How Secure is Mail-in Voting?
In Colorado, we’ve had universal vote-by-mail since 2013. It’s convenient and secure.
Here’s how it works:
- Every registered voter is mailed a ballot in October. (This year, ballots will be mailed out starting October 9.)
- You can mail it back, put it in a drop box, or take it to your polling place and hand it to an election judge.
If you’d rather vote in person, you can do that too. (find your polling place.)
Every Colorado ballot has
three, er, two parts:
- The actual ballot, with the candidates and issues listed. You vote by filling in little bubbles, like the SAT or any standardized test.
A “secrecy” envelope. It’s really a privacy envelope, so election workers can’t see how you voted as they process your ballot.
I just received my 2020 ballot for Denver County, and there is no secrecy envelope. I think some counties still have them, and we used to, but not this year.
- A return envelope, that you sign and date. This also has a barcode, that provides a key bit of security.
What security measures are in place?
- Each return envelope has a unique barcode and requires the voter to sign and date it.
- Before any ballot is accepted, the information from the barcode, and the voter’s signature are verified.
- Drop boxes are monitored by video 24/7, while ballots are being collected.
- Ballots are collected from drop boxes daily, by a bipartisan team.
- Once the ballots reach a county’s election division, they are kept in rooms with tamper-evident locks and 24/7 video surveillance.
- During the count, ballots are counted by high-speed scanners and tabulated on computers that aren’t connected to the internet.
- Bipartisan teams are responsible for verifying signatures, and processing ballots.
- After the votes are tabulated, an audit is performed on randomly selected ballots.
- All video recordings and ballots are kept for 25 months after the election. The entire vote can be recounted if there are concerns about a miscount or tampering.
If you make a mistake on your ballot, or lose it it, you can go to your polling center and request a new one. What prevents voters from voting more than once?
Colorado maintains a database registered voters and every ballot has a barcode, printed on the return envelope, that uniquely identifies an individual voter. One of the first steps in processing ballots is to check the voter’s record in the database. When a ballot is accepted, the voter’s record is updated to indicate that their ballot has been received. Both the signature and the voter info must match the voter identified by the barcode. The barcode is the primary key in a voter lookup, that uniquely identifies one person.
If a voter mails in a ballot, and then shows up to vote in person, only the first ballot received will be counted. (It’s a crime to vote twice. The clerk will notify the district attorney of any duplicate votes.)
Isn’t my vote private?
Only the the outer envelope has a barcode. After the voter’s signature is verified, and the database is checked, the ballot is removed from the outer envelope. Then the ballot, devoid of any identifying information, is processed in a separate room. The voter database contains a record that a ballot was received from a specific person, but no indication of how they voted.
What about foreign interference?
Couldn’t Russia send in a bunch of fake ballots and flood the system? If they mail in the ballots, or drop them off, they’d need to reverse engineer the barcodes used to identify voters, and convincingly fake thousands of voter signatures. And each county has a different system, uses different machines and uses a different approach to verifying signatures.
Even if they could bypass this step, maybe with inside assistance, and somehow evade the video surveillance, card keys, tamper-proof locks, and the bipartisan teams overseeing the count, at best all they could do is invalidate the election, not pick a candidate.
If someone were to introduce a bunch of ballots for one candidate, the total number of votes counted wouldn’t match the number of ballots accepted. It wouldn’t survive the audit. They’d need to introduce a bunch of fake ballots and hack the voter database, too. And do it in a way that introduces enough ballots to have an effect without being caught by the audit.
Dead Man Voting
There are a few cases of ballots cast by dead people in Colorado. In every case, it turns out that a family member was submitting the ballot of a deceased relative. In El Paso County, a woman submitted ballots for both her dead parents in several elections. These are voting crimes of opportunity. And they occur in in very small numbers.
To turn this into an election rigging scheme, you’d need to systematically collect the ballots of dead people who are still registered, and forge their signatures. There is no evidence that anyone has made this work at scale.
What about hackers on the internet?
None of the machines involved in scanning ballots, or tabulating votes are connected to the internet. This is what is known as an air-gapped network.
Hackers can target the internet connected bits, like the elections website reporting results, or the voter database, but they can’t effect vote counts or totals. A successful effort could sow chaos, but it wouldn’t affect the count. It wouldn’t survive the audit, and at best might trigger a recount of the paper ballots. And this itself paper trail itself offers more security that most electronic voting systems.
The post election audit
According to the Colorado Secretary of State’s website, there are two kinds of the audits performed:
“After all of the ballots have been tabulated, audit boards made up of county residents are tasked with finding a random sample of specific ballots and reporting the markings on that ballot. If what the audit board reports matches how the voting system tabulated the ballots, the audit concludes. If there are discrepancies, additional ballots are randomly selected to compare until the outcome has been confirmed. If the wrong outcome was reported eventually all of the ballots will be examined and a new outcome will be determined.”
“After all of the ballots have been tabulated, audit boards made up of county residents are tasked with finding a random sample of specific ballots and reporting the markings on that ballot. If a sufficient proportion of the sample conforms with the reported winner, the audit concludes. If not, additional ballots are randomly selected. If the wrong outcome was reported, eventually all of the ballots will be examined and a new outcome will be determined.”
Signatures & Rejected Ballots
The biggest risk to having your ballot counted in Colorado? It might be rejected because your signature doesn’t match the one on file. Colorado Public Radio covers this issue in their story, “Uncounted Votes In Colorado: Diverse Areas And Younger Voters More Likely To Have Ballots Rejected.”
If your ballot is rejected, you’ll be given the opportunity to “cure” your ballot. Your best protection is to sign up for text or email alerts about the status of your ballot:
- https://ballottrace.org - Denver County Residents
- https://colorado.ballottrax.net - The rest of Colorado
This will keep you up-to-date about the status of your ballot. If it is rejected, you’ll be notified by that system and via a letter sent to the address where you are registered.
If it is rejected you have eight days to fix it. The rejection letter has instructions, but this year Colorado is also using a program called
TXT2Cure, that allows you to cure your ballot from a smart phone.
To use the system:
- text “Colorado” to 2VOTE (28638)
- click the link that is sent in reply
- enter your voter ID number, which is printed on your rejection notice
- affirm that you submitted a ballot
- sign the affidavit on the phone (using a finger)
- take a photo your Colorado driver’s license or other acceptable form of identification
- submit the form
The system has been used by some counties in the past, and many users posted selfies instead of a picture of their ID. The instructions now read “NO SELFIES PLEASE.”