North Carolina may be violating state and federal constitutional protections for the secret ballot in the US by tracing some of its citizens’ votes.

The situation has arisen because North Carolina has a state law that demands absentee voting – which includes early, in-person voting as well as postal voting – is required to use ballots that can be traced back to the voter.

The laws are in place as a means of guaranteeing that if citizens cast multiple ballots during early voting or that if ineligible residents – like non-citizens or people who have not completed sentences for criminal offenses – cast ballots, those votes can be retrieved and removed.

Likewise, if a voter casts an early ballot then dies before election day, that ballot can then be discounted.

But voting rights advocates think the North Carolina law breaks one of the most sacred tenets of the democratic system: preserving the secrecy of the ballot.

“Anytime you can link a ballot back to the individual voter, that’s a violation of the secret ballot,” said Caitriona Fitzgerald, the chief technology officer for the nonprofit Electronic Privacy Information Center.

“Even the threat that that could be the case is a risk to democracy because if voters question whether their ballot is secret, that can influence how they vote,” Fitzgerald added.

Other states across the country solve each of these problems without violating the secret ballot, according to Fitzgerald. It is unclear why North Carolina’s ballot retrievability has not been legally challenged despite the likelihood that would be deemed unconstitutional by the courts, Fitzgerald says.

When the secrecy of the ballot is compromised, the threat to the privacy of the voter is not a small one. It was discovered last year that North Carolina has preserved millions of ballots that can be traced to individual voters.

In August 2018, subpoenas from a federal grand jury were issued to 44 counties and the state board of elections requesting voting records, voter authorization documents and completed ballots, among other materials. The request included over 2m traceable ballots.

“This is one of many examples of why states should not be storing this information,” Fitzgerald said. “If they were not storing ballots in a way that could be tied back to the individual voter these requests wouldn’t be possible. The secret ballot is the cornerstone of our democracy and to threaten it in this way can have an impact on the integrity of our elections.”

Ultimately, North Carolina declined to turn over any information that could have linked a completed ballot to the voter who cast it. To expose a voter’s ballot without a court order would be a violation of state law. This, however, is not a protection of the secret ballot, it’s the protection of the confidentiality of the ballot – between a voter and the state.

Absentee ballots in North Carolina are cast predominantly on hand-marked paper ballots. A poll worker writes a unique string of numbers on the ballot before issuing it to the voter. Though still a violation of the secret ballot, finding and reviewing the ballots is a manual process for the majority of counties.

But technology has made the problem potentially worse.

Since 2006, when over a quarter of North Carolina counties began using direct-recording electronic (DRE) voting machines, the process of tracking ballots also went digital, significantly expanding the potential consequences for ballot tracking and perhaps introducing vulnerabilities around hacking into computer systems.

When a poll worker sets up a voting machine for a voter during early voting, the poll worker inputs a unique ID that digitally stays with the ballot. Both the ballots and the unique IDs are exported from the voting machines to a county computer used to count all the votes, said Brooks Jones, North Carolina’s voting systems manager.

That means that one computer holds the information for every voter in the county, every ballot voted early in-person, and the tools to put that information together – a simple task.

When asked whether auditing or security practices currently in place could either prevent or detect the downloading or dissemination of this data, the North Carolina state board of elections did not respond.

According to Jones’s descriptions of the election management systems and to the expertise of computer scientists and elections experts, accessing and exporting the data would be relatively simple.

The 26 counties that, as of November 2018, still used DRE systems for in-person voting include major population hubs like Charlotte, Greensboro and Wilmington. Across the state, over 60% of voters cast their ballots early in-person for the 2016 election.

The problem, in this case, is not with the technology of the DRE voting systems themselves. The ballot retrievability is a matter of law, and in order for voting machines to be certified in North Carolina, they must be able to track a ballot. The use of voting machines and digital ballots amplifies the problem.

Though the state passed a law decertifying all the DRE machines by the end of this year, several counties are seeking an extension. The next generation of voting machines set to be used, which are still under review, will also be required to make ballots retrievable.

The data needed to track the ballots back to the voter is accumulated in a single county computer, according to Jones.

That is a significant security lapse. If a bad actor wanted to gain access to the ballots and know who cast them, that actor would only have to target one computer in a county. That is a much simpler task than needing to hack every voting machine, according to the elections security expert Andrew Appel of Princeton University.

In Mecklenburg county alone, where Charlotte is located, the county computer would have had access to 278,371 ballots cast early in-person in 2016.

“The fact that this can happen is a risk to our democracy,” Fitzgerald said.