LA County is Tabulating Votes with QR Codes. Security Experts Think It's a Bad Idea
Tami Abdollah is dot.LA's senior technology reporter. She was previously a national security and cybersecurity reporter for The Associated Press in Washington, D.C. She's been a reporter for the AP in Los Angeles, the Los Angeles Times and for L.A.'s NPR affiliate KPCC. Abdollah spent nearly a year in Iraq as a U.S. government contractor. A native Angeleno, she's traveled the world on $5 a day, taught trad climbing safety classes and is an avid mountaineer. Follow her on Twitter.
After $300-million and 11 years, the nation's largest county rolled out the first publicly-owned voting system earlier this year, promising "transparency, accessibility, usability, and security."
Los Angeles County's new voting system — dubbed "Voting Solutions for All People," or VSAP — has raised concerns from election security experts. Dozens of advocacy groups have warned California's top election official that the electronic touchscreen system used for in-person voting relies on QR codes to tabulate votes. QR codes are vulnerable to hackers and system malfunctions and cannot be easily verified by most voters, U.S. government and outside experts have found.
A coalition of 36 election-security experts and advocacy groups wrote in a letter last month to Secretary of State Alex Padilla that they were "gravely concerned that [L.A. County's recently certified system] uses QR codes for tabulation" and urged him to stop relying on QR codes to tally votes at least by the 2022 primary election.
After voters make their ballot selections on their screens, the machine spits out a printed-out ballot-like receipt to review, along with a QR code.
"Although voters can easily verify the selections that the [voting system] prints on their ballot in their own language, they cannot easily verify the QR codes that [it] will actually use to tally votes," the letter said.
After voters make their ballot selections on their screens, the machine spits out a printed-out ballot-like receipt to review, along with a QR code. Officials have said this gives voters an easy way to verify their selections. But what a voter sees in plain text on the receipt, is not what the tallying machine counts. The county's new system scans the QR code to unpack and count what a voter has selected. If the system is hacked or wrongly records a voter's selections while electronically encoding it into the QR, there's no quick and easy way to tell.
Election administrators expect record turnout for the November 3 presidential election, which has already seen high levels of mail-in ballot participation. Intelligence officials warned lawmakers earlier this year that Russia is again trying to meddle in the U.S. election process, as it did in 2016. On Thursday, U.S. officials announced that Russian hackers targeted dozens of state, local and tribal networks, successfully stealing data from at least two unnamed victim servers; as a result, "there may be some risk to elections information housed on" those government networks. But there is no evidence that the integrity of elections data has been compromised, the government alert said.
L.A. County's new voting system, manufactured by Smartmatic Corp., a voting technology company that has been scrutinized for ties to the Venezuelan government, was first used for the presidential primary in March. The voting process was mired with technical problems that led to lengthy wait times and multiple after-incident reviews. L.A. County has since said the issues with its roughly 30,000 voting-machine system have been addressed and the new system was officially certified, as long as county officials abide by certain security conditions, by Secretary of State Alex Padilla earlier this month.
But even for those who understand how to scan a QR code, trying to verify the accuracy of their vote can be confusing and time-consuming.
Here's an example of what shows up when you scan your QR code, according to a document buried on the Los Angeles County Registrar-Recorder/County Clerk's website:
VER:A.SEL:4N/4E/H/J/3C/3K/35/4S/45/3Z/4A/X/3Q/3S/3U/3W/3Y/N/Y. BMD:0000046.SIG:4R57D5C44QKEJRS3OBF33PL0Z6U9THBR74NTA1VVH K09E6NFDH4DWXPY8Q9ZF6VD0LAQ1E6IY6AGQC1S4TG095N8NEN3AFOET12."
The first line represents the selections a voter made, with each letter and number combination corresponding to a particular candidate or measure. For example, a vote for the Joe Biden ticket is coded as 3G8 while Donald Trump is 3G9. It is up to voters to decode and match each of alphanumeric values to the actual plain-language choices they made on their ballots.
