BLOG

Marking Wisconsin’s ballots: Pens vs. computers

In brief: Vendors are promoting and officials are buying the idea that voters should give up their pens and mark ballots with computers known as ballot-marking devices, or BMDs. Why? How is that better than hand-marked paper ballots?
As with many election-administration issues, the debate features strong opinions and little objective data. Much of the relevant research is conducted by people with a financial or professional interest in promoting BMD technology. Little is conducted by independent unbiased researchers, and only local print shops have a financial interest in promoting hand-marked paper ballots.
In this blog post, I’ve tried to present the best arguments for BMDs and to cite unbiased data when I can find it (I’ll edit it to add more as I find it.)
Bottom line up front: BMDs are necessary for voters with disabilities, but when used by a majority of voters, they address only insignificant problems while introducing serious risks for both security and voter confidence, plus additional cost.

Everyone knows how to fill in an oval. We’ve completed standardized-test ‘bubble sheets’ since we were kids. And most of us understand that computers tabulate the results by reading (techies say ‘interpreting’) the marked ovals. So we understand, basically, how hand-marked paper ballots work.

Ballot-marking computers are less familiar. Originally promoted in the early 21st-century to enable voters with disabilities to mark ballots privately, manufacturers have more recently promoted ballot-marking devices (BMDs) for all voters. They used to call these machines ‘accessible’ machines; now they call them ‘universal’ machines. Voters select their candidates on a computer touchscreen or other electronic input device, and the computer prints a marked ballot. They then insert the ballot into a tabulator, sometimes archaically called an ‘opscan,’ which reads and tabulates it. BMDs used in Wisconsin include the ES&S ExpressVote and the Dominion ICE.

Many of the BMDs’ drawbacks are obvious, so I’ll skim over them in just five paragraphs. Anytime you replace any manual task with a computer, you introduce possibilities for new types of error, malfunction, and manipulation–and the need for new security practices to address those risks. Misprogramming could cause the BMDs to print votes for candidates other than those the voter selected, or to print no vote even though the voter made a selection. As with other elections technology, risks include mistakes or corruption by any of the many people within voting-machine companies and local election offices who have authorized access. If any of their operations are compromised, unauthorized people might get access, too.

In addition to the risks of misprinted ballots, there’s little debate that voting takes more time when each voter has to scroll through several screens; review their selections once on the touchscreen; and review them again after the ballot is printed. Add that to the fact that election clerks cannot quickly or cheaply increase the number of ballot-marking stations during heavy turnout elections or times of day, and you have a recipe for longer Election-Day lines.

But the most heated debate is over whether voters are able and willing to verify their computer-printed ballots. If election results are to be correct, they must start with correctly marked ballots. With hand-marked ballots, voters reflexively verify their votes. As we lift our pen from the paper, it would take effort not to notice whether the pen made the mark we intended it to make. But when a computer marks our votes, verification requires separate, deliberate effort. And BMDs place this responsibility entirely on the voters: if the BMD starts misprinting votes, only voters—not poll workers, not auditors, not recounters—can notice.

The unalterable fact is that BMD-based election results cannot be confirmed unless voters 1) reviewed the printed ballots; 2) noticed any problems; and 3) reported those problems to officials, and unless officials then 4) treated voters’ reports seriously and 5) took action to diagnose and correct any problems. This challenge is unique to elections: You cannot think of any other business or government function where managers responsible for the computers rely solely on customers to report problems, but then when customers do, the managers have no way to know whether the problem was with the computer or the customer. No one has yet demonstrated that any of those five things can be done reliably in real-world elections, and several studies indicate they cannot.

Less obvious but just as unalterable is the fact that BMD-printed ballots cannot be used in the most critical type of election audit: one that seeks to verify which candidate was selected by most voters. BMD-printed ballots don’t work for those audits because they preserve no direct evidence of either the voters’ selections or their verification. (For a visual explanation of this point, see the image at the end of this post.) When BMD-printed ballots make up only a small proportion of the total ballots, an audit might still be able to confirm the correct winner. However, if a large proportion of the ballots provide no evidence of the voters’ selections or verification, anyone working to established professional audit standards must throw in the towel.

The benefits of BMDs are quickly evident only to those who have better-than-average knowledge of elections administration. Cynics say the manufacturers’ motive is simple. As states replace paperless machines, vendors see a revenue-enhancing opportunity of the sort that other companies might brag about in their annual stockholders’ reports. (“We’ve found a way to sell $5,000 computers instead of pens!“) But America’s major voting-machine companies are privately owned and have no stockholders, so even if this is their strategy, we can’t confirm it.

In public, BMD proponents usually point to a few legitimate problems they believe BMDs solve: Badly hand-marked ballots; the need to store multiple ballot versions at some polling places; and the needs of voters with disabilities. Officials and voters need to ask: “How serious are these problems, and do BMDs solve them better than less risky or less costly solutions?”

Arguments in favor of BMDs, Round 1:
MESSY VOTERS

BMD proponents will tell you that messy hand-marked ballots are intolerable. My own county clerk is outspoken on this point. I don’t have a ready quote but if you ask him to share his thoughts on voters’ oval-marking abilities, his answer will make you ashamed you ever imagined your careless, stupid, sloppy fellow voters were capable of such a task.

Pen-wielding voters can get messy. They write random comments on their ballots and mark Xs over ovals instead of filling them in. Others get confused and mark too many candidates in one race. That’s called an overvote and if not caught, it disenfranchises the voter in that race. Hand-marking voters might accidentally skip a race, particularly if ballot design is poor. Finally, I’ve had a BMD proponent tell me that voters sometimes accidentally fill in the wrong oval, but I have no idea what sort of evidence could prove that or why that problem wouldn’t also occur with touchscreens.

I’ll come back to ballot design, but individual voters’ sloppiness does not threaten election outcomes. Only a tiny number of hand-marked votes are ruined in a way that could be prevented by using BMDs, and those errors affect all candidates randomly.

Yes, individual voters can be sloppy, but the truth is that tabulator technology (not BMDs) has already reduced this problem to insignificance. When a voter casts an overvoted ballot, the tabulator identifies the problem and gives the in-person voter a chance to correct it or cast it. (Mail-in voters are not present to fix overvoted ballots rejected by the tabulators, but BMDs can’t help them anyway.)

The tabulators’ ability to interpret idiosyncratically marked ovals has also become impressive in recent years. (There’s data on this; I’ll add it when I locate it.) Modern machines have no trouble reading any color or composition of ink. Professor Douglas Jones of the University of Iowa Computer Science Department told me he tests machines with everything up to and including glitter pens, and they perform well.

But most importantly, the problem of ambiguously or incorrectly marked ballots is very small to start with. Anyone who has participated in a hand count can tell you that probably only one hand-marked ballot in every 250 or so is oddly marked. Of those, only a tiny fraction are marked so badly as to render the vote uncountable.  The Dane County Clerk (the one who so disdains voters’ ability to mark ovals) posts digital images of the ballots online, so if you have the storage space on your computer and the time, you can examine thousands of real ballots yourself. Try it: how many hand-marked ballots (on those linked files, the individual files ending in “i” for ‘image’) do you need to examine before you find one that is overvoted or mismarked in any way? Preventing that small a number of errors cannot possibly be worth the cost and risk of making everyone use a computer to mark their ballots.

Recount data are objective and can help us quantify the problem. In 2008, the state of Minnesota performed a recount of a US Senate race in which 2.9 million ballots were hand-counted. Advocates for both major candidates aggressively looked to find votes they could challenge. They found plenty of officials’ errors—misplaced ballots, mishandled absentee ballots, and more. But by the time they were done, they could find only 14 marked ovals that had to be adjudicated by the state elections board. That’s one fatally mismarked vote in every 206,111 votes, or 0.000485%. That is nowhere near enough to justify taking on the risks of computer-marked ballots.

Wisconsin’s 2016 recounters found many of the same problems. They did not record their findings as thoroughly as Minnesotans did, but not one of the 72 counties’ recount reports noted encountering even one ambiguously marked oval. The WEI hand count of 4,580 ballots in Racine County found no fatally mismarked ballots, either (other than carbonless ink, which is not a problem for modern tabulators.) So whatever Wisconsin voters’ error rate is, it is less than 0.022% (22 thousandths of one percent)–again, not enough to justify the risk of universal BMDs.

What little data BMD proponents have offered me to quantify the hand-mismarking rate has been irrelevant. David Becker, Executive Director of the Center for Election Innovation and Research (CEIR, a voting-equipment company) tweeted me a list of recounts he claimed had found decisive rates of voter error. I looked into each. None were reported to have found even minor levels of ballot-marking errors. As in the Minnesota and Wisconsin recounts, the significant reported causes of miscounts were officials’, not voters’, errors. When I gave him one more chance to provide data showing that voter errors have affected outcomes, he replied: “Facts are stubborn things … but still, there are many, many elections where ambiguous (hand-marked votes) exceeded the margin. Not even arguable. But happy to help point you in the right direction. I think we’ve reached the end of the constructiveness of this convo.

