[pdovy]

What is the actual attack vector here for taking advantage of incorrect voter rolls? Just that it's easier to vote more than once by mail than in person?

Where I am in IL you don't need to show photo ID to vote, so the level of verification that occurs in person vs by mail is the same.

Generally it seems like you want the voter rolls to err on the side of being overly broad than vice versa, so long as it doesn't enable fraud - i.e., it's better to leave someone on the voter rolls who has moved/died (who is overwhelmingly unlikely to actually cast a vote) than to disenfranchise a voter by erroneously purging them.

[pc86]

Surely sending half a dozen ballots to the same address, for all the previous tenants from the last half decade, "enables fraud" if the person living there is so inclined.

[djaque]

I don't think any scheme that requires people to be willing to commit felony fraud en masse is very likely. They would need to open other people's mail, forge their signature (on my ballot it clearly states that you will go to jail for this) and send it back in. They would need to risk all of that for one extra vote since they are only accidentally receiving an extra ballot.

We also don't need to sit around speculating about this because the data we have on voter fraud already tells us that it's incredibly rare.

What we should focus on is the 1 in 10 voters here who had a ballot rejected for primarily UX reasons that could be fixed. That's a problem which is supported by facts and could be fixed. Instead the current administration is gutting the USPS and making voting even more difficult in the middle of a pandemic. My ballot application is already taking twice as long to get in as it did last year. How is that OK?

[yostrovs]

You don't know how common voter fraud is. When it's easy to do and you can't be caught, as in other people's ballots coming to your mailbox, many will do it. They do it. I know someone who voted on behalf of another in California because ID is not necessary. There must be many more others doing the same.

[javagram]

If that happened regularly and widely it would be quite obvious because 40-50% of eligible voters vote. So there could be as much as a 40% chance that the person whose ballot you forged also tried to vote and is either turned away or submits a provisional ballot or complaint.

This would create a record that could then be used to examine the signature on the ballot and charge the person with voter fraud.

Note: not many states have changed their laws on vote by mail this year, so theoretical VBM fraud could have been done by submitting fraudulent ballot applications in most past elections too. The main difference this year is more voters are expected to use the no-excuse absentee ballot that was already available to them in other years.

[yostrovs]

This being a hacker forum, would such security measures as you believe in and propose be acceptable in any computing application? In finance? Medicine? Anything really?

[javagram]

This is how the system has worked, oftentimes for decades past.

No, they would not be considered acceptable in a computing application. But in computing, it’s considered acceptable to discriminate against users for the sake of security.

I’m unaware of any major democracy that uses computerized voting with a username, password, and 2FA to replace the traditional ballot box, for obvious UX reasons. (Never mind that computerized results might actually be easier to forge than paper ballots).

Regardless of what is “acceptable” it is a fact that widespread voter fraud using the mechanisms proposed would be detectable.

[treeman79]

Fraction of an percentage is all that is needed much of the time.

A few hindered ballots from a [left/right] leaning district going missing can be enough.

Don’t even need to have individual fraud, just some stats on how likely one area is to vote then “wrong” way.

Hell nursing homes or others could easily swing lots of votes by a single staff.

I’ve dealt with plenty of high officials that have negative documents go missing. It’s just routine for many.

[dunham]

If the person living there is so inclined and successfully forges the signatures on the ballots.

At least in WA state, a signature is required on the exterior of the envelope, and it is validated against the signature on the voter registration form.

[benjohnson]

Signatures are a lousy form of validation for voting in my opinion:

I'm a Washington state resident and because I sign a lot of checks I have two forms of my signature: My 'fancy' signature that has every letter of my name and my check signing signature that is a scrawl of simple squiggles.

I used my fancy signature for voter registration and accidentally used my squiggle signature for my fist mail in ballot and did't get any kickback. I've used it for six years and King County elections still has never questioned it.

[ncallaway]

As a counterpoint, I also live in Washington.

