The continued use of computers to mark ballots on behalf of voters, as many counties do, is a “disaster waiting to happen,” Princeton University computer scientist Andrew Appel told the Pennsylvania Senate’s State Government Committee March 18.

Appel, the Eugene Higgins Professor of Computer Science, is a leading researcher of computer voting and has testified before the U.S. Congress and in several states about steps to improve and secure voting systems.

As part of Monday’s testimony, Appel delivered a letter signed by 20 computer voting experts that makes recommendations for securing systems and ensuring fairness and integrity. The letter addressed general issues and focused on systems that mark ballots for voters. These ballot marking devices are used in more than a dozen states including Georgia, New Jersey and Pennsylvania.

While emphasizing that there is no evidence that anyone has used the security vulnerabilities of computer-marked ballots to sway an election, Appel said, “I strongly recommend that Pennsylvania change to hand-marked paper ballots in all counties and limit the use of touchscreen voting machines to those voters who cannot mark a paper ballot by hand.”

Appel explained that in the early 2000s many states and counties started using touch-screen machines to record votes, but experts quickly sounded the alarm that these fully automated systems made hacking all but impossible to prevent or detect. After 2008, many jurisdictions changed to paper ballots, which could be checked in a recount, but many areas still required voters to use a touch-screen device, which in turn, marked a paper ballot.

“When the voter uses a touchscreen voting machine, a “ballot marking device”, to create their paper ballot, then a hacked computer program can print votes onto the paper ballot that are not the candidates that the voter chose on the touchscreen,” Appel said. Experience has shown that a slim minority of voters carefully check their machine-printed ballots for accuracy.

In Pennsylvania, 14 counties are using touchscreen ballot-marking devices for all in-person voters, Appel said. “Now is the time to replace that equipment in those counties,” he urged the committee.

The text of the letter’s executive summary is included below. The full text is posted on Freedom to Tinker, a blog hosted by Princeton’s Center for Information Technology Policy.

Suggested Principles for State Statutes Regarding Ballot Marking and Vote Tabulation

This letter, signed by 20 election cybersecurity experts, was addressed to the Pennsylvania State Senate Committee on Government in response to a request for policy advice, but it applies in any state — especially those that use Ballot Marking Devices for all in-person voters: Georgia and South Carolina; most counties in Arkansas, New Jersey, and West Virginia; some counties in Texas, Tennessee, Indiana, Ohio, Pennsylvania, Kansas, Nevada, and California.

Executive Summary

We believe that the goal of laws, regulations and directives relating to elections must be focused on fairness, security, transparency, and accessibility. Each state should strive to approach the gold standard in every category, so that no reasonable candidate or party may have grounds to object that the process was unfair, insecure, or compromised. The process must be transparent, so the public may be assured the winners won and the losers lost.

We believe that no system is perfect, with each having trade-offs. Hand-marked and hand-counted ballots remove the uncertainty introduced by use of electronic machinery and the ability of bad actors to exploit electronic vulnerabilities to remotely alter the results. However, some portion of voters mistakenly mark paper ballots in a manner that will not be counted in the way the voter intended, or which even voids the ballot. Hand-counts delay timely reporting of results, and introduce the possibility for human error, bias, or misinterpretation.

Technology introduces the means of efficient tabulation, but also introduces a manifold increase in complexity and sophistication of the process. This places the understanding of the process beyond the average person’s understanding, which can foster distrust. It also opens the door to human or machine error, as well as exploitation by sophisticated and malicious actors.

Rather than assert that each component of the process can be made perfectly secure on its own, we believe the goal of each component of the elections process is to validate every other component.

Consequently, we believe that the hallmarks of a reliable and optimal election process are hand-marked paper ballots, which are optically scanned, separately and securely stored, and rigorously audited after the election but before certification. We recommend state legislators adopt policies consistent with these guiding principles, which are further developed below.


  • Andrew Appel


  • Security and Privacy

  • Public Policy

Related Departments and Centers

  • Computer Science

    Computer Science

  • Center for Information Technology Policy