August 23, 2017

Woman Registers Dog to Vote, Demonstrates Ease of Fraud

A woman in Seattle registered her dog to vote, and submitted absentee ballots in three elections on the dog’s behalf, according to an AP story.

The woman, Jane Balogh, said she did this to demonstrate how easy it would be for a noncitizen to vote. She put her phone bill in her dog’s name (“Duncan M. MacDonald”) and then used the phone bill as evidence of residency. She submitted absentee ballots in Duncan’s name three times, each ballot “signed” with a paw print. She says the ballots did not designate any candidates and only had “void” written on them, so the elections were not affected.

Nevertheless, she broke the law and now faces charges.

This relates to an issue every applied security researcher has faced: how to demonstrate a security problem is real. People take a problem more seriously when they have seen a real, working demonstration of the problem – otherwise the problem will be dismissed as theoretical. Often there is a lawful way to demonstrate a problem, for example by “breaking in” to your own computer. But sometimes there is no way to demonstrate a problem without breaking the law. Careful researchers will stop and assess the legality of what they’re planning to do, and will hold back if the demo they’re considering breaks the law.

Ms. Balogh went ahead and broke the law. Beyond that (serious) misstep, she did everything right: admitting what she did, avoiding any side-effect on the elections by filing blank ballots, and leaving obvious clues like the paw prints.

Fortunately for her, the prosecutor decided not to charge her with a felony but instead offered to let her plead guilty to a misdemeanor, pay a $250 fine, and do ten hours of community service. She was lucky to get this and will apparently accept the deal.

Any readers considering such a stunt should think again. The next prosecutor may not be so forgiving.

Comments

  1. So how should she have made the point and got attention without breaking the law? People have been saying that this is terribly insecure for ages. Has anyone listened?

  2. Great. Is there any better way to discourage the “good guys” from researching flaws and bringing them to attention, _before_ the “bad guys” find the flaws and exploit them?

    Last time I checked, it was easier for the individual, and much worse for the society at large, to keep quiet about the fraud you committed.

    This system is so unbelievably stupid.

    Or would you prosecute the guy who just brought you back your wallet _together_ with the $1000 in it?

    Right, me neither. I do not want to discourage people being honest. So, why do we _accept_ a legal system like this?

  3. I R A Darth Aggie says:

    Has anyone listened?

    Yes. Certain jurisdictions have proposed issuing picture IDs as voter cards. Invariably, such an effort gets tied up as being either racist or otherwise discriminatory against minorities, even when the cost of such a card is born by the issuing agency.

    So nothing happens. This leads me to believe that there are entrenched entities who have no interest in fixing things, just “fixing” things.

  4. Liam Hegarty says:

    I’m wondering if she actually did break the law. It seems to me that there most likely be an intent to commit fraud or intent to affect election portion of the law. If so, she lacked the necessary intent to break the law. If the law doesn’t have such an element, then people who submit forms with innocent mistakes could be criminally liable.

    In fact she said so herself, “I wasn’t trying to do anything fraudulent. I was trying to prove that our system is flawed. So I got myself in trouble…”

    As a recovering criminal attorney, I wouldn’t be so quick to advise my client to take a plea resulting in a criminal record. Of course I last practiced law 12 years ago and even then I wasn’t so hot.

  5. Another Kevin says:

    @ Liam Hegarty

    You present a fairly weak legal theory for the defense. The Washington statute in question appears to be:

    http://apps.leg.wa.gov/RCW/default.aspx?cite=29A.84.130

    The legal standard that applies is “knowingly” rather than “willfully” – so the defendant can be convicted if a reasonable person in her circumstances should have known that the information provided was false. It would appear that the “knowingly” is in the statute by design, so that the State need not establish mens rea, but can convict upon actus res plus a “reasonable” standard.

    I’m surprised that the judge and prosecutor had enough discretion to reduce the charges. Typically, nowadays, the law provides for Draconian penalties that judges and prosecutors cannot waive, whatever the extenuating circumstances.

    @ Gerv

    The answer in this, as in all cases of civil disobedience, is that a dissident breaks the law (to follow a “higher law”) in the public spotlight, accepting the unjust punishment and trusting that the absurdity of the situation will provoke changes in society. The principle of, “If you can’t do the time, don’t do the crime,” is fundamental to the civil disobedient. Perversely, treating civil disobedients mildly can delay the fundamental changes because it defuses the public outrage.