About five years ago I decided to change my signature. The first ballot I mailed in after changing my signature was rejected for having a non-matching signature, and I had to prove my identity and update my signature on file with the King County elections in order for my ballot to be counted.

[breser]

My signature ended up changing over time and I had to update my signature with the county elections office in Washington to stop my ballots from being rejected. So really not sure how you're slipping by.

[heymijo]

In Ohio its signature and ID number on your driver's license or last 4 of your social security number.

So ballots go to the wrong place, fine. The probability of random person there being interested and then finding any of this information is low.

[listenallyall]

Election officials could assign "strict" signature validators to certain targeted districts, so approx 10% of ballots get thrown out, and "loose" validators elsewhere, so only 2% of votes get tossed.

[javagram]

That would be illegal. See the “Bush v Gore” decision which was about a similar idea but applied to counting hanging chads, etc. rather than signatures.

[listenallyall]

Of course it is illegal. The discussion is about how anti-fraud measures (like signature verification) could potentially be flipped to actually assist in cheating/fraud.

Let's keep in mind, depending on where power lies post-election, that doing something illegal, even if caught, doesn't necessarily means one would be punished for it.

[dTal]

Sounds great! I'm sure nobody would take advantage of that.

[pc86]

Sounds like a violation of equal protection.

[chrisseaton]

Do you think they have handwriting experts validating every vote?

[dmurray]

And even if they did...most of the time their opinion would be "yeah, looks OK". You'd like that to just be stage 1 and call for further scrutiny if it turns out it would affect the result - but you can't, if you keep the evidence longer to revisit it during a recount, you lose the secrecy of the ballot.

[abhorrence]

You can do it the other way around. If the signature seems fishy, you set it aside unopened, and only do further validation before opening it if the election is close enough for it to matter.

For example, in an election with 100 votes cast. If 10 signatures are suspicious, you only do extended validation and open them if the election was won by a margin smaller than 10.

[lefrenchy]

I’m confused.. do you think it’s likely that someone forges the signature of a person they’ve never met within a believable margin of error? Seems the burden of proof is on the people claiming that happens a lot

[gerdesj]

A few years back me and the wife went on a cruise that disembarked in NOLA. We had a lovely time and at one point went to buy some new luggage cases: one of ours had fallen to bits and the other had suffered somewhat (my fault.) We took the tram out of town to a mall on the outskirts and hit a decent sized department store.

I was offered a tablet to sign on when I offered up my card. So I took back my card and signed it on the back and then loosely repeated that same signature on the tablet thing.

I'd had that card for around two years. I never sign them these days because it doesn't really mean anything around here any more in the UK. Bear in mind I am old enough to remember signing cheques for "To cash".

[stordoff]

How much validation is actually done in practice? In the UK, I sign something about once at year _at most_ - I can't remember the last time I signed something without going back a few years, and I've no idea how I signed it.

[soco]

But how could somebody actually KNOW the signatures of the previous tenants? In order to try forging them you need first some models...

[khuey]

How is the person living there going to figure out how to correctly forge the signatures of all those previous tenants?

[burfog]

There is no such thing as large-scale signature verification.

If a close match were demanded, people would complain of disenfranchisement. People don't sign the exact same way every time.

Realistically, the workers are tired and they don't care. If they do reject anybody, it's probably because the vote comes from an area that tends to vote in the undesired way. In other words, this human element is a problem. It would be especially easy to bias the election by rejecting based on name.

An imperfect signature of the desired ethnicity (more likely to be a "correct" vote) gets a pass. An imperfect signature of the undesired ethnicity is a fail. That's all it takes to quietly flip an election, with no evidence trail at all.

[djaque]

There doesn't need to be. I feel like we're failing to recognize that this is a soft solution, not a tech solution. The signature is there so that you go to jail for felony fraud if you forge it. Then with simple detection schemes the cost of trying compared to the benefit of like one extra vote doesn't make sense.

