BLOG

An Illustrated Introduction to Risk-Limiting Audits

Posted by Karen McKim · December 19, 2018 2:21 PM

December 19, 2018 — “As the secret ballot transformed elections in the last century,” said Joseph Hall, Chief Technologist for the Center for Democracy and Technology, “risk-limiting audits are going to transform elections in this century.”

 In a few years, Americans will look back, aghast, at our current election management. We will be amazed that we ever trusted vote-tabulating computers so much that we routinely declared winners without checking results for evidence of fraud, glitches, or human error.  We will consider routine verification to be an indispensable part of managing elections, just as cash-register reconciliation is now for managing the corner convenience store.

In preparation for that day, it’s time to understand: What is a “risk-limiting audit”?

First, a risk-limiting audit is not a specific set of steps or statistical calculations. Like “home-heating system,” the term describes a function, not a method. If a system heats your home, it’s a home-heating system. If it doesn’t, it’s not. A wood-burning stove is a home-heating system. Electrified tile floors are a home-heating system. Triple-pane windows and attic insulation are not.

A risk-limiting audit is any review that imposes a precise limit, such as 10%, on the risk of certifying incorrect results in the event that Election-Night results identified the wrong winner. Any review that accomplishes that is a risk-limiting audit. If it doesn’t, it’s not. For example, pre-election voting-machine tests and hand-counting to verify a few voting machines’ results are good. But even when completed correctly, they do not precisely limit the risk that officials will detect and correct any outcome-altering miscounts.

(Though it’s not part of the official definition of risk-limiting audit, I’ll mention the other side of the coin. In the event that Election-Night results identified the right winner, a risk-limiting audit does not reduce the risk that officials will certify the wrong one. That risk stays at zero.)

You might be surprised that statistical analysis is not a required feature of risk-limiting audits. A full recount uses no statistical methods and if done correctly, limits the risk of declaring the wrong winner to zero. Therefore, it’s a risk-limiting audit. But full recounts require too much effort to be used routinely. So to reduce the time and effort needed to confirm elections, most types of risk-limiting audits use random sampling for selection and statistical processes for analysis.

Another feature of risk-limiting audits is manual inspection of voter-verified paper ballots. Until some as-yet-uninvented technology comes along, we can verify the computers’ verdicts only by comparing them against something that didn’t come from a computer. That is, we need direct human observation of the paper ballots that were marked, or at least verified, by the voters themselves.

Finally, the word ‘audit’ doesn’t mean what you probably think it means. Outside elections, independent auditors perform audits after auditees have completed the work. In contrast, a risk-limiting audit is completed by the responsible officials as part of their work of certifying election results. A post-certification review might provide useful information for the next election, but it cannot limit the risk that the wrong winner was certified in this one. Risk-limiting audits probably should have been called ‘risk-limiting reconciliation’ or ‘risk-limiting verification,’ but it’s too late to change that now.

Try it yourself…

In December 2018, national election-security leaders came together at an Election Audit Summit in Boston, organized by the MIT/Caltech Voting Technology Project. Dr. Philip Stark of the University of California-Berkeley, who originated the concept of risk-limiting audits, led participants through a demonstration. The instructions below are adapted from Dr. Stark’s handout, Audit Simulation for Auditing Summit

In brief, the exercise uses playing cards to represent ballots containing votes for Black or Red. The cards are sorted into piles representing precincts; a sample is randomly drawn from across all participating precincts. Each card either builds or reduces confidence in the Election-Night results, until a pre-determined acceptable level of confidence is achieved—or is not. To do this exercise, you’ll need:

  • two decks of playing cards;
  • scratch paper;
  • a pencil; and
  • a random-number generator.  

Note: the statistics in this exercise are realistic but not precise; they are for illustration purposes only. A real election audit would use a sample size and confidence level calculated for the results being audited.

Example #1: When Election-Night results are correct

The first illustration will show how a risk-limiting audit plays out when Election-Night results identified the correct winner.

1. Get two decks of playing cards. They don’t need to be the same design, but the same shape and size will make them easier to work with. From one deck, remove the jokers and set the hearts aside. This leaves 39 cards in this deck—26 black ‘votes’ and 13 red.

2.  From the other deck, remove the jokers and set aside both the hearts and diamonds. This leaves 26 cards in this deck, all black.

3. Shuffle all 65 cards together, but not thoroughly. Actual ballots will not be thoroughly shuffled; your cards don’t need to be, either.

4.  Separate the cards into six stacks to represent precincts. You don’t need to make them the same size. In the real world, some precincts have more voters than others. Label the stacks “Precinct A,” “Precinct B,” and so on up to “Precinct F.”

5.  Count the cards in each precinct consecutively and write the numbers on the labels. For example, if Precinct A has 12 cards, you will write “1-12” on that label. Then start Precinct B’s count with 13, so that Precinct B’s label will be something like “13-23.” Precinct C will be something like “24-35,” and so forth. If you’ve counted correctly, the last card in Precinct F will be 65. 
Some vocabulary: A list of precincts indicating the number of ballots in each (e.g., Precinct D has 13 ballots) is a “ballot manifest.” When you assign a unique number to each ballot (e.g., Precinct D contains the 36th through the 48th ballot), it becomes a “ballot look-up table.”