  6. The principle of, “If you can’t do the time, don’t do the crime,” is fundamental to the civil disobedient.

    Oh, bullfeathers.

    That’s only Thoreau’s loopy philosophy. And it’s been perverted into an excuse that every single activist, performing constitutionally protected activities, is just begging to be arrested on some trumped-up excuse. If you want to be arrested for no reason, well, that’s your problem.

  7. Anonymous says:

    The lady should not accept the plea, or enter any plea at all. She should make the State prove its case, entering all of the insanity as incontrovertible evidence. At some point — probably at sentencing — the question “Why did you do this?” will be asked, and that’s the right time to explain the situation.

    However, she would probably be sent to jail for forcing the government to prove it is wearing no clothes. As they say, no good deed goes unpunished.

  8. I would suggest that the time she spent concocting and executing her “crime” be counted as her community service.

  9. Can anyone explain the problem with requiring photo ID to vote? I mean, explain it like you would to a 5th grader.

    Every time the issue comes up, someone shows up on TV, states “I hereby play the race card” and the idea is dropped until after the end of the current election cycle.

    How is a photo ID requirement racist, or classist, or whatever PC-protected group-ist? Who the hell doesn’t have photo ID these days, anyway?

  10. James,

    I doubt this explanation would satisfy a 5th grader. I don’t think most 5th graders understand all of the complex issues leading up to Civil War—or the War Between the States—if you prefer that appellation.

    But federal mandates on the states have already made it increasingly difficult for some citizens to satisfactorily prove their names and current residence. The REAL-ID act will exacerbate these problems.

    A federal “no-vote list” is probably less worrisome than a federal “no-work list”. But I think it’s more worrisome than a federal “no-fly list”.

  11. Lawrence D'Oliveiro says:

    It seems to me the only legal recourse is, having worked out the details of the vulnerability, to publish them for all the world to see. Let somebody else prove the point by breaking the law.

  12. All 13 comments so far show the real problem: the discussion is about the sentencing of the perpetrator, not about the security implications of the voting fraud.

    I guess the real problem with doing “illegal” research is that even if it were to benefit a society, everyone would get distracted by the question if such research should be punished and thus give the state a solid excuse to do nothing…… again.

  13. Many of the “vote only with photo ID” plans also have the problem that they constitute an illegal poll tax. Some of them have required payment outright, others merely require would-be voters who don’t currently have photo ID to take a day off work and travel to the next county. (Furthermore, the only reason that photo ID seems a reasonable solution is that most of us don’t think it would be worth the trouble of acquiring false ID just for the purpose of voting — it’s easy enough for other purposes.)

    Is there any system other than prosecutorial discretion that would work to insulate nominally law-breaking researchers while not also insulating real criminals? I hate the idea that the government would be in a position to license certain people to break certain laws, because of the possibilities for discrimination and for gaming.

  14. Anonymous says:

    “Let somebody else prove the point by breaking the law.”

    Had Jane Balogh come to this forum and suggested, as a test, that someone register their dog to vote, complete with paw prints, and actually submit a voided ballot … she would have been laughed at, people saying “No one would fall for this blatantly obvious, almost juvenile, prank. Not even the government agencies that monitor the sanctity of the elections that create the government itself could be populated with such terminally credulous employees.”

  15. @Another Kevin
    not all crimes have draconian punishments; generally only drug and violent crimes have them. And few if any statutes restrict the ability of a prosecutor to decide what crime to charge a person with. Prosecutors have nearly absolute authority to decide who and what to charge; when they claim not to have discretion, they are nearly always lying. What’s described here is a garden variety plea bargain. You plead guilty to a misdemeanor with this reasonable sentence, and the state forgoes seeking a conviction on a more serious crime with a harsher potential sentence.

    And a small fine is appropriate here because by going public with this, she will encourage copycats who may not be so honest, and something to deter her is therefore reasonable.

  16. Richard Johnson says:

    How, beyond the cuteness factor of using a dog’s paw-print, does demonstrating an exploit for a known and accepted vulnerability in voting by mail do any good? After all, it’s not like this woman was breaking new ground and telling us about some novel attack that was formerly regarded as impossible.

