Articles:   Home     All articles on fixing elections, vote fraud, election manipulation

How to: Do Election Fraud, Steal Elections or Fix a Vote

Other related articles:
Election Fraud, Steal Elections or Fix a Vote, Motivation
How to Hack an Election Audit of Optical Scan Voting! Learn how to break MN audit procedures and get your guy in! This means you Nasty Norm and Inept Al!

Part 2 Targets and Methods for manipulating elections.

Update 2008 State Database Suppression Tactics are Hot this Year:

A widespread voter suppression tactic this year is the removal of voters from the State controlled election databases.

Depending on which state and county you can be bounced by the State and reinstated by a local county or you are removed with no recourse. Most of the time there is no notice that you have been removed from the rolls.

6 states including mine, Minnesota, have same day registration and so the effect would be to clog the lines at polling places when people re-register and delay will drive down turnout. In the other 44 states you may have to "prove" various poll tests. The effect will be to block voters or have voters vote on "provisional ballots" which means straight to the trashcan with the cheezy "provisional ballots". This will also clog the polling lines with "problem" voters to slow down the voting and delayed voters will leave without voting.

I wrote about this tactic in 2004 and called it the "Kiffmeyer Finesse", after Ex-Secretary of State Mary Kiffmeyer (Republican) rewrote the Minnesota election rules to allow this situation where targeted people can be bounced from the voting rolls too late to correct the "problem" before the election.

Another tactic of State controlled database voter removal will be the election roster books. Printed versions can have people "removed", though actually in the State database, just not in the printed version at the polling place. I can hear it now: "Oops, computer error." Electronic versions of vote rosters can just be fritzed and not work in targeted areas to cause delays or late changes to "lose" people from the rosters. Even "live" changes as the elections are in progress can occur with some computerized vote roster systems.

I expect many more absentee ballot (ballot by mail) problems too. Lack of chain of custody, "fixing" ballots after they have been sent, spoiling of many absentee ballots because of arbitrary rules, and plain old ballot stuffing of absentee ballots. Because there are so many absentee ballots and the chain of custody is poor it allows more opportunity to manipulate the absentee ballots.

UPDATE: 2008 Minnesota Recount
The U.S. Senate Franken-Coleman recount in Minnesota (MN), my home state, is centering on the absentee ballot spoilage rate. The spoilage rate is about 20 times higher than the machine counting spoilage rate, (0.2% according to Joe Mansky from Ramsey County Elections who uses Diebold Accuvote scanners,) and there were problems of not finding registrations in the State registration database as well as arbitrary rule application to qualify absentee ballots. As of today Nov 26, 2008 Mark Ritchie Secretary of State says there are 12,000 uncounted absentee ballots or 12/288 = 4.1%+ spoil rate.

That is huge.

Absentee ballots were close to 10% of total ballots cast this year, much higher than previous years, so this spoiled absentee class of ballots is a large pool of ballots, certainly enough to swing the few hundred difference found in the results certified by the state which triggered an automatic hand recount.

Absentee ballots as done in Minnesota are a weakness in the election system and an attack point for election manipulation as many cases have been seen in the past in many other states. Early voting systems that are in other states remove many of the problems of absentee ballots being used for early voting as is the case in Minnesota. An early voting system that mimics regular voting closely seems to be a better system for voting early rather than using the absentee ballot system that is geared for voting from a distant location.

Are the problems with computerized voting machines or ballot scanning systems are fixed? No, it is probably just as bad this year, or worse, since there are more of them and the problems have not been solved or cannot be solved. High cost, loss of ability of local jurisdictions to run an election, technical errors, opportunities to "fix" elections, all still exist.

End of Update 2008

Here is an analysis of vote manipulation for stealing elections as a security process, this is part two, Who does vote fraud and motivation is part 1. A real life example of holes in optical scanner voting is described in Ramsey County Minnesota Public Elections Test.

As described by Bruce Schneier in the book "Secrets and Lies" security has at least two sides, the attacker and the defender, and the attacks can be analyzed by target selection, analyze a target, access a target, attack a target, avoiding detection and escape. On the other side is protection, attack detection, reaction to attack and remediation of damage. In this section I am looking at the election process as targets of security penetration with the goal of the compromise of fair elections.

