Vote by Mail

This page focuses on two different implementations of vote by mail. The first part focuses on vote by mail as practiced by most US states, where voters have the option of voting by mail (but can also go to a polling place and vote.) The second focuses on vote by mail as practiced by Oregon, where voters can only vote by mail. A similar system is also being implemented in Washington, but this part focuses on Oregon mainly because its system has been around for longer.

Infrastructure attack protection
It would be hard but possible for a party with enough resources to sufficiently cripple the postal system. It costs about 44 cents to ship a letter, and having an influx of tens of thousands of letters might slow down post offices tremendously. This could also be easily targeted to certain districts to skew the vote.

Outsider hacking protection
It would be very hard for an adversary to infiltrate and corrupt the proceedings wherein ballots are counted. Adversaries would likely instead use man in the middle attacks - see that section for more information. Yet that doesn't mean it's impossible. These type of high-output optical scan machines are quite conspicuous and someone might be able to break in and compromise the tallying software. Despite the chances of this being rather slim, there is a paper record to serve as a backup and as an auditing tool of the optical scanners.

Malware and virus protection
In an ideal VBM system, there are no "viruses" that can modify people's vote. Votes would be counted accurately by machine with officials from both sides carefully watching. Yet this isn't what happens in most states simply because there aren't the necessary resources available. Votes are tallied using optical scanners, but these optical scanners can suffer from viruses too. Election staffers may notice this even if the paper record is in front of them. Adding to the problem is the fact that 1) paper is bad as a recording medium and 2) it can be unclear when threats are sufficiently bad to completely scrap the optical scan system. Having a paper record is a good thing, but it's useless unless sufficient attention is paid to the optical scan machines in the first place.

Man in the middle attack protection
An adversary could create a lot of mischief if they have sufficient resources. Fake mail carriers could be sent out to collect ballots, fake ballots could be distributed (in Oregon, polls looking exactly like ballots were distributed in 2010 before a tax measure ), and ballots held for counting could be physically destroyed (to name a few options.) To some degree, these fears have already happened. In November 2010, a poll worker stole 75 completed ballots from a polling location in San Francisco and threw them in a river. And, in Chicago during the 2002 primary, a "man reportedly helped 35 seniors apply for absentee ballots at a senior housing center during the 2002 primary, then returned several weeks later to illegally punch their signed ballots." There's plenty more info on these type of problems with VBM and it's likely that these are only the tip of the iceberg. Many of these attacks (such as the fake ballots being distributed in Oregon) are legal, further adding to the problem.

Insider attack protection
Ideally election officials from both parties are there to verify that votes are not intentionally miscounted. But given the amount of votes the process isn't necessarily perfect. If the voter does something like crosses out a mark with an X on his ballot, it gets sent to a bipartisan board to what the voter intended to vote for, and to change the vote accordingly. In addition to the still finite possibility of changing votes here, badly formed ballots could just not get filtered out by the officials scanning for "irregularities", perhaps leading to biases. Yet in many election districts "mail ballots are counted by staff and temporary workers in a backroom rather than publicly by citizen election judges as is done in precincts. This violates the "many eyes" principle and makes election fraud easy."

Coercion resistance
There really isn't any protection to vote attribution. For example, in the 2008 election groups tried to encourage young voters to request absentee ballots and then bring them to "debate and vote parties" where issues were discussed and ballots marked without access to privacy booths.

Ensuring one person, one vote
Many jurisdictions require elections officials to duplicate damaged or difficult to read VBM ballots. These may be counted in addition to the originals: more than 25 precincts in Minnesota had more ballots than voters signed in to vote. Another issue with VBM is that anyone who can obtain a ballot and a sample signature can vote. People could complete multiple applications under different names and use this to obtain ballots. People can vote on behalf of their friends and families, which allows some voters to vote multiple times.

Counting and tallying accuracy
Charles Stewart from the MIT/Caltech VTP notes that the average the return rate of vote by mail ballots is about 90.8%.

Also, there are a multitude of problems regarding voter intent on VBM ballots: what if the voter accidentally marks both candidates down? Since votes aren't opened before a few days prior to election day this issue may be unresolved. Not to mention the proprietary nature of the voting machines, the signature verification process which may disenfranchise some voters, the ease at modifying votes in the mail, and so on. Items are often lost in the mail - the Clearwater post office lost 1100 absentee ballots in a 2008 election. In the presidential election in 2008, 4.2% of all VBM ballots that made it through the post office were rejected in Minnesota due to procedural errors by voters. And, in Minnesota, 13% or more rejected absentee ballots were done so in error.

