The case of the phantom ballots: an electoral whodunit

The first phantom absentee ballot request hit the Miami-Dade elections website at 9:11 p.m. Saturday, July 7.

The next one came at 9:14. Then 9:17. 9:22. 9:24. 9:25.

Within 2½ weeks, 2,552 online requests arrived from voters who had not applied for absentee ballots. They streamed in much too quickly for real people to be filling them out. They originated from only a handful of Internet Protocol addresses. And they were not random.

It had all the appearances of a political dirty trick, a high-tech effort by an unknown hacker to sway three key Aug. 14 primary elections, a Miami Herald investigation has found.

The plot failed. The elections department’s software flagged the requests as suspicious. The ballots weren’t sent out.

But who was behind it? And next time, would a more skilled hacker be able to rig an election?

Six months and a grand-jury probe later, there still are few answers about the phantom requests, which targeted Democratic voters in a congressional district and Republican voters in two Florida House districts.

The foreman of that grand jury, whose report made public the existence of the phantom requests, said jurors were eager to learn if a candidate or political consultant had succeeded in manipulating the voting system. But they didn’t get any answers.

“We were like, ‘Why didn’t anyone do something about it?’ ” foreman Jeffrey Pankey said.

The Miami-Dade state attorney’s office could not find the hacker because most of his or her actions were masked by foreign IP addresses. But at least some of the ballot requests originated in Miami and could have been further traced, The Herald found.

Prosecutors did not obtain that information as part of their initial inquiry, due to a miscommunication with the elections department.

On Friday, a day after The Miami Herald brought the domestic IP addresses to its attention, the office of State Attorney Katherine Fernández Rundle said it is reviewing them.

Under state election laws, only voters, their immediate family members or their legal guardians can submit absentee-ballot requests. Violations may be considered felony fraud.

The thwarted attempt targeted voters in three districts: Democrats in Congressional District 26, where four candidates — including a suspected ringer criminally charged Friday with federal elections violations — were vying to take on vulnerable Republican Rep. David Rivera; and Republicans in Florida House districts 103 and 112, two competitive seats.

Nine candidates were involved in the campaigns: Joe Garcia, Gustavo Marin, Gloria Romero Roses and Justin Lamar Sternad in District 26; Manny Diaz Jr., Renier Diaz de la Portilla and Alfredo Naredo-Acosta in District 103; and Gus Barreiro and Alex Diaz de la Portilla in District 112.

Garcia, Diaz and Alex Diaz de la Portilla won their primary races, all by comfortable margins. In the end, the phantom absentee ballots would not have changed the results.

But there was no way to know that at the time. And the ballots would have brought more voters into the light-turnout election. The phantom requests targeted infrequent voters who had not applied for absentees, most of whom wound up not voting in the primary at all.

Only candidates, political parties and committees have access during an election to lists updated daily showing which voters have already requested and returned absentee ballots.

Garcia, Marin, Romero Roses, Diaz and Barreiro denied any involvement with the phantom-requests scheme.

So did Renier Diaz de la Portilla and a key consultant for his brother Alex, who declined to comment.

Naredo-Acosta, who did not visibly campaign, could not be reached. And Sternad, who pleaded not guilty Friday to charges that he lied on his federal campaign reports, declined to comment through his attorney, Rick Yabor.

There are links among some of the candidates who ran in different districts.

Sternad hired as his campaign manager Ana Sol Alliegro — an old flame of Alex Diaz de la Portilla who supported him in his race last year, according to rival Barreiro. Renier Diaz de la Portilla hired his brother to run his campaign, and both shared several political consultants.

But the family had nothing to do with phantom requests, Renier Diaz de la Portilla said.

“Absolutely not,” he said.

He was echoed by Elnatan Rudolph, head of the New Jersey-based Cornerstone Management Partners, a key political consultant for both Diaz de la Portillas.

“It doesn’t make any sense to me why someone would do that, because you’d still need the person to [vote for you],” he said.

Had the requests been filled, short of stealing the ballots from mailboxes, the campaigns would have been able to flood the targeted voters with phone calls, fliers and home visits to try to sway their vote.

Persuade enough of them, and you might flip the race.

The hacker adjusts

When the phantom requests were initially flagged, elections staff telephoned a dozen of the targeted voters to check whether they had really asked for absentee ballots. They hadn’t, said Rosy Pastrana, the deputy elections supervisor for voter services.

Lynn Sargent, 23, said she received an email July 8 confirming her absentee-ballot request — even though she had never submitted one.

“I was definitely concerned when I got it,” said Sargent, a Miami-Dade native who had recently moved to Connecticut. But the ballot never arrived, and she voted in her new state.

Once the department knew the requests were phony, it blocked the 15 IP addresses from which they originated. It took several tries — the hacker simply switched to a different address — before the requests stopped.

“Every time we saw that pattern, we would block the IP,” said Bob Vinock, an assistant deputy elections supervisor for information systems. “I guess they finally gave up.”

Then came the hardest part: trying to figure out who did it.

Pastrana, the deputy elections supervisor, sent a letter outlining the local findings and a list of 12 foreign IP addresses to the state attorney’s office on Aug. 8, records show.

On Aug. 21, Thomas Haggerty, a prosecutor in the cyber crimes unit, noted that the IP addresses were foreign, registered in India and the United Kingdom.

“The person requesting these ballots is obviously using a software/service/proxy servers to mask their true IP address,” Haggerty wrote in an email to Johnette Hardiman, the prosecutor leading the review. “These are probably a dead end.”

In December, as the state attorney’s office prepared its grand-jury report on absentee ballots, prosecutor Tim VanderGiesen, who was not involved with the August inquiry, got back in touch with elections. It wasn’t until then — four months later — that elections IT staffers realized Pastrana had never sent the state attorney’s office three additional IP addresses, corresponding with the very first phantom requests from early July.

All three addresses were domestic — at least two of them in Miami, a quick search of online IP addresses shows. The location of the third U.S. address is unclear.

The delay in providing the addresses to prosecutors was an oversight, Vinock said. On Dec. 12, he emailed the addresses to VanderGiesen. But they appear to have been lost in the shuffle.

A month later, on Jan. 15, Jose Arrojo, head of the public corruption unit at the state attorney’s office, signed off on Hardiman’s four-paragraph memo closing the phantom-request inquiry. It contained no reference to domestic IP addresses.

The domestic IP addresses are now being examined, Ed Griffith, a state attorney’s office spokesman, said Friday.

Armed with the complete information, prosecutors can now follow up, using their subpoena power to obtain the users’ physical addresses from Internet service providers.

With the locations in hand, they might then be able to identify the hacker’s residence or business, or the public place, such as a library or Starbucks, that he or she used to take advantage of wireless Internet, said Steven Rambam, a New York-based private investigator with extensive experience in computer database and privacy issues. There, prosecutors could try to obtain surveillance video to identify the person online at the time the ballot requests came in.

“If it’s McDonald’s, McDonald’s routinely has video of their entire premises, inside and out,” said Rambam, who reviewed the IP address origins for The Miami Herald.

Even the foreign IP addresses were worth checking out, he added.

“I’ve picked up the phone as a private investigator doing these investigations and spoken to the security-and-abuse departments at the Internet service providers and gotten cooperation,” Rambam said.

The elections department also sent prosecutors a map of the voters targeted by the phantom requests. Though the department didn’t draw any conclusions from the map, it clearly illustrates that the voters were in three specific districts.

The Jan. 15 “close-out” memo makes no mention of the map, or of prosecutors following up with any political campaigns. “The map provided us with little useful information in tracking down the source of the computer attacks,” Griffith said.

Telltale pattern

The map showed that the first requests — the ones that originated from at least two Miami-area IP addresses on July 7 and 8 — targeted Miami-Dade voters in Congressional District 26, which stretches from Kendall to Key West. A little more than a week later, on July 16, the requests resumed — this time from foreign IP addresses — for voters in Florida House districts 103 and 112. They stopped on July 24.

District 103 extends from Doral to Miramar; District 112 from Little Havana to Key Biscayne.

The Herald analysis showed that, in the congressional district, 466 of 472 requests targeted Democrats. In House District 103, 864 of 871 requests targeted Republicans, as did 1,184 of 1,191 requests in House District 112.

Requests came in twice for nearly 500 voters, and three times for seven of them. The elections department doesn’t consider multiple requests suspicious, because voters are allowed to submit two ballot requests per election, in case the first ballot gets lost, for example.

Only a smattering of the total 2,046 voters were registered outside the three districts.

What alerted the elections department to trouble was how quickly the requests rolled in from the same IP addresses.

Jane Watson, president of Tallahassee-based VR Systems, which provides elections software to Miami-Dade and 52 other Florida counties, said the software flags suspicious activity, such as when five or more requests originate from a single IP address.
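As an added illustration (not code from VR Systems, the elections department or The Herald), the two signals described above, five or more requests from one IP address and requests concentrated on a single party, can be checked over a request log. The record layout, the 60-minute window, the function names and the sample rows are assumptions constructed for this example; the IP addresses come from reserved documentation ranges.

```python
from collections import defaultdict

# Constructed sample log: (source IP, "HH:MM" received, voter's party).
SAMPLE = [
    ("192.0.2.10", "21:11", "DEM"),
    ("192.0.2.10", "21:14", "DEM"),
    ("192.0.2.10", "21:17", "DEM"),
    ("192.0.2.10", "21:22", "DEM"),
    ("192.0.2.10", "21:24", "DEM"),
    ("192.0.2.10", "21:25", "DEM"),
    ("198.51.100.7", "09:30", "REP"),
    ("198.51.100.7", "18:05", "DEM"),
    ("203.0.113.5", "12:00", "NPA"),
]

def minutes(hhmm):
    """Convert "HH:MM" to minutes since midnight."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def flag_ips(records, threshold=5, window_min=60):
    """Return {ip: peak request count inside any window_min-minute span}
    for every IP whose peak reaches `threshold` (window is an assumption)."""
    by_ip = defaultdict(list)
    for ip, ts, _party in records:
        by_ip[ip].append(minutes(ts))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans <= window_min.
            while t - times[start] > window_min:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def party_skew(records, ips):
    """Share of the most common party among requests sent from `ips`."""
    counts = defaultdict(int)
    for ip, _ts, party in records:
        if ip in ips:
            counts[party] += 1
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0
```

Because the count is kept per address, it starts over each time the sender moves to a new IP, which is why the department had to block addresses repeatedly before the requests stopped.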

There are other safeguards, too. When a voter submits an absentee request online, Miami-Dade doesn’t automatically send a ballot. The request is reviewed by an elections department staffer, who must manually sign off on sending it.

The online ballot-request form requires voter information available on a public database of registered voters. It also asks for an email address — which doesn’t have to be real.

Most of the email addresses on the phantom requests were formulaic and clearly fake — the voter’s first name at AOL, Gmail or Yahoo, for example — but the email addresses on at least some of the early requests were accurate. That is significant, because while those addresses are not publicly available from the voter file, political campaigns routinely compile email addresses through other sources.

To submit an online ballot request, the voter must verify a series of skewed letters and numbers — an extra step intended to make automated requests more difficult.

“That’s a barrier, but I’m told that for someone who’s sophisticated enough as a programmer, they can get over that hurdle,” Watson acknowledged.

In the past, Watson said her company has brought in online security experts from Florida State University to test the software and look for loopholes.

But neither the county nor the software vendor have changed their programs or policies since the August primary, Watson and the elections department said. The reason: The existing procedures worked, they said. The phantom requests were caught.

No special skills

Creating a computer program to automatically fill online ballot requests using voter information is not difficult, said Rambam, the private investigator. Pre-written programs, known as scripts, are available online and easy for amateur hackers to modify.

With a little more skill, the hacker behind the phantom requests could have included computer code to keep the program from triggering the elections department’s safeguard, Rambam said.

Once the program has been set up, purposely obscuring its origins through foreign IP addresses is also inexpensive, he added.

“And that, of course, is the most frightening thing: that any moderately or even marginally skilled programmer could have done this,” Rambam said.

That’s why the grand jury recommended requiring at least a login and password for voters to submit absentee ballot requests, said Pankey, the group’s foreman. It was one of 23 recommendations proposed by the grand jury, convened after Deisy Cabrera and Sergio Robaina, two Hialeah absentee ballot brokers, known as boleteros, were arrested shortly before the primary last August and charged with voter fraud. Both have pleaded not guilty.

No county official has followed up on the online security recommendation, which, unlike other grand-jury proposals, could be addressed locally, Pankey said Friday.

“You can’t go to your bank account — you can’t go to anything that is secured — without putting in at least a name and a password,” he said.

“Why should the elections be any different?”