[burfog]

That argument is weak, but not insane, for in-person voting.

For vote-by-mail though, how could anybody go to jail? The ballot shows up. It is accepted or rejected. If rejected, then what? Are we going to pick fingerprint DNA out of the paper fibers for this? There is no reasonable way to ever determine who attempted to cast the vote.

It'll be fraud, but never part of the official statistics. It can't be proven without using the level of resources normally reserved for famous murder cases.

There just isn't a deterrent. Severe punishment means nothing if the criminal thinks he has no chance of being caught. The fraud can be done in bulk, and it is, via ballot harvesting.

Also, what about the corrupt verifiers? Being prone to rejecting some names more than others can change an election, and there would be no way to prove it. If the signature verifier has a preference between Cohen and Abdul, or between Garcia and Washington, what can anybody do?

[baddox]

What’s different about in-person voting? You show up, you vote, you leave. Are they going to take fingerprints and DNA samples of the polling center?

[ikerdanzel]

Signature validation is not enforced 100%. Go asked those who worked with it in the pasts elections informally. You will know how bad it is.

[jablongo]

The attack vector for voter fraud is obvious but not really scalable. Ballot fraud is a bit more scalable because you could request absentee ballots on other people’s behalf - signatures aren’t a huge deal b/c even w/ a 50% success rate you are achieving your objectives. All of that said, fraud is simply not very prevalent in either case.

[djaque]

At a 50% success rate you go away to federal jail for a couple of years. How many people are willing to throw away their lives for a few extra votes? That doesn't make sense to me.

[jb775]

> you don't need to show photo ID to vote, so the level of verification that occurs in person vs by mail is the same

Except that voting in-person requires traveling to public places where you're seen by others, and likely walk past at least 1 security camera along the way (not to mention pinging every cell-tower while traveling). That's pretty daunting compared to filling out a bunch of voting forms and dropping them in a mailbox.

[virtue3]

So your argument is basically "Big Brother" makes in person voting more secure?

Oregon has had mail in ballot the default and it's been fine.

At least there is a damn paper trail with the vote by mail. All the swing states were using Diebold machines that were deemed INSECURE by california over a decade ago. And they don't have backup paper trails. We should IMHO be burning those with pitchforks and what not and going mail in voting over that.

We have more issues with people NOT VOTING than actually doing extra ballots.

[moeadham]

Comments like this are really concerning.

I wonder if it’s too many CSI style shows or what, but conspiracy theories are getting popular at a startling scale.

[treeman79]

Our previous president got into his first office by disqualify all his opponents over signatures.

http://ballot-access.org/2008/06/01/cnn-re-publicizes-accoun...

[moeadham]

Let me guess: he used CCTV and cell towers to prove it too? /s

[dredmorbius]

Though concerns over vote-by-mail fraud seem greatly overstated, truth is that where you are at a given moment says a lot about who you are.

Identity and location are closely linked.

And being somewhere specific carries a high opportunity cost: it precludes being elsewhere. In-person vs. remote mechanisms (mail, phone, electronic) reflect this.

[atlgator]

I know in Georgia if you move from one County to another there could be duplicate voter registrations. If you die or move out of state your voter registration may not be terminated. Either could allow duplicate votes. Another vector for mailed ballots is simply stealing them. If I know the state mailed them all two days ago and I received mine today, chances are my neighbors also got theirs. I could just steal their ballot, mark down who I want, and drop them all at a random blue mailbox.

[wincy]

I recently moved from Missouri and even though they know my new address in a different state they send me voting literature. It’s really weird.

[Uhhrrr]

I am not an expert, but I imagine this could work:

-Generate fictional registered voters at real addresses

-Elections office dutifully sends out ballots

-Rely on actual residents to toss those ballots. Or maybe they vote with them - if it's in the right district, they're likely to vote for the right person anyway

-Send in copies of their mail-in ballots come election time

This would work if you keep the numbers low. And the numbers of dead/moved voters would help camouflage it.

