[EL] FL absentee voting rules and the attempted Miami-Dade web-request absentee ballot fraud

Steve Kolbert steve.kolbert at gmail.com
Sun Jun 2 14:15:29 PDT 2013 

Bev, thanks for your thoughtful response. I'm not sure I followed
everything you wrote, so I'm going to summarize your points here, as I
understand them. If any of these are a mischaracterization, please correct
me.
(1) Unscrupulous insiders can compromise an election, so insiders must be
trustworthy.
(2) Excuse-required absentee balloting makes fraudulent requests more
easily detectable, because officials can more easily observe deviations in
the volume of requests using each category of excuse, compared to the
normal volume of requests using that category of excuse.
(3) The attempted Miami-Dade hack would have succeeded had the fraudster
been more careful about proper geographic distribution, and distribution
over time, of his online requests.

You make an excellent point with regard to (1). Though I'm not sure whether
election administrators "typically," as you say, use third-party vendors to
manage the mailing of absentee ballots -- in fact, in my experience as an
election administrator, my office managed its absentee ballot operation
in-house -- I agree that regardless of who manages the mailings, that
entity must be trustworthy. But I'm not sure the trustworthiness of
insiders is relevant to the failed Miami-Dade hack. The unsuccessful
Miami-Dade hack did not depend on insiders for its operation, nor would the
unsuccessful Miami-Dade hack have made any insiders any more or less
trustworthy. Further, no unscrupulous insider would have used a hack
similar to the attempted Miami-Dade attack, because the insider would have
better means of generating fraudulent absentee ballot requests or
fraudulently redirecting legitimately-requested ballots. So while I agree
that insiders must be trustworthy and that untrustworthy insiders can
compromise an election's integrity, it's not clear how insiders are
relevant to the failed Miami-Dade hack, which did not involve insiders.

With regard to (2), I think that's also an excellent point, and I agree
that generally speaking, election policy should increase the opportunities
for officials to detect fraud. But we can't ignore that there are costs to
excuse-required absentee balloting: denying some voters the opportunity to
cast an absentee ballot, and causing administrative difficulties even for
some who remain eligible to vote absentee. Especially in light of Florida's
struggle with polling place lines, I'm not sure we should be diverting more
voters to in-person polling places. Considering (a) that there are other,
equally useful data points for for fraud-detection comparisons (e.g., the
geographic distribution of the requesting voters, the timing of the
requests, the identities of the individual voters requesting ballots,
etc.), (b) that there are other, entirely unrelated opportunities to detect
fraud (e.g., the signature verification process), and (c) none of these
fraud-detection opportunities do present the same costs as the
excuse-required absentee voting regime, the substantial costs of
excuse-required absentee voting outweigh any benefit (which can be obtained
by other, less costly means).

With regard to (3), I'm not sure that's accurate. Under Florida's new
legislation, the only thing the hacker could have successfully done online
was get election officials to mail ballots to voters who didn't request
them; the hacker could not have used the online request system to get
election officials to mail other voters' ballots to the hacker, without the
assistance of an insider. (But again, if the hacker had the assistance of
an insider, the hacker would have better options than engaging in this kind
of attack.) But even if the hacker somehow managed to get election
officials to mail him the ballots belonging to other voters, and then the
hacker fraudulently voted and returned those ballots, election officials
would still reject those fraudulently-cast ballots at the signature
verification stage.


Steve Kolbert
(202) 422-2588
steve.kolbert at gmail.com
@Pronounce_the_T



On Sun, Jun 2, 2013 at 12:25 AM, Bev Harris <bev at blackboxvoting.org> wrote:

> That's easy to catch, though, and in fact has ben caught fairly often. The
> number of need-only absentee ballots, and the general percentage for the
> reasons, is known and easily seen when it spikes. In New Jersey in 2009,
> suddenly some 10 percent of all voters had requests that listed them as
> "sick
> and shut in" and the fraud was caught quickly and traced to the database
> guy
> working with some operatives.
>
> The Florida hack would have worked, and it does demonstrate why no-fault
> absentee is so dangerous. What the writers of the article missed is what
> can be
> done with the bogus requests for ballots. Typically the database dictating
> where ballots will be mailed is outsourced from the elections office to a
> middleman, and some of these guys are really quite sketchy. Several
> counties in
> Colorado and California outsource the vote by mail database to John Elder,
> who
> is a convicted narcotics trafficker who shared a cell with another convict,
> embezzler Jeffrey Dean, who developed his own vote by mail software, which
> is
> still widely used throughout the USA.
>
> Need-only absentee does two things: (1) it caps the risk for these ballots
> at
> one to five percent, depending on how tough the state makes it to get the
> ballots; and (2) it provides a check and balance because the number of
> requests
> and the distribution of reasons is a known factor. It's much like the store
> owner who knows the percentage of cash transactions. When suddenly that
> percentage skews (downward, in the case of cash), he knows someone has
> their
> hand in the till.
>
>
> > Even if Florida moved to an excuse-required absentee balloting regime,
> if a
> > fraudster can request ballots online en masse, the fraudster can just as
> > easily alter his/her hack to communicate an appropriate "excuse" to the
> > Supervisor of Elections' computer systems during the hack -- especially
> if
> > one of those reasons doesn't require offline submission of additional
> > proof. The problem, then, is the Internet-based request system, not the
> > no-excuse legal regime.
>
> Bev Harris
> Founder - Black Box Voting
> http://www.blackboxvoting.org
>
> * * * * *
>
> Government is the servant of the people, and not the master of them. The
> people, in delegating authority, do not give their public servants the
> right
> to decide what is good for the people to know and what is not good for
> them to
> know. We insist on remaining informed so that we may retain control over
> the
> instruments of government we have created.
>
> Black Box Voting is a nonpartisan, nonprofit 501c(3) elections watchdog
> group
> funded entirely by citizen donations.
> http://www.blackboxvoting.org/donate.html
> Black Box Voting
> 330 SW 43rd St Suite K
> PMB 547
> Renton WA 98057
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
> _______________________________________________
> Law-election mailing list
> Law-election at department-lists.uci.edu
> http://department-lists.uci.edu/mailman/listinfo/law-election
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://webshare.law.ucla.edu/Listservs/law-election/attachments/20130602/8f6df364/attachment.html>

View list directory