That’s not the reply you get from someone who possesses evidence to prove his point.

If anyone were to compile data about hand-marking error rates to inform this debate, they would need to exclude mail-in ballots. Any poll worker knows mail-in ballots are prone to mishaps like soaking up coffee stains and getting fouled with envelope glue. But that’s not relevant to the advantages of BMDs, because BMDs cannot help at-home voters anyway. I’ve also had BMD proponents refer me to data about error rates on standardized tests’ bubble answer sheets. But I see no reason to assume the error rate in marking ballots (where ovals are directly beside candidates’ names) is similar to the error rate in taking standardized tests (where ovals and questions are on separate documents.)

Aside: Speaking of an analogy with standardized testing, imagine that the ACT and SAT companies switched to having students select their answers from a touchscreen; printing out the answer sheets with bubbles already marked, and telling the students they must verify the printed answers because managers have no way to tell if the machines accurately recorded their selections. See any problem?

In contrast to individual errors, poorly designed ballots are a more serious problem. Poor design can systematically disadvantage one candidate or favor another for every voter — not just the careless ones. It is, therefore, more likely to affect an outcome.

But poor design is a problem for both printed ballots and those displayed on a computer screen. Officials have designed printed ballots that ‘hid’ a race under a column of multilingual instructions, and have also designed BMD displays that forced voters to scroll onto additional screens to see the entire list of candidates. Printed ballots arguably have a small advantage because they can be printed in newspapers before the election, a practice that has, on occasion, enabled voters or candidates to identify design errors officials had overlooked. Either way, officials must learn and follow established guidance on ballot design.

Score so far: Preventing voter error gives a microscopically detectable advantage to BMDs. Mismarked ballots have been mostly resolved by tabulator technology except for some of the problems with mail-in ballots, which BMDs cannot help with anyway. Poor ballot design can be a serious threat but gives hand-marked paper ballots only a microscopic advantage, from the increased opportunity to detect problems before Election Day.

Arguments in favor of BMDs, Round 2:
MULTIPLE BALLOT STYLES

For better or worse, both officials and voters have begun to embrace early offsite voting. Election officials want to set up voting sites several weeks before each election in places like libraries, to which voters can come from all over the city to cast their ballots. These are called ‘multi-ward sites.’

In any city, in any election, it’s possible that several different ‘ballot styles’ will be needed. Different areas of the city might be voting on different city council races. In gerrymandered states like Wisconsin, congressional district boundaries can cut through even the smallest municipality.  When those municipalities set up multi-ward voting sites, each site must stock several different ballot styles. This creates more work for the poll workers at those sites, both in handing out the correct ballots and in keeping track of the ballot inventory (an important security practice.)

BMDs address that problem by electronically storing several different ballot styles. When the poll worker enters the voter’s ward number, a correctly programmed BMD will display the correct ballot for that voter.

However, every BMD manufacturer also sells blank-ballot-on-demand printers. These cheaper computers store multiple ballot styles, but they don’t mark the votes before they print the ballot.

Score for this round: No advantage for either. Multi-ward voting sites are a challenge with pre-printed blank ballots. But there’s a solution that doesn’t force us to accept the risks and cost of universal BMD use.

Arguments in favor of BMDs, Round 3:
VOTERS WITH DISABILITIES

Spoiler: BMDs win this round, for people with disabilities. No other solution, even on the horizon, enables voters with vision or movement impairments to mark their ballots privately at the polling place.  For this reason, BMDs are as indispensable as accessible parking spaces and public restroom stalls.

And there’s no disagreement that we need to make BMDs available to everyone even when we don’t encourage their use. Impairments can be temporary so it wouldn’t work to force BMD users to prove a disability, as we do with accessible parking spots. I once left my reading glasses behind when I went to vote and appreciated the opportunity to be able to enlarge the ballot so I could read it more confidently.

Some disability groups argue for universal BMD use out of a concern for what they call segregation. That argument falls apart when we consider how we handle all other public accommodations. We don’t rip out curbs and stairs when we accommodate wheelchair users with curb cuts, ramps, and elevators. Ripping out all the smaller restroom stalls to give everyone an accessible stall would increase cost and lengthen lines, just as it does with BMDs. If we handle polling-place accommodation the same way we handle other public accommodations, we can protect disability rights without degrading election security.

Another complaint, however, is confirmed when we compare it with other types of accommodations: Unreliable set-up of the BMDs. As with the occasional unshoveled accessible parking spot or curb cut, voters sometimes discover that the BMD hasn’t yet been turned on when they arrive at the polling place. But again, the problem could be addressed with less extreme measures, such as improving poll workers’ training and oversight. The League of Women Voters incorporates BMD set-up into their observation program (volunteer here!), as do disability groups. Voters who don’t use the BMD can help. If you have an extra five minutes to spend at the polling place, look to see whether the BMD is set up and ready to go. If not, ask to use it. It’ll take a few extra minutes of your time, but you will strike a blow for disability awareness.

BMD promoters also argue that users have more privacy when everyone uses the BMDs. Privacy is a genuine issue when only one or two voters use the BMD and the BMD prints ballots that contain only the voter’s selections, rather than full ballots with marked ovals. But some BMDs print ballots that are nearly indistinguishable from hand-marked paper ballots. Anyone trying to identify the sole BMD user’s ballot after poll closing would have to carefully examine every ballot cast that day, and even then could not be sure of finding the printed ballot.

On the other hand, BMD users’ ballots are more secure when there are only a few. When only one or two people in each polling place use the BMD, malicious actors could neither swing an election nor create chaos by tampering with the lightly used equipment. In contrast, widespread use makes BMDs a more attractive target for mischief.

Score for this round: BMDs must be preserved to accommodate people with disabilities. To preserve users’ privacy, only BMDs that print full ballots should be used. But for universal use, the advantage goes to hand-marked paper ballots. To bolster BMD security, their use should not exceed a small percentage of the voters.

RELATED ISSUES: ENCODED VOTES AND HYBRID MACHINES

I hope I’ve demonstrated that when discussing BMDs in general, we can logically examine actual problems, seek relevant evidence, and assess the costs and benefits of possible solutions. But for two specific types of BMDs—hybrid machines and encoding BMDs —I see no well-reasoned pro-and-con debate. Proponents can identify no consequential problems that justify the existence of these machines, even if they added no risk.

Hybrid machines combine ballot-marking devices and tabulators in one machine. Only their manufacturers are comfortable with the fact the machines are able to print votes on the ballots after the voter has cast them. Neither voters nor officials have any way under any circumstance to detect the alterations or to recover the true votes if they could detect the altered ballots. That’s unacceptable. Full stop.

As of August 2018 (WEC’s most recently updated inventory), hybrid machines (Dominion’s ImageCast Evolution) were in use in Door, Fond du La, Green, Ozaukee, Racine, Trempealeau, Vilas, Walworth, Washington, Waupaca, and Winnebago Counties.

Encoding BMDs record each vote twice on each ballot, once in barcode or QR code, and separately in a list of names for the voter to review. The tabulators count only the encoded votes, while voters can verify only the text. Encoding gives voters no choice but to trust that the countable votes were recorded correctly.

Encoding BMDs are in use in the counties listed above, plus those that use the ES&S ExpressVote: Columbia, Dane, Dodge, Douglas, Eau Claire, Jefferson, Kenosha, Lafayette, Milwaukee, Outagamie, Pierce, Sauk, St. Croix, and Waukesha, and perhaps more. Because the City of Madison encourages BMD use by early offsite voters, it is likely that more than 30% of Madison’s votes are now encoded.

The critical risk is obvious: How do either voters or officials know that the BMDs correctly encoded the voters’ Election-Day selections? The machines’ proponents will cavalierly tell you officials can detect any incorrectly encoded vote in an audit or recount (assuming the text vote was not also mis-recorded). Yes, they can. But they won’t. We do not yet live in a nation where election officials routinely audit or recount.

And give a thought to what would happen if a post-election audit did detect that encoded votes were different than the text-readable votes. Aside from the chaos that could have been avoided had voters been able to detect and report the misprints on Election Day, who is going — legally — to determine which of the two conflicting votes is valid?

Encoded-vote proponents naively assume lawyers, judges, and combative candidates will passively agree the text votes should be counted. But Wisconsin’s law explicitly allows ‘recounting’ by machine, and contains nothing that provides for counting one set of votes (the encoded ones) on Election Day and a different set (the ones in text) in a later audit or recount. I doubt any other state’s law does, either.

And if there was such a law, what would it say? Perhaps: “Only votes printed in voter-verifiable text may be counted in post-election reviews because audits and recounts must be convincing and decisive. But encoded votes are good enough for Election Day because … “?

