Paper Ballot Security

Most people are familiar with paper ballots. Paper ballots, in concept, represent physical, countable votes written on paper and placed into a box. While implementation differs, this model works well for basic election security study.

Auditability Limitations

When ballots move out of sight, we entrust their integrity to the few remaining in their presence—typically chosen by Local and State Boards, who may assemble a corrupt chain of custody and manipulate the ballots. If the ballots have any force as an official record—if we allow recounts—then they are their own audit trail, which means there is no audit trail.

Because of the lack of an audit trail, we must count paper ballots in view of the voters. This provides some difficulty with ranked ballots: while simple vote counts fully describe a set of non-ranked ballots, ranked ballots require an exponentially-growing body of information as candidate size and vote count grows. Final precinct counts cannot sum to produce final total counts.

Handling Procedures

With paper ballots, we are chiefly concerned with the integrity of the ballot box, mainly with ballot stuffing and ballot forging. These attacks typically come from organized election officials rather than individual voters.

Prior to voting, election officials open the ballot box and demonstrate its emptiness to observers. This prevents ballot box stuffing—pre-loading the ballot box with votes.  Visibly counting votes is another method, ensuring that the number of votes in the ballot box matches the number of votes observed.

Paper ballots require anti-forgery features, or else an agent can pre-fill several forged ballots and slip them into the box when casting their own vote. Election judges often place a tear-off tab into a visible ballot count box and verify that the number of tabs matches the number of ballots distributed to voters.

Ballot boxes are sealed in a tamper-evident manner, and never taken from public view without attendance by election judges of opposing interest. This allegedly prevents ballot tampering, but in reality would allow the judges to agree to trade tampering opportunities, such as to win various elections which are more-meaningful to each. In truth, election judges must count ballots before removing the boxes from view, or else we cannot guarantee integrity.

Finally, election judges hand-count ballots, announcing each vote for the observers. This allows verification of figures from each polling location, as observers can record and publish the observed count. This secondary-source record acts as an audit trail, although it’s trivial to record forged numbers; prohibiting the exclusion of any members of the public from observing the election makes such forgery less-likely.