LA County is Tabulating Votes with QR Codes. Security Experts Think It's a Bad Idea

Tami Abdollah

Tami Abdollah was dot.LA's senior technology reporter. She was previously a national security and cybersecurity reporter for The Associated Press in Washington, D.C. She's been a reporter for the AP in Los Angeles, the Los Angeles Times and for L.A.'s NPR affiliate KPCC. Abdollah spent nearly a year in Iraq as a U.S. government contractor. A native Angeleno, she's traveled the world on $5 a day, taught trad climbing safety classes and is an avid mountaineer. Follow her on Twitter.

LA County is Tabulating Votes with QR Codes. Security Experts Think It's a Bad Idea

After $300-million and 11 years, the nation's largest county rolled out the first publicly-owned voting system earlier this year, promising "transparency, accessibility, usability, and security."

Los Angeles County's new voting system — dubbed "Voting Solutions for All People," or VSAP — has raised concerns from election security experts. Dozens of advocacy groups have warned California's top election official that the electronic touchscreen system used for in-person voting relies on QR codes to tabulate votes. QR codes are vulnerable to hackers and system malfunctions and cannot be easily verified by most voters, U.S. government and outside experts have found.

A coalition of 36 election-security experts and advocacy groups wrote in a letter last month to Secretary of State Alex Padilla that they were "gravely concerned that [L.A. County's recently certified system] uses QR codes for tabulation" and urged him to stop relying on QR codes to tally votes at least by the 2022 primary election.

After voters make their ballot selections on their screens, the machine spits out a printed-out ballot-like receipt to review, along with a QR code.

"Although voters can easily verify the selections that the [voting system] prints on their ballot in their own language, they cannot easily verify the QR codes that [it] will actually use to tally votes," the letter said.

After voters make their ballot selections on their screens, the machine spits out a printed-out ballot-like receipt to review, along with a QR code. Officials have said this gives voters an easy way to verify their selections. But what a voter sees in plain text on the receipt, is not what the tallying machine counts. The county's new system scans the QR code to unpack and count what a voter has selected. If the system is hacked or wrongly records a voter's selections while electronically encoding it into the QR, there's no quick and easy way to tell.

Election administrators expect record turnout for the November 3 presidential election, which has already seen high levels of mail-in ballot participation. Intelligence officials warned lawmakers earlier this year that Russia is again trying to meddle in the U.S. election process, as it did in 2016. On Thursday, U.S. officials announced that Russian hackers targeted dozens of state, local and tribal networks, successfully stealing data from at least two unnamed victim servers; as a result, "there may be some risk to elections information housed on" those government networks. But there is no evidence that the integrity of elections data has been compromised, the government alert said.

L.A. County's new voting system, manufactured by Smartmatic Corp., a voting technology company that has been scrutinized for ties to the Venezuelan government, was first used for the presidential primary in March. The voting process was mired with technical problems that led to lengthy wait times and multiple after-incident reviews. L.A. County has since said the issues with its roughly 30,000 voting-machine system have been addressed and the new system was officially certified, as long as county officials abide by certain security conditions, by Secretary of State Alex Padilla earlier this month.

But even for those who understand how to scan a QR code, trying to verify the accuracy of their vote can be confusing and time-consuming.

Here's an example of what shows up when you scan your QR code, according to a document buried on the Los Angeles County Registrar-Recorder/County Clerk's website:


The first line represents the selections a voter made, with each letter and number combination corresponding to a particular candidate or measure. For example, a vote for the Joe Biden ticket is coded as 3G8 while Donald Trump is 3G9. It is up to voters to decode and match each of alphanumeric values to the actual plain-language choices they made on their ballots.

Michael Sanchez, a spokesman for the registrar's office, said that voters can go online to find a document for decoding their ballot. Sanchez later supplied the crucial direct link via email, which is otherwise difficult to find online.