In my experience with encoding proponents (emails, Twitter, and at WEC meetings), I’ve encountered none who could both describe and quantify any problem that encoded votes are designed to solve. Without that information, neither they nor we can assess whether the added risk is justified.

I shredded the vendors’ arguments put forth at WEC meetings in an earlier post. Since then I’ve had several discussions with encoded-vote advocates who put forth better arguments.

Ben Adida, Executive Director of VotingWorks, a nonprofit voting-equipment company, explained two reasons for encoding votes. First, it is “easier to get to a high level of reliability” in the tabulators’ interpretation of the marks when they are recorded in QR. In the context of our discussion, I understood him to mean that it’s easier for developers, and that he is speaking about QR codes in comparison to machine-printed ovals.

To assess whether this additional ease or reliability is worth sacrificing voter verifiability, we would need to compare data on tabulators’ error rate with marked ovals to their error rate with encoded votes. QR codes reduce the error rate from what to what? My sense, however, is such information is not worth digging for. If the tabulators were making any noticeable level of oval-reading errors, any real-world recount of marked-oval ballots would have detected it. None has. It is not a problem.

Adida’s second reason was: “More importantly … (if you) want voters to check (a BMD-printed ballot), a summary ballot is going to be much easier to check than a multi-page bubble ballot. And we really want voters to check their BMD ballot.

In my opinion, that’s the best argument for ballot slips I’ve encountered (once you’ve accepted universal BMD use, that is.) However, we still need evidence before acting on it. I’ll keep an open mind, but my sense is that objective study would show that, regardless of the length of the ballot, voters’ reviews are more accurate when they can see the names of both the candidates they did and did not vote for. In particular, voters need to see the whole question to review their referendum votes.

Adida added that developers are working on the possibility that BMDs could print votes only once, in human-readable text, for tabulators that can reliably use optical character recognition (OCR) to count the same votes that voters are able to verify. When that technology is ready, in my opinion, the question of ballot slips’ safety could be revisited–though it still would not establish a need for ballot slips in place of full ballots.

Aside from Adida, encoding proponents with whom I’ve engaged rely heavily on motivated reasoning. For example, proponents often reflexively deflect discussion of BMDs’ undeniable flaws (e.g., voters cannot verify encoded votes) by tossing out irrelevant facts. For example, many have pointed out that voters cannot read the timing marks at the edges of printed paper ballots, either. True but irrelevant: the timing marks are not the input that voters must be able to verify. And if the tabulator misreads the timing marks, that’s a problem with the tabulator, not the ballot.

Also irrelevant is the fact that just as BMDs could be misprogrammed to print the wrong votes, paper ballots can be misprinted to put candidates’ names in different spots than the tabulators are programmed to find them. Again, true, but the risks are far from comparable. A misprinted-ballot fraud would have to involve or originate with the local printing company and involve several layers of conspirators to avoid detection during pre-election testing and distributing the misprinted ballots to polling places. It would, therefore, be limited to individual counties or municipalities. It is not comparable to a BMD hack that could originate in Omaha or Pyongyang and affect up to 55% of the BMDs in Wisconsin (the market share of the most popular model.)

When I argue like that, I know I have no truly solid points to make. It’s not earnest problem-solving discourse.

SO WHY DO OTHERWISE SENSIBLE PEOPLE SUPPORT THESE THINGS?

I’m not ready to say all, or even any, encoding proponents have corrupt motives. My most charitable guess is that the technology developers are like the proverbial children with hammers who perceive everything needs pounding. Where you and I see only minor blemishes, geeks perceive possibilities for major fun and profit. Intensely focused on bringing cutting-edge technology to the election-equipment market, they don’t pause to think about real-world issues such as the chaos that will blossom when litigious parties to a recount realize they can fight over which vote to count on each ballot.

I also suspect that developers, accustomed to working with private-sector businesses, overestimate the likelihood that local election officials will implement security practices the developers consider obvious and necessary. Elections are run by a small army of lightly trained, minimally supervised, part-time, temporary employees who get no more than four days on-the-job-experience every year. The officials who manage that army often exhibit a child-like trust in voting equipment that, in their own words, makes them reluctant to implement recommended security measures. The following are real quotes from real Wisconsin county clerks, which I’ve collected from newspaper articles, emails, and phone conversations over the past two years:

  • “I don’t need to audit to be very confident the results are accurate.”
  • “Honestly, I am not concerned about any kind of hacks into our system. Everything is hardwired.”  
  • It’s an “irrational belief that Wisconsin’s highly decentralized and secure elections infrastructure is vulnerable to the kind of meddling that might overturn the will of the voters. All our software and hardware has been federally certified.”
  • “Why pay $8000 and more for a voting machine if you have to (check its accuracy)?”
  • Auditing “would defeat the purpose of having the voting machines.”
  • “Why should we audit? Things work well and when something works well, you don’t mess with it.”

Accustomed to working with private-sector executives who might lose their jobs if they did not implement manufacturer-recommended security measures, it’s quite possible that developers don’t understand they are selling equipment to officials who genuinely perceive no need to manage it professionally.

And why do election officials buy and promote the encoding BMDs and hybrid machines? As I write this, Pennsylvania officials are in court defending their decision to force encoding BMDs on all voters there. If I can get a copy of their briefs, I’ll know definitively what they put forth as their best arguments.

Based on what I already know — for both this and other issues — my most charitable guess is that election officials rely exclusively, even mindlessly, on vendors for information about the products’ risks and benefits. With little IT expertise of their own, they cannot ask sophisticated questions or notice what the salesperson is not saying. Example: for years, vendors were telling them the equipment was not connected to the internet, and election officials believed them, even as they instructed poll workers on how to wirelessly transmit election-night results to the county elections-management computer. Local election officials have no relationships with unbiased elections-technology professionals and no Consumer Reports-type counsel to inform voting machine purchases — pr at least none that the election officials accept as authoritative. Finally, they are too pressured by time and money do much other than grab the hand of the friendly voting-machine vendors and follow where they lead. The problem is exacerbated by the nature of the voting-machine market.

WHAT VOTERS CAN DO.

  1. Encourage your local clerk to purchase only the minimum number of BMDs needed to ensure accessible polling places and to refrain from encouraging voters to use BMDs in situations like early voting.
  2. Pressure your local clerk to adopt policies that:  1) enable poll workers to take voters’ report of misprinted ballots seriously; and 2) describe an effective response when voters report malfunctioning BMDs. The policies must be in writing and must be specific. They won’t help if all they say is: “if poll workers receive more than a few reports of misprinted ballots, they should report to the municipal clerk.” How many is more than a few? What will the municipal clerk to determine the nature and extent of the problem, and what will the clerk do if the BMDs are misprinting?
  3. Mark your own ballot with a pen whenever you can. If you must use a BMD, be prepared to spend extra time at the polls to review it carefully. Ask for a copy of a regular paper ballot against which to check your BMD-printed ballot. (That will help you remember all the races and candidates.) If you find an error, don’t just assume you did something wrong. Insist the poll worker report it to the municipal clerk.
  4. Join with others to get encoding and hybrid BMDs out of Wisconsin entirely. Email info@wisconsinelectionintegrity.org, and I’ll contact you when we get enough people interested to start action through formal complaints or a lawsuit.   
Computer-printed ballots can be used in audits that seek to confirm only whether the tabulators operated correctly, but are not “competent evidence” of the voters’ selections per generally accepted standards for government auditing. Therefore, the proportion of BMD ballots must be kept to a minimum if officials want to be able to perform an audit that can verify which candidate was selected by most voters.

Wed. night: Are Wisconsin’s voting machines ready for 2020?

Join us on Wednesday evening, January 29, at the Waukesha Public Library for an update on issues with Wisconsin’s election security, and a discussion of what can be done. There’s good news and bad.

Karen McKim, a nationally recognized advocate for election security will present and local election officials from the surrounding counties have been invited. Here’s hoping at least a few local officials accept the invitation to engage with voters on this important issue!

Preview: Our voter registration system security is among the best in the nation, but our voting-machine security is no better than average. Worse, we’re losing ground compared to other states, as they move ahead to adopt modern canvass practices that are capable of detecting and correcting problems. In addition, Wisconsin is making more use of certain voting machines that have actually been declared illegal in other states, and that federal legislation would ban!

Waukesha Public Library, 6 PM, Wednesday January 29
321 Wisconsin Avenue, Waukesha 53186

Breaking: WEC might not comply with laws that don’t apply to it!

Summary: A lawsuit over voter registrations is getting a lot of publicity lately. In the frenzy to portray the issue as a huge menace to Wisconsin elections or voters, the news media is overlooking an important detail: The law that WEC, a state agency, is accused of not following applies only to municipal officials.

When I worked for the Legislative Audit Bureau, about 80% of the projects I supervised asked the question “Is this agency complying with the law?” It was my job to read the law; figure out what compliance would look like; find out whether the agency was doing that; and write a report telling the Legislature what I found and what, if anything, they might want to do about it.