Voter anonymity
Each VBM ballot must be directly bound to identify the voter to ensure one person-one vote. There are procedures to protect voter privacy but the inherent vulnerability still exists. Because votes have to be directly counted it's likely these procedures aren't applied 100% of the time. Yet, it seems like the worst case scenario (assuming that the majority of election officials aren't corrupt) Is having a poll worker learn about the contents of someone's vote. This doesn't seem like a terrible situation, because the voter and the election official likely do not know each other and it's not very useful information for an individual election official.

Voter verifiability
In most VBM systems it is impossible to verify that your ballot was both a) received and b) counted correctly. This presents a problem because ballots may not always go through.

Immediate results protection
I see no reason why this couldn't occur, except for perhaps human error. I'm unsure of the significance of this issue however.

Ease of performing a recount
It's possible but it might not be very useful - these elections aren't fully auditable because there could be problems with the post office, etc. However performing a recount could check back problems arising from optical scan machines.

Usability
Voters may forget to sign the envelopes containing their ballots - in this case, they are required to go their election office and sign their ballot, or else it's not counted. The election office will try to contact the voter in that case via phone. These signatures must pass verification which is performed manually by an election official - this process isn't 100% accurate because voters will often sign things differently on different days. If the signatures don't seem to match then the voter must come in and resign their envelope.

Many votes are discounted because voters don't follow the instructions. Many military ballots aren't counted because they can't get them in by the proper deadline or are "lost" (1/4 in 2008 ).For the general population, "of 103,000 ballots mailed, 30,000 were lost, 4,000 were rejected, and 3,000 were undeliverable"

Transparency
Many VBM systems don't have transparency. In many places "ballots are counted in the 'back room' at the county or city clerk's office, a concerted effort is often made to cover up problems and only the most obvious and egregious errors become public."

Infrastructure attack protection
It would be hard but possible for a party with enough resources to sufficiently cripple the postal system. It costs about 44 cents to ship a letter, and having an influx of tens of thousands of letters might slow down post offices tremendously. This could also be easily targeted to certain districts to skew the vote. Making it worse is the fact that in Oregon VBM is the only system used to vote, so this could potentially be a lot more effective. However, in Oregon ballots can be dropped off at collection booths which partially solves this problem.

Outsider hacking protection
It would be very hard for an adversary to infiltrate and corrupt the proceedings wherein ballots are counted. Adversaries would likely instead use man in the middle attacks - see that section for more information. Yet that doesn't mean it's impossible. These type of high-output optical scan machines are quite conspicuous and someone might be able to break in and compromise the tallying software. Despite the chances of this being rather slim, there is a paper record to serve as a backup and as an auditing tool of the optical scanners.

Malware and virus protection
In an ideal VBM system, there are no "viruses" that can modify people's vote. Votes would be counted accurately by machine with officials from both sides carefully watching. Yet this isn't what happens in Oregon (and most other states), simply because there aren't the necessary resources available. Votes are tallied using optical scanners, but these optical scanners can suffer from viruses too. Election staffers may notice this even if the paper record is in front of them. Adding to the problem is the fact that 1) paper is bad as a recording medium and 2) it can be unclear when threats are sufficiently bad to completely scrap the optical scan system. Having a paper record is a good thing, but it's useless unless sufficient attention is paid to the optical scan machines in the first place.

Man in the middle attack protection
An adversary could create a lot of mischief if they have sufficient resources. Fake mail carriers could be sent out to collect ballots, fake ballots could be distributed (in Oregon, polls looking exactly like ballots were distributed in 2010 before a tax measure ), and ballots held for counting could be physically destroyed (to name a few options.) To some degree, these fears have already happened. In November 2010, a poll worker stole 75 completed ballots from a polling location in San Francisco and threw them in a river. And, in Chicago during the 2002 primary, a "man reportedly helped 35 seniors apply for absentee ballots at a senior housing center during the 2002 primary, then returned several weeks later to illegally punch their signed ballots." There's plenty more info on these type of problems with VBM and they're only the tip of the iceberg. Many of these attacks (such as the fake ballots being distributed in Oregon) are legal, further adding to the problem. Yet in Oregon, there is one solution, however: campaigns are given the contact info of people whose votes aren't sent in, which could get voters to realize that their votes haven't been counted yet. But it's not a perfect one because 1) voters may not know what's going on and 2) it doesn't defend against the changing of votes in transit.

