voters general protection from threats and intimidation, including from observers. States use varying terms for observers, including “poll watchers,” “challengers,” and “poll agents.” In general, observers are prohibited from violating ballot secrecy, campaigning, collecting private voter information, and obstructing or interfering with the voting process. Observers in some states may report potential issues to election officials, such as questioned eligibility of a voter, suspicious behavior, or suspected rule violations. Intimidation or threatening behavior is never permissible.

Under certain circumstances, the U.S. Department of Justice (DOJ) Civil Rights Division may monitor polling place procedures for the protection of voters under federal voting rights laws. International observers, including delegations from the Organization for Security and Cooperation in Europe or the Organization for American States, who have been invited by the U.S. Department of State, may also observe in-person voting processes in some states.

If you feel that you’ve been a victim of, or witnessed, voter intimidation or threats, please report the experience to the DOJ Civil Rights Division’s Voting Section by phone 800-253-3931 or through its complaint portal at https://civilrights.justice.gov/. If you experience an emergency, please call 911.

Reality: Safeguards are in place to protect ballot secrecy.

Rumor: Someone is claiming to know who I voted for.

Get the Facts: Ballot secrecy is guaranteed by law in all states. Election officials implement various safeguards to protect voters’ choices from being viewable or knowable by others, including the election officials themselves. With few exceptions, these security measures ensure that individual ballots, once cast, cannot be traced back to the voters who cast them. For in-person voting, privacy measures include dividers between voting stations and requirements that poll workers maintain distance from voters while they are casting their ballots. For mail-in and provisional voting, election officials follow strict procedures to ensure ballot secrecy when ballots are retrieved from mail-in and provisional ballot envelopes. 

Ballot secrecy rights may be voluntarily waived by voters in certain circumstances, and waiver may be required in some of these, such as military and overseas voters that vote by fax or e-mail. 

While ballot choices are secret in almost all circumstances, a voter’s party affiliation and history of voting generally are not. Information contained in voter registration records, such as name, address, phone number, and political party affiliation (in states with party-based voter registration), is generally available to political parties and others. This data also regularly contains information on whether a voter voted in a particular election, but not their ballot choices. 

Reality: Polling place lookup sites can experience outages for non-malicious reasons.

Rumor: If polling place lookup sites experience an outage, election infrastructure must have been compromised.

Get the Facts: Polling place lookup sites, like all websites, may experience outages for a variety of reasons, impacting their availability to voters. Polling place lookup sites are not connected to infrastructure that counts votes and are typically segmented from infrastructure that enables voting, such as the voter registration database. Election officials will point potential voters to alternate tools and resources for this information in the event of an issue.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3