Michael Sanchez, a spokesman for the registrar's office, said that voters can go online to find a document for decoding their ballot. Sanchez later supplied the crucial direct link via email, which is otherwise difficult to find online.
For voters who are older, disabled, simply not tech-savvy, or just unwilling to take the time, verifying your ballot selections in L.A. County is an incredibly "burdensome process," said Susan Greenhalgh, senior advisor on election security for Free Speech For People, a nonpartisan public interest group. "The person can't look at it and know what it says, they have to jump through all these hoops."
Kim Alexander, president of the nonprofit, nonpartisan California Voter Foundation noted that the difficulty with verifying the older punch-card ballot system is why post-election audits were done in the first place.
"We were using these ballots where people couldn't verify their choices," Alexander said. "Now we've come full circle. We have these QR codes that some tiny population of L.A. County has the wherewithal and ability and smarts to decode and verify (their) ballot. Even if you're able to do that, you're not done decoding the code. You have to then do another round of decoding."
QR Codes Stir Debate
The QR code has made a bit of a comeback to daily life during the pandemic, especially in place of restaurant menus.
But in the world of election security, the use of barcodes and QR codes is generally viewed as problematic by experts who say it inserts a machine — and its own code that's indecipherable to humans — between a voter and their vote. Because the QR code on the ballot cannot be easily verified for its accuracy, computer scientists say it makes them an easier target for hackers.
The county's YouTube video illustrating how to use the new voting machines skips over any explanation of how to check the QR code for accuracy. Instead, the county shows a voter quickly scanning their finger over the lines of plain text reflecting their votes. In reality, the QR code, not the text, is what is actually counted.
"It's really ugly, it is not usable at all," said Eddie Perez, an election administration and technology expert with the nonpartisan, nonprofit OSET Institute, about L.A.'s system. "If you're placing a very high value on accessibility and the idea that every single voter, regardless of their condition or disability, should be able to verify their ballot — if you really believe that, and are going to put $282 million behind those goals, then it's fair to ask: 'Is the process you're leaning on to check your QR code accessible?' I literally don't know [what happens] if someone is blind."
Sanchez, the registrar's office spokesman, said the county's ballot-marking device lets voters who are blind listen to a read-back of their on-screen selections. But that doesn't account for the encoded QR.
QR codes, which are a type of barcode, also have the potential to become legally thorny ground.
"There's an inherent problem with the use of barcodes or QR codes in voting systems because the ballot contains two records of voter intent, and one needs to be established as the legal record of voter intent," Greenhalgh said. "If the human-readable text is the legal vote of record, that means that something other than the legal vote of record is counted. If the QR code is the legal voter of record, that dissolves any pretense (that) this is a voter-verifiable ballot."
How to vote on the NEW Ballot Marking Device www.youtube.com
National Debate Leads to First Ban
Such barcode-based devices also "raise security and verifiability concerns," according to an election-security report released by the National Academies of Sciences, Engineering, and Medicine last year. And the U.S.'s National Institute of Standards and Technology noted that barcodes could result in a voter being presented with different ballot selections than what the machine reads.
"If barcodes are used for tabulation of cast ballots, any modification of a voter's ballot selections may go undetected and impact the election results," NIST wrote.
All of this is especially problematic, experts say, because a recent University of Michigan study on voter behavior found that few voters check or detect errors on their ballots.
The debate over barcodes has figured heavily in battleground states like Georgia, South Carolina, North Carolina and Pennsylvania where they are used by some jurisdictions, but it's received much less scrutiny in California. In September 2019, Colorado became the first state to ban the use of barcodes or QR codes on ballots due to security concerns after using a system similar to California's.
Colorado's Secretary of State Jena Griswold said in a news release at the time that "although voters can see their vote choices, they cannot verify that the QR code is correct" and the QR codes "could be among the next target of an attack and are potentially subject to manipulation."
Griswold said Colorado will stop using machines that use barcodes or QR codes to count votes after 2021. The state has been a national leader in adopting election security best practices, including practices like risk-limiting audits to verify election results.