Now, imagine you’re the official who is responsible for certifying this election. You know the possibility of an outcome-altering Election-Night miscount is remote. Nevertheless, you want to: 1) deter fraud in future elections, 2) demonstrate to the voters that local elections are secure against even remote risks; and 3) make sure you don’t miss even a remote possibility of declaring the wrong winner.

So you’ve decided to give yourself at least a 90% chance of detecting any outcome-altering miscount before you declare the official winner. In other words, you have decided to impose a 10% limit on the risk that you will fail to notice and correct any such miscount. (You could choose a different level of risk, if you wish.) If the machines identified the correct winner, there is a 0% chance an audit will reverse that.

Initial Election-Night results indicated that Black got 80% of the vote and Red got 20%. While you haven’t looked at any ballots yet, you know how many were cast.  Using that information, you consult with a statistician or the risk-limiting audit website to find out how big your manually counted sample needs to be to confirm the right winner or to detect the wrong one.

In a real risk-limiting audit, you would be told a specific number of ballots to draw for the first sample—up to a few hundred, depending on the margin of victory and the number of ballots cast in the race. Your statistician or the RLA website could also generate random numbers for you, to determine which ballots to draw for the sample. For this demonstration, let’s imagine you were told to select 10 ballots.

6.  Create a score sheet with columns for the random number, the color of the card, a confidence score for each card, and a running confidence total.

7.  Generate ten random numbers between 1 and 65. Write them in the first column. These are the ballots you need to inspect. 

8. Then find each card. For example, if the first randomly selected ballot was #38, you would check the ballot look-up table and see that card #38 is the third card in precinct D. Look at that card, record its color in the second column, and replace it.

  • If the sampled card was black, it builds confidence that the preliminary results were correct when they identified Black as the winner. Note +5 confidence points for that card in the third column, and add 5 points to the confidence total in the fourth column.
  • If the sampled card was red, it reduces confidence in the preliminary results. Note 10 confidence points in the third column, and subtract 10 points from the confidence total in the fourth column.

9.  When you’ve recorded the color of each card in the sample, look at your total confidence score. If it is 25 or higher, you have statistically confirmed, with 90% confidence or more, that no Election-Day miscount identified the wrong winner. You can end the audit and certify the results.

The photo below shows that this audit could have stopped after the eighth card, because the confidence score reached 25 at that point. On average, an audit like this would need to inspect 14 cards to reach a confidence level of 25—if, that is, the Election Night result was correct.

If your confidence score is less than 25, select another random ballot, and another, until the total confidence level reaches 25. (Or until you realize that you messed up the first two steps of this exercise and are working with a deck in which there are actually more red than black cards.)

#2: When Election-Night results are incorrect

The second part of this exercise shows what happens when Election-Night results were wrong.

1.  Retrieve the red cards you set aside, so that you are using all 104 cards from both decks. Shuffle them together. Again, this does not need to be a thorough shuffle. Some ‘precincts’ can be mostly red and some mostly black.

2.  Separate the cards into 9 stacks of differing sizes to represent precincts. As in step 5 above, count the cards in each stack to create a ballot look-up table.

3.  In this exercise, we know the election was a tie. But in a real election, we would not know that, because the computers told us that Black won, and we have not yet inspected any ballots. So we would give the same information to the statistician or RLA website that we did in the previous example—that is, an 80% victory for Black. Given that situation, the instructions we receive would be the same: Select a random sample of 10 ballots by generating 10 random numbers—this time, between 1 and 104, because we have more ‘ballots.’

4.  As in the first exercise, use the ballot look-up table to find each card selected for the sample. Note the color of each and confidence points on the tally sheet. Check to see whether the total confidence score reached 25. In this case, it did not.
It is possible that your first sample reached a confidence score of 25 or more. If so, your audit incorrectly confirmed a miscounted election. This can happen—statistical confidence is not the same as rock-solid certainty. A 90% confidence target means that 10% of the time it will be wrong. To calm your nerves, think of this from the point of view of election thieves who see a 90% chance that their handiwork will be noticed and corrected.

5.  If the total confidence score is less than 25, you have not yet confirmed the Election-Night results, so you will need to expand the sample by inspecting more random ballots.


When the Election Night results are wrong, the more ballots you sample, the lower your confidence level will sink. As shown in the photo, as more and more ballots are inspected, it becomes more and more apparent that the preliminary results are just not right.

Election officials who conduct risk-limiting audits of real elections adopt written policies that address this possibility. A sensible policy, for example, might dictate that the audit will stop if it fails to confirm the outcome with two additional samples, and the effort will instead be put into a manual count of 100% of the ballots.

About sample size, statistical confidence, and emotional confidence

One concept should now be clear: A random sample of ballots is a miniature version of the entire election.  The same winner will emerge from both–if both are accurately counted.

In the first exercise above, Black had more votes in the whole set of ballots from which the sample was drawn. As a result, more of the randomly selected ballots contained votes for Black than for Red. In the second exercise, Black did NOT have more votes than Red, and so we could not confirm a Black victory no matter how many ballots we randomly drew.