Here’s an example. Municipal clerks (city, village, or town) are responsible for updating voter registrations. These records need to have current addresses. Sometime in the past, someone wrote a state law that seems to have been intended to help municipal clerks keep addresses up to date without causing either them or the voters much extra work.

“Municipalities” are cities, villages, and towns.

That law is still on the books as §6.50(3), Wis. Stats.   It requires all municipal officials—assessor, librarian, police chief, whoever—to tell the municipal clerk when they learn a local resident has moved. For example, the local water utility might know that some home’s account was switched to a new name, indicating that somebody moved. The law requires the water-utility manager to tell the municipal clerk about that.

Then, the law requires the municipal clerk to do one of two things. If the voter left town, the clerk must mail a first-class letter to the voter’s registration address. If the voter fails to respond to the letter within 30 days, the municipal clerk must deactivate that voter’s registration.

If the voter didn’t leave town, but only moved to another address within the municipality, the law requires the local clerk to update the address on the voter’s registration records and send a letter telling the voter of the correction.

Perhaps because the law requires the municipal officials to do this only when they receive reliable information, the law says nothing about what the clerk is supposed to do if the voter didn’t actually move. A sensible reading would be that the legislature intended just that: Nothing.

If a legislator had directed me, as one of their oversight staff, “Find out if they are complying with that law,” I would have trotted out to a few different cities, large and small, and started asking questions.

My first question would be: “How on god’s green earth are you supposed to know whether the person stayed in town or left?” If a water account is switched to a new homeowner, how is the municipal clerk supposed to know whether the first homeowner left town or moved to a utilities-paid apartment down the block? In short, it seems to me like a poorly written law. Such laws exist. More than a few of my real-life reports concluded with, “The agency is not complying, but that’s because you wrote a silly law. A better law might be…”

If I learned, however, the law is more workable than it seems, I’d have reviewed local records to look for evidence of compliance.

There are at least two things I Definitely. Would. Not. Have. Done.

First, I wouldn’t have expected any municipal official to go looking for people who only maybe moved. The law speaks only about reliable information that comes to the local officials through their normal work. Nothing in the law requires, for example, the librarian and the municipal clerk, on their own initiative, to compare the addresses on library cards and voter registrations; to consider any differences to be ‘reliable evidence’ of a move; or to threaten those voters with deactivation if they do not defend their current address.

Second—and I feel silly even saying this, because it is just so absurd—I would not have paid a visit to the Wisconsin Elections Commission to ask what that state agency was doing to comply with requirements that legislators had placed on municipal officials.

If I had given the Legislature a report concluding: “No state agencies are complying with the local governments’ statutory requirements,” I’d have been fired for wasting time on such obviously frivolous fieldwork.

The Wisconsin Elections Commission is a STATE agency, not a municipality.

But that, fellow voters and taxpayers, is what I have to write about in this blog post. Because a misguided law firm has sued a state agency, the WEC, for not complying with requirements that apply only to municipal officials.  

Yes, in real life: A law firm is accusing WEC of failing to comply with the law I just described–the one that requires municipal clerks (not WEC) to deactivate voter registrations within 30 days after the municipal clerks (not WEC) sent a notice to voters based on reliable information that the municipal clerks (not WEC) had received indicating that the voters had moved (information that WEC does not possess.)

The laws that actually do apply to WEC require it to follow the procedures of a multistate compact known as ERIC. Once every two years, ERIC compares Wisconsin’s voter-registration files to files maintained by other state agencies such as the Department of Transportation. ERIC then gives WEC a list of people who have reported different addresses to different agencies.  For example, a person who had registered to vote in Milwaukee but who had avoided Milwaukee’s wheel taxes by registering their cars using the address of their Northwoods cabin would have earned a spot on ERIC’s imprecisely named “Movers List.”

WEC knows, from their long experience with this sort of administrative task, that rough information such as the ERIC list is far from reliable evidence of moving. They know how to clear it up, although it takes some patience. For example, they flag those people on the poll book to make sure the voters are asked to clear up the address question the next time they show up to vote. And if the voter never again shows up to vote at that address, their registration will be deactivated through a different process.

WEC’s boring compliance with this routine administrative procedure was ignored by the press as WEC worked on it over the past summer and fall. But as soon as a lawsuit was filed, the press has been all over it, spinning a partisan angle as hard as they can and parroting an inflated click-bait 234,000-voter figure. Thousands of those voters have already re-registered or updated their addresses, so the number of voters at risk of deactivation is nowhere near that many.  

Because I attend WEC meetings regularly, I realized the small effect this list-maintenance exercise would have for actual elections, no matter how it turns out.

First, understand my perspective: I spend most of my time working to get election officials to pay attention to something that theatens all 3 million voters: Wisconsin does not yet employ methods that would enable election officials to detect and correct the effects of voting-machine hacks. So even 234,000 seems to me like a junior-varsity number.

Still, there are other reasons I cannot see these voters as a huge threat to Wisconsin elections: Many other safeguards reduce the risk of voter fraud to an inconsequential level. And if these particular voters are attempting fraud, they are being flamboyantly inept. They were not going to be able to vote in two places by using their vehicle registration as if it was a voter registration.  

On the other side, we have to appreciate the ease with which people can register at the polls—especially (excuse me) people such as those who have cars to register and two addresses from which to register them. Among any voters who might be incorrectly deactivated, few will have their ability to vote impaired by anything worse than a few minutes’ delay. (To be clear: Any judge would be outside the law to order deactivation of any registrations in the absence of reliable information that the voter has moved. What I’m saying is that, if one does, the effect on actual voters will not be anywhere close to the levels that devout partisans fear or hope for.)

So it wasn’t until today that I sat down and read through the complaint and looked up the statute it references—actually even quotes. Anyone can read that law and see that it applies to municipal officials, not to a state agency. Check it out for yourself—the complaint accurately quotes the law. It’s the paragraph numbered ‘10’ on page three of the complaint. In that law, you will see nine references to municipal officials and not one to WEC.  

As irritated as I am with the media for their breathlessly misleading coverage, I am furious about the lawsuit. It is wasting your tax dollars and mine by asking the courts to address this bogus issue and making the WEC defend itself. I’d sputter about the lawyers’ and judge’s apparent inability to use their legal education, but reading that statute requires only elementary-school reading skills and a man-on-the-street understanding that WEC commissioners are not municipal clerks.

Postscript: Pollyanna that I am, I have to note the silver lining. This whole episode has provided a great opportunity to publicize one of Wisconsin’s treasures, our eminently usable and convenient voter-registration and election-information website, MyVote. Click on that link to see solid, up-to-date information about elections in general and your own voter registration in particular. And yes, if you were on the ERIC list, you’ll see that, and you can fix it.

Everyone calm down. No one is voting twice. No one is being purged.

The Wisconsin Elections Commission is working on a project to contact voters who have more than one home address on state government databases. If the voter has moved within Wisconsin, the WEC wants them to register at their new address. If they haven’t moved, WEC wants only to confirm their voting address.

In our current political climate of eager fearfulness and lunging-at-each-others’-throats, this is causing controversy, even a lawsuit. But the facts are neither as the partisan Republicans or the partisan Democrats fear or want you to fear.

Last October, the WEC checked the addresses on the voter registration database against other State of Wisconsin databases and found 234,039 mismatches–mostly with the Department of Transportation. They sent postcards to the voter-registration address to make sure the voter was registered to vote at the right address. Everyone involved–the WEC, the voters, the local clerks–has plenty of time to resolve this before the next election. That’s why the cards went out in October, when there was a long lull between elections.

The practice of checking registration rolls for people who have moved is widely recognized as prudent maintenance. It’s routine and useful for preserving election integrity and WEC is going about it as carefully as any other state.

Personally, I don’t think it adds value to election integrity beyond appearances, but I won’t go to the mat to defend that belief. It has no effect on voter fraud because the voters are registered to vote at only one address. If they are attempting fraud, they are being so clumsy we don’t need to worry that they will succeed. Slightly inaccurate voter-turnout statistics is the only drawback I see to leaving movers on the rolls until they register someplace else or fail to vote for four years.

For Republicans: NO ONE IS REGISTERED TO VOTE TWICE. In addition, no one has voted twice. There’s not even any evidence that any of them are trying.

There are plenty of non-fraudulent reasons why people have different addresses for their vehicle registration and their voter registration. Small business owners might register their car from their business address. Same for people who own two homes–don’t we want them to vote? Tax evaders who live in cities that levy wheel taxes might register their cars at their relatives’ homes. (Okay, that might be fraud, but it’s not voter fraud.)

And give a thought to those individuals’ freedoms. Why shouldn’t a man who owns a home in Waukesha and cabin in the Northwoods be able to choose which he’ll use to register his cars and which he’ll use to register to vote? Leave the guy alone. If you force the WEC to remove people like him from the registration list every time they register a new car, you’re causing him trouble and causing the WEC to divert effort from real problems.