Auditing to Ensure Voter Confidence
California's Secretary of State Padilla gave L.A. County's voting system conditional certification earlier this month. Among the additional security requirements is that the county must conduct one of two types of audits to ensure the QR codes match the human-readable section of the ballot.
L.A. County has elected to conduct a traditional manual tally of 1% of its votes, which election security experts say is a less comprehensive method for ensuring ballots have been tabulated correctly.
In recent years, so-called risk-limiting audits have been deemed best practice for providing confidence in an election result. California has an ongoing risk-limiting audit pilot program. Such audits rely on statistically-based techniques such as auditing more ballots if the margin in a race is narrow. Looking at a fixed percentage regardless of the margin of victory, however, can lead to missed problems.
Perez called L.A. County's decision to do a 1% fixed audit "cutting a corner, given the fact that L.A. County has claimed to set such a high bar on the voting experience."
Sanchez, the registrar's office spokesman, said he didn't immediately know the reasoning behind the decision to not conduct a risk-limiting audit on the presidential election. The California Secretary of State's Office did not respond to a request for comment.
In a news release touting the certified system this month, Padilla called the VSAP system a "historic milestone in election administration" and said that for in-person voters it will "provide an accessible, secure voting experience."
*This story was updated Thursday afternoon to reflect U.S. officials announcement that Russian hackers targeted dozens of state, local and tribal networks, successfully stealing data from at least two unnamed victim servers.
Hit me up if you have any other election and voting-related questions. My DMs are open on Twitter @latams You can also email me at tami(at)dot.la, or ask for my contact on Signal, for more secure and private communications.
- QR Codes Make a Comeback as Restaurants Go Contactless - dot.LA ›
- Why QR Codes Will Make it Harder to Verify LA Votes - dot.LA ›
Subscribe to our newsletter to catch every headline.
Los Angeles is home to around 5,000 startups, the majority of which are in their young, formative years.
Which of those thousands are poised for a breakout in 2021? We asked dozens of L.A.'s top VCs to weigh in. We wanted to know which companies they would have invested in if they could go back and do it all over again.
Boiling<img lazy-loadable="true" src="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vbWVkaWEucmJsLm1zL2ltYWdlP3U9JTJGaW1hZ2VzJTNGcSUzRHRibiUzQUFOZDlHY1EwRjdlRzlxY3JFd1lNVS12T2VTWng1NFd6VFdWUktaMFpyQSUyNnVzcXAlM0RDQVUmaG89aHR0cHMlM0ElMkYlMkZlbmNyeXB0ZWQtdGJuMC5nc3RhdGljLmNvbSZzPTEwMDImaD1jOGIyM2Y5YWNhNGNhNDY3NzZhNmUzNTU3MWI2YzAzNjcwOTU1Nzg0ODQxZDdiZGIyZjAxMzUxNjdkN2I5NWY2JnNpemU9OTgweCZjPTE2MDM4MjI5MTgiLCJleHBpcmVzX2F0IjoxNjY1MTY5NTcxfQ.iTVRhSe0UulUxSyMUZ4QA7_0njADdWe3QEJ28-xW6m0/img.jpg" id="a03b9" class="rm-shortcode" data-rm-shortcode-id="03faa4898896a9ce5be09d51dc104b73" alt="Pipe logo" />
Simmering<img lazy-loadable="true" src="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vbWVkaWEucmJsLm1zL2ltYWdlP3U9JTJGaW1hZ2VzJTNGcSUzRHRibiUzQUFOZDlHY1JlR3QzLWlHSmFtYVJnLXNwSXVYcDc5N0xOdnpTYWhYYVloQSUyNnVzcXAlM0RDQVUmaG89aHR0cHMlM0ElMkYlMkZlbmNyeXB0ZWQtdGJuMC5nc3RhdGljLmNvbSZzPTYwNiZoPWU3NzNhYTkwODZkNmE4OWQwMWU0ZjZkODk0ODU1ZWEyZDIzMmU3YTYyNzJjYTU3Mzk3MmI0NmQ0NjAxMDY3YzMmc2l6ZT05ODB4JmM9MjQ3NDg5MDE0MiIsImV4cGlyZXNfYXQiOjE2NzAzMzU0NjB9.iqCUfvVUI22AGAz-QYPiS7XFb26sw3mGaU8seorLqxQ/img.jpg" id="44f84" class="rm-shortcode" data-rm-shortcode-id="cbdc9b0cdf21d3873eef2a40647ae810" alt="Freck Beauty logo" />
- Meet 3 Early Stage Science Startups at First Look's Showcase - dot.LA ›
- What Early Stage Startups Should Be Thinking About COVID-19 ... ›
Though Silicon Valley is still very much the capital of venture capital, Los Angeles is home to plenty of VCs who have made their mark – investing in successful startups early and reaping colossal returns for their limited partners.