In other words, when preliminary election results have identified the correct winner, inspection of a relatively small number of randomly selected ballots provides strong evidence of accuracy. Conversely, if preliminary election results identified the wrong winner, inspecting a random sample of ballots will reveal the problem before officials certify the election.

Once we see that random samples reflect the true results, the next question is what size sample works best. Smaller samples reduce work, but increase uncertainty. Larger samples provide more confidence, but are more work.

This demonstration started with samples of 10 cards, which in the 65-card ‘election’ was a little more than 15% of the ballots. In a real election audit, the initial sample size would not need to be anything close to 15% of total ballots, particularly if the preliminary results indicated an outcome as decisive as this one. 

To work through a real-life example, let’s look at the 2018 race for US Congress in Wisconsin’s First Congressional District. This reasonably close and hotly contested race filled the seat being vacated by former Speaker Paul Ryan. The actual results were: 325,003 total ballots; 177,490 votes for Steil; 137,507 for Bryce; and 10,006 for Yorgan.

When you plug these results along with a 10% risk limit into the online tools for ballot-polling RLAs, statistical operations built into that tool predict that you will likely be able to confirm Steil’s victory, if Steil actually won, with an initial sample of only 301 ballots. That’s only one-tenth of one percent of the 325,003 total ballots. If Steil did not truly win, auditing 301 ballots would produce results more like the second example above–forcing officials to keep expanding the sample until it was obvious that the Election-Night results were incorrect. (Instead of using +5, -10, and 25 total points as indicators of confidence, officials would have counted the votes in the sample and could have used the online tools to assess the results. See the section titled “Should more ballots be audited?” at the bottom of this page.)

If election officials did not believe that 301 ballots would provide voters with enough subjective confidence in the result (as opposed to statistical confidence), they could have selected a smaller risk limit. In this congressional election, a 5% risk limit would have needed an initial random sample of 389 ballots; a 1% risk limit, a random sample of 594 ballots. Or, election officials could adopt an audit policy that every initial sample will contain either enough ballots to support a 5% risk limit, or 1,000 ballots, whichever is greater.

Other lessons from this exercise

This exercise highlighted risk-limiting audits’ tightly focused purpose—to detect and correct any outcome-altering miscounts. This purpose is critical for election security and for voter confidence, but does not solve all problems. Election officials must perform other types of reviews to determine the cause of any miscounts and to monitor other important issues, including:

  • The presence of any miscounts that may have disenfranchised some voters without affecting the outcome;
  • The accuracy of any single precinct’s or voting machine’s tabulation;
  • The quality of any of the processes that determine which ballots were cast and accepted, such as issues with voter registration or ID, or whether all and only valid absentee ballots were accepted and counted.

In addition, this exercise simulated only one type of risk-limiting audit, known as a “ballot-polling audit.” Depending upon the size of the election, the type of records created by the voting-equipment, and other factors, election officials might decide to use a different type of RLA, such as a “comparison risk-limiting audit” or a Bayesian audit. Election officials do not need to read and digest the scholarly articles. Federal officials, staff in jurisdictions that have experience with auditing, and other experts are willing to help local election clerks understand the options well enough to make the right choices and get started with election auditing. A local election official can likely find useful help as close as the nearest local government official who has expertise related to auditing or quality assurance. 

This exercise also probably raised some implementation questions: How can election officials draw a random sample in a election for which ballots are stored in sealed bags across hundreds of municipalities? How do you know how big your sample needs to be if you want to verify the outcomes in two or more races? Election officials who have started with risk-limiting audits have tackled these questions, and more solutions are being worked out with each new election. The solutions are not always easy or obvious, but local election officials who want to try their hand at risk-limiting audits need only to ask those with experience.

Finally, this exercise demonstrated that even risk-limiting audits might, on occasion, fail to detect miscounted election results. A 90% chance that serious fraud will be detected and corrected is the same thing as a 10% chance it will not be.

That highlights the need to keep two other facts in mind. First, a 90% chance of detecting fraud is better than the 0% chance that non-auditing election officials and their voters now tolerate. Second, the audits’ greatest value is, arguably, deterrence. When would-be election thieves contemplate a 90% risk of getting caught, there’s a good chance that election officials will have no electronic election fraud to detect.electionscounting votesWisconsinrisk-limiting auditsdemonstratio

Wisconsin County Clerks Association doesn’t wanna.

Posted by Karen McKim · November 25, 2018 10:31 PM

No city treasurer would refuse to check the accuracy of property-tax bills. 
No county executive would release a report on annual expenditures without double-checking its accuracy.

Most local officials don’t need anyone to pass a law telling them: “Don’t forget to check your work!”  They accept checking accuracy as a basic managerial responsibility.

But the Wisconsin County Clerks Association is officially on record: They don’t want to.

And their work product is our election results.

The WCCA statement came in response to the Wisconsin Elections Commission’s September announcement that they were considering two election-security measures.

The first proposal involved the only accuracy-checks the Commission has authority to order: audits of individual voting machines by municipal (not county) clerks. These audits are better than nothing, but have limited value. Not only are they limited to November elections in even-numbered years, but they also check only a few random voting machines, without confirming the right winners in any race.