Distribution vs Centralization in Elections

An election is complex in the USA, there are no set ways of conducting elections, every state has different laws and rules, equipment and social processes. In fact, almost every county can have differing methods of voting and is a locus of decision making for large parts of the election process. One result is a lack of standards for elections including voting eligibility, counting procedure and recounts, district mapping, absentee balloting, provisional balloting, election equipment and procedure, reporting results, etc. As with any security problem with a myriad of target types the methods of manipulation are many and varied and can be fine tuned to a few critical units. This lack of standards has serious security implications. There are over three thousand counties in the USA and many voting process targets, such as counting absentee ballots, can be attacked differently in many locations which makes detection of attacks and protection from attack very difficult. Add to this that target selection has been made easy with the application of cheaply available technology and equally cheap public data. A simple PC and a database program or spread sheet is enough technology to sort targets by vulnerability or effectiveness for attack. Public available data files such as public voting records from the Secretary of State, ( about $45 for the data set from the State of Minnesota, ) and the US Census are enough data to fine tune a set of targets figure out vulnerabilities and organize subsets of targets by method of attack. Lack of standards and cheap availability of target selection technology points to an increase in vote manipulation in the USA.

On the plus side is that the distributed responsibility and processes of the elections makes it difficult to control or attack centrally. 100% voted for the ruling party is an unlikely scenario with over 3000 counties and 50 states counting the vote totals, setting voting eligibility and procedures. Of course, no one needs 100%, just 50% plus one vote. The centralization of voting lists under state vs county control, the counting of votes with electronic voting procedures is eroding the distributed nature of voting and inserting many central points of attack in the process.

A possible solution is an improvement to standards for such things as voter eligibility, registration, counting, recounting, voting procedure, reporting results, district mapping, and other issues while keeping the distributed responsibility for implementation and counting at the county level. This may drop the target variability for similar processes, making protection and detection of attack on the voting process easier with fewer types of targets available, yet keep widely distributed powers in the process, making central manipulation difficult. Supposedly HAVA, the Help America Vote Act was ment to be a means of setting some national standards, yet as now implemented seems to add some very nasty compromises to the voting process.

HAVA examples of problems:

- Provisional ballots, no standard for counting them has been established, just that they can be cast. This pool of votes could be exploited like absentee ballots have been or the pool of non-active voters (voting while dead).

- Central database of voters by state allow Secretaries of State to inject their influence into the voter lists. In Minnesota, for example, the Secretary challenges any voter that does not match exactly the names and drivers license/state ID number. Yet instead of using the drivers license/state ID database as the source of voter registration (ultimate motor voter) the voter enters that information separately, a guarantee of data mismatch.

- In Minnesota ES&S reported lobby expense went from $0-2003, $7000-2004, $40,000-2005. Because of HAVA, in 2005 all Minnesota counties adopted ES&S ES&S' Model 100 precinct-level ballot counters with an Intel processor, and QNX operating system, and PCMCIA memory cards. and ES&S' AutoMARK Voter Assist Terminals for disabled access, except for the few counties that already had Diebold ballot scanners. Deibold reported no lobbying expenses and sold no machines. The contracts netted ES&S an estimated $39 million of the $44 million in HAVA money for Minnesota, not a bad return on $40,000.

Before HAVA, many of the rural counties used hand counted ballots. Now most of them do not have the staff to run an election, they must use ES&S technical staff. A central point of election tampering has been inserted into the process. A software "update" by ES&S and most of Minnesota voters can be affected. Ballot scanners run software, the software can be cracked, a central controlled non-public technical staff is in place to install the software and is responsible for "counting".

In Ohio in 2004 during a few days just before the election and after the election according to data at the central vote tally systems were switched from the state ip addresses to servers at an Internet Provider (IP), Smartech, controlled by the Republican National Committee, the address block includes same set of servers that Karl Rove seems to have lost the email of the lists of U.S. Attorneys that were fired. The vote tallies were then controlled by partisans, the same trick was done in 2006, why mess with success. RNC controls Ohio Election (Slashdot) This was only possible with the power of the Secretary of State (SOS) of Ohio, the chairman of the Bush re-election campaign, possibly neutral technical staff controlled the tallying servers in Ohio so maybe they switched the servers away from the state to an easier to control environment. This switcheroo was effective, when caught after the fact Ohio has not changed a vote or election result. Soon after the election the tally servers were switched back to State of Ohio. Central tallying as part central control of the state election process allows tampering at a vulnerable choke point.

Because of HAVA expenses and complexity for elections are going up. ES&S Project support, election support, verification testing is over $1000/per day per item with contract minimums of 3 days. Elections are becoming expensive, more than the basic pens and paper ballots, combined with lack of expertise to run elections and you have a restriction on democracy, elections themselves are becoming difficult, much less is the difficulty in stealing them. All the technical gizmos and setup must work for an election to occur, what happens when the process fails and the election process falters and does not complete?