Insider attack protection
Ideally election officials from both parties are there to verify that votes are not intentionally miscounted. But given the amount of votes the process isn't necessarily perfect. If the voter does something like crosses out a mark with an X on his ballot, it gets sent to a bipartisan board to what the voter intended to vote for, and to change the vote accordingly. In addition to the still finite possibility of changing votes here, badly formed ballots could just not get filtered out by the officials scanning for "irregularities", perhaps leading to biases. Because there are sufficient people surrounding vote counters though, this condition should be satisfied, however. To some degree insiders will be able to change or manipulate votes, but the defenses are likely good enough.

Coercion resistance
Vote by mail lacks solutions to the issues of coercion and vote selling. For example, in the 2008 election groups tried to encourage young voters to request absentee ballots and then bring them to "debate and vote parties" where issues were discussed and ballots marked without access to privacy booths. To an example from Oregon, in the 2008 primary elections Oregon democrats were asked to attend a "bring our own ballot" party with former President Bill Clinton.

Ensuring one person, one vote
One issue with VBM is that anyone who can obtain a ballot and a sample signature can vote. People could complete multiple applications under different names and use this to obtain ballots. People can vote on behalf of their friends and families, which allows some voters to vote multiple times.

Counting and tallying accuracy
Though Oregon didn't report the number of ballots returned for counting, based on other data from states that did report this statistic, Charles Stewart from the MIT/Caltech VTP estimates the return rate was 90.8%. This may be higher in Oregon as voters don't have the option to vote in person, but it is still significant. Also, there are a multitude of problems regarding voter intent on VBM ballots: what if the voter accidentally marks both candidates down? Since votes aren't opened before a few days prior to election day this issue may be unresolved. Not to mention the proprietary nature of the voting machines, the signature verification process which may disenfranchise some voters, the ease at modifying votes in the mail, the fact that some things can get lost in the mail, and so on.

Voter anonymity
Each VBM ballot must be directly bound to identify the voter to ensure one person-one vote. There are procedures to protect voter privacy but the inherent vulnerability still exists. Because votes have to be directly counted it's likely these procedures aren't applied 100% of the time. Yet, it seems like the worst case scenario (assuming that the majority of election officials aren't corrupt) Is having a poll worker learn about the contents of someone's vote. This doesn't seem like a terrible situation, because the voter and the election official likely do not know each other and it's not very useful information for an individual election official.

Voter verifiability
There is partial verifiability in that campaigns get the contact info of voters if they don't vote or if their vote has not been received - this may let some know that their votes were lost in transit. However, there's no way for voters to A) know that the vote that they submitted is exactly the same as the vote that the election officials count (i.e. whether it was lost in transit) and B) know that it was counted correctly.

Immediate results protection
In Oregon, votes are opened and counted on election day. The problem of having no immediate results doesn't seem to matter that much in Oregon since a) many voters will likely fill out their ballots in advance and b) immediate results may not reflect the full election because they would likely be concentrated to the results of certain districts rather than the whole state. Given that Oregon only uses VBM it's likely precautions have been taken to ensure that no immediate results can be obtained before the voting period is over.

Ease of performing a recount
Performing a recount wouldn't be very useful using a vote-by-mail system because elections aren't auditable.

Usability
Voters may forget to sign the envelopes containing their ballots - in this case, they are required to go their election office and sign their ballot, or else it's not counted. The election office will try to contact the voter in that case via phone. These signatures must pass verification which is performed manually by an election official - this process isn't 100% accurate because voters will often sign things differently on different days. If the signatures don't seem to match then the voter must come in and resign their envelope.

Many votes are discounted because voters don't follow the instructions. Many military ballots aren't counted because they can't get them in by the proper deadline or are "lost" (1/4 in 2008 ).For the general population, "of 103,000 ballots mailed, 30,000 were lost, 4,000 were rejected, and 3,000 were undeliverable"

Transparency
Oregon's mail-voting system is pretty transparent. "Optically scanned machine counts are verified by random hand-counts." And it seems like from the video on youtube that there are suffient bodies in the room to ensure that votes aren't changed or modified.