The Commission was considering ordering more machines audited than in previous years and requiring the audits to be completed before election results are declared final.

The second proposal would move Wisconsin slightly in the direction of national election-security standards. The Commission said it was considering encouraging county clerks to perform audits of the type that if done widely, might confirm that Election-Night results had identified the right winner and give clerks the opportunity to correct the results if they had not. 

WCCA’s response was swift, naïve, and irresponsible.  The county clerks didn’t want the Commission to require, or even encourage, the county clerks to perform genuine election audits.

Perhaps sensing they are defending the losing side in a national trend (they are), the county clerks also described how they want to restrict this election safeguard:

  • They don’t wanna check accuracy until after they have certified final election results.
  • They don’t wanna check accuracy for any but the top race on the ballot.
  • And they want the State to pay extra if it even suggests they check accuracy.

I’m not making that up. The organization’s memo to the Wisconsin Elections Commission is reproduced, verbatim, below.

About delaying audits until after certification: The WCCA wrote that our paper ballots “should be treated like evidence and remain undisturbed” until after the clerks have certified the results. Join me in a prayer that the Trial Judges Association doesn’t share this idea about the proper use of evidence. Imagine our courts refusing to look at evidence until after they’ve reached their verdict. 

About auditing only the top race on the ballot: The WCCA’s message could be restated: “If you force us to protect the US Senate election, we will refuse to protect the Governor’s race.” Hackers are delighted to know ahead of time which race will be off limits, and which races will be on an honor system.

About making the state pay extra for accuracy: With this statement, the WCCA clearly rejected the idea that accuracy is  a normal managerial responsibility. Imagine a parks manager telling the county budget manager: “I signed off on this accounting of the user fees we collected. If you want me to make sure it’s right, you’ll need to pay extra.”

In a final Trumpian flourish, the memo’s author blatantly misrepresented the findings of a study by MIT, Harvard, and the UW Madison researchers (Learning from Recounts, 2017). The WCCA memo claimed the researchers had declared that “hand counts of election results are inherently inaccurate.” Compare that to the researchers’ actual words:

“…careful hand counting in a recount is the gold standard for assessing the true vote totals — in large part because of the greater focus on a single contest, more deliberate processing of ballots, and careful observation by campaign officials and other interested parties….”

 *  *  *

Wisconsin statutes give the buck-stops-here responsibility for election results’ accuracy to the COUNTY clerks, and to no one else. Municipal clerks cannot verify results in federal, state, and county races; they have access to the ballots from only their own city, village, or town. The state elections agency is the legal custodian of no ballots at all; has only a few days after county certification before they must certify; and has no statutory authority to question results a county has certified.

We must insist the county clerks fulfill that responsibility. They have the paper ballots. They have the time. Modern election-audit practices would allow them to verify a few races on the ballot in just two or three days, while statutes allow them at least two weeks before they must certify the election.  The only cost would be the hand-counters’ time at $10 or $12 an hour—a tiny fraction of the county’s elections-administration budget.  They could randomly select just a few races for verification—just enough to deter election thieves in the races most liable to attract their interest.

And yet, collectively, they refuse.

Update: Wisely, the Commission ignored the WCCA’s whining and voted unanimously to encourage county clerks to start auditing during their canvass. And as the WCCA memo states, a few county clerks have begun voluntarily to incorporate hand-counted audits into their routine canvass procedures.

Every county clerk in Wisconsin received a memo on October 4 explaining the current nationwide move to election auditing and providing the clerks with instructions on how to get started.  

Only voters, though, can make it happen. Voters who care about election security should contact their county clerk to find out whether their votes in future elections will be protected with hand-counted audits during the county canvass.  

If not, the next election on February 19 will provide an excellent opportunity for your clerk to begin developing routine election-audit practices, since it will likely be a low-turnout election. Your county clerk has plenty of time before February to learn about the various methods of checking accuracy and work out his or her local procedures.

Insist on it.  

Better management, less partisanship

We need to talk about how we can defend election officials from partisan allegations of corruption, when they are guilty only of poor, careless, and ineffective elections management.

I hope you perceived that sentence to be as goofy as I intended it. What I really want to know is when we voters are going to demand high-quality election administration. When poorly operated polling places make voting difficult, when ballots are mishandled or when votes are miscounted, I don’t care which party it hurts or whether it was fraud or incompetence.

I want it fixed.

Following every election, my Facebook news feed fills with reports of sloppy election-management practices. If partisans can find a way to use an incident to their advantage (and they always can), that’s all they want to talk about.

I spent last Saturday morning in New Berlin at a meeting of grassroots conservative voters who are loudly disgusted with Milwaukee’s election administration. They freely alleged corruption and fraud, which I think unlikely, but I appreciate their anger and distrust.

Their candidate for governor lost by 30,849 votes on a night when the City of Milwaukee took hours longer than expected to process 47,000 absentee ballots. City officials explained that they needed to copy more than 2,000 of those ballots by hand because the original ballots were too damaged for the machines to read.

How can anyone expect emotionally invested partisans to refrain from yelling “Corruption!” when something like that happens?