And now that we’ve resolved that, Republicans, consider this. A law firm is spending donations from people like you to force the State of Wisconsin to spend your tax dollars to respond to a frivolous lawsuit that won’t have any effect on voter fraud even if it succeeds. Surely there are better things to do with both the donations and the tax dollars.

For the Democrats: NO ONE IS BEING PURGED. In fact, the postcards might be preventing problems for some voters.

Since the postcards went out, 13,267 of the voters registered to vote at their new location. That’s 13,267 voters who won’t have to clear this up the next time they go to vote.

Another 1,666 responded to the postcard saying that they hadn’t moved. Their voter registrations were confirmed. No harm, no foul, good to go.

As of mid-November, 54,234 postcards had been returned as undeliverable, confirming the voters no longer lived at the address where they were registered. In the future, if any of those voters show up at a polling place anywhere in Wisconsin, they will be able to re-activate their registration right then and there and cast a regular (not provisional) ballot. That’s not a smidgen more work than they would have had to do if WEC had not removed them from the voting rolls.

The remaining 164,873 voters have been flagged on the registration database. If in 2020 they show up to vote at their old polling place, they will be told they have two home addresses listed with the State and asked to clarify the right address for the voter-registration database. If they say, “This is my voting address. I’m in the right place,” they will be allowed to sign the poll book and vote. It’ll take them maybe five seconds longer to vote than it would have taken them had the computer not flagged them.

If they show up at some other polling place or if the court decides to force the WEC to remove them from the registration rolls right now, the next time they show up at a polling place, they will be able to re-activate their registration right then and there and cast a regular (not provisional) ballot. It’ll take them maybe five minutes longer to vote than it would have taken them had the court not ruled against them.

And now that we’ve resolved that, Democrats, consider this. Imagine you’re a marginal, disenchanted would-be voter. What will you feel when you see social media spreading the message: “Lawsuit could affect the ability of 234,000 Wisconsin voters to cast ballots”? Suspecting you might be one of them isn’t going to make you any more eager to show up at the polls to find out.

Spreading fear of routine election-administration practices can be nearly as effective at suppressing votes as actual purging would be. When there really is nothing to fear, use your words and energy to spread that message instead. There are other alarms to be raised about the real threats to our democracy.

Verifying a statewide election could be this easy and cheap.

Photo: Michigan election officials assess the results of a manual count of a sample of ballots for a risk-limiting audit in 2018. Photo credit: Berkeley Institute for Data Science, UC-Berkeley


Think of “risk-limiting audits” as low-effort exit polls.

Exit polls determine who won by asking randomly selected voters “Who did you vote for?” Risk-limiting audits work on the same principle to confirm the correct winners, but they skip the sidewalk conversations and phone calls.

Instead, they pose the question directly to randomly selected paper ballots.

Either way, a small sample can provide statistical proof of who really won the election, independently of the vote-counting computers.

No one in Wisconsin now does risk-limiting audits. Sometimes local officials spot-check a few randomly selected voting machines, but those efforts do not ensure that any outcome-altering miscounts will be detected and corrected before preliminary election results are made final. Risk-limiting audits do.

There’s no one correct way to do a risk-limiting audit. Our election officials could sample individual ballots (less work) or entire polling places (more work). They could do nothing more than confirm the correct winner in one race (less work) or they could answer other questions at the same time (more work).

A risk-limiting audit of a statewide election in Wisconsin could be this easy and cheap:

1) After they close the polls on Election Night, poll workers would record how many ballots they seal into each bag. Using this information, the municipal clerk would create a “ballot manifest” (e.g., City of Abbotsford: Bag #1 – 234 ballots; Bag #2 – 122 ballots).

It’s unlikely anyone has ever counted, but a fair guess is that a big election produces around 4,750-5,000 sealed ballot bags statewide. One bag can contain a maximum of around 300 ballots but might contain fewer than 10.

2) The day after the election, every municipal clerk would send their ballot manifest to the Wisconsin Elections Commission. The WEC could create an online reporting form to make this task easy and quick. It wouldn’t need bullet-proof security if the municipal clerk also mailed a hard copy of the manifest to WEC, and WEC staff later verified them against each other.

3) The WEC would then assign a number to every ballot in the state. For example, ballot numbers 1-234 would be assigned to the first bag from the City of Abbotsford; numbers 235-356 to the second bag, all the way up to the last bag from the Town of Yuba, which might be assigned the numbers 2,673,149 – 2,673,308.

4) WEC staff would examine the preliminary election results for the statewide races and enter the results for the closest race into a statistical tool that has been endorsed by the American Statistical Association, tested, and used in other states. This would generate a sample size for the audit.

The size of the sample depends upon the Election-Night margin of victory. If the margin is large or normal, the sample size will be small. For example, the 2018 contest for the US Senate was neither close nor a landslide: 55.4% to 44.5%. A risk-limiting audit of that race would have needed an initial sample size of only 401 ballots across the entire state. However, officials could choose to select a larger sample to provide voters with ’emotional’ confidence in addition to statistical confidence.

An extremely close election such as the 2018 Governor’s race (49.5% to 48.4%) would have needed an initial sample of 37,841 ballots (out of almost 2.7 million cast). But it’s these races that officials legitimately need to be most careful about, and it’s the very close races that, when left unaudited, provoke the most candidate resentment and voter suspicion.

Wisconsin election officials have already demonstrated they can handle larger sample sizes. For comparison, the voting-machine spot-checks conducted after the November 2018 election required officials to count votes from 135,712 ballots — more than 3.5 times the number of ballots they would have needed for a risk-limiting audit. But because of the way WEC selected that sample and their instructions that auditors ignore voter intent, that effort did not confirm the correct winner in any race.

Wisconsin election officials counted 135,712 ballots in the random voting-machine spot-checks after the November 2018 election, but used a method that did not confirm the winner in any race.
A risk-limiting audit of the same election would likely have verified the correct winners in the statewide races with only 37,841 ballots.

And because races from the same ballot (as those two races were) do not need separate samples, a risk-limiting audit could have verified all the statewide contests on the ballot in that election–an accomplishment of enormous value to election security and voter confidence.

5) WEC would randomly select ballot numbers and then use the statewide ballot manifest to identify the bag in which each of the selected ballots is stored. For example, if ballot #284 turned up in the random sample, the WEC would know it is in the second bag from the City of Abbotsford. If the random selection turned up ballot #2,673,193, they would know it is in the last bag from the Town of Yuba.

6) At this point, WEC could ignore the hypothetical numbers they assigned to each ballot and tell the municipal clerks only the number of ballots to be randomly selected from each bag.
For example, the WEC would tell the City of Abbotsford clerk to randomly select one ballot from the second bag. The instructions for random selection could be something like: “In the presence of observers, pull the ballots out of the bag, set them in a stack on the table, let an observer from each political party cut the stack several times like a deck of cards, cut the stack two more times, and select the ballot at the bottom of the last cut.”
Other methods could be prescribed for jurisdictions that use machines that print flimsier forms of paper ballots.

7) The municipal clerk would display the selected ballot to the observers; fax it to the WEC; mark it with red ink indicating it was the ballot selected for the audit; put it on the top of the stack of ballots; and reseal the bag.

8) The WEC would conduct a publicly observed manual count of the faxed ballots and enter the results of that count into the standard risk-limiting audit formulas. If the proportion of votes for the Election-Night winner in the manual count is close enough to the proportion reported on Election Night, the result is confirmed. The audit would be concluded and the county canvasses could conduct their certification process as normal.

If the proportion of votes for the Election-Night winner differed too much, an additional sample would be drawn and counted. That process would be repeated until statistical confidence in a winner was established.
The WEC would need to adopt policies to govern what will happen in the rare event that the sample has to be expanded more than twice, or if the confidence level declines as the sample is enlarged. Likely, WEC would stop the audit, declare a lack of confidence in the preliminary Election-Night results, and order a full recount on its own initiative.

Other states’ election officials think their voters’ right to self-government through secure elections is worth at least that much time and effort.

If you think Wisconsin elections are worth the effort it takes to conduct a genuine risk-limiting audit, contact your county clerk and the Wisconsin Elections Commission to tell them so.

Wisconsin’s Election Security Council sees the gorilla.

The first meeting of the Wisconsin Elections Commission’s new Election Security Council was both reassuring and scary.

First, the good news. I’m genuinely not sure whether WEC created the council more to promote belief in security or to promote security itself. But whatever WEC’s intention, the members of the new council are there to promote security.

They uniformly exhibited a desire for actual security. Understandably, they showed some legitimate interest in appearances, but their primary concern seemed to be for real security.

Hang on to that idea as I describe the bad news. I do think intention matters.

The second piece of good news is that the members did not seem to share—even slightly—WEC’s hesitance to include voters on the council. (See note at the end of this post.)