  17. One thing that could be done is to change the law such that if the bogus ballots are all explicitly void, so they cannot possibly count for or against any candidate, the felony charge of election fraud is not applicable. That still leaves misdemeanors that can be used if someone does this obnoxiously, from public-nuisance laws to obstruction of state officials in the performance of their duties and perhaps some form of lesser perjury or contempt. (Meanwhile, I’d like to see certain acts, like editorial staff putting a dog like Anna Kournikova on the front cover of the Sports Illustrated Swimsuit Edition *again*, fall under “defacing a national monument”. :P)

    P.S. why was there a machine other than a Web server at the address “www.freedom-to-tinker.com” resolved to earlier today? That obviously should not happen; if a machine is at a “www.*” address it should certainly respond sensibly to HTTP traffic received at port 80. Yet whatever was at that URL for several hours this morning was obviously not a Web server, seeing as the machine in question was up (i.e. not timing out/unreachable) but had port 80 closed to inbound traffic. That isn’t a plausible state for even a poorly configured Web server; it indicates that the machine at that address at that time was not, at that time, configured as a Web server at all.

    Was the server hacked a third time, and reconfigured to something other than web server? (e.g. botnet zombie). If so, why haven’t you found a better host for this blog yet? The one you’re currently using (reeks of Dreamhost) is obviously no great shakes when it comes to security, and a security professional hosting a security blog on a server with obviously awful security is going to start looking foolish in front of six and a half billion people if that state of affairs persists for too long. What did the host do, dump Linux/*BSD+Apache for Windows Vista Server + IIS? Nothing else seems plausible as an explanation for the nosedive the host’s resistance to compromise has visibly taken recently.

  18. Lawrence D'Oliveiro says:

    Had Jane Balogh come to this forum and suggested, as a test, that someone register their dog to vote … she would have been laughed at …

    That would be true … for most of the audience. But somebody would be bound to give it a try. And when they do, that would prove the point.
    That would be true for any other security vulnerability. Most of those reading about it would not believe it could be so simple. But someone among them will try it, and show it works.

  19. graphex says:

    Look at Australia’s system – voting there is compulsory. You must show up to the polls to be counted on voting day or you are fined. For those whose religious or cultural ties dissuade them from voting, they can certainly refrain from voting but must be checked off the list nonetheless.

    I’m not saying that compulsory voting would be my recommendation for the US, or even logistically possible, given our apparent lack of ability to deal with even the paltry 60% who sometimes vote, but I do think it is worthwhile to look outside our country a bit more for some guidance.

    And heck, if my dog weren’t such a hardline communist, (she is a Siberian after all) I’d consider letting her vote in the next election. Something tells me she’d have some trouble with Diebold’s machines, but because she has an implanted microchip, identification should not be a problem.

  20. That’s a load of crap. She is helping their security and she made it as obvious as can be while not affecting the vote at all. She should be given an award, not a punishment.

  21. Harry Day says:

    I believe she was trying to demonstrate a very valid point, that it is so very easy to register that the government will do anything for a potential voter.

    and by the way, graphex, I laughed my head off when you said
    “And heck, if my dog weren’t such a hardline communist, (she is a Siberian after all) I’d consider letting her vote in the next election.”

  22. I think that She made a good Point. The fact that she was Given a fine think is wrong. Her demonstration speaks to those in power who dont Always follow the system. The government made the mistake of contacting her to allow her dog to register to vote. This raises the question, Who exactly can be allowed to vote? I think That our government needs to be more Accurate about who they contact or allow to register as a voter. I find it very humurous, wow, maybe my dog or cat one day may be allowed to vote. Obviousely If they are contacting them for a voters registration. Intersting thought, Huh.

  23. Pause For Thought says:

    Keeping in mind that her only crime was checking a box saying the above is true is funny to say the least.

    If she has simply wrote on the registration form “on behalf of by (her name)” she wouldn’t have commited any crime.

    At that point they would have chased after the Dog. If you think that is crazy then keep in mind they served the Dog notice of challenge to vote. That’s right the Dog was served papers to contest his eligibility to vote because the laws require the person (or I guess name on the roll) to be presented wth notice.

    That almost implies that the Dog had the right to defend his self and say woof woof I was born in the USA woof woof and why shouldn’t I have human rights woof.

    The government is retAAAAded