A new paper by Henry Herrington, a computer science undergraduate at Princeton University, demonstrates that a hacked PDF ballot can display one set of votes to the voter, but different votes after it’s emailed – or uploaded – to election officials doing the counting.
For overseas voters or voters with disabilities, many states provide “Remote Accessible Vote By Mail,” or RAVBM, a system that allows voters the ability to download and print an absentee ballot, fill it out by hand on paper, and physically mail it back. Some states use commercial products, while others have developed their own solutions. In general, this form of RAVBM can be made adequately secure, mainly because the voters make their own marks on the paper.
In some forms of RAVBM, the voter can fill out the ballot using an app on their computer before printing and mailing it. This is less secure: if malware on the voter’s computer has “hacked” the voting app, what’s printed out may differ from what the voter indicated on the screen, and voters are not very good at reviewing the printouts and noticing such changes.
The most dangerous form of RAVBM is one that allows electronic ballot return, in which the voter uploads or emails a PDF file. Thirty states allow overseas voters to do electronic ballot return, either by email, fax, or web-portal upload, as shown in Table 5 (pages 34-35) of Herrington’s longer paper, Ballot Acrobatics: Altering Electronic Ballots using Internal PDF Scripting.
The danger is that malware on the voter’s computer