So election officials promptly apologized. They admitted they knew ahead of time exactly how many absentee ballots they would need to process. They accepted full responsibility and started an immediate investigation. They made a public commitment that in future elections, absentee ballots will be processed as smoothly in Milwaukee as elsewhere.

I’m being goofy again. They did no such thing. That’s the kind of response we’d expect from a city treasurer who had sluggishly processed 47,000 property tax payments because 2,000 had been mangled.

In reality, the first response from election officials was that the incident was “routine,” hardly a confidence-building defense. Then, Milwaukee Elections Director Neil Albrecht reframed concerns about management as insults to the workers, and blamed Republicans for not passing legislationthat would allow municipal clerks to run the voting machines continuously for weeks before each election. (He did not, however, offer a solution to the as-yet-unresolved details of how security and accuracy safeguards can be maintained when voting machines are in active operation for a six-week period instead of just one day.)

No sensible observer of politics will be surprised when I report that the Republicans in the meeting I attended spoke of using this incident to restrict all early and absentee voting around the entire state. They further mused about reviewing all Milwaukee absentee ballots to make sure the envelope signatures match those on file. They spoke of demanding a randomly selected ballot be thrown out for every ballot disqualified by a non-matching signature. (That’s called a ‘drawdown’ and is legal under current Wisconsin law.) Going after mismatched signatures has been used in other states to get votes thrown out or to make voters jump through hoops to preserve their votes.

Of course, such a process, if done only in Milwaukee County, would throw out many more Democratic votes than Republican votes. That’s why throwing out the ballots of randomly selected innocent voters while creating no consequences for the responsible managers looks like a ‘solution’ through their eyes.

So we’ve got a situation in which the Democrats are using this incident to push for running the voting machines continuously for six weeks, damn the security issues. The Republicans are using it to push for measures that would suppress legitimate Milwaukee votes.

Who is talking about better election administration? Who is asking why Milwaukee officials were prepared to count fewer ballots than they knew they had on hand? Did they not hire enough workers? Did they not assign enough equipment? Were their procedures less efficient than they could have been? Who is demanding to know why Milwaukee had, proportionately, more spoiled ballots than other counties, or what can be done to fix that? 

No one. We don’t hold our election managers to the same standards we hold other local government managers. Can you imagine what would happen to a city treasurer who defended comparable news about processing property-tax payments by calling it ‘routine’? When transactions are conducted in votes rather than dollars, our expectations of the managers plummet. 

When we tolerate–even excuse—elections mismanagement, partisans will always take advantage.  To use this case as an example, it is easy to see that people who want to expand early voting should aggressively work to make it as well-managed as possible, not to defend its mismanagement as unavoidable or routine.

Partisanship will never go away; tribalism is what humans do. But our election officials could stop insisting that voters accept poor planning and accidents as routine. If we want to hush the partisan complaints, we must hold our election managers to higher standards of care and competence. 

Audit this election; deter fraud in the next.

Posted by Karen McKim · November 16, 2018 10:35 PM

Have any Wisconsin elections been hacked? A few elections were recounted, but no one knows about the others. Until this year, Wisconsin’s election officials merely added up the machines’ vote totals and declared the results final. Audits were something that they did later, if ever.

But Wisconsin’s clerks are waking up to the fact that if they choose to, they can detect miscounts in time to correct them.

So this month, for the first time in Wisconsin’s history, voters can be present as clerks hand-count paper ballots. These audits will verify at least some computer-tabulated results before they declare election results final. 

At least one audit will be conducted in every county. The day after the election, Wisconsin Elections Commission staff randomly selected 5% of the voting machines and ordered those municipal clerks to conduct hand counts. Those audits are now underway, and will be completed before November 28. Click here to see if a municipality near you is conducting one. 

Do not expect the audits to detect problems.
Finding problems in this election is not the audits’ main value.
Routine audits are valuable for the fraud they deter.

Our election officials need public support and recognition for starting down the road to secure, audited elections. Here’s what you can do:

  • At a minimum, call your local municipal clerk and your county clerk to thank them for this year’s audits and encourage them to do more in future elections. The WEC can order only municipalities (not counties) to check accuracy, and can do that for only one election every two years. Voters need to pressure our local officials to do more, voluntarily.
  • Better yet, ask the municipal clerk when the audit will be conducted in your municipality. Attend and observe, if only for an hour or two. As administrative procedures, audits are more relaxed than recounts. The municipal clerk should allow you to observe closely enough to see the ballots yourself, and your presence will show the clerks their work is appreciated.
  • More detailed instructions for observing the audits are here.

Call your municipal clerk today, and support the efforts to secure Wisconsin’s elections with routine audits.

How to observe a voting-machine audit

Help protect election integrity.
Observe a hand-counted voting machine audit in your county.

Click here for a pdf version of these instructions.

Note: You will support election security if all you do is show up, sit down, and watch auditors count votes for an hour.

If you’re in a hurry, you can stop reading now. Just show up, and you’ll be doing a good deed. If you’re nervous that you won’t remember the following instructions, don’t worry. You don’t even have to read them. Just show up, follow the clerk’s instructions, and watch, and you will be providing a valuable service. Elections cannot be trustworthy without transparency, and our election officials cannot make transparency happen all by themselves. If voters want transparency, we need to be there. Just be there.

