Mail-in Ballots Are Secure, Confidential, and Trustworthy

The U.S. has enjoyed a robust election security system, and mail-in ballots—long known as “absentee ballots”—are no exception.

As any expert will tell you, election security is similar to other situations: security or insecurity don’t stem from any one factor, but from the interactions of many. To show why I have confidence in the voting system, I'll analyze the security of mail-in ballots the same way I'd analyze a computer system's security.

To do that, we must start with the standard definition of security: "confidentiality, integrity, availability."

That’s present here from the first layer of defense: Absentee ballots are only sent to registered voters. While the checks at registration differ by jurisdiction, election officials at a minimum verify that a voter resides in their jurisdiction. That authentication promotes integrity by ensuring only those eligible can vote.

To provide confidentiality, absentee ballots are mailed back in nested envelopes, which also provide a second safeguard for integrity. The inner envelope (or flap attached to it) contains verification data, including a signature and serial number or bar code.

This is key—serial numbers are matched against those sent to voters, making it impossible for someone to simply print up a pile of blank ballots and submit them. Similarly, the voter’s signature is checked against the registration database, a guard against imposters using valid ballots.

Only then is the authentication flap or envelope separated from the ballot, leaving the anonymous ballot itself. This protects the confidentiality of mail-in ballots just as with in-person voting. Often, both Democratic and Republican poll workers are required to be present whenever filled-in ballots are handled; this is an obvious defense against partisan chicanery and supports all three security properties.  

But what about security features that guard voters against systemic errors? Many places, including New York, have implemented ballot-tracking: when it was mailed, when it was received back, and, crucially, if it was rejected as invalid for some reason. If so (depending on the jurisdiction), voters may be able to “cure” the error.  

Ballot-tracking is what we call an “availability feature”: It helps people cast valid votes. Other defenses represent a trade-off between ease of voting and voting security. Remember, availability is part of the standard definition of security; a system that is too strong could thus hinder net security. One example is a witness or notary requirement. Supporters say that’s a defense against forged or coerced ballots. The Supreme Court recently allowed South Carolina to enforce it, but other states, such as Rhode Island, have dropped similar policies because they hurt turnout.

How do we balance such conflicting goals in cybersecurity? We weigh relative risks and costs. Every single study conducted on voter fraud in the U.S. shows that fraud in absentee or mail-in voting is vanishingly small—all but non-existent. At the same time, other studies have concluded that too-strict requirements disenfranchise a significant number, and that disenfranchisement disproportionately affects historically disadvantaged groups. In other words, the choice here is between a very small improvement in integrity versus a considerably larger harm to availability—and both are part of security.

These security measures bring the integrity of mail-in ballots to levels very close to those of in-person ballots, while also considerably increasing availability. In my business, we call that a net win for security. 

Steven M. Bellovin is the Percy K. and Vida L.W. Hudson Professor of Computer Science in The Fu Foundation School of Engineering and Applied Science and an affiliate faculty member at Columbia Law School. He works on security, privacy, and related legal and public policy issues. This column is editorially independent of Columbia News.