For voters who are older, disabled, simply not tech-savvy, or just unwilling to take the time, verifying your ballot selections in L.A. County is an incredibly "burdensome process," said Susan Greenhalgh, senior advisor on election security for Free Speech For People, a nonpartisan public interest group. "The person can't look at it and know what it says, they have to jump through all these hoops."

Kim Alexander, president of the nonprofit, nonpartisan California Voter Foundation noted that the difficulty with verifying the older punch-card ballot system is why post-election audits were done in the first place.

"We were using these ballots where people couldn't verify their choices," Alexander said. "Now we've come full circle. We have these QR codes that some tiny population of L.A. County has the wherewithal and ability and smarts to decode and verify (their) ballot. Even if you're able to do that, you're not done decoding the code. You have to then do another round of decoding."

In the world of election security, the use of barcodes and QR codes is generally viewed as problematic by experts Photo by Markus Winkler on Unsplash

QR Codes Stir Debate

The QR code has made a bit of a comeback to daily life during the pandemic, especially in place of restaurant menus.

But in the world of election security, the use of barcodes and QR codes is generally viewed as problematic by experts who say it inserts a machine — and its own code that's indecipherable to humans — between a voter and their vote. Because the QR code on the ballot cannot be easily verified for its accuracy, computer scientists say it makes them an easier target for hackers.

The county's YouTube video illustrating how to use the new voting machines skips over any explanation of how to check the QR code for accuracy. Instead, the county shows a voter quickly scanning their finger over the lines of plain text reflecting their votes. In reality, the QR code, not the text, is what is actually counted.

"It's really ugly, it is not usable at all," said Eddie Perez, an election administration and technology expert with the nonpartisan, nonprofit OSET Institute, about L.A.'s system. "If you're placing a very high value on accessibility and the idea that every single voter, regardless of their condition or disability, should be able to verify their ballot — if you really believe that, and are going to put $282 million behind those goals, then it's fair to ask: 'Is the process you're leaning on to check your QR code accessible?' I literally don't know [what happens] if someone is blind."

Sanchez, the registrar's office spokesman, said the county's ballot-marking device lets voters who are blind listen to a read-back of their on-screen selections. But that doesn't account for the encoded QR.

QR codes, which are a type of barcode, also have the potential to become legally thorny ground.

"There's an inherent problem with the use of barcodes or QR codes in voting systems because the ballot contains two records of voter intent, and one needs to be established as the legal record of voter intent," Greenhalgh said. "If the human-readable text is the legal vote of record, that means that something other than the legal vote of record is counted. If the QR code is the legal voter of record, that dissolves any pretense (that) this is a voter-verifiable ballot."

How to vote on the NEW Ballot Marking

National Debate Leads to First Ban

Such barcode-based devices also "raise security and verifiability concerns," according to an election-security report released by the National Academies of Sciences, Engineering, and Medicine last year. And the U.S.'s National Institute of Standards and Technology noted that barcodes could result in a voter being presented with different ballot selections than what the machine reads.

"If barcodes are used for tabulation of cast ballots, any modification of a voter's ballot selections may go undetected and impact the election results," NIST wrote.

All of this is especially problematic, experts say, because a recent University of Michigan study on voter behavior found that few voters check or detect errors on their ballots.

The debate over barcodes has figured heavily in battleground states like Georgia, South Carolina, North Carolina and Pennsylvania where they are used by some jurisdictions, but it's received much less scrutiny in California. In September 2019, Colorado became the first state to ban the use of barcodes or QR codes on ballots due to security concerns after using a system similar to California's.

Colorado's Secretary of State Jena Griswold said in a news release at the time that "although voters can see their vote choices, they cannot verify that the QR code is correct" and the QR codes "could be among the next target of an attack and are potentially subject to manipulation."

Griswold said Colorado will stop using machines that use barcodes or QR codes to count votes after 2021. The state has been a national leader in adopting election security best practices, including practices like risk-limiting audits to verify election results.

