Let's Not Paper Over Election Security
As our nation focuses on election security, an errant notion has emerged that paper-only balloting is some kind of panacea against potential threats. While it is vital to election security that we mandate the use of verifiable paper audit trails, the same cannot be said of paper-only ballots, where the voters do not interact with a voting machine of any kind.
The best system is a hybrid approach in which the voter interacts with a machine but still generates a voter verifiable paper record. This offers voters a second chance because they now have the opportunity to review their ballot to ensure that the votes they are casting are the votes they intend to cast. The machine will either indicate to the voter if they made a mistake or will prevent them from making the mistake altogether.
Paper-only balloting, on the other hand, represents a clear vulnerability to election integrity—exactly the type of vulnerability that became apparent after the 2000 presidential election when thousands of people unintentionally voted for two candidates on their paper ballots in Florida and elsewhere. In response, election officials nationwide demanded systems that would ensure their citizens’ votes were counted as intended.
From a cybersecurity perspective, election security means protecting the (1) confidentiality of the ballot; (2) integrity of the voter’s intent; and (3) availability of ballots cast for counting—and, if necessary, recounting. Paper-only balloting, and voting by mail, guarantee none of this. While they rightly address the concern that hostile nations or malicious cyber actors could compromise elections supported by voting machines, paper-only balloting has already been compromised without any foreign interference at all. The difference is that while voting machines can be patched and hardened, paper-only ballots are fundamentally insecure by design.
In terms of confidentiality, it’s critical to know who is actually filling out the ballot. When I was working on the 2010 elections for Congress, the issue of voter fraud, especially against the elderly, was receiving national attention. In Texas, there had been alarming instances of elderly voters’ mail-in ballots being fraudulently filled out by for-hire campaign workers who seek out voters in nursing homes and assisted living centers to deliver votes for their candidates. We simply cannot know who is actually casting the ballot in mail-in paper-only balloting.
Paper-only ballots typically require the voter to fill in an oval next to each candidate. Easy in theory, but in practice this can be a dicey endeavor. Voters often make mistakes because a ballot is poorly designed, the voter is rushed, the voter has a disability or literacy challenge, or other reasons. As a former staff attorney for the New York City Board of Elections, I reviewed countless scantron-type ballots where the voter’s intent was impossible to decipher. Recently, in a 2017 Virginia House of Delegates race, a three-judge panel had to interpret a ballot because the voter filled in two candidates’ ovals but put a line through one. That interpretation eventually decided which party controlled the lower house in Virginia’s legislature, meaning that a state’s balance of power turned on judges interpreting what a voter intended from a marked piece of paper.
Voters also too often vote for too many candidates (disqualifying their votes) or vote for fewer than they intended. In Los Angeles County, in the 2008 presidential primary, 50,000 votes went uncounted because voters did not realize they had to fill in two ovals, one for party affiliation and one for candidates. That meant that 50,000 Americans were disenfranchised. Hybrid balloting prevents these problems. It ensures votes are recorded properly, it does not allow voters to overvote, and it can warn voters if they are under-voting.
Paper-only voting that relies on mail has serious availability concerns given chain-of-custody and reliability issues. While voting machines are governed by federal law and are monitored, tracked, logged, and securely stored, mailed-in ballots sit in publicly accessible mailboxes and sorting rooms where human activity is not always monitored. Building attendants, employers, post office employees, and others can all touch these votes. To compromise an election, a bad actor need only target that room or building to disenfranchise those voters.
While the U.S. Postal Service is a marvel with dedicated federal employees, there are many examples of mail-in voters disenfranchised when their votes were not made available to be counted. In the very same 2017 Virginia race mentioned above, the post office delivered 55 uncounted absentee ballots the morning after the election for a district race that was won by 82 votes. That is too close for government work.
Nationwide, in the 2016 presidential election, nearly 400,000 absentee ballots were rejected for reasons ranging from late submission to invalid signatures, and in August 2017 the ACLU filed a lawsuit against California claiming 45,000 absentee ballots from that election were rejected without voters being given the notice or opportunity to fix their votes.
If states choose to use paper-only systems, they must make those decisions knowing the very real security issues that exist with such balloting and take steps to mitigate them. By the true measure of election security, however, I am not sure whether the risks inherent in paper-only voting can be mitigated. What’s wrong with a little redundancy? Does it add to the expense of holding free and fair elections? Sure, but it seems a small price to pay to ensure the integrity of elective democracy.