Election Targets Include The Entire Voting Process

Many targets and methods of attack are not just for election day, as the election process is not a one day discrete act but has operation rules, registration, census taking, re-districting, multiple elections per year for different political units, like school, city, county, state primaries, special elections, etc. As a continual process it can be compromised at any point in the process and many methods of manipulation of election process targets can widely affect all elections as well as just manipulate discrete election results.

Central attack points allow wide manipulation effects in elections. Usually these involve political office holders such as the Secretary of State and the centralization of power to affect the process. The classic example is the year 2000 election when the Florida secretary of state Harris sent out a list of 50,000 voters to the counties to drop from the registration list because of a central access point into the election process. Now, other secretaries of state are using the HAVA federal voting legislation to insert access to the voter lists into the election process.

Example of Inserting Security Problems with Voting Rule Manipulation

One example was reported July 23, 2004 when Republican Mary Kiffmeyer, the secretary of state of Minnesota, wrote election rules to supposedly implement HAVA without public hearings. Some of the election rules were overturned by a State Administrative Law Judge. But then they were rewritten without any hearings, again, to do essentially the same thing and became official election rules a month before primary elections. Check Google for "Kiffmeyer election rules."

One set of rules in particular creates very easy challenges of voters who could be barred from voting if the voting information was not exactly matched by "official" databases. So, if the voter data had "Joe X. Blow" but some Department of Public Safety database says "Joe Xavier Blow", a voter could be barred from voting. What is more, if the Secretary of State challenges voters the County auditor must verify the voter in ten days or the voter is barred from voting and must re-register.

A method of distributed denial of service (DDOS) attack on the voting process I will call the "Kiffmeyer Finesse" would be to drop voter participation in targeted precincts by challenging thousands of voters in a county for not matching exact data from the non-specified Public Safety or Social Security databases or other non-specific problems close to the time that the lists must be created for an election. The precincts and the voters are easily targeted because all the election results are also centrally located in the central database. An outside contractor could compare political party donation databases, interest group lists, credit card, finance data (home owner vs renter), health data, etc., to refine the challenge lists to specific political characteristics. The Department of Public Safety databases have other characteristics such as criminal records, general police incident records, court records, physical attributes (brown vs blue eyes), id photos, race data. A finely tuned challenge list is created, shades of Florida, and sent to the counties a day or two before the election roster deadline.

The counties have limited staff, yet are responsible to verify the challenged voters in only ten days, however this is only a day or two before the election lists must be created and the county staff gets overwhelmed and only verifies several hundred of the thousands of voters challenged. The "finesse" is that unlike Florida, the Minnesota county cannot just reject the changes to the list, the master list is now controlled by the Secretary of State of Minnesota with power to add and drop voters and the challenged voters not verified by the county are dropped. The voters then show up at the poll, but surprise, they are not on the list as registered voters and get questioned by judges, slowing the voting process at the targeted precincts and dropping voter participation because as lines grow long people will leave as well as voters that are turned away or marked "provisional" if they cannot convince the election judges that they are proper voters. Meanwhile, in the non-targeted precincts very few such problems occur.

To defend from this attack is difficult, no audit process is in place to prevent the Secretary of State from using any criteria they wish to check a specific set of voters for minor data differences in "official" data sources. Also, the timing is up to the Secretary of State. Masking attack targets by sprinkling challenges across counties and precincts can confuse an audit scheme. Unlike Florida, the county officials cannot just reject the voter challenges by the Secretary of State, but must accept them until proven otherwise by the county.

Many other rules also had the effect of moving the decision power from the county level to the secretary of state, weakening the distributed nature of the election process and making the process vulnerable to central attack points.

Some Attacks Enable Other Attacks

Lowering voter turnout, like the example above is a strategic plan, making many attacks on specific tactical targets much easier.

An interesting wide spread attack I noticed in the 2004 presidential election: touch screen voting was used as a vote suppression system. Touch screen vote systems can only process a voter every 2-5 minutes, in comparison a vote scanner system can process a vote in a handful of seconds, at least a magnitude of 10 times faster. Many seemingly targeted precincts had a shortage of touch screen voting machines causing long wait times to vote.

Time in line is a factor in final vote count as is cost to the government (usually county) that implements an election. Touch screen is both more than a magnitude of 10 more expensive AND slower, guaranteeing a suppression of turnout in districts that supporters of touch screen systems want to suppress most, poor precincts that have a history of not voting Republican. If the counties that had touch screen voting and long wait times had bought new ballot scanner systems the final counts would be far different.

Vote scanners are far cheaper and can service huge amounts of people with one scanner in a short time interval, maybe more than 20 per minute vs. as few as a dozen per hour with a touch screen system. Also, scanner ballots can be held and counted later, when a touch screen system is out of commission the vote is very effectively suppressed. This is not to say that vote scanners cannot be manipulated or are a perfect system, but they can count a lot of votes in a short time.