A bit of background: the state election agency’s longstanding attitude toward citizen participation is not normal. After 30 years working as a state bureaucrat in three agencies and auditing dozens of others for the legislature, I know “normal.” Even agencies running unpopular programs like septic-tank regulation or state-forest timber harvest seek citizen participation as a routine matter of course.

In contrast, the WEC runs a popular function—people like elections—and yet they hide under their desks when someone mentions voter participation. I’ve never understood why; it makes no sense. I sincerely think that, overall, their objectives are in line with those of the voters.

Fortunately, the council members know normal. When WEC administrator Meagan Wolfe asked whether they wanted to add voter representatives to the council, the members’ brief discussion can be summarized: “Well, duh.”

The representative from the Wisconsin Counties Association, whose name I didn’t catch, pointed out that legislative advisory councils routinely include representatives from citizen groups. Then, after Wolfe said she would bring a detailed proposal for selecting voter representatives to the next meeting, Governor Evers’ representative, Jenny Dye, said that would be too late. The council’s work was “already short on public input,” she said, and it wouldn’t do to have the public members miss the first two meetings. WEC agreed to work out the details and get voters’ representatives to the table by the council’s December meeting.

Okay, now the bad news.

The level of naivete in the room was frightening. Among the utterances that made me shudder:

  • In the limited discussion of specific threats to election security, I heard reference only to external hackers. I detected no awareness that insider corruption (e.g., a rogue employee of a voting-machine company) is the single greatest threat to vote-counting security—one that our election clerks have no reliable defense against. When a representative from the Wisconsin Statewide Intelligence Center listed the threats to look for, he described only external threats. Later, WEC Assistant Administrator Richard Rydecki explained to me that was because external threats are the only ones WSIC has noticed. Well … yes … that is why the other threats are more serious. Wisconsin officials don’t have any way to detect unauthorized remote-control software in the county election-management computers or dicey Serbian programmers working for Dominion.
  • Hearing Mike Davis from the League of Wisconsin Municipalities open his question with “I don’t know much about elections administration, but…” Yikes! Municipalities run Wisconsin’s elections! (On the other hand: his ‘but…’ led into a question about what we do with our paper ballots—displaying that he has good intuitive sense about how we could be securing our elections from that rogue programmer or service technician.)

Ignorance doesn’t have to be a problem. No one was born knowing this stuff. They can learn.

However, WEC’s conduct of the meeting gave me some concern that the council members might not get the education they need.

Put it this way: If you convened a new council to get advice on election security, how would you have opened the first meeting? If it had been me, I would have started by describing the basic elements of a secure election system. Then, I would have given the council a quick overview of Wisconsin’s strengths and weaknesses vis-a-vis these elements–which are covered, and where are the weak spots or holes?

Instead, WEC staff presented a rosy overview of all the good things. When they were done, I’m guessing some council members were wondering why they were there, given that things are already as good as can be.

Wolfe wasn’t making stuff up–a lot of good security measures are already working. She was leaving stuff out—specifically, stuff relating to voting machines.

One fact is critical to understanding election security: Two separate systems must be secured. (See the chart below). These two systems have practically no overlap. They have different creators and different owners. They operate on different computers, managed by different agencies. They face different threats and require different safeguards.

WisVote–the voter-registration system–is secure, thanks to the good, hard work of the state elections agency. I wouldn’t trade our voter-registration system for any other in the nation.

Security for the vote-tabulation system–that is, our voting machines–is closer to an honor system.

Yet Wolfe danced over the tabulation system so lightly I’m not even sure she said the words “voting machine.” For example, one of her Powerpoint slides listed the steps in an “End-to-end Election Administration System.” The list went right from “prepare the poll lists” to “report results to the State.” I wonder whether any of the council members noticed the missing step: “Count the votes.”

I’ve seen this tunnel-vision focus on WisVote security from WEC staff many times before. Whenever they are asked about “election security” (with or without specific reference to voting machines), they respond by describing safeguards that protect only the WisVote system. Dozens of reporters have failed to notice.

But for some reason, I didn’t expect it to be on full display in the meeting today. Perhaps I was thinking that creating an advisory council was something like going to a therapist. You want help, right? So be honest about the problems that bring you there.

(Spoiler alert. If you’ve never taken the selective perception test where you watch a brief video and count the number of times a white-shirted team passes a basketball, do that before reading further. I don’t want to spoil anyone’s opportunity to experience this phenomenon firsthand.)

I’m not a mind reader and so cannot say how much of this relentless tunnel vision on WisVote security is strategic, and how much stems from the fact that tabulation-system security is simply not the WEC’s job.

But as I listened, I started to see WisVote as WEC’s white-shirted basketball team. They are so intently focused on it—absolutely, fully engrossed—that they cannot see the gorilla that is the tabulation system.

Here’s my best hope, and I think it’s a real possibility: I think this council might be able to provide WEC staff with more guidance and education than they realize they need.

After WEC staff had shared all the lovely information about WisVote security, they turned the microphone over to the council members. They asked each member to say a few words about their organization and describe how they see their role in election security over time.

The county clerks went first—and promptly ignored the instructions. Instead, they immediately started to talk about voting-machine security and the fact that they are not getting the IT support they need. Then the League of Municipalities representative popped in with his question about the role of paper ballots in securing election results.

The WEC staff may not see the gorilla, but it was the first and only thing council members wanted to talk about.

In summary, this seems like a good bunch of sensible people. In addition, on my way out, I had a quick but solid discussion with Rydecki about some nuts-and-bolts details regarding the sort of risk-limiting audits that could work to secure Wisconsin election results.

So progress is underway, and I’m okay with that.

* * *

NOTE: After reading this blog post in mid-November, Assistant Administrator Richard Rydecki reached out to explain what had appeared to me to be WEC’s hesitance to include members of the voting public on the new Election Security Council. Our conversation was easy and pleasant and provides a window into WEC’s thinking about its various stakeholders.

The idea to form such a council is not new. In early 2019, the WEC created its first election-security advisory committee, limiting membership to county and municipal clerks. So in March, both Wisconsin Election Integrity and the League of Women Voters of Wisconsin publicly urged the WEC to seek election-security advice from additional stakeholders. We suggested that they either expand that committee to include public representatives (particularly those with security expertise), or to form a separate election-security advisory group with broader membership.

I cannot speak for the LWV-WI, but WEI received no response. If the WEC gave the proposal even momentary consideration, it was quickly forgotten. Rydecki made no mention of it when he explained that the idea for this new election-security advisory council arose in June, in discussion among government officials at a Department of Homeland Security training exercise.

Apparently, the officials who proposed its creation did not mention anything at the time about public members. Nevertheless, Rydecki said, WEC staff did consider how public input might be handled. Some clerks “were not terribly enthused” about having public members on the Council and might not have agreed to participate if public members were included.

One option, according to Rydecki, was that officials’ trepidation might be accommodated by allowing a short period for public comment at the beginning of each meeting, as the Elections Commission itself does.

But ‘professional courtesy’ required WEC staff to refrain from making a ‘unilateral decision’ on how or whether anyone who is not a government official would participate. So WEC formed the council exclusively with government officials and then presented it with the question of how or whether it would have public participation.

I’ll let the reader decide whether that information supports or contradicts the observations I made, above, about WEC’s attitude about citizen participation.

This is what secure tabulation looks like

Up to now, the Wisconsin Elections Commission’s interest in elections security has focused on the voter-registration system (WisVote), rather than the vote-tabulation system (the voting machines). When the Commission has paid attention to concerns about voting-machine security, it typically has been for only as long as it took commissioners to ask the vendors “Tell us how to refute these concerns.”

The Commission has also made a habit of limiting its own information sources. Earlier this year when they felt the need for advice on election security, they convened an Election Security Advisory Panel consisting entirely (not making this up) of county and municipal clerks. That was a revealing indication of the Commission’s level of interest in seeking advice from anyone else … say, disinterested IT professionals or highly interested voters.

This image has an empty alt attribute; its file name is CAPQuote.jpg

But the Commission’s interest in voting-machine system security may be showing signs of life.

Last week, the Commission announced the formation of a new Elections Security Council of “federal, state and local partners” that will “formalize collaboration between these key groups and the public to improve communication and maximize election security.”

As usual, the Commission’s idea of “key groups” is limited to government officials. It’s also possible their idea of ‘communication’ remains limited to outgoing messages to reassure voters that all is well.

Oh, well, it’s a start. Give the new council a chance to join the fight for voting-machine security. We’ll know more after their first meeting on October 16, when they will discuss whether and how they want to involve any stakeholders.

Realistically, though, it’s possible this new council will — as the Commission itself has always done — focus its efforts exclusively on the voter registration system (WisVote) rather than voting-machine system security. Nothing in the press release specifically indicated the Commission is looking to expand its election-security efforts beyond WisVote.

Nevertheless, just in case this council represents an awakening, its members should know what a secure tabulation system would look like.