Who stands out? We thought there may be no better judge than their peers, so we asked 28 of L.A.'s top VCs who impresses them the most.
Mark Mullen, Bonfire Ventures<p>Mark Mullen is a founding partner of Bonfire Ventures. He is also founder and the largest investor in Mull Capital and Double M Partners, LP I and II. A common theme in these funds is a focus on business-to-business media and communications infrastructures.</p><p>In the past, Mullen has served as the chief operating officer at the city of Los Angeles' Economic Office and a senior advisor to former Mayor Villaraigosa, overseeing several of the city's assets including Los Angeles International Airport and the Los Angeles Convention Center. Prior to that, he was a partner at Daniels & Associates, a senior banker when the firm sold to RBC Capital Markets in 2007.</p>
Dana Settle, Greycroft<p>Dana Settle is a founding partner of Greycroft, heading the West Coast office in Los Angeles. She currently manages the firm's stakes in Anine Bing, AppAnnie, Bird, Clique, Comparably, Goop, Happiest Baby, Seed, Thrive Market, Versed and WideOrbit, and is known for backing female-founded companies.</p><p>"The real change takes place when female founders build bigger, independent companies, like Stitchfix, TheRealReal," she said this time last year in <a href="https://www.businessinsider.com/greycrofts-dana-settle-on-closing-funding-gap-for-female-founders-2019-12" target="_blank" rel="noopener noreferrer">an interview with Business Insider</a>. "They're creating more wealth across their cap tables and the cap tables tend to be more diverse, so that gives more people opportunity to become an angel investor." Prior to founding Greycroft, she was a venture capitalist and startup advisor in the Bay Area.</p>
Erik Rannala, Mucker Capital<p>Erik Rannala is a founding partner at Mucker Capital, which he created with William Hsu in 2011. Before founding Mucker, Rannala was vice president of global product strategy and development at TripAdvisor and a group manager at eBay, overseeing its premium features business.</p><p>"As an investor, I root for startups. It pains me to see great teams and ideas collapse under the pressure that sometimes follows fundraising. If you've raised money and you're not sure what comes next, that's fine – I don't always know either," Rannala wrote in <a href="https://www.mucker.com/more-funding-wont-magically-fix-your-startup/" target="_blank" rel="noopener noreferrer">a blog post for Mucker</a>. </p><p>Mucker has a portfolio of 61 companies, including Los Angeles-based Honey and Santa Monica-based HMBradley.</p>
William Hsu, Mucker Capital<p>William Hsu is a founding partner at the Santa Monica-based fund Mucker Capital. He started his career as a founder, creating BuildPoint, a provider of workflow management solutions for the commercial construction industry not long after graduating from Stanford. </p> <p><a href="https://www.fastcompany.com/3048173/the-unexpected-and-hard-earned-lessons-from-a-dot-com-flame-out" target="_blank" rel="noopener noreferrer">In an interview with Fast Company</a>, he shared what he learned in the years following, as he led product teams at eBay, Green Dot and Spot Runner, eventually becoming the SVP and Chief Product Officer of At&T Interactive: "Building a company is about hiring correctly, adhering to a timeline, and rigorously valuing opportunity. It's turning something from inspiration and creative movement into process and rigor."</p> <p>These are the values he looks for in founders in addition to creativity. "I like to see the possibility of each and every idea, and being imaginative makes me a passionate investor."</p>
Jim Andelman, Bonfire Ventures<p>Jim Andelman is a founding partner of Bonfire Ventures, a fund that focuses on seed rounds for business software founders. Andelman has been in venture capital for 20 years, previously founding Rincon Venture Partners and leading software investing at Broadview Capital Partners.<br><br>He's no stranger to enterprise software — he also was a member of the Technology Investment Banking Group at Alex. Brown & Sons and worked at Symmetrix, a consulting firm focusing on technology application for businesses.</p> <p><a href="https://dot.la/la-venture-podcast-jim-andelman-of-bonfire-ventures-2648143780.html" target="_self">In a podcast with LA Venture's Minnie Ingersoll</a> earlier this year, he spoke on the hesitations people have about choosing to start a company.</p>"It's two very different things: Should I coach someone to be a VC or should I coach someone to enter the startup ecosystem? On the latter question, my answer is 'hell yeah!'"
