As you may recall, my day job involves computer security. A significant element in security is threat modeling, where one lays out the overall structure of the system, identifies areas of threats (defined as theoretical means of attack), finds corresponding vulnerabilities (defined as practical implementations of threats), and rates them based on their overall risk to the system.

In the case of voting, I’ve worked out threat models based on the architecture of voting systems common to the United States. I did this several years ago, in fact, because the topic has been discussed frequently at various security conferences. Unsurprisingly, the focus at computer security conferences has been on electronic voting machines, but I was prompted to look outside the obvious. After all, to the man with a hammer, the world is made of nails; to the computer security conference attendee, the security vulnerabilities of interest are in computers. I wanted to go further, so I looked at the entire system.

Where are some of the threats? What vulnerabilities arise from them? How bad are they? And what can and should be done about them?

The threats are many, but I will focus only on the public-facing (“retail”) threats today, as they are the ones receiving the most attention of late. The retail attack surface has two basic forms. One is at the polling place, while the other is through the mail (i.e., via absentee ballot).

At the polling place, a person can cast a ballot for which that person is not authorized (being ineligible to vote, or casting a vote on behalf of someone else), which allows a person to impact a single vote per attack. A repeat attack is difficult, because the person must interact with a polling official for each attack. Alternatively, a person can tamper with the vote tallying mechanism (hacking into an electronic voting machine would be one such example), which allows a person to impact potentially a few hundred votes per attack. These are the only two realistic mechanisms for retail attacks at the polling place.

Through the mail, a person also can cast a ballot for which that person is not authorized, in the same way as at the polling place. Again, this gains a single vote per attack. Unlike at the polling place, however, a repeat attack is especially easy to perform, since it can be done in the privacy of one’s home. The greatest hurdle is acquiring the ballots, but one rarely needs to interact with a polling official to do so.

How common is the polling-place form of attack? At first glance, one might conclude that it would be impossible to determine how often someone casts a ballot on behalf of another voter. However, let’s look at how logging (the signed poll book) reduces the likelihood of the attack remaining undetected.

When a voter arrives at the polling place to tender a vote, the polling official asks for the voter’s name, finds the name in the voter book, validates both that an absentee ballot was not sent to that voter and that the voter has not yet signed the book, has the voter sign the book, and then issues the ballot. This means that, in order to successfully obtain a ballot, the voter must know the name of someone who has not yet voted (an easy task, since the book is typically open and readily visible to the potential voter). But, moreover, the name chosen by the attacker must not match someone who will be voting later in the day. Otherwise, the fraud is detected and reported. This means that, in order to avoid detection, the fraud must occur near the closing time of the polls, significantly reducing the window of opportunity for the attack. In other words, if a single person is using this attack, and the attack is remaining undetected, he isn’t able to make more than a couple of fraudulent votes, at best.

Could this be happening on a wide scale with hundreds, or even thousands, of people in a coördinated effort without us knowing? Perhaps, but it’s really unlikely. Why? Because the odds of being caught by the real voter showing up later are far greater than zero, and they compound with every additional forged signature. The more hotly contested an election is, the higher the turnout, and the greater the likelihood of detection. Yet those are the elections where a small number of votes will impact the outcome…the very elections about which we are most concerned!
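To put rough numbers on the argument above, here is a small Python model added as an illustration; it is not part of the original post. It assumes (assumptions of mine, not claims from the post) that voters who turn out arrive uniformly over the polling day, that the attacker picks an unsigned name at random from the open book, and that a forgery is detected exactly when the real voter shows up later and finds the line already signed. The closed-form function captures the “near closing time” and “higher turnout” effects; the Monte Carlo check runs the same scenario on a constructed precinct.

```python
"""Toy model of in-person impersonation and its detection by the real voter.

Added illustration, not code from the original post. Assumed (not stated in
the post): voters who turn out arrive uniformly over the polling day; the
attacker reads the open poll book and picks an unsigned name at random; the
fraud is detected exactly when the real voter later tries to sign that line.
"""
import random


def detection_probability(turnout: float, time_fraction: float) -> float:
    """Chance that a single impersonation is detected.

    turnout:       fraction of registered voters who vote at all (0..1)
    time_fraction: how far through the polling day the attacker acts (0..1)

    At that moment the unsigned names are the non-voters, (1 - turnout),
    plus the voters who have not yet arrived, turnout * (1 - time_fraction).
    Only a name from the second group is ever caught.
    """
    not_yet_arrived = turnout * (1.0 - time_fraction)
    unsigned = (1.0 - turnout) + not_yet_arrived
    return not_yet_arrived / unsigned if unsigned > 0 else 0.0


def undetected_probability(turnout: float, time_fraction: float,
                           attempts: int) -> float:
    """Chance that `attempts` independent impersonations all go unnoticed.

    Each forgery is its own roll of the dice, so a coordinated effort of
    hundreds of people has to win every single one of them.
    """
    return (1.0 - detection_probability(turnout, time_fraction)) ** attempts


def simulate(turnout: float, time_fraction: float, registered: int = 500,
             trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of detection_probability on a constructed precinct."""
    rng = random.Random(seed)
    detected = valid = 0
    for _ in range(trials):
        # Each registered voter either stays home (None) or arrives at a
        # uniformly random point in the day (0.0 = opening, 1.0 = closing).
        arrivals = [rng.random() if rng.random() < turnout else None
                    for _ in range(registered)]
        # Names still unsigned when the attacker walks in.
        unsigned = [a for a in arrivals if a is None or a > time_fraction]
        if not unsigned:
            continue  # nobody left to impersonate (only when turnout == 1 at closing)
        valid += 1
        pick = rng.choice(unsigned)
        if pick is not None:  # the real voter shows up later and finds the forgery
            detected += 1
    return detected / valid if valid else 0.0


if __name__ == "__main__":
    print("turnout  time   P(detect)  P(100 forgeries unseen)")
    for turnout in (0.4, 0.6, 0.8):
        for t in (0.5, 0.9, 0.99):
            p = detection_probability(turnout, t)
            unseen = undetected_probability(turnout, t, 100)
            print(f"{turnout:6.2f}  {t:5.2f}  {p:9.3f}  {unseen:.1e}")
    print("simulated, turnout 0.6 at midday:", round(simulate(0.6, 0.5), 3))
```

At 60 percent turnout, an impersonation at midday is caught about 43 percent of the time; even at one percent of the day before closing it is still caught about 1.5 percent of the time, so a hundred coördinated forgeries spread over the last hour are overwhelmingly likely to produce at least one complaint from a real voter. Raising turnout raises the detection rate at every hour, which is the point of the paragraph above.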

But we know that this type of attack was common for a number of years. How do we know this? Because voters would show up, and discover that someone had forged their names in those voter roll books! This was a frequent occurrence all over the nation in the early part of the 20th century, and it was well documented. It seems to have had a sharp decline beginning around the 1970s. What coincided with this decline? Tougher penalties (five years in prison and $10,000 for each offense), and absentee ballots.

With absentee ballots, the attack is far easier and more effective. The time constraints no longer apply; the attacker is able to take his time in acquiring the ballots, filling them out, and submitting them. And, with no direct contact with polling officials, the likelihood of getting caught diminishes greatly. To the extent that retail voting fraud occurs today, threat modeling points to absentee ballots as the most likely avenue.

One thing I always stress in mitigating security vulnerabilities is that the cost of the mitigation must be lower than the cost of the vulnerability. For example, it’s not worth it to implement a million-dollar security system to protect a thousand-dollar item. Similarly, a protection against vote fraud must disenfranchise fewer voters than the number of fraudulent votes that would otherwise have been cast absent the protection. So, ideally, new laws designed to prevent retail voter fraud should focus their attention first and foremost on absentee ballots, and do so in a way to minimize disenfranchisement.

Oddly, though, the voter ID laws that have been passed in swing states are focusing their attention on in-person voting fraud, not absentee ballots. Why is this? The political ego of Pennsylvania House Republican Leader Mike Turzai clues us in on the answer:

Voter ID, which is gonna allow Governor Romney to win the state of Pennsylvania, done.

Why would voter ID “allow Governor Romney to win the state of Pennsylvania”? Because those without approved photographic identification are disproportionately minorities, the poor, and college students, all groups that are dominated by Democratic voters. The Pennsylvania Department of Transportation estimates that nine percent of registered voters lack state-issued photographic identification as required by their new voter identification law. Judge Robert Simpson, who upheld the law last week, believes that the number is closer to one percent (though he provides no justification for his belief). A recent Carnegie-Knight report found a total of less than one allegation (not conviction) per year — nationwide — of in-person voter fraud that would be addressed by voter identification. That’s 1.5×10⁻⁶ percent of the votes cast in 2008. In other words, even if we assume Simpson’s lower estimate is more accurate, we are still disenfranchising a million times as many voters as we are preventing fraudulent votes of this type. Let’s even go so far as to assume that 99 percent of those without a photographic identification are able to obtain one before the election (another generous assumption). Even then, we are still disenfranchising ten thousand times as many people as the number of fraudulent votes prevented by the law. Clearly, the cost far outweighs the benefit.

Incidentally, Republicans who favor such laws should consider the reasons the voter fraud they are trying to prevent would benefit only Democrats, as that has been the common accusation from the right. Is there something inherent to in-person voting on behalf of another of which only Democrats can take advantage? If not, one would certainly expect any such fraud to apply equally to both parties…quite a different proposition from the disenfranchisement resulting from voter identification laws.

I’m very much in favor of improving the security of our voting system. I do believe that there are significant vulnerabilities in the current structure — at every level, from the precinct to the departments of state. In fact, it is for that very reason that I oppose these voter identification laws. They cynically use a very real issue for the political gain of one party.

And that is the antithesis of the core of my beliefs as a security professional.