So here’s a welcome gift to the new Elections Security Council:
A list of what would be in place if our voting-machine system was secure.

Most of the elements listed below are common sense, not rocket science. It’s just sensible, prudent management of a highly critical IT system. Some elements are present for Wisconsin. Others are missing. State and local election officials cannot create all the missing elements, which means they need to look for ways to make up for their absence.

If any members of the new council are curious to know which of these elements are in place and which are missing, multiple nationallyrespected electionsecurity authorities stand ready to share critical insights. Those experts’ interest in security is unaffected by financial interests and by any reflexive defense of the status quo.

In a secure vote-tabulation system:

Voting equipment manufacturers would…

  • Manufacture only those systems that are as secure as possible given current technology and customers’ budgets.
  • Manufacture only systems that use or produce ballots that voters have verified as accurate records of their intent, and that allow local officials to verify the votes were tabulated accurately.
  • Cooperate fully with the federal Department of Homeland Security monitoring of the companies’ own computers and security practices.
  • Cooperate fully with state and local governments’ security requirements.

The federal government would…

  • Promulgate strong, clear, and frequently updated regulations for secure, auditable voting systems, and for the independence of private testing labs.
  • Actively and rigorously apply those regulations when certifying new systems or updates.
  • Actively monitor and enforce compliance with those regulations.

The state government would…

  • Through law and regulations, implement strong security and auditability requirements for voting systems used in this state, and rigorously enforce those through certification.
  • Provide guidance and technical assistance to local governments related to voting-machine system security, so that vendors are not their customers’ only source of information and advice.
  • Adopt laws and regulations for local governments’ voting-system security practices.
  • Monitor local compliance with required voting-system security practices, and have the ability to correct poor practices.
  • Coordinate strong post-election tabulation audits, involving all the counties’ boards of canvassers, that verify the correct winners in all statewide races before certification.

County government election officials would…

  • Follow federal and state requirements for securing county elections-management system hardware and software.
  • Have professional IT staff capable of and assigned to working with the voting-system vendor on security-related matters. (If not county staff, an independent contractor who is unaffiliated with voting-machine sales and service.)
  • On Election Night, obtain electronic election records (including CVR and digital ballot images) from municipalities. Maintain strong internal control and to support voter confidence and ballot security, post digital ballot images to the internet within 24 hours of poll closing.
  • During the county canvass, use the paper ballots to verify that the computers identified the correct winners. If problems are found, correct results before certification.
  • Between elections, audit various election-security practices and take action to improve whenever any issues are found.

Municipal government election officials would…

  • Maintain year-round strong internal control of marked and unmarked ballots; other election records (e.g., CVR, digital ballot images); and voting-system hardware and software.
  • Maintain equipment according to manufacturer recommendations. Routinely and reliably inspect equipment inside and out for signs of tampering or malfunction; take action to correct any issues noted.
  • Conduct strong pre-election testing of both tabulators and ballot-marking devices; take action to correct any problems noted. Make sure all voting machines are equally reliable and operable.
  • Train election workers in how to maintain security; how to notice trouble signs; how to document and respond to trouble signs or lapses.
  • Monitor performance of elections workers to ensure that no bad habits develop, that any departures from standard procedures are quickly noted and corrected.

Voters would…

  • Volunteer to serve as poll workers and hand-counters for audits.
  • Pay attention to election security issues, getting neither too excitable nor too complacent.
  • Be willing to hold their local officials accountable for verified accurate election results.

WEC to voters: Voting machines use binary code, so you don’t need to be able to decipher your ballot.

No, you’re not crazy. It doesn’t make any sense.

Today the Wisconsin Elections Commission once again took up a voting-machine vendors’ request to market a new product here. Once again, the Commission confined voters to five-minute comments and then invited voting-machine vendors to sit down at the table with them to pitch their products.

Once again, the Commission discussed the voters’ concerns only for the purpose of asking the vendor to refute them.

And then the Commission once again approved a ballot-marking device (BMD) that records our votes as barcodes we cannot read.

The machine in question today is called the ExpressVote. Designed primarily for voters who cannot use a pen, BMDs require voters to use a touchscreen to indicate their votes. The computer then prints a marked paper ballot. Increasingly, BMDs are being promoted to voters without disabilities, particularly early voters.

Some BMDs print ballots that are nearly indistinguishable from hand-marked paper ballots. The ballots cast by voters with disabilities look just like everyone else’s. Both voters and tabulators look at the same input to read the votes.

Bad BMDs, like the ExpressVote, print ballots that look like large cash-register receipts. On these ballots, votes are recorded as barcodes. This prevents voters from verifying their votes were printed correctly. It violates voters’ privacy when a polling place has only one or two voters with disabilities. (More about barcoding BMDs here.)

But why?

You might ask (most people do) why anyone would build such a feature into a machine.

You might ask, but the Wisconsin Elections Commission doesn’t.

Commissioners never asked the vendor: “Why? Why are you offering us a machine with this weird feature, when we know you can manufacture machines that perform all the desirable functions and none of the dicey ones?”

Whatever the answer is, it must not make the barcoding BMDs look good.

The vendor’s defense attorney

At one point, Chair Dean Knudson sympathetically acknowledged that voters who use barcoding BMDs can independently verify their votes only if they bring a barcode reader to the polls. He wisely noted that’s too much to expect of voters.

But beyond that, the commissioners’ questions on the barcoding issue could all be paraphrased: “How can we refute the voters’ stupid concerns?”

“Motivated reasoning” is the chop-logic that appears when people pick a conclusion first and go looking for reasons to justify it afterwards. For example, commissioners and staff repeatedly reminded each other: “We saw no problems when the barcodes were tested/audited/recounted. Therefore, we conclude the system is safe.”

That’s a textbook case of motivated reasoning. People wearing their thinking caps know that hackers don’t avoid any system that worked well during the manufacturer’s demo or the customer’s test.

People with unclouded vision know that computers do not earn magical immunity from future problems by working well on a previous occasion.

People who are seeking to build voter confidence know it’s a bad idea to give every questionable voting system one freebie botched election before rejecting it.

Commissioner Mark Thomsen, in particular, took it upon himself to play defense attorney for the vendor. He acted insulted that voters had implied the barcoding BMDs are “hackable.” But that wasn’t the voters’ point. Of course the barcoding BMDs are hackable; all computers are. If Thomsen had been listening to understand rather than listening to refute, he would have understood the issue was not “hack-ability,” but that barcodes remove voters’ and officials’ ability to detect hacking.

Most bizarrely, Thomsen repeatedly reiterated one laughable argument made by the vendor. The argument is this: Because the tabulators read all votes as binary code, voters have no reason to object when the printer makes their votes indecipherable to humans.

Thomsen has more than enough intellect to understand that users need to be careful to feed computers only accurate information, so he understands why voters need to be able to tell whether their intended votes were faithfully recorded on their paper ballots.

The voter registration system, like the voting machines, processes information as binary code, but I have no doubt Thomsen would immediately see the problem if anyone suggested that WisVote render each voter’s registration record unreadable to the voter.

But for some reason he pretended he didn’t understand.

Thomsen even went on to argue in favor of another type of BMD that WEC staff had wisely recommended rejecting. This machine combines a ballot-printer and a tabulator in one machine, creating a feature independent elections-technology experts ridicule as the “permission to cheat” feature. Fortunately, the other commissioners acted as a wise jury, so the notion of overriding the staff recommendation to reject that component went nowhere.

Voters shouldn’t give up.

The commissioners are neither stupid nor crooked, as far as I can tell. They do a fabulous job, for example, when they’re working on security for WisVote (the voter-registration system).

It’s only when the questions involve the tabulation system that they become more interested in making excuses for security flaws than in fixing them. They suspend their common sense only when the voting-machine vendors sweet talk them. But whatever the reason, siding with the voting-machine vendors against the voters is something of a habit for them.

As voters who want to protect our own votes and our communities’ elections, we’ve got work to do. We need to show up and object every time the Commission considers idiotic equipment. I see too much common sense on that commission to believe they will keep these particular blinders on forever.

The other suggestion on the table is a lawsuit. Wisconsin law requires that voting systems “permit an elector to privately verify the votes selected by the elector before casting his or her ballot.” If the WEC admits the barcodes are the only marks ever counted as votes, they will be admitting that the BMDs don’t comply with the verifiability requirement. On the other hand, if the WEC argues that the voters can verify the human-readable text on each barcoded ballot, they will be stuck with no explanation of why that text is never counted as votes. Therefore, if we can find a lawyer willing to defend election security and voters, we could make an argument that barcoding BMDs are already illegal in Wisconsin. If the Commission wants to build voter confidence and enhance security, it will adopt this line of reasoning even without a lawsuit.

Contact Senators NOW about election security

A coalition of national pro-democracy groups is calling for a national day of action for election security. Wisconsin voters need to respond. On or before Tuesday, Sept. 17 contact our two senators to let them know Americans deserve secure elections! Important legislation is stalled in the US Senate, and the senators need to MOVE.