Josh Diamond, Walkabout Ventures<p>Josh Diamond founded Walkabout Ventures, a seed fund that primarily focuses on financial service startups. The firm raised a $10 million fund in 2019 and is preparing for its second fund. Among its 19 portfolio companies is HMBradley, which Diamond helped seed and recently <a href="https://dot.la/hm-bradley-2649022900.html" target="_self">raised $18 in a Series A</a> round.</p><p>"The whole reason I started this is that I saw there was a gap in the funding for early stage, financial service startups," he said. As consumers demand more digital access and transparency, he said the market for financial services is transforming — and Los Angeles is quickly becoming a hub for fintech companies. Before founding Walkabout, he was a principal for Clocktower Technology Ventures, another Los Angeles-based fund with a similar focus.</p>
Kara Nortman, Upfront Ventures<p>Kara Nortman was recently promoted to managing partner at Upfront Ventures, making her one of the few women – along with Settle – to ascend to the highest ranks of a major VC firm.</p><p>Though<a href="https://upfront.com/thoughts/announcing-upfronts-new-co-managing-partner" target="_blank" rel="noopener noreferrer"> Upfront had attempted to recruit her</a> before she joined in 2014, she had declined in order to start her own company, Moonfrye, a children's ecommerce company that rebranded to P.S. XO and merged with Seedling. Upfront invested in the combination, and shortly after, Nortman joined the Upfront team.</p><p>Before founding Moonfrye, she was the SVP and General Manager of Urbanspoon and Citysearch at IAC after co-heading IAC's M&A group.</p><p><a href="https://dot.la/moving-from-the-passenger-seat-to-the-drivers-seat-upfronts-kara-nortman-named-managing-partner-2648493740.html" target="_self">In an interview with dot.LA earlier this year</a>, she spoke on how a focus for her as a VC is to continue to open doors for founders and funders of diverse backgrounds.<br></p><p>"Once you're a woman or a person of color in a VC firm, it is making sure other talented people like you get hired, but also hiring people who are not totally like you. You have to make room for different kinds of people. And how do you empower those people?"<br></p>
Brett Brewer, Crosscut Ventures<p>Brett Brewer is a co-founder and managing director of Crosscut Ventures. He has a long history in entrepreneurship, starting a "pencil selling business in 4th grade." In 1998, he co-founded Intermix Media. Under their umbrella were online businesses like Myspace.com and Skilljam.com. After selling Intermix in 2005, he became president of Adknowledge.com.</p><p>Brewer founded Santa Monica-based Crosscut in 2008 alongside Rick Smith and Brian Garrett. His advice to founders <a href="https://crosscut.vc/team/" target="_blank">on Crosscut's website</a> reflects his experience: "Founders have to be prepared to pivot, restart, expect the unexpected, and make tough choices quickly... all in the same week! It's not for the faint of heart, but after doing this for 20 years, you can spot the fire (and desire) from a mile away (or not)."</p>
Eva Ho, Fika Ventures<p>Eva Ho is a founding partner of Fika Ventures, a boutique seed fund, which focuses on data and artificial intelligence-enabled technologies. Prior to founding Fika, she was a founding partner at San Francisco-based Susa Ventures, another seed-stage fund with a similar focus. She is also a serial entrepreneur, most recently co-founding an L.A. location data provider, Factual. She also co-founded Navigating Cancer, a health startup, and is a founding member of All Raise, a nonprofit that supports and provides resources to female founders and funders.</p><p><a href="https://medium.com/@John_Livesay/when-google-bought-my-startup-81f1ee21488c" target="_blank" rel="noopener noreferrer">In an interview with John Livesay</a> shortly before founding Fika, Ho spoke to how her experience at Factual helped focus what she looks for in founders. "I always look for the why. A lot of people have the skills and the confidence and the experience, but they can't convince me that they're truly passionate about this. That's the hard part — you can't fake passion."</p>
