Despite progress in securing voting in the United States, many jurisdictions still use electronic voting machines that leave no paper trail. According to experts who gathered October 17 at Princeton, this is a serious vulnerability.

Since the adoption of electronic voting machines in the 1990s, election experts have argued that paper records are critical for auditing elections and detecting potential tampering with vote tallies. The issue has gained new prominence following the 2016 elections, which spurred multiple investigations into allegations of Russian interference in the electoral process.

In a recent panel discussion hosted by Princeton’s Center for Information Technology Policy (CITP), experts examined the state of U.S. election security. The moderator, Ed Felten, the Robert E. Kahn Professor of Computer Science and Public Affairs and director of CITP, opened the discussion by noting that “Princeton has quite a bit of expertise in this area.” He cited two faculty members working in election technology and policy, Andrew Appel and Jonathan Mayer.

Appel, the Eugene Higgins Professor of Computer Science, recently served as a member of the National Academies’ Committee on the Future of Voting, while Mayer, assistant professor of computer science and public affairs, recently developed bipartisan election security legislation as a staffer in the United States Senate. Also on the panel was Marian Schneider, a former Pennsylvania elections official and the current president of Verified Voting, a nonprofit organization that aims to improve election security practices.

Surveying the landscape of voting technology around the country, Appel explained that 15 years ago about half of states were using paperless touchscreen voting systems. “We are now in a much better situation with respect to the technology itself in the voting booth,” he said.

Still, he characterized five states – Louisiana, South Carolina, Georgia, Delaware and New Jersey – as “really backwards” for continuing to use paperless touchscreens. And as Schneider pointed out, many other states have a patchwork of voting systems; Verified Voting estimates that 30 percent of U.S. voters currently cast ballots on machines that do not produce a paper trail.

While any electronic system is vulnerable to hacking, Appel said, the lack of a paper record makes it impossible to detect such tampering and correct vote totals. “But having paper ballots doesn’t do much good if you never look at them,” he said.

“The next direction in which we need to make progress in this country is to institute efficient risk-limiting audits to randomly sample those paper ballots, detect whether there’s evidence that machines were hacked, and if so correct it by a full recount by human inspection of the human-readable portions of the paper ballots.”

One of the challenges in encouraging audit policies, said Mayer, is the country’s decentralized voting system, in which “states are in the driver’s seat” when it comes to election policies and procedures. While working as an adviser to U.S. Senator Kamala Harris, of California, Mayer helped to develop the Secure Elections Act, which would give the Department of Homeland Security a responsibility to share information about election security threats and would give states support to adopt paper voting records, risk-limiting audits and cybersecurity best practices.

Schneider highlighted Verified Voting’s efforts to pilot auditing practices in partnership with election officials in Colorado; Orange County, California; and Fairfax, Virginia. The group’s broader goal is for officials around the country to learn from these pilot audits and begin adopting the practice in the coming years.

Felten said that administrators are often surprised by how inexpensive it can be to conduct a statistically sound audit of election results. The number of paper ballots that need to be audited by human inspection depends on the margin of victory and the total number of votes cast. For example, said Appel, about 600,000 ballots were cast in the June 2018 primary in southern California’s Orange County, and auditing several hundred randomly chosen ballots cost $3,500.

“Where we need to go in the next few years is developing the methods [for risk-limiting audits] – not so much computer programs, but more like business practices – for what procedures are appropriate to the way we conduct elections in this state or in that state,” said Appel. “It can’t happen all at once; it needs a pilot in each state so that people can become familiar with the practices.”

In addition to the potential for foreign states or other malicious actors to tamper with vote tallies, Mayer discussed other ways that an adversary could attempt to undermine confidence in the U.S. election system – for example, by hacking into voter registration systems or manipulating election results as they are reported.

Schneider said she was hopeful that the recent designation of elections as a part of the nation’s critical infrastructure would help states and counties stay aware of security threats, as local officials cannot be expected to detect and respond to cyberattacks on their own.

Arming election officials with solutions to secure and verify voting systems “is what bolsters faith in our democracy,” she said.