Here is Ron Johnson’s contact page. Ask him to support election security action and to pressure Mitch McConnell to allow votes on the election-security legislation passed by the House.
Here is Tammy Baldwin’s contact page. Thank her for supporting election-security legislation.

Wisconsin has paper ballots, but our election results are not secure. Our county clerks do not use those paper ballots to verify the Election-Night results before they certify the final results. Several other states don’t even have paper ballots. That threatens us all.

The risks are real. Evidence is overwhelming. In 2016, Russian operatives hacked and probed American political campaigns and voter registration systems. But Russia isn’t the only problem–maybe not even the worst. Why would it be? American elections are an attractive target for many around the world and in our own country.  Hackers in China and Iran are showing interest and have launched thousands of attacks not just in the U.S., but in 26 countries, according to Microsoft, which has been helping detect and deter attacks for democracy-supporting organizations of all stripes. 

Many in the US Congress appreciate the need for REAL election security–and NOW. The House of Representatives has passed federal legislation that would make it possible for every state to have:
1) A voter-verified paper ballot for every vote; and
2) Robust ​manual​ election​ ​audits that detect and correct any false outcomes before election results are declared final.

But the US Senate isn’t working.

The House passed $600 million (in H.R. 3351) in election security funding for states and localities to use to secure our vote. While Republicans and Democrats had different proposals, nearly every representative in both parties voted to designated hundreds of millions of dollars for election security. Now it’s time for the Senate to write and pass its funding proposal.

But Mitch McConnell said. “I’m not going to do that.” He and his obedient cronies are blocking the legislation that would allow the states to protect our federal elections in 2020.

Every single U.S. Senator must stand up for democracy now. The Senate must pass funding for election security. They must include the House bill language so that the counties that are the most vulnerable are able to get the funds they need to secure our elections for all. 

The House voted to provide the states with funding for:

  • Paper Records: Every voter can ​​mark​ ​a paper​ ​ballot​ by hand or with an assistive device and verify their vote, so that there is a paper record of every vote cast.
  • Checking the Results: Officials subject ​machine-counted​ ​results​​ to​ a robust ​manual​ ​post-election​ ​audit,​ that can detect and correct false outcomes.
  • Secure Voter Data: Voter databases should be backed up offline, monitored and secured using best practices. Poll workers should be trained to ensure that voters can cast a vote in case of a hack or error.
  • Election websites and election management systems, as well as the vendors themselves also need to be more secure and resilient in the face of possible hacking attempts and computer error. 

FAQ

Q: To what extent can Mitch McConnell hold up the funding?
McConnell can fully block the funding if he wants to. But his spokesperson recently said they have not ruled out an appropriation for election security so national election-security advovates believe there is an opening. At the end of September the government must be funded so the Senate either must pass appropriations bills or agree to a continuing resolution with the House leadership. In either case, $600 million in election security funding for states and localities can and should be included.

Q: Isn’t this a federal mandate on state elections? 
States and localities have been pleading for funding from Congress for years now, and every state wants to be able to secure its elections. The House passed a strong bill with $600 million requiring the funding be spent on the areas of greatest vulnerabilities.

Q: The states got $380 million for election security in 2018 and they haven’t spent it all. Shouldn’t we wait until should spend it before getting more money.
States and counties are spending down the funds, they expect to spend 85% of the funds by the 2020 election. But in too many places it wasn’t enough to do a lot of the serious work. We want them to proceed quickly, but carefully so they actually are able to use the funds to make our elections more secure.

Q: My election official says the voting machines are not connected to the internet, how can they be hacked?
Sadly, our local election officials cannot promise that–they simply cannot know. They don’t have control over the security of the voting-machine manufacturers, where the software is developed. Election officials have no way to know whether those companies’ computers are on or off line. And if the software has been compromised before it even reaches the local officials, it doesn’t matter whether the local clerk keeps it secure.

In addition, it’s just not true that the voting machines are never connected to the internet. Local election officials often don’t understand what the voting machines are doing when they transmit results on Election Night. Almost all of our voting machines and the county elections computers use the internet during pre-election tests and then again for election-night reporting of the results. And on top of that, national cybersecurity sleuths recently found that nine Wisconsin counties had left their county elections computers on line continuously for as much as a year!

Q: We already have paper ballots, what do we need this funding for?
Paper ballots are only decorative if no one ever uses them to verify the voting machines’ accuracy. As things now stand, after a Wisconsin voter casts his or her ballot, chances are it will never be looked at again. It will be sealed up on Election Night and will stay sealed until it is destroyed two years later. In the meantime, the voting-machine tape will be assumed to be correct.

Unless the paper ballots are used in rigorous post-election audits comparing the votes on the paper with the numbers the machine reported, we can’t know for sure if the outcome of the election was correct.

The one huge hole in Wisconsin’s election security is that our officials do not routinely audit the results. The state elections agency could use this money to fund efforts to develop practical, reliable audit practices that fit with Wisconsin’s unique election-administration practices.

About those Russians…

In the past two weeks, three reporters have asked me to comment on Russian interference in US elections. Do I believe the Russians interfered with the 2016 election? Do I think they will try in 2020? And my least favorite: Do I think Russians are the worst threat to the voting machines?

I’ll answer the ‘worst’ question first: What the hell does it matter?  All threats are threats. Will it be a boring news story if our election is stolen by a Canadian anarchist living in his grandmother’s basement, or by a random computer glitch?

I’ll tell you what the worst threat is. It’s the threat that is literally the sum total of all other threats. Wisconsin county clerks are STILL not using the only safeguard effective against every voting-machine threat including the Russians: Using our paper ballots in prompt, routine, hand-counted audits that verify the correct winners.

The simple truth should be obvious. It is ridiculous to allow any computers to make any big decision unless you have a reliable way to detect and correct serious computer errors.  

Can you think of any other government agency that relies on computers and doesn’t have some way to notice if the computer screws up a big operation? No, you cannot. There isn’t one. Only election officials trust their computers that blindly, and demand our trust, too.

When Wisconsin’s county clerks declare election results final without verifying the correct winners, they are allowing computer programmers to pick the candidates who will govern us.1 They don’t supervise these programmers. They don’t know even know who or where they are.2

As to the other questions:  I don’t know whether the Russians or anyone else tampered with the voting machines in 2016 and 2018. No one does.

We don’t know because Wisconsin election officials didn’t check. 3 How is that not scandal enough?

Wisconsin’s election officials just seal our paper ballots on Election Night and leave them sealed until it’s time to destroy them two years later. No one ever knows if the paper ballots tell a different story than the computer tapes.

And I don’t know whether Russian criminals are planning to mess with the voting machines in 2020. I know that it is wise to assume they are. Most importantly, I know it will be criminally negligent if our county clerks make no effort to detect and correct any hacks that might get by the security system.

Call your Wisconsin County Clerk today and say: “Surely you understand that you cannot guarantee the security of our voting machines. Too much is outside your control. The only thing you can secure is the election results, and you can do that only by using our paper ballots in hand-counted audits during the county canvass to make sure you certify only the correct winners. Get busy now on developing audit procedures for the 2020 elections.”

– – –

1 A few Wisconsin county officials claim they “program their own voting machines” and imply that provides security. They don’t, and it doesn’t.
The county clerks ‘program’ the machines only in the sense that you ‘program’ a new cell phone with your personal address book and settings. If any are messing with the actual tabulation software, they are breaking federal law. Truth is, these county officials rely on the voting-machine company in the same way you rely on Samsung, Apple, or Nokia.

2 Example: In 2016, election-security advocates noticed that Dominion—the nation’s second-largest voting machine company, which counts many Wisconsin votes—was recruiting programmers in Serbia. The company’s official response was: “Like many of America’s largest technology companies, which develop some of the software for their products in places like Asia, India, Ireland and the Mideast, some of our software development is undertaken outside the U.S. and Canada, specifically, in Serbia, where we have conducted operations for 10 years.”

3 In the 2016 recount, half of Wisconsin’s presidential votes were “recounted” only by running the ballots back through voting machines programmed by the same people who programmed them for Election Day. These were the ballots in the state’s largest counties (except Dane)–the counties most at risk of hacking.
In the half that was hand-recounted, the recount found that more than 1 in every 170 votes had originally been miscounted. These errors were not deliberate and affected both major-party candidates equally. As a result, they did not change the outcome and the news media didn’t report it.
But notice this: even when that many votes had been miscountedup to 30% in some individual wardscounty clerks did not notice it in their regular canvass. They detected the incorrect vote totals only when forced to check their work with a recount. Unless our county clerks adopt routine audits, the same will happen when hackers put the Election-Night results outside Wisconsin’s microscopic recount threshold (0.25%). There won’t be a recount and the hackers will have successfully pulled off their crime.