Integrity and the Mail In Ballot

I guess I’m amazed by how little the American people know about how their own voting systems work. Over the past couple of weeks (August 2020), as Donald Trump has attacked the mail-in voting system, I’ve had to investigate, report, and explain mail in ballots to hundreds of people on Quora. It’s pretty routine now. Rather than just describe the system, which I’ve done many times, I will discuss the rumored ways that people have imagined for violating the system.

Can I vote twice if I vote by mail and then go to the polls

No. When you sign up for a mail-in ballot, your registration is “flagged” in the voter rolls. If you go to the poll in person, you will check in and the poll worker will look you up in the voter rolls. They will see that you received a mail-in ballot. They will not issue you another one. You cannot vote twice.

There are some interesting rules that vary state by state. Some states let you bring your mail in ballot to the polling place and drop it off in person. You do not have to check in to drop off a ballot.

In other states, you can bring your mail in ballot and have it swapped out for an in person ballot. You are not voting twice because you never returned your mail in ballot.

Sometimes people lose their mail in ballot and they go to the polls in person hoping to vote. These people will be issued a provisional ballot. A provisional ballot is different. It is kept aside, along with information about who you are. After all the mail in ballots are received, then the provisional ballots are counted. If your mail in ballot was received and allowed, the provisional ballot will be discarded.

You cannot game the system and vote twice. Don’t try. It’s a felony.

Can someone request a mail in ballot using my name and then steal my vote?

I checked on a number of states and, for every state I checked, the answer is a clear “no”. When you send in a request for a ballot, you have to sign the request. Your signature is compared with your identity (name/address/drivers license number). If your signature does not match the state data, you will not be mailed a mail-in ballot.

Most states are not simply mailing ballots to voters. They are asking voters to request a mail in ballot.

So no, an anonymous person cannot request a ballot on your behalf unless they happen to have your drivers license number and they can forge your signature. That could happen, but not often enough to influence an election.

Can someone steal my ballot at my mailbox and steal my vote?

No. Once again, the state has your signature on file. If you have ever voted before, you showed ID at least once to a poll worker and signed a register in their presence. THEY HAVE YOUR SIGNATURE.

(You didn’t think all those signatures were just thrown away, did you?)

So if someone steals your ballot, which is individually numbered and bar coded specifically for you, and that someone marks their votes and signs the envelope, it will be rejected since your signature and their chicken scratch will not match.

Can I register my cat to vote?

You can submit a form to register your cat to vote, but you cannot actually register your cat to vote. If you submit a form, the election board will validate that the named person (they don’t know it’s a cat) has a state issued ID or a social security card.

So what is with these stories about states sending mail to people’s cats? The state simply bought a list of magazine subscribers and mailed a form to everyone on the list. Some people sign up for magazines using the name of their cat or dog. So the cat gets mail from the state. But it’s just a form, not a ballot.

How do I show my ID when I vote by mail?

By federal law, the only time you have to show any kind of ID is when you vote for the first time. In states that handle vote by mail only, and in other large well integrated states like California, the validation process happens at the Department of Motor Vehicles (DMV) or State ID Card office when you get your state issued id.

At that point in time, you are asked to prove your identity and automatically registered to vote. The state will collect your signature electronically. That signature is printed on your drivers license or ID card.

For the 2020 presidential election, many states have waved the requirement that new voters have to show their ID if they are using a state-issued ID like a drivers license or ID card. If you have neither, you probably need to register in person.

Once you have shown that your signature refers to a citizen, you never need to show your ID again. Simply include your signature on your ballot envelope. Only someone with your signature can vote your ballot. No need to show an ID.

Can I register to vote if I am not a citizen?

No you cannot. This is an interesting part of the system.

Each state is required to ensure that the voters are citizens. The Federal Government has set up a system to validate the citizenship of people known to it called e-Verify. That database has well over a hundred million people in it, and it is the same system used to verify your right to work.

When you register to vote, your citizenship is verified using e-verify. If you provide a birth certificate, your state does not need to check e-verify. If your state driver’s licenses are Real ID drivers licenses, you are already in e-Verify.

If the state cannot verify your citizenship, the state is required to try to reach out to you and get further information. If you are not a citizen, attempting to register to vote is a felony. Contrary to destructive rumors, the number of non-citizens who have ever attempted to register to vote is extremely small. It’s just not worth doing.

Can a foreign government hack in thousands of fake registered voters?

