Thanks for having such a great conversation on this --
> I am not seeing how the request system is vulnerable.
Here's the scenario: I obtain your SSN, Name and Address to request your ballot to my address (either in the bussing example through your explicit permission or through the nefarious example like using Equifax 2017-2018 Data), then I fill it in at my address, and then mailed it in.
(Edit: to be clear, you have only provided the information to start the ballot process, or I obtained it nefariously, and submitted a ballot without your presence and pen to paper)
That's not a vulnerability? I guess I have a weird definition... I'm saying that's not what I expect when I hear someone 'voted.'
That's a vulnerability, but there's no evidence it happens in any scale.
If it did happen in any scale, people would notice because the victim of fraud, when they tried to vote, would be notified that their ballot was duplicated or already mailed in. Also, note that the address ballots go to is the voter's registered address, and many ballots going to the same address would be noticed.
Anyway. This sort of vulnerability really does exist all over real human systems, and in reality it mostly doesn't matter. People usually don't do this sort of fraud en masse.
Online vulnerabilities can be exploited at scale easily by a single malicious actor, but human vulnerabilities, like dine-and-dash, or package theft, etc, are much more rare. They're illegal, which discourages most people, and to do any of them at scale, you need a lot of people... and one of those people is likely to report it. The human factor makes scaling it up much harder.
Intercepting a lot of voter ballots either requires them all to go to the same address (which will get noticed), or for you to steal them from many addresses (which won't scale easily per above and will be noticed). Either of those schemes will be noticed when a voter attempts to actually vote.
> I am not seeing how the request system is vulnerable.
Here's the scenario: I obtain your SSN, Name and Address to request your ballot to my address (either in the bussing example through your explicit permission or through the nefarious example like using Equifax 2017-2018 Data), then I fill it in at my address, and then mailed it in.
(Edit: to be clear, you have only provided the information to start the ballot process, or I obtained it nefariously, and submitted a ballot without your presence and pen to paper)
That's not a vulnerability? I guess I have a weird definition... I'm saying that's not what I expect when I hear someone 'voted.'