Auditing to Ensure Voter Confidence

California's Secretary of State Padilla gave L.A. County's voting system conditional certification earlier this month. Among the additional security requirements is that the county must conduct one of two types of audits to ensure the QR codes match the human-readable section of the ballot.

L.A. County has elected to conduct a traditional manual tally of 1% of its votes, which election security experts say is a less comprehensive method for ensuring ballots have been tabulated correctly.

In recent years, so-called risk-limiting audits have been deemed best practice for providing confidence in an election result. California has an ongoing risk-limiting audit pilot program. Such audits rely on statistically-based techniques such as auditing more ballots if the margin in a race is narrow. Looking at a fixed percentage regardless of the margin of victory, however, can lead to missed problems.

Perez called L.A. County's decision to do a 1% fixed audit "cutting a corner, given the fact that L.A. County has claimed to set such a high bar on the voting experience."

Sanchez, the registrar's office spokesman, said he didn't immediately know the reasoning behind the decision to not conduct a risk-limiting audit on the presidential election. The California Secretary of State's Office did not respond to a request for comment.

In a news release touting the certified system this month, Padilla called the VSAP system a "historic milestone in election administration" and said that for in-person voters it will "provide an accessible, secure voting experience."

*This story was updated Thursday afternoon to reflect U.S. officials announcement that Russian hackers targeted dozens of state, local and tribal networks, successfully stealing data from at least two unnamed victim servers.


Hit me up if you have any other election and voting-related questions. My DMs are open on Twitter @latams You can also email me at tami(at), or ask for my contact on Signal, for more secure and private communications.

Subscribe to our newsletter to catch every headline.

ComplYant Founder and CEO Shiloh Johnson on Why Tax Knowledge Is Her ‘Superpower’

Yasmin Nouri

Yasmin is the host of the "Behind Her Empire" podcast, focused on highlighting self-made women leaders and entrepreneurs and how they tackle their career, money, family and life.

Each episode covers their unique hero's journey and what it really takes to build an empire with key lessons learned along the way. The goal of the series is to empower you to see what's possible & inspire you to create financial freedom in your own life.

ComplYant Founder and CEO Shiloh Johnson on Why Tax Knowledge Is Her ‘Superpower’

On this episode of Behind Her Empire, ComplYant founder and CEO Shiloh Johnson discusses her journey to building a multimillion dollar business and making knowledge of taxes more accessible.

Read moreShow less

‘Expand Past the Stage’: How These LA-based Ticketing Platforms are Using The Metaverse to Take On Ticketmaster

Andria Moore

Andria is the Social and Engagement Editor for dot.LA. She previously covered internet trends and pop culture for BuzzFeed, and has written for Insider, The Washington Post and the Motion Picture Association. She obtained her bachelor's in journalism from Auburn University and an M.S. in digital audience strategy from Arizona State University. In her free time, Andria can be found roaming LA's incredible food scene or lounging at the beach.

‘Expand Past the Stage’: How These LA-based Ticketing Platforms are Using The Metaverse to Take On Ticketmaster
Evan Xie

When Taylor Swift announced her ‘Eras’ tour back in November, all hell broke loose.

Hundreds of thousands of dedicated Swifties — many of whom were verified for the presale — were disappointed when Ticketmaster failed to secure them tickets, or even allow them to peruse ticketing options.

But the Taylor Swift fiasco is just one of the latest in a long line of complaints against the ticketing behemoth. Ticketmaster has dominated the event and concert space since its merger with Live Nation in 2010 with very few challengers — until now.

Adam Jones, founder and CEO of Token, a fan-first commerce platform for events, said he has the platform and the tech ready to take it on. First and foremost, with Token, Jones is creating a system where there are no queues. In other words, fans know immediately which events are sold out and where.

“We come in very fortunate to have a modern, scalable tech stack that's not going to have all these outages or things being down,” Jones said. “That's step one. The other thing is we’re being aggressively transparent about what we’re doing and how we’re doing it. So with the Taylor Swift thing…you would know in real time if you actually have a chance of getting the tickets.”