Technically, this is the weakest spot in our systems. While bills have been passed by Pelosi’s House of Representatives to strengthen and secure voting systems, the Republican Senate has refused to even consider, debate, or vote on those bills. By refusing to vote, none of the Republican senators have a voting record that says “Senator XYZ refused to fund secure voting.” So it’s easy to leave the voting systems more vulnerable than they should be.

There is ample evidence that, in 2016, nearly every state’s voter systems were exposed by hackers. There is very little evidence, however, than the hackers injected new registrations into the system. That’s actually a great deal more difficult to do. It is possible that a few thousand foreign-fake voters exist in databases around the country. There is no evidence, however, that there are anywhere near enough to sway an election.

What makes this difficult is that it’s simply not practical to use fake voters to sway an election. The foreign actor would need to insert a fake voter, complete with a social security number and signature. The foreign actor would need to intercept all of the verification post cards to make sure that they are never returned as undeliverable. That requires them to be present in the country.

In addition to the registration, they foreign actor would need to insert actual ballots into the system with votes on them. The checks and balances in the system makes this extramely difficult to do. Actual ballots would need to be submitted. They would all have to be signed. They would have to mailed from within the US (the overwhelming majority of which would need to be mailed near or in the state itself). All of this is logistically difficult and leaves a very large pile of paper to catch and audit.

Can I vote for a dead person?

Your father dies and his ballot arrives at your address. Can you vote on his behalf? You would have to forge his signature. So most of the ballots filled out for a dead person would just be rejected because the signatures don’t match. You may also be arrested for voter fraud. It’s a felony. Don’t do it.

A voter has moved and I now live in their house/apartment. Can I submit their ballot?

Same as the notion of voting for a dead person, filing out a vote for another person is a felony. Your signature on the ballot envelope will be matched against the one on their registration. It won’t match. The ballot will be disallowed and referred to law enforcement. The vote won’t count and you’ll get caught.

Banks no longer verify all the signatures, why would a board of elections do it?

While signature matching software was originally developed for use in banks, it’s true that many banks have stopped verifying signatures unless someone complains. However, those same companies have kept innovating on signature matching technology. State laws across the country require that every mailed-in ballot must have the signatures checked. This is not an efficient system but it is the current state of the art. So everyone does it.

A more efficient use of technology is being used in other countries using chip-embedded voter id cards. The US isn’t there yet.

What’s the threshold if a state gets in more ballots than they send out?

Zero. There is a zero threshold. Each ballot sent out in the mail is individually numbered. The numbers include encrypted values. They are not sequential. So if a ballot is received, the election board checks to make sure that the specifically numbered ballot was sent out. If it wasn’t sent out, it’s set aside (and investigated).

If two ballots come in with the same number, it is set aside and investigated. The ONLY way that the same ballot arrives twice is that fraud is happening. The investigation would be very deep. This has never happened but if it did, you’d see national news about it. There’s be a paper trail a mile long.

Swaying an election requires you to stay hidden. This is a terrible strategy to stay hidden.


Some basic facts about mail in voting

Process of signature verification (and problems with it)

Requirement for uniform signature verification against state databases (Colorado)

Signature verification guidelines for the State of Texas

3 thoughts on “Integrity and the Mail In Ballot”

  1. Question: in your research about mail-in voting, have you run across proposed solutions to the concern of a “denial of service” attack?

    The way the attack would work is like this: mail-in voting centers would be flooded with vastly more mail-in ballots than should receive/are prepared for. For example, 10,000 times as many ballots as expected. Most would be duplicates or fakes, but it would not be obvious to a human which were which, and in the case of duplicate ballots with numbers and signatures matching (but different ballot selections), it wouldn’t even be obvious to the computers which ballot was the genuine one and which were the fakes.

    This type of attack would succeed simply by making the vote tallying process take so much longer than it should have, that the election would have to be scrapped because the vote couldn’t be counted before the election deadline had passed.

    This type of attack is impossible with in-person voting because a voter authenticates himself by providing the physical presence of his body, and that is something that cannot be duplicated at all, let alone 10,000 times.

    I think this is the most significant voting integrity risk for mass mail-in voting, and I wonder whether anyone has contemplated ways to prevent or protect against this type of attack.

  2. Intriguing comment Darrell. I appreciate your suggestion.

    First off, different states have different systems. Your suggestion may actually work in some states. However, from my research, the ballots and ballot envelopes have security features built in that allow computers to very quickly differentiate between a fake ballot and a real one.

