This is the front page of my mail-in ballot from the 2020 election. It's okay in the U.S. and in my state to post pictures of unmarked ballots. Some jurisdictions forbid posting pictures of marked ballots. In-person voting is done with fully electronic voting machines with paper printout backups. You can see the printout scroll by, in human-readable form, as you vote. But as I've said many times, almost all voting in Utah is by mail using the pictured ballots.
The brick that reads these sheets is fairly dumb. You can see the registration marks along the top and side edges. The marks along the bottom are different for every ballot front-page that I inspected. I don't have photos, but there are also ultraviolet-revealed ink marks that seem to follow the same numerical encoding strategy as our postal codes. I say the machine is dumb because the conversion of the filled-in circles to a digital data set is clearly optimized for high accuracy at high volume. The matrix barcode at the top identifies the voting precinct, which determines which candidates should appear in elections for city offices. It's the same for everyone in my neighborhood.
Clearly some established document security and tracking methods have been employed to guard against forgery. There may be others that I'm either not familiar with or don't have the proper equipment to see. Obviously keeping some of them secret would be advantageous.
The reason this part of the process is allowed to be stupid is that the validation process for a ballot is stepwise. The marked ballot is placed in a privacy sleeve, which is then inserted into the return envelope. The voter signs the sleeve, which has his name, address, and a barcode on it which presumably identifies him and provides checksum-like verification. A tear-off panel on the return envelope reveals the barcode and signature. Signature and registration verification occurs with the ballot still sealed inside the return envelope. At this point ballots may also be rejected if, for example, the ballot had been sent in error. Signature verification is automatic, using AI software, with potential negatives reviewed by bipartisan reviewers.
A web portal exists to allow voters to check on the status of their mail-in ballots. If the signature check fails, the county clerk affirmatively notifies the voter of this and allows a cure procedure. You can also request a replacement ballot.
Accepted ballots are then opened, and the signature sleeves destroyed. From this point on the ballot is effectively anonymous, although the unique markings allow such things as automated recounts, duplicate-scan rejection, and subsequent digital manipulation of the tabulated votes. But at this point the ballot is considered authenticated, so encoding and tabulation are the remaining steps. The scanner reads ballots and confirms the physical document-security measures. The tabulator is a computer system that enforces authentication requirements on humans that are allowed to manipulate cast votes (e.g., reject groups subsequently deemed invalid) and data-integrity and -security constraints. That's the part that has to be smart, and therefore the part most susceptible to tampering. It's typically air-gapped from area networks and physically protected.
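The two-stage separation described in the post, as an added Python sketch that is not part of the original post and not any election system's code. All names and sample values are constructed; signature matching is reduced to a boolean, and sorting by serial stands in for whatever breaks the link to arrival order.

```python
from collections import namedtuple

# What the scanner sees: unique sheet markings, precinct (matrix barcode), the mark.
Ballot = namedtuple("Ballot", "serial precinct choice")
# What the signature check sees; the ballot stays sealed and stage 1 never reads it.
Envelope = namedtuple("Envelope", "voter_id signature_ok ballot")

def verify_envelopes(envelopes, registered):
    """Stage 1: accept or reject on identity alone, ballot still sealed."""
    accepted, rejected = [], []
    for env in envelopes:
        if env.voter_id not in registered:
            rejected.append((env.voter_id, "not registered"))
        elif not env.signature_ok:
            rejected.append((env.voter_id, "signature failed, notify voter"))
        else:
            accepted.append(env)
    return accepted, rejected

def open_envelopes(accepted):
    """Sleeves are destroyed here: only ballots go on, sorted to drop arrival order."""
    return sorted((e.ballot for e in accepted), key=lambda b: b.serial)

def tabulate(ballots, contests):
    """Stage 2: count anonymous ballots; reject repeat scans and off-precinct choices."""
    counts, seen, rejected = {}, set(), []
    for b in ballots:
        if b.serial in seen:
            rejected.append((b.serial, "duplicate scan"))
        elif b.choice not in contests.get(b.precinct, ()):
            rejected.append((b.serial, "not on this precinct's ballot"))
        else:
            counts[b.choice] = counts.get(b.choice, 0) + 1
        seen.add(b.serial)
    return counts, rejected

def run_demo():
    envelopes = [  # constructed sample data
        Envelope("V1", True, Ballot("S-100", "P1", "Alice")),
        Envelope("V2", False, Ballot("S-101", "P1", "Bob")),   # signature fails
        Envelope("V3", True, Ballot("S-102", "P1", "Bob")),
        Envelope("V9", True, Ballot("S-103", "P1", "Bob")),    # not registered
    ]
    accepted, env_rejects = verify_envelopes(envelopes, {"V1", "V2", "V3"})
    ballots = open_envelopes(accepted)
    ballots.append(ballots[0])             # same sheet fed through the scanner twice
    counts, scan_rejects = tabulate(ballots, {"P1": {"Alice", "Bob"}})
    return env_rejects, ballots, counts, scan_rejects
```

Nothing passed to `tabulate` carries a voter identifier, so a rejection at that stage can only name a sheet, never a person.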