Here’s how it works: Users register for Token’s app and then purchase tickets to either an in-person event, or an event in the metaverse through Animal Concerts. The purchased ticket automatically shows up in the form of a mintable NFT, which can then be used toward merchandise purchases, other ticketed events or, Adams’s hope for the future — external rewards like airline travel. The more active a user is on the site, the more valuable their NFT becomes.

Ticketmaster has dominated the music industry for so long because of its association with big name artists. To compete, Token is working on gaining access to their own slew of popular artists. They recently entered into a partnership with Animal Concerts, a live and non-live event experiences platform that houses artists like Alicia Keys, Snoop Dogg and Robin Thicke.

“You'll see they do all the metaverse side of the house,” Jones said. “And we're going to be the [real-life] web3 sides of the house.”

In addition, Token prides itself on working with the artists selling on their platform to set up the best system for their fanbase, devoid of hefty prices and additional fees — something Ticketmaster users have often complained about. Jones believes where Ticketmaster fails, Token thrives. The app incentivizes users to share more data about their interests, venues and artists by operating on a kind of points system in the form of mintable NFTs.

“We can actually take the dataset and say there’s 100 million people in the globe that love Taylor Swift, so imagine she’s going on tour and we ask [the user], ‘Would you go to see her in Detroit?’ And imagine this place has 30,000 seats, but 100,000 people clicked ‘yes,’” he explained. “So you can actually inform the user before anything even happens, right? About what their options are and where to get it.”

Tixr, a Santa-Monica based ticketing app, was founded on the idea that modern ticketing platforms were “living in the legacy of the past.” They plan to attract users by offering them exclusive access to ticketed events that aren’t in Ticketmaster’s registry.

“It melts commerce that's beyond ticketing…to allow fans to experience and purchase things that don't necessarily have to do with tickets,” said Tixr CEO and Founder Robert Davari. “So merchandise, and experiences, and hospitality and stuff like that are all elegantly melded into this one, content driven interface.”

Tixr sells tickets to exclusive concerts like a Tyga performance at a night club in Arizona, general in-person festivals like ComplexCon, and partners with local vendors like The Acura Grand Prix of Long Beach to sell tickets to the races. Plus, Davari said it’s equipped to handle high-demand, so customers aren’t spending hours waiting in digital queues.

Like Token, Tixr has also found success with a rewards program — in the form of fan marketing.

“There's nothing more powerful in the core of any event, brand, any live entertainment, [than] the community behind it,” Davari said. “So we build technology to empower those fans and to reward them for bringing their friends and spreading the word.”

Basically, if a user gets a friend to purchase tickets to an event, then the original user gets rewarded in the form of discounts or upgrades.

Coupled with their platforms’ ability to handle high-demand events, both Jones and Davari believe their platforms have what it takes to take on Ticketmaster. Expansion into the metaverse, they think, will also help even the playing field.

“So imagine you can't go to Taylor Swift,” Jones said. “What if you could purchase an exclusive to actually go to that exact same show over the metaverse? An artist’s whole world can expand past the stage itself.”

With the way ticketing for events works now, obviously not everyone always gets the exact price, venue or date they want. There are “winners and losers.” Jones’s hope is that by expanding beyond in-person events, there can be more winners.

“If there’s 100,000 people who want to go to one show and there's 37,000 seats, 70,000 are out,” he said. “You can't fight that. But what we can do is start to give them other opportunities to do things in a different way and actually still participate.”

Jones and Davari both teased that their platforms have some exciting developments in the works, but for now both Token and Tixr are set on making their own space within the industry.

“We simply want to advance this industry and make it more efficient and more pleasurable for fans to buy,” Davari said. “That's it.”

