This story is from The Pulse, a weekly health and science podcast.

Find it on Apple Podcasts, Spotify, or wherever you get your podcasts.

20 years ago, when J. Alex Halderman was a computer science graduate student at Princeton University, he received the strangest homework assignment of his life.

At the time, he was part of a research group working on security issues and public policy when his team got a tip from an anonymous source.

“My instructions were to drive up from New Jersey to New York,” said Halderman. “I double parked my car outside a hotel near Times Square and went back into the alleyway behind the hotel where a man in a trench coat handed me a black leather suitcase.”

Inside that suitcase was something that could become a treasure trove for researchers — a voting machine. 

“It’s like something out of a spy movie,” he said. 

Electronic voting machines have been widely used in U.S. elections since the 1980s. 

But up until that back-alley hand-off, very little independent academic research had been done on their vulnerabilities to manipulation, or hackers.

“That became the first hands-on security review of a U.S. voting machine in the computer science literature,” he said. 

Today, Halderman remains protective of his source. He still won’t reveal any details about the man in the trench coat.

But Halderman is now a professor of computer science at the University of Michigan and a sought-out expert on cyber security issues and voting systems. One of very few in the world. 

“I could probably count on my fingers the number of people in academia who are serious researchers about election cybersecurity,” he said. 

And that’s a problem.

Because, to combat baseless allegations of voter fraud during the 2020 election, federal agencies like the Cybersecurity and Infrastructure Security Agency have had to make exaggerated statements of their own—calling the election “the most secure in American history.”

“To an expert, that’s meaningless at best, and it’s stretching the truth at worst,” said Halderman. “And I think it really risks jeopardizing the public’s trust in government officials who make sweeping claims like that as well.”

The truth is that the process of voting and counting votes nationwide is extremely complicated, varying from state to state, and even county to county. 

All while relying more and more on software that is largely invisible to increasingly skeptical voters. 

A dizzying process

There is no evidence of widespread voter fraud in any recent U.S. election, but without more experts with the technical skills to dig into these processes, Halderman says election officials risk proving skeptics right. 

In 2021, a group of unauthorized technologists hired by Republican operatives got their hands on voting software used in elections in Coffee County, Georgia. They copied hard drives and software in an effort to show that the system could be manipulated. 

In connection with a lawsuit related to those claims, Halderman conducted a review of the county’s technology and election processes.

While there is no indication of any past election interference in the county, his review describes a dizzying process ripe for potential missteps or even malfeasance. 

“In Georgia, when you go to vote, you mark your ballot using a touchscreen computer called a ballot marking device. And that’s the first step where there is unobservable software running,” said Halderman.

“What you pick on screen gets printed on a piece of paper, but also on that piece of paper there’s going to be a QR code, a kind of two-dimensional barcode that is supposed to encode your choices. But you as a voter have no way to individually verify that.”  

From there, the voter puts their paper into a ballot scanner which counts the vote.

“But in Georgia, it’s only counting what’s in the QR code. It’s ignoring all of the pieces of the ballot you can see, so that QR code had better be right.  Now, internally, the scanner is, well, it’s a computer system. It’s running other proprietary software, that’s recognizing the choices from the ballot and hopefully adding them up correctly to produce digital records.”

Those records are stored on a memory card inside a PC. Later that night, the memory card gets physically returned to election headquarters. 

“[The records are] put into a separate computer system, usually running Microsoft Windows and some different proprietary election software.”

The software adds up all the different totals from the polling places to tally up an official result.

“Those results, sometime late on election night, an election worker will take a USB stick, put it into that Windows computer that’s adding up the results from different polling places, and transfer the results to an internet connected system, a county PC or laptop, and upload the results to a website for other people to see. So that’s basically how our election results go from you casting your vote to the data that you’re going to see on the NPR website on election night.”

This is just one process out of thousands that will take place on election night—utilizing technology that, as one expert put it, even “the state doesn’t understand.”

Voters make their choice, submit their piece of paper, and go home.

“To a security person, when we discover something is more complicated than we thought, that makes us much more worried about it,” said Halderman. 