To find out when and where:

  • Find a municipality (city, village, or town) near you that was selected for an audit.  This list is in alphabetical order of municipality, or if you want to look them up by county, use this list from the Wisconsin Elections Commission
  • Find the phone number for that municipal clerk from this list or this list.
  • Call the municipal clerk. Ask when and where the voting-machine audit will take place. 
    If you’re interested and able, ask the clerk whether and how you could participate as one of the vote-counters. Some of the municipal clerks understand the value of public participation and like to get volunteers. Don’t be insulted, though, if the clerk already has the audit staffed. Mostly, they will rely on experienced poll workers.
  • If you cannot set aside an entire day, consider observing only in the afternoon, so that you can be there when the results are compared.

The important role of OBSERVER…

Election audits must have transparency to be credible–but election officials cannot demonstrate anything to the public if the public isn’t present.

The presence of observers also helps to ensure officials perform the tasks thoroughly and in accordance with instructions, and to ensure that any problems discovered in the audit are not dismissed or ignored.

Observers, too, get something out of observing. Only by being there can we get to know our local election officials, and audits are good opportunities to do that. Election Day is often tense and busy, while recounts are often hurried, complicated, and contentious. In contrast, because audits are administrative tasks that can be relatively relaxed, unhurried occasions. Observers can ask questions and learn more about how elections are managed and secured.

What happens at an audit?

  1. On the morning of the audit, sealed bags containing ballots and election records will be brought to the audit site and opened. Clerks will inspect the material for any signs of tampering and will review the chain of custody.

  2. The auditors–the people who will be counting the votes–will probably be some of the more experienced poll workers, selected by the municipal clerk. They will begin by counting the ballots into stacks of 20, and the stacks of 20 ballots are arranged in batches of 100.

  3. The auditors will pair up, and each pair will take two batches of 100 ballots. Each auditor will then count the votes from one batch and trade batches with his/her partner, by making hash marks on a tally sheet. They will then trade their stacks of ballots and count the batch the other just finished.

  4. When both have counted both batches, they will compare their tally sheets. If their totals match, the two batches will be set aside, and they will move on to the next two batches. If the two auditors’ totals for any batch do not agree, they will jointly review the ballots and try to find the ones that they counted differently. Experienced auditors will flag those ballots in some way, so that they can be located again in the final reconciliation process. When the two auditors agree on the vote totals in each batch, one will change his or her tally sheet, and they will move on to the next.

  5. When all the ballots in the precinct have been hand-counted, the subtotals from all the tally sheets will be added together and compared against the totals on the voting-machine tape that was printed out on Election Night.

  6. If the hand-counted totals in each race agree with the machine-tabulated totals, the audit is done, and the official in charge completes a report for the Wisconsin Elections Commission.If any totals disagree, the auditors need to try to figure out why. They will need to check their addition, and then most likely, will engage in something of a guessing game trying to figure out how the voting machine might have read ambiguously marked ballots when auditing an optical-scan machine, or questioning their own counts.When the auditors have decided how to explain any discrepancies, the audit is complete and the official in charge completes a report for the GAB.

  7. Chances are, you will see some variation from WEC instructions for the auditors, and you might see the auditors struggling to figure stuff out. They don’t do this often, so cut them some reasonable slack. Most probably, you won’t see any problems more serious than inefficiency and some trial-and-error. If you do see any more serious problems, they are likely to be one of the following:
  • Ignoring certain types of miscounts. The WEC has instructed clerks and auditors have been instructed to dismiss errors that are the result of human rather than machine error. Observers can make sure any such problems are noticed and followed up, after the audit, by the municipal clerk as part of his or her basic responsibility to certify only accurate election results.
  • Unnecessary secrecy. Excessive secrecy is a problem for election security and voter confidence even if no votes are miscounted, because it creates situations that would hide fraud or errors if they occurred. As a result, observers need to be on the lookout for any practices or constraints that prevent them from verifying, with their own eyes, that the clerks and staff are conducting the audit honestly and accurately, particularly if the constraint has no benefit to the audit.
  • Poor handling of election records.  Like unnecessary secrecy, poor handling of election records puts elections at risk of  undetected problems even if no problems affected the election being audited. Observers might notice departures from what is known as “chain of custody” practices.

Step by step: How to observe a voting-machine audit

Before the audit, as soon as you can:

  1. Find out when and where the audit will take place. (See information under the red heading, above.)

  2. If you can attend, please email your name and which municipality you intend to observe to us at  wiscelectionintegrity@gmail.com. We are trying to get as many observers to as many audits as we can, so we’d like to know which municipalities are covered. 

  3. Browse through the instructions provided by the WEC to the municipal clerks, so that you know what they are supposed to be doing. You can watch the whole 28-minute training video provided to the municipal clerks—but if you just want a preview of what will happen during the audit you observe, watch the six-minute segment from 13:00 – 19:00.

  4. Print out the clerk’s instructions to take with you for reference, or save the location on your portable device so that you can access it if needed.

  5. Print out this reporting form, so  you can take notes and let us know how it went.

  6. Plan how long you will spend observing. Auditing a single precinct can take all day, depending on the number of people counting votes, so you may want to plan to be there only at the beginning and at the time they reconcile the completed hand count with the machine tape. They will be unable to predict exactly when they will finish the hand count, but you might be able to estimate that after watching them count the first few batches.