Here’s Why Streaming Looks More and More Like Cable

Lon Harris
Lon Harris is a contributor to dot.LA. His work has also appeared on ScreenJunkies, RottenTomatoes and Inside Streaming.
Here’s Why Streaming Looks More and More Like Cable
Evan Xie

The original dream of streaming was all of the content you love, easily accessible on your TV or computer at any time, at a reasonable price. Sadly, Hollywood and Silicon Valley have come together over the last decade or so to recognize that this isn’t really economically viable. Instead, the streaming marketplace is slowly transforming into something approximating Cable Television But Online.

It’s very expensive to make the kinds of shows that generate the kind of enthusiasm and excitement from global audiences that drives the growth of streaming platforms. For every international hit like “Squid Game” or “Money Heist,” Netflix produced dozens of other shows whose titles you have definitely forgotten about.

The marketplace for new TV has become so massively competitive, and the streaming landscape so oversaturated, even relatively popular shows with passionate fanbases that generate real enthusiasm and acclaim from critics often struggle to survive. Disney+ canceled Luscasfilm’s “Willow” after just one season this week, despite being based on a hit Ron Howard film and receiving an 83% critics score on Rotten Tomatoes. Amazon dropped the mystery drama “Three Pines” after one season as well this week, which starred Alfred Molina, also received positive reviews, and is based on a popular series of detective novels.

Even the new season of “The Mandalorian” is off to a sluggish start compared to its previous two Disney+ seasons, and Pedro Pascal is basically the most popular person in America right now.

Now that major players like Netflix, Disney+, and WB Discovery’s HBO Max have entered most of the big international markets, and bombarded consumers there with marketing and promotional efforts, onboarding of new subscribers inevitably has slowed. Combine that with inflation and other economic concerns, and you have a recipe for austerity and belt-tightening among the big streamers that’s virtually guaranteed to turn the smorgasbord of Peak TV into a more conservative a la carte offering. Lots of stuff you like, sure, but in smaller portions.

While Netflix once made its famed billion-dollar mega-deals with top-name creators, now it balks when writer/director Nancy Meyers (“It’s Complicated,” “The Holiday”) asks for $150 million to pay her cast of A-list actors. Her latest romantic comedy will likely move over to Warner Bros., which can open the film in theaters and hopefully recoup Scarlett Johansson and Michael Fassbender’s salaries rather than just spending the money and hoping it lingers longer in the public consciousness than “The Gray Man.”

CNET did the math last month and determined that it’s still cheaper to choose a few subscription streaming services like Netflix and Amazon Prime over a conventional cable TV package by an average of about $30 per month (provided you don’t include the cost of internet service itself). But that means picking and choosing your favorite platforms, as once you start adding all the major offerings out there, the prices add up quickly. (And those are just the biggest services from major Hollywood studios and media companies, let alone smaller, more specialized offerings.) Any kind of cable replacement or live TV streaming platform makes the cost essentially comparable to an old-school cable TV package, around $100 a month or more.

So called FAST, or Free Ad-supported Streaming TV services, have become a popular alternative to paid streaming platforms, with Fox’s Tubi making its first-ever appearance on Nielsen’s monthly platform rankings just last month. (It’s now more popular than the first FAST service to appear on the chart, Paramount Global’s Pluto TV.) According to Nielsen, Tubi now accounts for around 1% of all TV viewing in the US, and its model of 24/7 themed channels supported by semi-frequent ad breaks couldn’t resemble cable television anymore if it tried.

Services like Tubi and Pluto stand to benefit significantly from the new streaming paradigm, and not just from fatigued consumers tired of paying for more content. Cast-off shows and films from bigger streamers like HBO Max often find their way to ad-supported platforms, where they can start bringing in revenue for their original studios and producers. The infamous HBO Max shows like “The Nevers” and “Westworld” that WBD controversially pulled from the HBO Max service can now be found on Tubi or The Roku Channel.

HBO Max’s recently-canceled reality dating series “FBoy Island” has also found a new home, but it’s not on any streaming platform. Season 3 will air on TV’s The CW, along with a new spinoff series called (wait for it) “FGirl Island.” So in at least some ways, “30 Rock” was right: technology really IS cyclical.