MLB should consider its own history before it lectures anybody else against the evils of having rules to protect the ballot.
There are any number of ironies to Major League Baseball using the All-Star Game as a club to demand that Georgia write election laws exactly the way Georgia Democrats want them written. One of those ironies is that the All-Star Game is itself a notorious festival of open ballot-box stuffing — and sometimes worse — with a long history of controversies about the integrity of the vote, in which MLB has battled for years to keep up with efforts to abuse its voting system.
The most infamous example came in 1957, when fans of the Cincinnati Reds (a third-place team at the break, which finished fourth) engaged in such an egregious campaign that MLB itself threw out some of the results and disenfranchised the fans for over a decade. As MLB.com recounts:
Rumors of ballot stuffing [in Cincinnati in 1956] turned into controversy in 1957, when Reds fans clearly rigged the election of starters for the National League All-Star team — jamming the ballot boxes with pre-marked ballots published in the Cincinnati Enquirer newspaper. Cincinnati bars also joined the campaign to get Reds voted into the starting lineup. An investigation showed that more than half the NL ballots cast came from Cincinnati, resulting in seven Reds being voted into the starting lineup. The only non-Cincinnati player to win a starting spot among the NL position players was St. Louis Cardinals first baseman Stan Musial, who narrowly got the nod over the Reds’ George Crowe. Commissioner Ford Frick stepped in at the eleventh hour and removed Reds outfielders Gus Bell and Wally Post. He also decided to strip fans of their right to vote for the All-Star Game starters — a perk that wasn’t returned to the fans until 1970.
Eliminating pre-printed ballots in favor of punch cards forced people to at least expend a lot of effort to stuff the ballot box:
In 1979, the Padres held a pizza party for some fans to come punch ballots for outfielder Dave Winfield. Thousands and thousands of votes were cast for the right fielder. Who’s to say if that put Winfield over the top, but he was voted in as a starter for the first time.
The dawn of online voting resurrected more serious problems. In 1999, “Chris Nandor, a Red Sox fan who lived in Carver, Massachusetts, hacked the MLB online voting, and cast his ballot for Nomar Garciaparra more than 39,000 times,” leading Darren Rovell to write for ESPN, “Cyber-stuffing remains threat to All-Star voting”:
Internet service providers like America Online and @Home use proxy servers that make it impossible to track a user’s location, several professional hackers told ESPN.com. Still, the ballots must be randomized and cannot arrive in a lump deposit.
In 2015, MLB changed its voting procedures (sound familiar?), going to all-online balloting and eliminating the old paper ballots, imposing a theoretical limit of 35 online ballots per fan. It faced renewed controversy when the middle of June rolled around and the Kansas City Royals led the voting at all eight positions. MLB itself had to reassure the public that it was taking the security of the vote seriously:
Bob Bowman, MLB president of business and media, said his office always has maintained a staunch approach to ferreting out ballot stuffing through the Internet. MLB makes a concerted effort to investigate votes that: 1. come from accounts created using email addresses that appear to have been tweaked in some way that too closely resemble another address; 2. multiple voting accounts that come from the same IP address; and 3. troubling patterns in voting that emerge during the reviews by a third-party company employed to chart All-Star Game balloting trends. Bowman said that process alone leads to about 20 percent of the votes that are cast online being eliminated every year. With that in mind, all the votes MLB has reported so far have been sanitized.
Not everybody was convinced. Pseudonymous blogger HookSlide at Bless You Boys wrote an article entitled, “I hacked the MLB All-Star voting page in under 20 minutes”:
To be fair, “hacked” really isn’t the right word. That word implies some kind of username/password cracking, which in turn implies some kind of secure system, and quite frankly, the All Star voting page set up by MLB is anything but secure. With a basic knowledge of HTML, a bit of Javascript, and a few minutes to play around, I was able to exploit MLB’s All-Star voting system quite easily. The key to exploiting the system was realizing that — are you ready for this? — there is zero verification surrounding the most important piece of information supplied in the voting process: your email address. The voting page asks you to supply an email address, along with some other information such as a birthdate, a zip code, and a favorite team, but unlike most systems that at least try to implement some form of security, MLB does not require you to validate your email address. There’s no confirmation email sent with a “click here to verify” or “use this five-digit verification code” message, some way of ensuring that the email address you supplied in the voting process is actually yours. . . .