  7. Know the rules of observing: 
    The basic rule is just common sense–Do nothing to interfere with or obstruct the auditors’ work. It’s in their interest and ours that they are able efficiently and accurately to complete the audit. You will not be permitted to touch any election materials.
    But observers can observe. You should be permitted to look at any document you want to see, and to photograph some documents or the process. If you plan to photograph, it would be polite (not required) to let the municipal clerk know this ahead of time, so that he or she can make sure the auditors are not surprised or upset at being photographed. The clerk may impose reasonable restrictions about thing like talking, asking questions, bring food or drink into the audit room. 

On the day of the audit:

  • Take a camera with you, in case problems arise that need to be documented.

  • Take a red pen for taking notes. Red pens are typically the only ones allowed in a room when ballots are being handled, to avoid any chance that the election records could be altered or damaged without detection.

  • Arrive a little early to allow time for cordial introductions, and to discuss with the clerk clear expectations of how and what you want to, and will be able to, observe and when and of whom you will be permitted to ask questions. Explain to the official in charge that the point of public observation is to support public confidence in elections. To do that, you would like to be able to see enough that you can verify that the votes are being counted correctly. Let the clerk understand that you would like to be able see the ballots as the auditors are counting the votes, in a way that will not disrupt their work. Some municipal clerks allow observers to stand behind the seated auditors; others have allowed observers to sit beside the auditors.  At a minimum, the municipal clerk should allow you to view any ballots that the auditors discuss. It may be that the clerk will find no way to accommodate this. Please report that to us on the reporting form.

  • The audit should begin with an inspection of the election records, including the ballot bags, to make sure all necessary records are on hand and are in order, much as the clerk would do for a recount. Observers should be able to inspect–not touch–the material closely enough that they can verify that the marked ballots or machine-printed paper trail are sealed in bags or containers in such a way that no ballots could have been inserted or removed without breaking the seal, and that the records show no signs of tampering; the inspector’s statement should be on hand and in order, containing the seal numbers that match those on the ballot bags, among other information; and the machine-printed results tape should be on hand.

    Before the auditors open the ballot bags, they will compare the number on the bag’s seal to a number recorded on another record when the bag was sealed on Election Night. Ask to observe, for yourself, that the numbers match. If they do not, take a photo to document the problem. Note the problem and what the auditors did, if anything, to determine why the seal numbers did not match and whether the ballots has been tampered with.

  • As the audit tasks proceed, ask questions throughout, as long as your questions don’t interfere with the purpose of the audit or slow it down more than the officials are willing to accommodate.

Issues to watch for (if you are observing a hand-count of voter-marked paper ballots)

Ambiguously marked ballots   A certain proportion of votes can be expected to be ambiguously or sloppily marked, so that the hand-counters will disagree on the voter’s intent. 

Watch to see about how often the auditors disagree, and how they resolve their differences. Ask to see the ballots that seem to them to be ambiguously marked, so that you can develop your own sense of how well the voters marked their ballots. A very large proportion of ambiguously marked ballots—more than an average of one in every 100 ballots—may indicate a problem you could discuss with your municipal or county clerk: How could the voters be instructed more effectively in the next election?

Votes not read or noticed by the voting machine   The type of miscount that is most likely to be noticed is something called an “undervote.”  The human auditors will be able to count more votes on the ballots that the machines counted on Election Night. 

There two most common reasons why voting machines ignore some votes are:

  1. Voters marked their votes in odd ways, such as circling a candidate’s name on the ballot rather than filling in the target dot beside the candidate’s name, making a very faint mark, or using a type of ink the machine could not detect. These are legally valid votes if a human can see the voters’ intent, even if the machine cannot.
  2. The voter cast a write-in vote but did not mark the oval beside the write-in line on the ballot. A human can easily read that write-in vote; the machine looks only at the ovals and sees nothing.

Other possible causes are, of course, more concerning. Programming errors in the past have caused voting machines to ignore some votes; machines can lose calibration and simply malfunction; and (worst case) malicious code could have been inserted to tell the machine to ignore 5% of the votes for a certain candidate. 

In a well-run election, there should not be a large number of these ballots—no more than one in every 200 votes or about 0.5% in the top race on the ballot.  (In other words, 99.5% of the voters typically vote in the main race on the ballot–in this case, governor or US Senate.) 

Here’s where the audits you will observe get harder to understand–but the problem isn’t you. The auditors have been instructed to count the votes as the machines would have counted them, without regard to voter intent. That’s because WEC believes that in order to satisfy federal law, they must assess the performance of the machines apart from any human error or interference. Their reasoning (I’m not making this up) is that if the voting machine was programmed to ignore one-third of the votes (an actual incident in Taylor County in 2004), and the voting machine did, in fact, ignore those votes, the machine was working just as it was supposed to and there is no problem.

Voters, of course, see a problem whenever votes are miscounted, for any reason.

