XRDS

Crossroads The ACM Magazine for Students


Association for Computing Machinery

Magazine: Features
Too Much Technology?


By Duncan A. Buell


Tags: Security and privacy, Voting / election technologies


My intent here is to show how and why software for conducting elections (especially software, but there are also hardware issues) is different from other kinds of software, and why it is crucially important to get things right. This article could be considered the text of a guest lecture about election applications in a senior-level course on software.

In 15 years of analyzing election data, from multiple states and vendors, I have never seen anything from which I would infer fraud, malfeasance, or intent to produce results other than what they should be.

I have, however, seen errors and anomalies, and I have seen those errors repeated again and again from 2010 down through 2024, even though the vendors are aware that the errors occur. It is always the case that when such errors are discovered, they are attributed to "human error." This is, of course, correct, but it never seems that the attribution of the human error is focused where it should be focused, on the humans who made the error possible—namely, the vendor's humans who did the design and implementation of the software.

If the system cannot be used as intended by the intended users, then it is the system that is at fault, not the users.

I have never seen the source code. But some of the anomalies are so obvious to someone who writes code that it is apparent what shortcomings in the software have made the errors possible.

I intend for this article to be largely a discussion of the software problems that occur all the time, but should not occur, and would not occur, if the software were properly bulletproofed to make it hard to make the errors.

The reader could well view this as lessons learned from the real world about why design, development, testing, and bulletproofing really are necessary. Elections are too important an application for things not to be done carefully and properly.

Finally, it seems necessary to cite two of the more famous quotations regarding elections and technology. The first is about the technology; Rop Gonggrijp has said: "There is such a thing as too much technology." The second is about the use of the technology, and comes from Carolyn Crnich, former clerk of court of Humboldt County, California: "I don't ever want to have to tell my voters, 'Just trust me.'"

I will start by setting the stage (I hope) as to why this is inherently difficult and why voting technology is different from any other application I have come across in my career.

Setting the Stage

Voting is supposed to be a private affair. No one, not spouses, not employers, not anyone, is supposed to be able to determine how any one individual has voted. This took decades (centuries?) to become normal in the United States; in past times votes were public and could thus be coerced. The ability of a vote to be private has become central to the election process in this country.

We should start by remembering that in the United States, preparing for Election Day is something like preparing for going into battle. I grew up with a father who was part of the U.S. space program. He once commented that when the countdown gets to T-minus-five, and one hears "We have ignition," then something is about to happen, and one better be prepared for whatever that something happens to be.

Elections are quite similar. One cannot hit "pause" or ask for a do-over. And yet, Election Day is run as a process distributed in location and managed by volunteers. In my Richland County, South Carolina world, there were 275,000 voters, 150 polling places, 300 (or more) electronic pollbooks to check in voters, roughly 2,000 volunteer workers, 170 ballot card scanners, and 1,100 ballot marking computers. (I will refer to these as "computers" and not as "machines." I think most people consider a "machine" to be something they can count on to work as expected, and they have a much more, and legitimately, jaundiced view of what to expect of a "computer.") By any count, that's a lot of "stuff." Somewhere in the county, power will fail, a ballot marking computer will not boot, the e-pollbooks won't be able to get to the database back at the mother ship, and a scanner will jam.

This argues for two things:

  • Backups to backups to backups are necessary. (We in Richland County used direct recording electronic devices, and then ballot marking devices, and would have 15–20 trucks rolling around the county with replacement equipment on Election Day for when failures occurred.)
  • The process needs to be as simple as possible.

I agree with Gonggrijp: sometimes there is such a thing as too much technology, if in fact one assumes all that technology will work perfectly under the expected stressful circumstances. But anyone who has written serious software knows that the more general purpose the code, the more complicated and prone to error the code will be. Going from hard-coded choices and constants to lookup tables invariably makes things more obscure. The United States is one of the very few countries that does not have a centralized standard for elections; across the 50 states, there are many different rules and regulations. If a vendor wants to market in all 50 states, the code must allow for these different rules. That automatically makes it harder to get right, harder to test, and harder to use.

We must remember that voting systems are different from virtually any other software system written. It is common to hear: "If I can bank online, why can't I vote online?" This would be a reasonable question if in fact the two applications were anywhere near similar, but they are not.

In financial transactions, there are records kept, and one can trace the movement of money from one place to another. Voted ballots, however, are supposed to be anonymous; in nearly all jurisdictions, it is supposed to be impossible to connect a voted ballot with the voter who cast the ballot. One could take the South Carolina State Constitution (Article II, Section 1) as appropriate: "All elections by the people shall be by secret ballot, but the ballots shall not be counted in secret."

The issue of secret, anonymous (once cast) ballots completely changes things. Once a ballot is cast, it could be intercepted on the internet (if sent over the internet), changed, deleted, or replaced anywhere from the casting to the final tallying, and there would be no way to determine the modification. (Actually, there is a way, using cryptography, but I am unaware of any online voting system that does that right.) Verified Voting published a detailed discussion on this more than 10 years ago [1].

Finally, with no disrespect intended, election workers start their Election Day at 5:30 or 6 a.m. and are not done until 8 p.m. or much later, with the media, candidates, and political parties breathing down their necks for instant results.

Again, this argues for the simplest and most verifiable system that can do the job. Using complicated systems is just asking for trouble.

Some Details

I will continue with two of the anomalies/errors that have been observed and (to the practiced eye) almost certainly happen due to shortcomings in the software. I would hope any upper-level undergraduate would recognize that these anomalies/errors have happened in their code and that they would have to improve the code in order to remove the errors.

One error repeatedly seen, from 2010 through 2024, with software from the two largest U.S. vendors of election systems, is a failure to verify that critical configuration sheets are identical. The ballot marking device does not record the candidate and contest in the QR or bar code; it records the x-y coordinate of where the bubble would be for that candidate and contest on the paper version of the hand-marked paper ballot. There are thus at least two, if not three, "cheat-sheets" that match the x-y coordinate to candidates and contest.

We have known for decades how to verify that two documents are the same document (using hash codes and digital signatures), or else we could not do electronic commerce or sign documents over the web, and yet neither of the two major vendors seems to check that all the cheat-sheets are the same. I have taught hash codes and signatures in my third-semester undergraduate class, "How to Program Like an Adult," and even just a byte-by-byte comparison would catch these inconsistencies.

This "glitch" has been the source of much of the 2020 "Stop The Steal" complaints, and the glitch continues. In November 2024, this is the glitch that caused two results in an Ohio county to be reversed. This is an error I first saw in 2010 in South Carolina, and then in every South Carolina biennial election through 2018. I would argue, for a software person, that preventing this error from being possible is a no-brainer.
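The check described above can be sketched as follows. This is an added example, not vendor code or code from the article; the device names, the coordinate-to-candidate layout, and the sample entries are all constructed for illustration.

```python
import hashlib
import json

def digest(mapping):
    """SHA-256 over a canonical serialization, so two copies with the same
    entries always hash alike and any changed entry changes the digest."""
    canonical = json.dumps(sorted(mapping.items()), separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def check_copies(reference_name, copies):
    """Return {device: [coordinates that differ from the reference copy]}.
    An empty dict means every copy is identical to the reference."""
    reference = copies[reference_name]
    expected = digest(reference)
    mismatches = {}
    for name, mapping in copies.items():
        if name == reference_name or digest(mapping) == expected:
            continue
        # Digests differ: list the entries that are changed, missing or extra.
        coords = sorted(set(reference) | set(mapping))
        mismatches[name] = [c for c in coords if reference.get(c) != mapping.get(c)]
    return mismatches

# Constructed sample: "x,y" bubble coordinate -> [contest, candidate].
EMS = {
    "12,40": ["Council District 3", "A. Rivera"],
    "12,44": ["Council District 3", "B. Chen"],
    "30,40": ["School Board", "C. Okafor"],
}
COPIES = {
    "ems": EMS,
    "ballot_marking_device": dict(EMS),
    # Stale copy: two candidates in one contest are swapped.
    "scanner": {**EMS, "12,40": EMS["12,44"], "12,44": EMS["12,40"]},
}

if __name__ == "__main__":
    for device, coords in check_copies("ems", COPIES).items():
        print(f"DO NOT OPEN POLLS: {device} differs at {coords}")
```

A swapped pair like the one in the sample leaves the total vote count unchanged and credits each candidate with the other's votes, which is why the comparison has to happen before any ballot is scanned.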

A similar "glitch" occurs with counting ballots more than once. The ballots are delivered on flash drives, one per scanner for the two major vendors. But it must be remembered that election night is going to be chaotic, with tired officials and with the media and candidates demanding instant gratification.

It has happened, repeatedly, that the flash drive totals from the scanners have been uploaded twice into the central database.

How could this happen? Why would it not be the case that the serial numbers of flash drives already loaded are kept as "we already did this" data, and a pop-up "Are you sure?" window appears if there is an attempt to upload again?

We must remember individual votes are anonymous, and there could certainly be multiple votes that are actually the same. But the votes that come back on flash drives almost certainly have file names and serial numbers, and the file could be hashed to provide a signature. A flash drive used twice, with two different file names and hashes, could have both files uploaded, but if a record was kept in the central EMS (election management system) of the file names and hashes, then one could reasonably expect to recognize the attempt to upload the same file twice. This would seem to be routine bulletproofing of the software, but it doesn't seem to be part of the systems, at least not from the two major vendors.
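A sketch of the "we already did this" record described above, as an added example that is not part of the article or any vendor's EMS. The `CentralTally` class, the `contest|candidate|votes` file format, the drive serials, and the vote counts are constructed for illustration.

```python
import hashlib
from collections import Counter

class CentralTally:
    """Stand-in for the EMS results database (constructed for this example)."""

    def __init__(self):
        self.totals = Counter()
        self.loaded = {}  # SHA-256 of results file -> (drive serial, file name)

    def upload(self, drive_serial, file_name, data):
        """Add a results file to the totals once; refuse content already loaded."""
        file_hash = hashlib.sha256(data).hexdigest()
        if file_hash in self.loaded:
            first_serial, first_name = self.loaded[file_hash]
            return False, f"already loaded from drive {first_serial} as {first_name}"
        # Parse the whole file before touching totals so a bad file changes nothing.
        parsed = []
        for line in data.decode("utf-8").splitlines():
            contest, candidate, votes = line.split("|")
            parsed.append(((contest, candidate), int(votes)))
        for key, votes in parsed:
            self.totals[key] += votes
        self.loaded[file_hash] = (drive_serial, file_name)
        return True, "accepted"

# Constructed sample results files, one per scanner.
SCANNER_A = b"Mayor|Rivera|210\nMayor|Chen|190\n"
SCANNER_B = b"Mayor|Rivera|95\nMayor|Chen|120\n"

def election_night():
    ems = CentralTally()
    outcomes = [
        ems.upload("FD-0001", "precinct12.res", SCANNER_A),
        ems.upload("FD-0002", "precinct13.res", SCANNER_B),
        # The first drive is inserted again; the file name differs, the bytes do not.
        ems.upload("FD-0001", "precinct12 (1).res", SCANNER_A),
    ]
    return ems, outcomes

if __name__ == "__main__":
    ems, outcomes = election_night()
    print(outcomes[-1], dict(ems.totals))
```

With the sample numbers, counting the first drive twice would give Rivera 515 to Chen's 500; with the check, the totals stay at 305 to 310. Keying on content alone assumes each results file carries something unique to its scanner, so two scanners with identical tallies still produce different bytes.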

A Disclaimer on Hacking

With the 2020 U.S. election, we saw a large number of claims of fraud and hacking. None were ever shown to have any real merit.

On the other hand, it is known that both Election Systems & Software and Dominion Voting Systems were vulnerable, and that voting information had been exported in its entirety and has been available to any and all, including "bad actors," since 2021 [2, 3]. It's therefore entirely possible, although very unlikely, that the 2024 election was hacked.

But given who would do the hacking, it is unlikely they would have been so incompetent as not to leave the field and leave no trace. One cannot conclude there was no hacking, but one also has to admit that if it were done by sophisticated bad actors, it almost certainly would not be detectable. That's not the best position to be in, but it is where we are, and we have to work further in spite of any questions.




For my part, I have been much more concerned about the fact that the systems seem to make it much too easy to make mistakes. Those things can and should be fixed.

And although there has never been any proof, there have been issues going back to 2004 where a credible suggestion could be made that the system was hacked. Almost none of these have been investigated, so we have no evidence.

Conclusions

Elections are very different from other applications. The need for the ballots as cast to be anonymous means one cannot do the usual tracing of transactions that would be done in, say, a financial system. This argues that everything is a process, and the process needs to be written in detail and followed precisely.

And an election, or at least Election Day, is a process distributed in location, run by large numbers of volunteers, under strict time constraints, and with several parties constantly asking for instant gratification of the results once the polls have closed. This argues for using the simplest possible system. Complicated systems are almost guaranteed to break down somewhere.

The process needs to be as simple as possible because the vendors' election systems do not seem to have sufficient bulletproofing in the software. It seems much too easy to make mistakes.

Finally, no credible evidence of hacking has been seen. We have seen anomalies, but because what we have seen has affected a small number of ballots, in different locations in different elections, with no obvious patterns, and because what we have seen certainly seems like the result of less-than-high-quality programming, we believe these are mistakes.

On the other hand, given the stakes in U.S. biennial and quadrennial elections, and given that the entire election system from the two major vendors is available to sophisticated bad actors, it is unlikely there would be evidence left behind of a hack in the system. This makes bulletproofing the software and the process even more important.

A final comment on my preferences for conducting elections. I believe in using hand-marked paper at the polling place. This eliminates the question of whether the bar codes match the choices made by the voter and the text that is printed on the ballot cards. (There are instances in which these don't match, but they seem to be errors and not intentional.) With this paper, one can always do a statistical test to determine with a very high degree of confidence that the scanned results match the paper.

I also believe in scanning at the polling place. This produces small tallies of who got how many votes. It would therefore be very hard to add or drop a box of ballots on the way to the county headquarters; a central count by polling place would have to be the same as all the local counts before the ballots were sent back to the county.

References

[1] Jefferson, D. If I can shop and bank online, why can't I vote online? Verified Voting. 2014; https://verifiedvoting.org/publication/if-i-can-shop-and-bank-online-why-cant-i-vote-online

[2] Oosting, J. Who are the Trump loyalists investigated, charged in vote machine tampering case. Bridge Michigan. August 4, 2023; https://www.bridgemi.com/michigan-government/who-are-trump-loyalists-investigated-charged-vote-machine-tampering-case

[3] Georgia Voting Machines Challenge. Curling v. Raffensperger. Democracy Docket. 2025; https://www.democracydocket.com/cases/georgia-voting-machines-challenge/

Author

Duncan A. Buell served on the Board of Voter Registration and Elections for Richland County, South Carolina, from spring 2019 to spring 2021, when he moved out of state. He continues to work on election integrity and argues that the best system would be hand-marked paper (so voters really can verify their choices) scanned at the polling place (to make it harder to add or delete boxes of ballots on the way to county headquarters).


Copyright is held by the owner/author(s). Publication rights licensed to ACM.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2025 ACM, Inc.