Let that sink in for a moment. And while you were letting that sink in, I just cast 35 more ballots, using your email address. Let me know when you get the “Thank You for Voting” email from MLB. With that major security flaw exposed, it was a simple matter of using Google Chrome’s built-in network traffic monitor to discover that all of the voting selections are being sent via URL, attached to a request for an image that is 1×1 and white. It’s so small you’d never see it, but it’s there, and embedding that image effectively casts another ballot.
A pro-Royals blog argued that this wasn’t really hacking, and the claims and counter-claims can look familiar to anybody who has gone down the rabbit hole of stolen-election conspiracies. NBC’s Craig Calcaterra confirmed for himself how easily the system was gamed:
I myself voted multiple times with multiple email address — several which were non-working email addresses I made up on the spot — in order to see if the system was as easily circumvented as SB Nation said it was. There was no confirmation email or anything of that nature following a vote with a bad email address. I received a nice “thanks for voting” message at the end of the process. My votes, at least from my perspective, we all accepted. I laughed heartily at this as I thought about how I was helping make A.J. Pierzynski an All-Star. . . . Just about every online vote and survey you do of any consequence asks that you provide an email address and, prior to accepting your input, verifies it by sending you an email and asking you to click on a link to make sure you are who you say you are. Indeed, the process is so ubiquitous that it was somewhat jarring not to see it with respect to the All-Star vote.
MLB commissioner Rob Manfred even told reporters that he was open to changing the voting rules if the results looked too fishy:
What I would say is I hope over time that what people come to think about the commissioner’s office is when we have a situation such as this — this is one example — that we are responsive and open to change if in fact it appears we get a result that is not consistent with the goals of the system that is currently in place.
As it turned out, MLB got the starting lineup down to four Royals. It did that in part by publicizing the ongoing effort, so other fans were encouraged to get out the vote. But it also threw out between 60 and 65 million votes, according to Bowman, almost a sixth of the votes cast. Bowman explained himself to Calcaterra:
“The old concern was bots,” Bowman said, referring to automated scripts or macros which registered phony votes. “Today we’re seeing more esoteric means of getting past security, requiring a post-facto approach.” Bowman added that while these “esoteric” efforts, which more often than not may be manual, aren’t as large in number as bot attacks, they’re not as easily thwarted via old verification means. “We immediately ping an email to see if it’s valid,” Bowman said. “And it could be valid at that moment. Some of these email addresses can be created and then expire in ten minutes,” he said, adding that it’s then necessary to ping them again later, after the vote is registered or to employ other after-the-fact means of verification. Why not send a message to the user when their vote is rejected or say up front that the emails will be checked later? “We don’t want to get into an arms race with someone looking to buck the system.” There is some logic to this approach, but it certainly seems like a bit of a Rube Goldberg Device-method of preventing voting fraud. And one wonders why other online votes, surveys, portals and the like — including ones with a much greater need for integrity and security than a fan vote for the All-Star Game — don’t employ the same “make them think they’re getting away with it” strategy.
In 2016, Bowman was still trying to reassure voters that MLB was taking steps to ensure the security of its election, noting that MLB throws out about 20 percent of the vote every year:
“We looked at it pretty hard and we disallowed some votes,” Bowman said. “In the end, it was about 20 percent and that’s about the number we disallow every year. People just get overzealous. “In the past years it was what we call bots where they get these machines that do voting. It turned out last year that there were a lot of people voting from their same computer more (than allowed). “We disallowed those votes. There’s always going to be a healthy effort to try and skirt the rules but we’re pretty adept at fighting all that. I don’t know what this year’s effort will be but something will happen somewhere.” And, Bowman said, MLB will act accordingly. These days that means checking multiple emails from the same IP address and verifying that the ballot came from a real person.
Now, the voting system we use for choosing our government is run differently, has much more serious stakes, and presents different challenges than the MLB All-Star Game. But human nature is a constant: people will try to game your voting systems if you do nothing to protect them, and you’ll end up having to work ever harder to win back public confidence in the integrity of your elections. MLB should consider its own history before it lectures anybody else against the evils of having rules to protect the ballot.