Why getting voting right is hard, Part IV: Absentee Voting and Vote By Mail
Posted 2021-01-13
This post originally appeared on the Mozilla Blog
This is the fourth post in my series on voting systems. Part I covered requirements and then Part II and Part III covered in-person voting using paper ballots. However, paper ballots don't need to be voted in person; it's also possible to have people mail in their ballots, in which case they can be counted the same way as if they had been voted in person.
Mail-in ballots get used in two main ways:
Absentee Ballots: inevitably, some voters will be unavailable on election day. Even with early voting, some voters (e.g., students, people living overseas, members of the military, people on travel, etc.) might be out of town for weeks or months. In many cases, some or all these voters are still eligible to vote in the jurisdiction in which they are nominally residents even if they aren't physically present. The usual procedure is to mail them a ballot and let them mail it back in.
Vote By mail (VBM): some jurisdictions (e.g., Oregon) have abandoned in-person voting entirely and mail every registered voter a ballot and have them mail it back.
From a technical perspective, absentee ballots and vote-by-mail work the same way; it's just a matter of which sets of voters vote in person and which don't. These lines also blur somewhat, in that some jurisdictions require a reason to vote absentee whereas others allow anyone to request an absentee ballot ("no-excuse absentee"). Of course, in a vote-by-mail-only jurisdiction voters don't need to take any action to get mailed a ballot. For convenience, I'll mostly be referring to all of these procedures as mail-in ballots.
As mentioned above, counting mail-in ballots is the same as counting in-person ballots. In fact, in many cases jurisdictions will use the same ballots in each case, so they can just hand count them or run them through the same optical scanner as they would with in-person voted ballots, which simplifies logistics considerably. The major difference between in-person and mail-in voting is the need for different mechanisms to ensure that only authorized voters vote (and that they only vote once). In an in-person system, this is ensured by determining eligibility when voters enter the polling place and then giving each voter a single ballot, but this obviously doesn't work in the case of mailed-in ballots -- it's way too easy for an attacker to make a pile of fake ballots and just mail them in -- so something else is needed.
Authenticating Ballots
As with in-person voting, the basic idea behind securing mail-in ballots is to tie each ballot to a specific registered voter and ensure that every voter votes once.
If we didn't care about the secrecy of the ballot, the easy solution would be to give every voter a unique identifier.[1] (Operationally, it's somewhat easier to instead give each ballot a unique serial number and then keep a record of which serial numbers correspond to each voter, but these are largely equivalent.) Then when the ballots come in, we check that (1) the voter exists and (2) the voter hasn't voted already. When put together, these checks make it very difficult for an attacker to make their own ballots: if they use non-existent serial numbers, then the ballots will be rejected, and if they use serial numbers that correspond to some other voter's ballot then they risk being caught if that voter voted. So, from a security perspective, this works reasonably well, but it's a privacy disaster because it permanently associates a voter's identity with the contents of their ballots: anyone who has access to the serial number database and the ballots can determine how individual voters voted.
The solution turns out to be to authenticate the envelopes, not the ballots. The way that this works is that each voter is sent a non-unique ballot (i.e., one without a serial number) and then an envelope with a unique serial number. The voter marks their ballot, puts it in the envelope and mails it back. Back at election headquarters, election officials perform the two checks described above. If they fail, then the envelope is set aside for further processing. If they succeed, then the envelope is emptied -- checking that it only contains one ballot -- and put into the pile for counting.
This procedure provides some level of privacy protection: there's no single piece of paper that has both the voter's identity and their vote, which is good, but at the time when election officials open the envelope they can see both the voter's identity and the ballot, which is bad. With some procedural safeguards it's hard to mount a large-scale privacy violation: you're going to be opening a lot of envelopes very quickly and so keeping track of a lot of people is impractical, but an official could, for instance, notice a particular person's name and see how they voted. Some jurisdictions address this with a two-envelope system: the voter marks their ballot and puts it in an unmarked "secrecy envelope" which then goes into the marked envelope that has their identity on it. At election headquarters officials check the outer envelope, then open it and put the sealed secrecy envelope in the pile for counting. Later, all of the secrecy envelopes are opened and counted; this procedure breaks the connection between the voter's identity and their ballot.[2]
Signature Matching
The basic idea behind the system described above is to match ballots mailed out (which are tied to voter registration) to ballots mailed in. This works as long as there's no opportunity for attackers to substitute their own ballots for those of a legitimate voter. There are a number of ways that might happen, including:
Stealing the ballot in the mail, either on the way out to the voter or when it is sent back to election headquarters. Stealing the ballot on the way back works a lot better because if voters don't receive their ballots they might ask for another one, in which case you have duplicates.
Inserting fake ballots for people who you don't expect to vote. This is obviously somewhat risky, as they might decide to vote and then you would have a duplicate, but many people vote infrequently and therefore have a reduced risk of creating a duplicate ballot.
Again, I'm assuming that the attacker can make their own ballots and envelopes. This isn't trivial, but neither is it impossible, especially for a state-level actor.
Some jurisdictions attempt to address this form of attack by requiring voters to sign their ballot envelopes. Those envelopes can then be compared to the voter's known signature (for instance on their voter registration card). Some jurisdictions go further and require a witness to sign the envelope too, affirming the identity of the person signing it, require the voter to include a copy of their ID, or even require the ballot envelope to be notarized. The requirements vary radically between jurisdictions (see here for a table of how this works in each state). To the best of my knowledge, there's no real evidence that this kind of signature validation provides significantly more defense against fraud. From an analytic perspective, the level of protection depends on the capabilities of the attacker and the detection methods used by election officials. For instance, an attacker who steals your ballot on the way back could potentially try to duplicate your signature (after all, it's on the envelope!), which seems reasonably likely to work, but an attacker who is just trying to impersonate people who didn't vote might have some trouble because they wouldn't know what your signature looked like.
Ballots with Errors
It's not uncommon for the returned ballots to have some kind of error, for instance:
- Voter used their own envelope instead of the official envelope
- Voter didn't use the secrecy envelope
- Voter didn't sign the envelope
- Voter signature doesn't match
- Envelope not notarized
- Damaged ballots (torn ballots, ballots with stains, etc.)
Each of these can potentially lead to a voter's ballot being rejected. Moreover, the more requirements a voter's ballot has to meet, the greater chance that it will be rejected, so there is a need to balance the additional security and privacy provided by extra requirements against the additional risk of rejecting ballots which are actually legitimate, but just nonconformant. Different jurisdictions have made different tradeoffs here.
Just because a ballot has a problem doesn't mean that the voter is necessarily out of luck: some jurisdictions have what's called a cure process in which the election officials reach out to the voter whose name is on the ballot and offer them an opportunity to fix their ballot, with the fix depending on the jurisdiction and the precise problem. Some jurisdictions just discard the ballot, for example in the case of "naked ballots" -- ballots where voters did not use the inner secrecy envelope.
Of course, not all problems can be cured. In particular, once the ballot has been disassociated from the envelope, then there's no way to go back to the voter and get them to fix an error such as an overvote. This issue isn't unique to vote-by-mail, however: it also occurs with voting systems using central-count optical scanners (see Part III). In general, if the ballots are anonymized before processing, then it's not really possible to fix any errors in them; you just need to process them the best you can.
Ballot rejection is an opportunity for some level of insider attack: although voting officials do not know how individuals voted, they might be able to know which voters are likely to vote a certain way, perhaps by looking at their address or party affiliation (this is easier if the voter's name is on the ballot, not just a serial number) and more strictly enforce whatever security checks are required for ballots they think will go the wrong way. Having external observers who are able to ensure uniform standards can significantly reduce the risk here.
Voting Twice
There are a number of situations in which multiple ballots might have been or will be cast for the same voter. A number of these are legitimate, such as a voter changing their mind after they voted by mail and deciding to vote in person -- perhaps because they changed their mind about candidates or because they are worried their absentee ballot will not be processed in time -- but of course they could also be the result of error or fraud. There are two basic ways in which double voting shows up:
- Two mail-in ballots
- One mail-in ballot and one in-person ballot
In the case of two mail-in ballots, it's most likely that the first ballot has already been taken out of the envelope, so there's no real way not to count it. All you can do is not count the second ballot. Note that this means that if an attacker manages to successfully submit a ballot for you and gets it in before you, then their vote will count and yours will not. Fortunately, this kind of fraud is rare and detectable and once detected can be investigated. I'm not aware of any election where fake mail-in ballots have materially impacted the results.
The more complicated case is when a voter has had a mail-in ballot sent to them but then decides to vote in person, which can happen for a number of reasons. For instance, the ballot might have been lost in the mail (in either direction). This situation is different because we need to prevent double voting but poll workers don't know whether the voter also submitted their ballot by mail. If the voter is allowed to vote as usual, you might end up in a situation where the mail-in ballot has already been processed (at least as far as removing it from the envelope) and there is no way to remove either ballot, because they're both unidentified ballots mixed with other ballots. Instead, the standard process is to require the voter to fill in what's called a provisional ballot,[3] which is physically like a mail-in ballot except that it has a statement about what happened. Provisional ballots are segregated from regular ballots, so once the rest of the ballots have been processed you can go through the provisionals and process those for voters whose ordinary mail-in ballots have not been received/counted.
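To make the bookkeeping concrete, here is an added example (my own code, not from the original post and not a model of any particular jurisdiction's system) that implements the envelope authentication from the Authenticating Ballots section together with the duplicate and provisional handling described above. The class and method names are mine, the serial numbers are generated randomly (an assumption; the text only says they are unique), and the voter roll and ballots are constructed sample data.

```python
import secrets


class MailInProcessor:
    """Toy model of the envelope-authentication procedure: the identity lives
    on the outer envelope, the ballot inside carries no identifier."""

    def __init__(self, voter_roll):
        # Issue one outer envelope per registered voter. Serials are random
        # (an assumption here) so an attacker cannot simply count upward.
        self.serial_to_voter = {secrets.token_hex(8): v for v in voter_roll}
        self.voter_to_serial = {v: s for s, v in self.serial_to_voter.items()}
        self.has_voted = set()       # voters whose outer envelope passed both checks
        self.counting_pile = []      # sealed secrecy envelopes, no identity attached
        self.set_aside = []          # (identifier, reason) for further processing / cure
        self.provisionals = []       # (voter_id, ballot) held until mail-in processing ends

    def serial_for(self, voter_id):
        """The office's own record of which envelope went to which voter."""
        return self.voter_to_serial[voter_id]

    def receive_envelope(self, serial, secrecy_envelope):
        """Process one returned outer envelope. `secrecy_envelope` is the list of
        ballots found inside the sealed inner envelope. Returns True if the inner
        envelope went to the counting pile, False if the envelope was set aside."""
        voter = self.serial_to_voter.get(serial)
        if voter is None:                      # check 1: does this serial/voter exist?
            self.set_aside.append((serial, "unknown serial"))
            return False
        if voter in self.has_voted:            # check 2: has this voter already voted?
            self.set_aside.append((serial, "duplicate: voter already returned an envelope"))
            return False
        if len(secrecy_envelope) != 1:         # exactly one ballot per envelope
            self.set_aside.append((serial, "envelope must contain exactly one ballot"))
            return False
        self.has_voted.add(voter)
        # Only the unmarked inner envelope moves on; the identity stays behind
        # with the outer envelope, which is what breaks the voter/vote link.
        self.counting_pile.append(secrecy_envelope[0])
        return True

    def vote_in_person(self, voter_id, ballot):
        """A voter who was issued a mail-in envelope shows up at the polls. Poll
        workers cannot tell whether that envelope is in the mail, so the ballot
        is held as a provisional rather than mixed into the count."""
        self.provisionals.append((voter_id, ballot))

    def resolve_provisionals(self):
        """Run only after every mail-in envelope has been processed: a provisional
        ballot counts only if no mail-in envelope for that voter was accepted."""
        for voter, ballot in self.provisionals:
            if voter in self.has_voted:
                self.set_aside.append(("provisional:" + voter, "superseded by accepted mail-in ballot"))
            else:
                self.has_voted.add(voter)
                self.counting_pile.append(ballot)
        self.provisionals = []

    def tally(self):
        """Count the anonymous pile; ballots here are just choice labels."""
        counts = {}
        for ballot in self.counting_pile:
            counts[ballot] = counts.get(ballot, 0) + 1
        return counts


def demo():
    # Constructed sample data: three registered voters, ballots are choice labels.
    office = MailInProcessor(["alice", "bob", "carol"])
    office.receive_envelope(office.serial_for("alice"), ["A"])     # accepted
    office.receive_envelope(office.serial_for("alice"), ["B"])     # second envelope: set aside
    office.receive_envelope("not-a-real-serial", ["A"])            # forged serial: set aside
    office.receive_envelope(office.serial_for("bob"), ["A", "A"])  # two ballots: set aside
    office.vote_in_person("bob", "B")     # bob's mail-in failed, so his provisional should count
    office.vote_in_person("carol", "A")   # carol votes provisionally, then her mail-in...
    office.receive_envelope(office.serial_for("carol"), ["B"])     # ...arrives and is accepted
    office.resolve_provisionals()         # carol's provisional is set aside, bob's counts
    return office


if __name__ == "__main__":
    office = demo()
    print("tally:", office.tally())
    for identifier, reason in office.set_aside:
        print("set aside:", identifier, "-", reason)
```

Note the order of operations in `demo()`: provisionals are only resolved after the last mail-in envelope is processed, which is exactly why the in-person ballot has to be kept separate rather than dropped into the regular pile.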
Returned Ballot Theft
Another source of attack on mail-in ballots -- as well as ballot drop-boxes -- is theft of the ballots en route to election headquarters. In-person voting has a number of accounting mechanisms designed to ensure that the number of voters matches the number of cast ballots, which then matches the number of recorded votes, but these don't work for mail-in ballots because many people who are sent ballots will fail to return them. In many jurisdictions, voters are able to track their ballots and see if they have been processed, and could cast them in person if they are lost. However, as a practical matter, many voters will not do this. The major defense against this kind of attack is good processes around mail delivery and drop-box security, as well as post-hoc investigation of reports of missing ballots.
Secrecy of the Ballot
With proper processes at election headquarters, the ballot secrecy properties of mail-in ballots are comparable to in-person voting, with one major exception: with mail-in ballots it is much easier for a voter to demonstrate to a third party how they voted. All they have to do is give the ballot to that third party and let them fill it out and mail it (perhaps signing the envelope first). This allows for vote buying/coercion type attacks. This isn't ideal, but it's a difficult attack to mount at a large scale because the attacker needs to physically engage with each voter.
The cost of security
As noted above, many states have fairly extensive verification mechanisms for mail-in ballots. These mechanisms are not free, either to voters or election officials. In particular, requirements such as notarization increase the cost of voting and thus may deter some voters from voting. Even apparently lightweight requirements such as signature matching have the potential to cause valid ballots to be rejected: some people will forget to sign their name, people do not sign their name the same way every time, and election officials are not experts on handwriting, so we should expect that they will reject some number of valid ballots. Cottrell, Herron and Smith report about 1% of ballots being rejected for some kind of signature issue, with Black and Hispanic voters seemingly having higher rates of rejection than White voters. Because real fraud is rare and errors are common, the vast majority of rejected ballots will actually be legitimate.[4]
There is a more general point here: although mail-in ballots seem insecure (and this has been a point of concern in the voting security community), real studies of mail-in ballots show that they have extremely low fraud rates. This means that policy makers have to weigh potential security issues with mail-in voting against their impact on legitimate voters. The current evidence suggests that mail-in voting modestly increases voting rates (experience from Oregon suggests by about 2-5 percentage points).[5] The implication is that making mail-in voting more difficult -- whether by restricting it or by adding hard-to-follow security requirements -- is likely to decrease the number of accepted ballots while only having a small impact on voting fraud.
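The "rare fraud, common errors" argument is a base-rate calculation, and it is worth seeing the numbers. The following is an added example (my own code, not from the original post) that splits the ballots a check rejects into wrongly rejected legitimate ballots and correctly caught fraudulent ones, and solves for the fraud rate at which the two would be equal. The fraud rate, the check's false-positive rate and its detection rate in the demo are constructed assumptions; the only figure taken from the text is the rough 1% signature-rejection rate, used here as the false-positive rate.

```python
def rejection_breakdown(n_ballots, fraud_rate, false_positive_rate, true_positive_rate):
    """Split the ballots a check rejects into wrongly rejected legitimate ballots
    (false positives) and correctly rejected fraudulent ones (true positives).
    All rates are fractions in [0, 1]."""
    fraudulent = n_ballots * fraud_rate
    legitimate = n_ballots - fraudulent
    fraud_caught = fraudulent * true_positive_rate
    legitimate_rejected = legitimate * false_positive_rate
    rejected = fraud_caught + legitimate_rejected
    return {
        "rejected": rejected,
        "fraud_caught": fraud_caught,
        "legitimate_rejected": legitimate_rejected,
        # Share of the rejected pile that was actually legitimate.
        "legitimate_share": legitimate_rejected / rejected if rejected else 0.0,
    }


def breakeven_fraud_rate(false_positive_rate, true_positive_rate):
    """Fraud rate at which half of the rejected ballots would be fraudulent:
    solve f * tp = (1 - f) * fp for f."""
    return false_positive_rate / (false_positive_rate + true_positive_rate)


if __name__ == "__main__":
    # Constructed assumptions: 1 fraudulent ballot in 10,000, a signature check
    # that wrongly rejects 1% of legitimate envelopes (the order of magnitude
    # of the rejection rate cited above) and catches half of the forgeries.
    r = rejection_breakdown(1_000_000, 0.0001, 0.01, 0.5)
    print(f"{r['rejected']:.0f} rejected: {r['fraud_caught']:.0f} fraudulent, "
          f"{r['legitimate_rejected']:.0f} legitimate ({r['legitimate_share']:.1%})")
    print(f"fraud rate needed for a 50/50 split: {breakeven_fraud_rate(0.01, 0.5):.2%}")
```

With these inputs roughly 99.5% of the rejected envelopes belong to legitimate voters, and fraud would have to run at about 2% of all ballots before even half of the rejections were justified; the exact figures move with the assumed rates, but the shape of the result does not.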
Up Next: Direct Recording Electronic systems and Ballot Marking Devices
OK. Three posts on paper ballots seems like enough for now, so it's time to turn to more computerized voting methods. The other major form of voting in the United States uses what's called the "Direct Recording Electronic" (DRE) voting system which just means that you vote directly on a computer which internally keeps track of the votes. DRE machines are very popular but have been the focus of a lot of concern from a security perspective. We'll be covering them next, along with a similar seeming but much better system called a "Ballot Marking Device" (BMD). BMDs are like DREs but they print out paper ballots that can then be counted either by hand or with optical scanners.
[1] In this version, the ballots can just have numbers and not names, but as we'll see below, many jurisdictions require names. ↩︎
[2] People familiar with computer privacy will recognize this technique from technologies such as proxies, VPNs, or mixnets. ↩︎
[3] Provisional ballots are also used for a number of other exception cases such as voters who go to the wrong polling place (here again, it's hard to tell if they tried to vote at multiple polling places) or voters who claim to be registered but can't be found on the voter list (this actually looks the same to precinct-level officials because each precinct usually just has its own list of voters). ↩︎
[4] This dynamic is quite common when adding new security checks: any check you add will generally have false positives. In environments where most behavior is innocent, that means that most of the behavior you catch will also be innocent people. Bruce Schneier has written extensively about this point. ↩︎
[5] While mail-in voting generally seems to increase turnout by reducing barriers to voting, there are a number of populations that find mail-in ballots difficult. One obvious example is the disabled, who may find filling in paper ballots difficult. Less well-known is that Native Americans experience special challenges that make exclusive vote-by-mail difficult. Thanks to Joseph Lorenzo Hall for informing me on this point. ↩︎