[bananabreakfast]

And how exactly do you plan to register fake voters? Are you going to go to the DMV with forged Social Security cards and birth certificates?

[Uhhrrr]

I have never needed a birth certificate to register to vote.

You could use a SSN from a person residing in another state. Or, according to this form: https://www.eac.gov/sites/default/files/eac_assets/1/6/Feder..., "If you do not have a current and valid driver license or non‑operating identification license or a social security number, please write “NONE” on the form. A unique identifying number will be assigned by the Secretary of State."

[refurb]

I have no idea what verification is done on the back end, but registering as a voter in CA is as simply as filling out a postcard and sending it in.

I'm guessing there isn't much verification, as I've heard of immigrants accidentally being registered to vote because they checked "Yes - I'm a US citizen" on a driver's license form.

[tathougies]

None of those things are required to register in my state of Oregon. You just swear you're a citizen.

[jb775]

I think there needs to be some form of authentication to at least publicly show IF someone voted or not. i.e. this way, we could log on to make sure a vote wasn't cast from our dead Uncle Albert or w/e...and maybe even voters could be given an encrypted private key upon voting to so they could verify their vote whenever.

[ncallaway]

It generally is public information in which elections a voter has voted.

You cannot see how they voted, but you can see that they voted.

This is how all political campaigns know which people always vote, which people usually vote, which people sometimes vote, and which people never vote.

For example, in Washington State there is a voter registration database. These are public records that can be requested from the state (https://www.sos.wa.gov/elections/vrdb/default.aspx). In them, the date that the person last voted is listed (see "lastVoted" in column 36 https://www.sos.wa.gov/_assets/elections/vrdbdatabasefields....).

In addition, King County ballots come with a unique identifying code that you can look up on their website to see if your ballot was received or counted (https://info.kingcounty.gov/kcelections/vote/myvoterinfo.asp...).

[secabeen]

It's actually even more than that. The list of people who have voted is available for public inspection on election day itself. In close races, campaigns will send people out to review the list(s), note which of their likely voters haven't voted yet, then call them to offer a ride or otherwise help them get to the polls so they can vote. It's not that common at the presidential level, but for city council or the like, it can make a real difference.

[jb775]

Do you have a source for this? I tried to find the laws on this but don't really see anything that discusses accessing a list of who voted during an election. I feel this this should be inaccessible until after the election.

[secabeen]

Looks like it depends on the state: https://www.rcfp.org/open-government-sections/i-election-rec...

Most common is allowing the inspection of the list of absentee requestors, like in North Carolina: The chief election judge of each precinct is required to post one copy of the precinct absentee ballot list “in a conspicuous location in the voting place.”

That said, there are other states that do not allow this, so it's less widespread than I originally thought, and when it is allowed, it's usually either just the absentee requestors, or the list is made available after the election, not during. Sorry.

[OldHand2018]

> Where I am in IL you don't need to show photo ID to vote, so the level of verification that occurs in person vs by mail is the same.

It's not quite the same. If you go in person, you fill out a piece of paper and sign it. You turn in that paper to get your ballot, and they compare the signature. But, if the poll worker says that your signature doesn't match, you have the opportunity to verify yourself with ID, etc. And there is supposed to be Democrat and Republican election judges present to agree and consent to giving you a ballot.

If you vote by mail and there is an issue, you have no opportunity to resolve any problems.

[gootdude]

Incorrect, I vote by mail from Illinois and they send you confirmation of both your ballot being received and that it was properly counted.

Illinois 10 ILCS 5/19-8 Voters are notified by mail of rejected ballot within two days of rejection. Voters have until 14 days after election to resolve issue with county election authority.

Why are you making up reasons to question the accuracy of voting by mail if you haven’t read the basics or even tried it?