In the USA where voter turnout is very low for primary elections (10%-20%) and commonly less than fifty percent for even a presidential election in many states. A primary may be the target rather than the final election where all real choice is made before the big show. So a target election where the turnout is 10-15% will be affected by a small manipulation, and a small manipulation is easier to hide from detection or evade reaction or avoid remediation. Combination attacks could be very effective, a "Kiffmeyer Finesse", to target opposition precincts with voter challenges, can make effective other narrow effect attacks such as changing some poll stations in the target precincts to confuse the voters, setting up some speed traps or police activity, road closings, shortage of ballots, lack of election judges, some voting equipment problems or electric power outage with plenty of provisional ballots and the combination could effectively change the results of target elections. The fact is that many small manipulation tactics have a better chance of success with little chance of being caught or if caught, little consequence or penalty.

Wide Participation is Protection Against Manipulation

One of the best protections against manipulation is wider participation in the actual vote. This stops many attack targets from being effective, it shrinks the pool of inactive voters and neutralizes that basic fact that a crucial attack target is suppressing the vote turnout and that suppression of the vote enables other attacks to be more effective, especially small combination attacks.

I see no move by the major parties, Democrat or Republican, to do much for this basic protection of the voter process in the last 25 years. Same day voter registration (only in six states), lowering the voter age to age 18 from 21, "motor voter" registration (registering people voluntarily when applying for drivers license) were initiatives by the Democratic party during the Nixon backlash of the late 1970's. But effectiveness of some of these measures has been compromised by lack of follow through. Motor voter registrations never getting on actual voter rolls, lack of registration of 18 year olds (drivers are not registered at 16 when they get a drivers license and is not a requirement of a high school diploma or GED of any citizen.)

What are the barriers to voter participation?

Voting itself is a sacrifice for the participant without much reward except an "I voted" sticker and a vague sense of do-goodedness. To do this act one has to take time to find out how to register, then register to vote, which exposes the voters name and address to exploitation and jury duty, take time to find the polling place and vote. Or go through some process to get an absentee ballot and send it in. About as much work as driver license renewal, without the more tangible reward of being able to drive a vehicle. And it must be done typically on a Tuesday between 7am and 8pm, a work day, with the possible loss of income and inconvenience for child care, job responsibilities, etc. Though my state says that a few hours can be taken off work to vote without penalty my guess is that this is not really done.

The barrier of voter registration is part of what keeps participation low, people who see a process that has no rewards and that has substantial penalties are not going to go out of the way to register to vote. Several methods of dropping barriers to voting registration can be implemented, including automatic voter registration of eligible voters with drivers license application, automatic voter registration of eligible public school students, same day registration, (which only six states have, all with more than the average voting turnout.)

Dropping barriers to actually voting include having paid public holidays during statewide voting, tax incentives to voters, schools and child care available, free public transit on voting days, but nothing has happened for decades. Political advancement in removing the barriers to registration and voting will be difficult as the people who hold power have no incentive to implement any advantages or removing the existing barriers, in fact the barriers are increasing, notably the "provisional vote", which ment that even if you pass the current barriers to cast a vote it gets tossed or manipulated.

Wide Effect Attacks

The classic attack on the voting process is gerrymandering or the creation of election districts for various political offices such as Congress, Legislature, judge, etc., which used to be at 10 year intervals that followed the Census update, the count of people and where they live. Now, however, with the easy access to analytical data and technology there is continual redistricting in several states, such as Texas and Colorado where Republicans now have taken full control of the the state apparatus and are trying to perpetuate that control by concentrating opposition voters into a few districts and dispersing others. If you can draw districts that elect the incumbents or unseat the opposition you can control the elections. This may be one of the most important set of manipulating tools available.

There are no set ways to create election units, it is raw political power that decides this process.

The effects of gerrymandering are clear, as a friend says, "Gerrymandering discourages votes in districts where people know their candidate is going to lose. Most would not consider this fraud, it definitely helps eliminate close election races. I suspect gerrymandering has a much larger effect on democracy than everything else ..., if you can believe media spouting about only 2% of elections are contested races." Low voter rates help perpetuate the incumbents in power.

Targets to attack the redistricting process: Start with the US Census, as manipulation of the numbers can give you a basis for redistricting in your specific model. Control the legislative body that sets up the districts. A key target is the control the judiciary process which is where many of the district mapping processes end up. Defending against a gerrymander attack is difficult.

