Voter ID, Political Ego
As you may recall, my day job involves computer security. A significant element in security is threat modeling, where one lays out the overall structure of the system, identifies areas of threats (defined as theoretical means of attack), finds corresponding vulnerabilities (defined as practical implementations of threats), and rates them based on their overall risk to the system.
In the case of voting, I’ve worked out threat models based on the architecture of voting systems common to the United States. I did this several years ago, in fact, because the topic has been discussed frequently at various security conferences. Unsurprisingly, the focus at computer security conferences has been on electronic voting machines, but I was prompted to look outside the obvious. After all, to the man with a hammer, the world is made of nails; to the computer security conference attendee, the security vulnerabilities of interest are in computers. I wanted to go further, so I looked at the entire system.
Where are some of the threats? What vulnerabilities arise from them? How bad are they? And what can and should be done about them?
The threats are many, but I will focus only on the public-facing (“retail”) threats today, as they are the ones receiving the most attention of late. The retail attack surface has two basic forms. One is at the polling place, while the other is through the mail (i.e., via absentee ballot).
At the polling place, a person can cast a ballot for which that person is not authorized (being ineligible to vote, or casting a vote on behalf of someone else), which allows a person to impact a single vote per attack. A repeat attack is difficult, because the person must interact with a polling official for each attack. Alternatively, a person can tamper with the vote tallying mechanism (hacking into an electronic voting machine would be one such example), which allows a person to impact potentially a few hundred votes per attack. These are the only two realistic mechanisms for retail attacks at the polling place.
Through the mail, a person also can cast a ballot for which that person is not authorized, in the same way as at the polling place. Again, this gains a single vote per attack. Unlike at the polling place, however, a repeat attack is especially easy to perform, since it can be done in the privacy of one’s home. The greatest hurdle is acquiring the ballots, but one rarely needs to interact with a polling official to do so.
How common is the polling-place form of attack? At first glance, one might conclude that it would be impossible to determine the frequency of one casting a ballot on behalf of someone else. However, let’s look at how logging reduces the likelihood of the attack remaining undetected.
When a voter arrives at the polling place to tender a vote, the polling official asks for the voter’s name, finds the name in the voter book, validates both that an absentee ballot was not sent to that voter and that the voter has not yet signed the book, has the voter sign the book, and then issues the ballot. This means that, in order to successfully obtain a ballot, the voter must know the name of someone who has not yet voted (an easy task, since the book is typically open and readily visible to the potential voter). But, moreover, the name chosen by the attacker must not match someone who will be voting later in the day. Otherwise, the fraud is detected and reported. This means that, in order to avoid detection, the fraud must occur near the closing time of the polls, significantly reducing the window of opportunity for the attack. In other words, if a single person is using this attack, and the attack is remaining undetected, he isn’t able to make more than a couple of fraudulent votes, at best.
Could this be happening on a wide scale with hundreds, or even thousands, of people in a coördinated effort without us knowing? Perhaps, but it’s really unlikely. Why? Because the odds of being caught by the real voter showing up later are far greater than zero. The more hotly contested an election is, the higher the turnout, and the greater the likelihood of detection. Yet those are the elections where a small number of votes will impact the outcome…the very elections about which we are most concerned!
But we know that this type of attack was common for a number of years. How did we know this? Because voters would show up, and discover that someone had forged their names in those voter roll books! This was a frequent occurrence all over the nation in the early part of the 20th century, and it was well documented. It seems to have had a sharp decline beginning around the 1970s. What coincided with this decline? Tougher penalties (five years in prison and $10,000 for each offense), and absentee ballots.
With absentee ballots, the attack is far easier and more effective. The time constraints no longer apply; the attacker is able to take his time in acquiring the ballots, filling them out, and submitting them. And, with no direct contact with polling officials, the likelihood of getting caught diminishes greatly. To the extent that retail voting fraud occurs today, threat modeling points to absentee ballots as the most likely avenue.
One thing I always stress in mitigating security vulnerabilities is that the cost of the mitigation must be lower than the cost of the vulnerability. For example, it’s not worth it to implement a million dollar security system to protect a thousand dollar item. Similarly, a protection against vote fraud must disenfranchise fewer voters than the number of fraudulent votes that would otherwise have been cast absent the protection. So, ideally, new laws designed to prevent retail voter fraud should focus their attention first and foremost on absentee ballots, and do so in a way to minimize disenfranchisement.
Oddly, though, the voter ID laws that have been passed in swing states are focusing their attention on in-person voting fraud, not absentee ballots. Why is this? The political ego of Pennsylvania House Republican Leader Mike Turzai clues us in on the answer:
“Voter ID, which is gonna allow Governor Romney to win the state of Pennsylvania, done.”
Why would voter ID “allow Governor Romney to win the state of Pennsylvania”? Because those without approved photographic identification are disproportionately minorities, the poor, and college students, all groups that are dominated by Democratic voters. The Pennsylvania Department of Transportation estimates that nine percent of registered voters lack state-issued photographic identification as required by their new voter identification law. Judge Robert Simpson, who upheld the law last week, believes that the number is closer to one percent (though provides no justification for his belief). A recent Carnegie-Knight report found a total of less than one allegation (not conviction) per year — nationwide — of in-person voter fraud that would be addressed by voter identification. That’s 1.5×10⁻⁶ percent of the votes cast in 2008. In other words, even if we assume Simpson’s lower estimate is more accurate, we are still disenfranchising a million times as many voters as we are preventing fraudulent votes of this type. Let’s even go so far as to assume that 99 percent of those without a photographic identification are able to obtain one before the election (another generous assumption). Even then, we are still disenfranchising ten thousand times as many people as the number of fraudulent votes prevented by the law. Clearly, the cost far outweighs the benefit.
Incidentally, Republicans who favor such laws should consider the reasons the voter fraud they are trying to prevent would benefit only Democrats, as that has been the common accusation from the right. Is there something inherent to in-person voting on behalf of another of which only Democrats can take advantage? If not, one would certainly expect any such fraud to apply equally to both parties…quite a different proposition from the disenfranchisement resulting from voter identification laws.
I’m very much in favor of improving the security of our voting system. I do believe that there are significant vulnerabilities in the current structure — at every level, from the precinct to the departments of state. In fact, it is for that very reason that I oppose these voter identification laws. They cynically use a very real issue for the political gain of one party.
And that is the antithesis of the core of my beliefs as a security professional.