“But interestingly, it seems like the public, when they learn more about elections, if they learn that it’s more complicated than they thought, that makes them feel more assured about the results. That’s what election officials tell me.”

Marci Andino spent 19 years as the state election director in South Carolina. She believes educating voters about the process is an essential part of the job. 

“I think usually, if you have a better understanding of how the system works, then there can be more trust,” Andino said. 

Officials may not know all the technical ins-and-outs like Halderman, but they are fluent in the process. They are the ones moving memory cards and USB sticks. 

If they see something that’s off, Andino says voters can count on them to say something because they are typically trusted community members. 

“The people that are conducting your elections are your friends, your neighbors, you see them at the grocery store, you go to school with them, to church with them,” she said.

Andino is now the vice president of the Elections Infrastructure Information Sharing and Analysis Center, a collaborative group among federal agencies and funded through the Cybersecurity and Infrastructure Security Agency.

“We work with election officials to raise their cybersecurity posture and resilience. And we do that through training through providing security briefings, alerts, and no cost cybersecurity solutions for election offices,” Andino said. 

She and more than 400 federal employees coordinate with local election officials to safeguard elections nationwide at every step of their process.

“We mainly monitor for cyber trends. It could be something as simple as a phishing email that is targeting election officials or it could be foreign adversaries doing scanning of public facing systems,” she said. 

Her team is responsible for keeping election officials at nearly 100,000 voting centers and polling places up to date on what to look out for come election day. 

“It could be that it’s an emailed alert, and then it could be escalated up to a meeting, just depending on the severity.”

But it’s what her team and election officials don’t know that scares her. 

“The worst-case scenario is that kind of fear of the unknown,” Andino said. 

Identifying vulnerabilities

Since 2020, election officials have become targets of harassment and threats. 

As a result, Andino says more and more seasoned, experienced officials have resigned from their posts. Some precincts lost up to 75 percent of their staff. 

“It’s just more than some people signed up for. There’s been a lot of turnover and that’s concerning because that’s a great loss of institutional knowledge,” she said. 

When it comes to concerns, this brain drain is at the top of her team’s list.

“There’s only one way to get election experience and that’s to conduct an election,” she said. “And a presidential election isn’t the one you want to start with.”

But many poll workers and election officials who are new at the job will be doing just that this year. 

And it’s very likely they’ll be navigating machines and complicated processes like those reviewed by Alex Halderman in Coffee County.

“What I found, unfortunately, was a large number of vulnerabilities. Probably more problems than you would expect in modern, current generation election equipment,” Halderman said.

As part of his review, Halderman was able to rig the outcome of a hypothetical election using phony software, some cheap electronic equipment, and a pen. 

A local election official called the scenario unrealistic—not worth changing an entire system for. 

Halderman disagrees. 

“We would expect a critical system like this to be very well tested and secure by design, but that’s unfortunately not what the industry and the regulatory process behind U.S. election equipment is being produced right now,” he said. 

While elections are technically considered critical infrastructure, they are chronically underfunded. 

In 2025, more federal funds will likely be spent providing security detail for elected officials than on making sure those officials are the people who won the most votes.

With more funding and standardization, Halderman says it’s possible to design elections that truly maximize public trust and security—processes that don’t require regular meetings with anonymous sources in trench coats. 

“We can do that by designing elections that create evidence of the outcome that the public can view and scrutinize, starting with hand marked paper ballots that voters fill out, and then rigorous public audits of the election result to make sure that the totals that are announced match what’s on those paper ballots,” Halderman said.

“That way people can trust election results without being forced to trust either the people who are involved in running the election or the technology itself.”

Whether these types of elections will become reality before something really goes wrong — before it’s too late — is an entirely different question. 

“Looking ahead to this year’s election, I think it’s perfectly fine to claim that the government is being vigilant about cyber security or that state and local governments are making efforts to improve cyber security,” he said.  

“But what’s not right, what is deceptive, is to claim that therefore there’s no risk of anything going wrong. We’re not at that stage yet. We have a lot more work to do before we can claim that the risk has been eliminated. And in fact, if the election is extremely close, as in my nightmare scenario, well, then the risk might be quite high.”