Limit Candidates and party participation: One man, one vote sounds good until you realize it could literally be one man running. Or one party or just two parties. Limiting candidates and political organizations will drop participation and effectively manipulate the outcome to an easily controlled few choices.

Narrow Effect Attacks


Multiple Attacks on Voting Ensure Successful Manipulation of Elections

Multiple attacks using many methods have been the history of successful manipulation. Each attack method may be a small effect but the cumulation of effects moves the election result to the desired outcome.

For example, multiple voter suppression techniques were used in Ohio 2004 and other elections to suppress participation including rejecting registrations filed on the "wrong paper weight" form, "losing" registrations of target populations with phony registering agents, absentee ballot suppression of targeted populations, "provisional ballot" non-counting of targeted populations, lack of voting equipment in targeted precincts, moving voting locations to cause confusion, etc. Combining the suppression with multiple manipulation of vote counting and about a 5% change from exit polls was effected in several states.


Below are draft notes that are not yet addressed.

Barriers to registration:
  - inconvenience to register, make the procedure difficult.

  - scare people off, make registration intrusive, or in a scary place such
    as a police station.

  - onerous side effects of voter registration such as jury duty.

  - Tests such as property ownership, "literacy", "language"
     - subjective tests especially aimed at specific classes of people.

  - legal status of classes of people barred from voting, past or
    current legal criminal status, high voting ages, age limits.

Manipulation of registration data in control of the state:
  - "lose registrations", computer "error", human "error"

  - removing classes of citizens from voting lists without verification.

  - target removal of registrations to special geographical or other
    data characteristics of voter data. (Names, ages, etc)

  - Inactive voter pool.
     - Leave plenty of dead and inactive voters on the lists to 
       allow a large pool of possible manipulation later.
       A large pool of inactive voters leaves opportunity to scatter
       a few critical fraud votes over the inactive domain to 
       avoid a detectable pattern.

  - "Helpful" registration for certain classes of voters but not others
     - fixing registration forms after the fact.
     - lax authentication.
     - automatic registration of certain classes of voters.

Attack opposing party organizations:
  - Bar candidates from the ballot.
  - Attack the party organizations by denial of service attacks on
     party offices, phone banks.
  - Paramilitary raids on headquarters,
     file trumped up charges, jail party leaders.
Voting day mechanics:
  - Inconvenient or restricted voting hours, for example a work day
    that is not a holiday, opens late or closes soon after work 
    hours (7 or 8 pm).

  - Excessive cold, heat or other stressful conditions in the voting place
    or weather.

  - Cause riots or disturbances during voting hours in targeted
    districts or targeting classes of citizens ( women, racial, clothing
    type, etc.) Could be perpetrated by military, paramilitary (police)
    or goon squads.

  - Declare "civil emergency" alerts (like Government terror warnings
    or third party bomb threats) to drop voter turnout. Can be targeted
    to specific districts or regions.

  - Shortages of:
       - Ballots
       - Polling workers
       - Voting machines
       - early closing hours
       Target shortages to specific locations.

  - Inconvenient polling locations, 
       - difficult to get to (automobile access only, 
         no public transport, not accessible to handicapped, 
         under construction, "hidden" location)
       - change voting locations often. 
       - power outages to add inconvenience.
       - construction and detours near polling places, can be done the
         day of the vote to block participation.
       - change locations just for special districts or votes. 
-Ballot manipulation:
  - complex ballot layout
  - confusing ballot layout
  - position of names or issues on the ballot
  - manipulate wording of propositions, referenda
  - Shortages of ballots in targeted locations.

Voting machines have another access point to manipulation, the
technical staff, usually a private contractor that services and 
programs the voting machinery.

- complex machine-human interface exploits
- complex ballot layout as a byproduct of machine interface
- secret software for machines
- access to machines for mechanical or software manipulation
- break machines in targeted districts
- technical software manipulation widespread, or targeted to specific 
  polling places.
- power outages in districts with dependencies on electronic voting machinery.
- Cannot verify software used on ES&S Model 100 ballot scanners:

Vote counting:
- change of counts at precinct
- change of counts at districts
- change of counts at county
- Throwing out cast ballots to some manipulated standard.
- Provisional ballot count process manipulation.
- Absentee ballot count process manipulation.
- Lack of control of ballots allowing ballot box stuffing with regular,
absentee or provisional ballots.

In conclusion, targets can be affected by many strategic and tactical methods of manipulation spanning long intervals of time, not just election day. Protection, detection and reaction are difficult problems.

Related Voting articles

List of articles on fixing elections, vote fraud, election manipulation

The views and opinions expressed in this page are strictly those of the page author.
The contents of this page have not been reviewed or approved by the University of Minnesota.