Brian Lee, BAM Ventures<p>Brian Lee is a co-founder and managing director of BAM Ventures, an early-stage consumer-focused fund. <a href="https://dot.la/brian-lee-los-angeles-venture-capital-2645125301.html" target="_self">In an interview with dot.LA earlier this year</a>, Lee shared that he ended up being the first investor in Honey, which was bought by PayPal for $4 billion, through investing in founders and understanding their "vibe."</p> <p>"There's certain criteria that we look for in founders, a proprietary kind of checklist that we go through to determine whether or not these are the founders that we want to back…. [Honey's founders] knew exactly what they were building, and how they were going to get there."</p> <p>His eye for the right vibe in a founder is one gleaned from experience. Lee is a serial entrepreneur, founding LegalZoom.com, ShoeDazzle.com and The Honest Company.</p>
Alex Rubalcava, Stage Venture Partners<p>Alex Rubalcava is a founding partner of Stage Venture Partners, a seed venture capital firm that invests in emerging software technology for B2B markets. Prior to joining, he was an analyst at Santa Monica-based Anthem Venture Partners, an investor in early stage technology companies. It was his first job after graduating from Harvard, and during his time at Anthem the fund was part of Series A in companies like MySpace, TrueCar and Android.</p><p>He has served as a board member in several Los Angeles nonprofits and organizations like KIPP LA Schools and South Central Scholars.</p> <p>"Warren Buffett says that he's a better businessman because he's an investor, and he's a better investor because he's a businessman. I feel the same way about VC and value investing. Being good at value investing can make you good at venture capital, and vice versa," Rubalcava said in <a href="https://moiglobal.com/alex-rubalcava-interview/" target="_blank" rel="noopener noreferrer">an interview with Shai Dardashti of MOI Global</a>.</p>
Mark Suster, Upfront Ventures<p>Mark Suster, managing partner at Upfront Ventures, is arguably L.A.'s most visible VC, frequently posting on Twitter and on his <a href="https://bothsidesofthetable.com/" target="_blank" rel="noopener noreferrer">blog</a>, not only about investing but also more personal topics like weight loss. In more normal years, he presides over LA's biggest gathering of tech titans, the Upfront Summit. Before Upfront, he was the founder and chief executive officer of two software companies, BuildOnline and Koral, which was acquired by Salesforce. Upfront backed both of his companies, and eventually he joined their team in 2007.</p><p>In a piece for his blog, "Both Sides of the Table," <a href="https://bothsidesofthetable.com/finding-an-investor-who-is-in-love-with-you-d0badf1a3998" target="_blank" rel="noopener noreferrer">Suster wrote about the importance of passion</a> — not just for entrepreneurs and their businesses, but for the VCs that fund them as well.<br></p><p>"On reflection of the role that I want to play as a VC it is clearly in the camp of passion. I really want to start my journeys only with people with whom I want to work closely with for the next 5–7 years or more. I only want to work on projects in which I believe can produce truly amazing change in an industry or in the world."</p>
- Ten Venture Capital Firms Commit to 'Diversity' Rider' - dot.LA ›
- Navigating the Venture Capital World as a Black Person - dot.LA ›
- The Largest Venture Capital Raises in Los Angeles in 2020 - dot.LA ›