In brief
- A former voting machine auditor says U.S. election systems still lack basic cryptographic safeguards to detect ballot tampering or duplication.
- He proposes adding end-to-end cryptographic proofs—without blockchain—to secure future elections and restore public trust.
- Despite identifying vulnerabilities as early as 2006, he says vendors won’t act without legal pressure or updated election laws.
In 2006, software engineer Michal Pospieszalski uncovered dangerous flaws in U.S. voting machines—flaws he says still threaten American elections today.
Hired by the Election Science Institute, where he served as Chief Technology Officer, Pospieszalski was flown to the headquarters of election vendor Election Systems & Software (ES&S) in Omaha, Nebraska. His task was to analyze the company’s iVotronic voting system.
Over more than a week, Pospieszalski uncovered a wide range of issues, including “bad code practices, backdoors, static passwords,” and most importantly, what he described as a complete lack of “end-to-end cryptographic proofs.”
“The biggest thing that wasn’t there was end-to-end cryptographic proofs,” Pospieszalski told Decrypt in an interview. “Meaning there’s no way the machine, even with perfect external security, could know if a ballot is legitimate, or if it’s been counted twice, three times, 10 times, or 1,000 times.”
What’s missing from today’s voting machines
Pospieszalski, the CEO of blockchain security and identity software company MatterFi, said that the vulnerability isn’t hypothetical; it’s easily exploitable by anyone with access to voting machines and voter registration systems.
“You could just run the same ballot through 10 times—and that’s still true today—and it’ll just count as 10 votes,” he explained. “And the scanner doesn’t know any better, and neither does the tabulator. The tabulator in the central precinct is like, ‘Oh, it was 10 votes.’”
Pospieszalski said the separation of ballot and voter record systems often makes reconciliation impossible without referring to original paper records.
“There’s no anonymous serialization of each ballot that would allow the system to know that each serialized ballot has to be counted only once,” he said.
The solution, according to Pospieszalski, involves software—not hardware—and builds on cryptographic techniques first developed in the 1980s by David Chaum, a cryptographer who pioneered digital cash and introduced blind signatures, allowing transactions to be verified without revealing their contents.
Chaum later founded DigiCash, an early digital currency, and proposed cryptographic voting systems that preserve anonymity while enabling public verification. His work laid key foundations for both secure e-voting and modern cryptocurrencies like Bitcoin.
“What you want is the machine at the end—the central count tabulator or election management system—gets a vote definition, and you have a Chaumian-blinded serialization on every ballot,” Pospieszalski said. “So, like in LA County, that output ballot that’s printed has a serial number. That serial number doesn’t identify the voter, but it tells the tabulator in the central precinct, ‘Hey, this is a unique ballot.’”
“If I see two of them, then somebody cheated,” he added. “Especially if I see 50 of them.”
In Pospieszalski’s proposed model, there would be three counts: the paper ballots, the conventional digital tally, and a third cryptographic count.
“The way you see cheating is the digital count says there are 100 votes, and the cryptographic count says there should only be 90,” Pospieszalski said. “Now you know someone injected 10 votes.”
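The duplicate check described above, sketched as an added example (not code from the interview, MatterFi or any voting vendor): it assumes textbook RSA blind signatures as the Chaumian blinding, a toy-sized constructed key, and hypothetical function names. The 90 issued and 100 scanned ballots mirror the figures in the quote.

```python
import hashlib
import secrets
from math import gcd
# Toy issuer key from two Mersenne primes (constructed for this demo, far too
# small for real use). Textbook RSA without padding, for illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the issuer

def h(serial: bytes) -> int:
    """Hash a ballot serial into the RSA group."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes):
    """Ballot device: hide the serial behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(serial) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer: sign one blinded value per checked-in voter (assumed policy)."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Ballot device: strip r, leaving a signature on the real serial."""
    return (blind_sig * pow(r, -1, N)) % N

def issue_ballot():
    serial = secrets.token_bytes(16)
    blinded, r = blind(serial)
    return serial, unblind(issuer_sign(blinded), r)

def tabulate(scans):
    """Tabulator: compare the raw scan count with the cryptographic count."""
    seen, duplicates, invalid = set(), 0, 0
    for serial, sig in scans:
        if pow(sig, E, N) != h(serial):
            invalid += 1        # serial was never signed by the issuer
        elif serial in seen:
            duplicates += 1     # same ballot fed through again
        else:
            seen.add(serial)
    return {"digital": len(scans), "cryptographic": len(seen),
            "duplicates": duplicates, "invalid": invalid}

def demo():
    ballots = [issue_ballot() for _ in range(90)]  # 90 legitimate ballots
    return tabulate(ballots + [ballots[0]] * 10)   # one of them re-scanned 10x
```

The issuer only ever sees the blinded value, so the signed serial printed on the ballot cannot be linked back to the voter who requested it.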
Lessons from Antrim County
In 2020, Pospieszalski was hired to conduct forensic analysis in Antrim County, Michigan, after a brief vote-counting error triggered widespread speculation.
“There was a vote flip in Antrim County by, like, roughly 2,000 votes, where, like, one day it was 2,000 for Biden, and the next day it was 2,000 for Trump,” he recalled. “What really happened is the ballot definition was misconfigured so that the system thought that the votes for Trump were for Biden.”
He said that when the ballots were rescanned with the corrected definition file, “Everything went back to normal.”
Pospieszalski emphasized that while the error was technical, the optics of the situation fed public suspicion.
“There wasn’t a huge, hostile attack. But as a voter being riled up by the media—particularly right-wing media—people are going to want answers,” he said, adding that such confusion is exactly what end-to-end, off-chain cryptographic proofs are designed to prevent.
But while he found no evidence of remote hacking or software backdoors, Pospieszalski did say he encountered signs of possible ballot injection during his analysis.
“If you have a ballot with 42 choices, and in the analysis you see 100 ballots with all 42 filled out the exact same way, you’re like: Um, probably not real,” he said. “That’s the stuff I found some evidence of in Antrim County.”
Asked why cryptographic ballot serialization hasn’t been implemented, Pospieszalski pointed to entrenched systems and corporate reluctance to make changes, adding that proposals for secure voting often failed to gain traction because they were too complicated.
“They’re suggesting all sorts of really, really difficult-to-use schemes... stuff that people are just like, if you’re a voting machine manufacturer, this isn’t going to make any sense,” he said.
Several technologies aim to improve election security and trust. In April, New York Assemblyman Clyde Vanel introduced a bill that would use blockchain technology to secure voter records and election results. While blockchain has been promoted as a solution for secure voting, Pospieszalski argued that the core issue doesn’t require that level of complexity.
“All you’re trying to do is solve a simple problem: get an accurate count of legitimate votes,” he said. “Extra complexity is unnecessary. A lot of people push blockchain because it’s popular, but you don’t actually need it.”
By contrast, Pospieszalski says his solution works with current machines.
“I’m just saying: Look, make it a software upgrade to the existing system and work with Dominion, work with ES&S, and you can just turn it on or off,” he said.
Asked how adoption might happen, Pospieszalski suggested legislation or mandates from jurisdictions that oversee elections.
“Voting manufacturers and their customers—counties—need big precincts to push for change,” he explained. “If a law said that by 2028 or 2032, voting systems must include end-to-end crypto proofs, we’d be in business.”
The advantage, according to him, would be clarity in future elections, especially in heated contests where trust is fragile.