    I do not know all of the features. Professionals who work on these things are understandably tight lipped about them. However, there are two that I’m aware of that may help alleviate your level of concern. As you may know, I’m a computing professional and am well trained in security. I suspect you have more than a passing awareness yourself from your use of the terms “man in the middle” and “denial of service”. Let’s agree that the attack you’ve described is not a man in the middle attack but is definitely a denial of service attack.

    First off, on the outside of every ballot envelope is printed an “envelope identifier.” This is not a ballot number. It is a unique value associated to a combination of the voter’s ballot and their registration (typically a hash of the voter’s registration id and the ballot unique id). It cannot be decrypted, being a one-way hash. But it can be quickly verified.

    These non-sequential values represent a sparse matrix mathematically speaking. Each can be looked up in the sending system database. Each is a function of a carefully secured private key and each reflects the ballot number (a non visible value) and the registration id of the voter (another non visible value).

    Since the ballot number is not assigned to the voter, and therefore this value is not calculated until the day before the ballot is actually mailed, there is very limited opportunity for a malicious actor to gain access to this “list”. (more like a secured data table, but that’s getting picky).

    As a result, when the ballot envelopes arrive, every ballot that is not in an approved envelope is set aside as a provisional ballot, and everything else is quickly scanned. Any envelope with an invalid envelope identifier is set aside as “likely fraud”. Just like a Web Application Firewall is quickly able to separate the invalid packets arriving at a website from the valid ones, the envelope identifier is quickly able to set aside the ballots that are not part of the expected return.

    The provisional ballots are less of a problem. Assuming that your malicious actor sent in 100,000 provisional ballots to an area with only 50,000 voters, the authorities would quickly notice the discrepancy. This is pretty hard to hide. Provisionals are only counted AFTER both the mail in ballots and in-person ballots are counted. The effect is that the registration of every voter who voted legally has been marked. “Joe Blank voted”. So a provisional ballot from Joe Blank is clearly invalid and can be set aside. That process is very fast (a quick lookup in a database… a good data entry clerk can check about 1200 per day. Federal law does not require election officials to count every provisional ballot before certifying the election, so even if you have 10 people churning through that load of 50,000 excess provisional ballots, you can wrap it up in 10 days. Remember that, by law, election officials have a month.

    The second provision is on the ballot itself. While the ballot does not have a visible ballot number on it, it does have a signature embedded in the computer-readable print. An intelligent person can find and read the signature but it’s a meaningless number to a person. Each ballot has a unique signature. It’s a globally unique id (a GUID) which is equivalent to a number between 1 and 100,000,000,000,000,000,000,000,000,000,000,000,000.

    The algorithms for calculating GUIDs have been around for quite a while. Windows 95 had them 25 years ago. This is not new math.

    The thing is that every ballot has a unique preassigned GUID and it’s built in to the printing. If you were to print a fake ballot at home, you may print 10,000 ballots but you would end up printing 10,000 with the same GUID. Exactly one might get through, and that’s only if your are astronomically lucky or you duplicated an actual ballot. The rest would be quickly spit out by the machine as a duplicate ballot.

    Ballots are unique.

    There are other security features, I’m told, but I do not know them. I would suggest that those regions who are doing the best at mail-in ballots, like the five states that have been doing it for years, have those other mechanisms in place. Special paper, special ink, encoded watermarks, hidden barcodes, etc. All can be embedded in the ballot. It’s not quite a secure as a $20 bill (the most counterfeited currency denomination on Earth), but it’s pretty close. I briefly worked with the company that prints British currency notes. (yes, in the UK, currency notes are printed by a private company).

    The net result is that some states will omit your DOS attack without breaking a sweat. Others will struggle. That is because the US does not have consistent election laws. The states that are most likely to have problems are the “rural red” states who have wildly underfunded their election processes. Most of the ‘blue’ states have invested in modern election systems as have many of the midwestern states like Wisconsin, Ohio and Indiana. I think you’ll find that, in this election, the states at the most risk of failing your attack are not on the list of battleground states.

    I do think that our system of ensuring the vote is functionally obsolete. Voter registration should be national and attached to my citizenship id. In other words, I take my ID, go online, and can change my registration from one place to another when I move. No more “drop me from one city” and “add me to another city” which leaves these “ghost” registrations hanging around. That’s nuts and no other industrialized country does it.

    However, it would require a constitutional amendment to fix it. Alas.

Leave a Reply

Your email address will not be published.