Thursday, June 21, 2018

Absentee Ballot Cyberhack In Florida Offers Disturbing Lessons About Vote-by-Mail And Internet Voting

Originally posted at The Brad Blog

One month ago, The Miami Herald’s Patricia Mazzei unleashed an excellent investigative report on an attempted series of online cyberhacks of absentee ballot requests prior to last August’s primary election in Miami-Dade County, Florida.

Mazzei’s article describes the mysterious attempt by someone to request more than 2,500 absentee ballots for elections in three different Miami-Dade districts using anonymous proxy Internet Protocol (IP) addresses from foreign countries to hide the real identity of the requester. A grand jury looked into the matter [PDF] of the “phantom” requests, but was hamstrung by the fact that they were not told — the article says it was due to administrative confusion — that the initial IP addresses used to make the absentee ballot requests were actually not from overseas, but local to Miami-Dade. Had prosecutors had that information, they might have been able to zero in on the culprits, rather than close the investigation late last year without identifying a suspect.

The case has now reportedly been reopened, but the length of time since the initial event may have allowed the trail to run cold. Hopefully we will find out soon.

Last week, the story suddenly received a lot of fresh attention after it was picked up by NBC News’ Gil Aegerter, who describes what happened as the “first known case” of such a cyberattack on a U.S. election.

Setting aside, for now, the point as to whether this is the first such attack — I’ve reported quite a bit of evidence of several others over the years (the NBC report links to a number of stories I’ve broken on these matters, including one of my stories at ComputerWorld in 2007 describing a malicious virus that struck Sarasota’s contested 2006 special election for the U.S. House where some 18,000 votes ultimately disappeared from the touchscreen voting machines) — there are a few key points and lessons from this story that I’d like to underscore, despite the fact that the mainstream corporate coverage has been pretty decent here for a change.

Additionally, one of several key remaining mysteries in the story — one that I’ve been trying to make sense of over the past several weeks, since learning of the story — may now have an answer, or at least a new and troubling clue.

Potential Clue to One of the Story’s Central Mysteries

Aside from the identity of the failed “bad guy(s)” here, and why the prosecutors weren’t originally notified about the Miami-Dade IP addresses in the first place, there has been another major “unknown” in the story originally headlined by The Miami Herald as “The case of the phantom ballots: an electoral whodunit.”

That “unknown” has been how the scheme was supposed to have affected the elections in question, had it not been discovered and stopped. Since the absentee ballot requests were made on behalf of “infrequent voters” (who would otherwise be unlikely to show up to vote in person), and scheduled to be sent to their normal address, where they are registered, how would anybody then be able to use those ballots to game the elections with fraudulent votes?

“It doesn’t make any sense to me why someone would do that, because you’d still need the person to [vote for you],” said one of the NJ-based consultants for two of the candidates (brothers) involved in two of the races.

“Had the requests been filled,” the Miami Herald’s Mazzei goes on to suggest, “short of stealing the ballots from mailboxes, the campaigns would have been able to flood the targeted voters with phone calls, fliers and home visits to try to sway their vote.”

“Persuade enough of them,” she suggests, “and you might flip the race.”

But that seems a fairly sloggy way to try and have an effect on election results. On Friday,’s Bev Harris offers up a more reasonable (and disturbing) scheme that could have been planned here, had the operation not been interrupted before it fully played out.

She points out that the printing and mailing of absentee ballots is generally jobbed out to third-party contractors by election officials. The third parties are given the database of voters who have requested absentee ballots and then they take care of the job from there. Often, the company hired for this job is publicly known and vetted, but that contractor sometimes then hires yet another outfit to do the actual work of printing ballot envelopes and mailing them out to voters.

“If you have a few thousand strategically targeted extra ballots that you know are bogus, and you reroute the database to an off-the-public-record consultant during the print-and-mail phase, you can deliver those ballots anywhere you want,” Harris writes. “They can all be sent to the same address; no one would know.”

“I’m not sure what vendor Miami-Dade County is using to print and mail ballots; some Florida counties use Runbeck, out of Arizona by way of Tampa. But regardless of who they use, it isn’t the Miami-Dade elections people who actually do the mailing. Whoever does the print-and-mail phase has both the absentee request database and total control over where absentee ballots go.”

The scheme, as Harris envisions it, then would require a “bad guy” to make the absentee ballot requests and an accomplice either at the final print-and-mail outfit — or somewhere else along the chain of custody of the absentee ballot database — to change the addresses where those illegitimately requested ballots were to be sent. As prosecutors are said to be looking into this case again, they may want to ask some questions of whoever might have received access to that absentee ballot request database.
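
One control against the address-change scenario described above is to reconcile the mail manifest the print-and-mail vendor actually used against the request list the election office exported. The sketch below is an added example, not code from the article, Harris, or any election office; the record layout (voter ID mapped to mailing address), the `cluster_limit` threshold and all sample data are assumptions constructed for illustration.

```python
from collections import Counter

def normalize(addr):
    """Collapse case, punctuation and spacing so cosmetic edits are not flagged."""
    return " ".join(addr.upper().replace(",", " ").replace(".", " ").split())

def reconcile(official, manifest, cluster_limit=3):
    """Compare the election office's export with the vendor's mail manifest.

    Both arguments map voter_id -> mailing address (hypothetical layout).
    Households share addresses, so only counts above cluster_limit are flagged.
    """
    off = {v: normalize(a) for v, a in official.items()}
    man = {v: normalize(a) for v, a in manifest.items()}
    counts = Counter(man.values())
    return {
        # Same voter, different destination than the office recorded
        "changed": sorted(v for v in off.keys() & man.keys() if off[v] != man[v]),
        # Records that appeared or vanished between export and mailing
        "added": sorted(man.keys() - off.keys()),
        "dropped": sorted(off.keys() - man.keys()),
        # Many ballots headed to one address
        "clusters": {a: n for a, n in counts.items() if n > cluster_limit},
    }

# Constructed sample data: the office's export of absentee requests ...
OFFICIAL = {
    "V001": "101 Palm Ave, Miami FL",
    "V002": "202 Coral Way, Miami FL",
    "V003": "303 Flagler St, Miami FL",
    "V004": "404 Ocean Dr, Miami FL",
    "V005": "505 Bird Rd, Miami FL",
    "V006": "606 Sunset Dr, Miami FL",
}
# ... and the manifest returned by the mailing contractor (also constructed).
MANIFEST = {
    "V001": "101 palm ave. Miami, FL",   # cosmetic difference only
    "V002": "PO Box 900, Hialeah FL",
    "V003": "PO Box 900, Hialeah FL",
    "V004": "PO Box 900, Hialeah FL",
    "V005": "PO Box 900, Hialeah FL",
    "V999": "PO Box 900, Hialeah FL",    # not in the office's export
}

if __name__ == "__main__":
    for finding, value in reconcile(OFFICIAL, MANIFEST).items():
        print(finding, value)
```

The check is only meaningful if the election office keeps its own copy of the export, and the manifest comes back from whichever subcontractor did the final mailing, not only from the contractor of record.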

See the BBV article for a bit more background on some of the shady players who can be found in the absentee ballot print-and-mailing business, as well as a few more details on potential suspects in the FL case revealed by common threads between the three elections in question.