The Ripon Forum

Volume 52, No. 4

September 2018

Paper Ballots & Election Security:

By on September 20, 2018

Why machine vulnerabilities must be balanced against human flaws


“Would you say that oval is filled in 5/8ths, or more like 7/8ths of the way?”

The question may sound esoteric, but in the fall of 2005, it was actually one that was frequently asked during the recount of a New York City judicial election.

Following the 2000 Presidential election, Congress passed the Help America Vote Act (HAVA), transitioning the nation from butterfly ballots to electronic voting machines. That solved a 20th century problem, while creating a 21st century problem.  DEFCON’s Voting Village, as well as researchers like Alex Halderman and Matt Blaze, have demonstrated that a well-trained adversary could flip an election with current electoral machines.

Some recommend returning to voter-completed paper ballots. In 2005, before New York City fully implemented HAVA, provisional and absentee ballots were cast on paper ballots while Election Day voting was conducted on refrigerator-sized mechanical machines designed by Thomas Edison.

My experience with voter-completed paper ballots demonstrated a significant security flaw: They cannot guarantee the integrity of the voters’ intent.

Measuring Election Security
When I worked on cybersecurity policy for the Federal government, we focused on the CIA triad: Confidentiality, Integrity, and Availability.

Given the concern about foreign actors hacking our elections, it is important to assess whether proposed reforms improve an election’s CIA. Moving to voter-completed paper ballots significantly weakens each CIA element.

Confidentiality of the ballot is sacrosanct to democracy. True electoral security requires that we maintain a secret ballot. Vote-by-mail, all-paper ballots fail this test. It is impossible to determine who actually filled out a ballot — elderly citizens’ ballots, for example, might have been filled out by their child or assisted living facility staff — much less who was present when the ballot was filled out.

My experience with voter-completed paper ballots demonstrated a significant security flaw: They cannot guarantee the integrity of the voters’ intent.

Did an employer verify employee votes? Did the ballot arrive at the intended recipient? Ostensibly, signature requirements guard against the latter.  But I have rarely seen a judge uphold signatures as a security mechanism, due to it being impossible to determine why a signature no longer matches, as speed, injury, and writing surface impact appearance.

Integrity of the voter’s intent is the real detriment of all-paper ballots. Paper ballots filled out by individuals present election lawyers with a multitude of opportunities to overturn election outcomes. A partially-completed oval will lead to the ballot being rejected; an incomplete erasure will lead to an over-vote and the ballot being rejected; an errant mark may indicate the voter was trying to nix their vote and the ballot will be rejected. These issues are adjudicated, at best, by a judge, but more often are decided at each table recounting an election.

Availability of ballots for counting is another drawback of all-paper ballots when it is practiced as part of a substantial vote by mail system like in Oregon and Colorado. In 2016, nearly 400,000 mailed paper absentee ballots were rejected for late arrival or invalid signature — both issues that cannot be cured when paper ballots are mailed. Moreover, as America continues to segregate itself along partisan lines, mailed paper ballots with a likely partisan tilt congregate in certain mailboxes and sorting rooms. A bad actor need only target mail drops in a specific neighborhood to tilt a tight election.

A Recommended Solution
While the 2016 presidential election ballot count was almost certainly not flipped, it should nonetheless serve as a clarion call that the electoral process is a new attack vector much like airplanes after 9/11.

This is a deeply troubling, nonpartisan issue. An estimated 108 nations can hack critical infrastructure, including electoral systems. The revelation of the global Iranian social media campaign should motivate all political parties to ask whether they are universally supported by all 108 cyber-capable nations. That question can easily be answered: They are not. Failure to address election security, as a national security risk, only guarantees that the 2020 presidential election will be a proxy cyberwar for Russians, Chinese, Iranians, and up to 105 other national interests.

The best solution is a machine-generated voter verifiable paper ballot with mandatory risk-based auditing.

The best solution is a machine-generated voter verifiable paper ballot with mandatory risk-based auditing. Eliminating the human element from filling out paper ballot is as essential to election security as ensuring election machines produce a voter verifiable paper ballot. The voter can verify that malware has not changed their ballot, candidates cease to worry that attorneys will toss out the paper ballot for insufficiently demonstrating voter intent, and the public has faith that the outcome was properly adjudicated given verification by a risk-based audit.

Machine-generated paper ballots and mandatory risk-based audits are critical defenses against foreign attacks. Given the administration’s China and Iran positions, Chairman Roy Blunt should return both safeguards to the Secure Elections Act.

As a matter of national security, Congress should also appropriate Federal funds to implement both nationally before Republican ballots are attacked.

Philip Stupak is a Senior Advisor with Cambridge Global Advisors.

Print Friendly, PDF & Email


If you enjoyed this article, subscribe now to receive more just like it.

Comments are closed.