In many municipalities, auditors won’t follow the WEC’s instructions to ignore voter intent and read the votes as the machine would have read them. The auditors are not machines; they’re humans and they can see voter intent. But still, observers should be alert that a serious miscount might be dismissed by the auditors on the grounds that it wasn’t the machine’s fault. 

When all the votes are hand-counted, ask to see the total number of votes for all the candidates in the Governor’s race, including the write-ins. Add all the candidates’ votes together, and divide that number by the total number of ballots. For example, the auditors might hand-count 599 votes for governor, out of 600 ballots (That is, they found votes on 99.8 percent of the ballots.)That means the actual undervote rate was 0.2%–normal.

Now, compare the total number of votes counted by the machine on Election Day to the total number of ballots. The machine might have counted the same number of votes as the human counters–and everything is fine.

But the machine might have counted only 595 votes for governor–that is, it saw a vote on only 99.2 percent of the ballots. That’s an undervote rate of 0.8%–above what experience shows is a normal undervote rate. That could indicate a problem. Ask the auditors if they can find the four votes that account for the difference. If they find four ballots with write-in votes recorded, without the ovals being checked, there’s the answer. 

But if they cannot find the explanation, or if their explanation is a guess, ask them to note that on their report to the WEC, and please report it to us at wiscelectionintegrity@gmail.com. Small errors in one voting machine can add up to a big difference in a statewide election, and should not be ignored.

Issues to watch for (if you are observing a hand-count of a paper trail printed by a touchscreen voting machine)

Unusable voter-verifiable paper audit trail – Wisconsin law wisely requires touch-screen machines to create a voter-verifiable paper audit trail (VVPAT) –a paper print-out of each ballot cast by each voter. If the auditors finds that the paper trail cannot be read, they will likely go ahead and do what they can, or ask the vendor to reprint the tape from the computers’ memory. 

But in reality, an audit is impossible, because there is no voter-verified record to audit. Ask the municipal clerk to note that on his or her report to the WEC, and please report it to us at wiscelectionintegrity@gmail.com.

Cancelled votes – Touchscreen voting machines give each voter a chance to reject a ballot after in has been printed on the paper trail. If the voter rejects the printed ballot, a message is printed on the tape and the voter can start over to create a correct ballot. Experts on election fraud have determined that, if a malicious programmer manages to manipulate a touch-screen voting machine, the fraud might leave evidence in the form of a larger-than-expected number of cancelled ballots.

Local election officials in Wisconsin tend to be dismissive and unconcerned about this possibility, but it is a possibility and certainly something an audit should notice. But the municipal clerk will not likely be alert for cancelled votes–except to exclude them from the audit. Observers, however, can watch out for it. If you see the auditors encountering more than two cancelled votes on one voting machine, ask the municipal clerk to not the number of cancelled ballots in his or her report to WED and please report that observation to us at wiscelectionintegrity@gmail.com.

When the hand count is complete

When the hand-count is complete, the results are compared to the machine-tabulated results. If the two totals match, the machine tabulations are confirmed accurate and the audit is done. The clerk will complete a report to WEC indicating an ‘error rate’ of zero.

If the two totals do not agree, the clerk will need to figure out why they differ before he or she can calculate an error rate, per WEC instructions. Common human-error mistakes include addition errors and forgetting to exclude hand-counted provisional ballots. (The machine couldn’t have possibly counted these votes in the Election-night machine tape).  

As noted above, if the hand-counters found more votes than the voting machine counted on Election Day, there could be a problem. Watch how the municipal clerk and auditors handle that. If they follow WEC instructions, they are supposed to try to figure out why the two counts differed. If the reason is obvious (such as several write-in votes for which the voters did not mark ovals), the auditors might be able to solve the mystery. 

But other problems simply cannot be diagnosed by a municipal clerk and handful of auditors, without more time and resources. Be on the lookout for auditors guessing at explanations for miscounts, without really having enough information to be sure. Ask the municipal clerk to note the auditors’ uncertainty on his or her report to WEC, and please report it to us at wiscelectionintegrity@gmail.com.

What to do if you see problems

If you see any practices that don’t match your expectations of a transparent, fair and accurate hand count, or that don’t follow the WEC’s instructions, ask the clerk to explain. There may be some necessary, harmless variations the clerk is doing for a sensible reason. As long as the main purpose of the test is fulfilled—to verify the accuracy of the machine-tabulated total by comparing it to the results of an objective hand count—there’s no need for observers to be sticklers.

If the clerk cannot give you a good explanation why he or she is departing from the instructions, and you think the variation prevents the audit from verifying the results’ accuracy, encourage the clerk to contact WEC.

You can call WEC at (608) 266-8005 to report an immediate problem, such as observers being locked out of the audit room (it has happened), or other serious violation of the audit requirements. If the issue is not resolved, ask WEC about the procedure for filing a formal complaint.

– – – – – – – – – – –

Whether your observing experience is good or bad, or a mix, we’d love to hear what you noticed and how it went. 
Please write to us, after observing an audit, to let us know: wiscelectionintegrity@gmail.com. 

These instructions can be improved by your feedback. Please email your suggestions to us at wiscelectionintegrity@gmail.com.

How to observe a voting-machine audit

Help protect election integrity.
Observe a hand-counted voting machine audit in your county.

Click here for a pdf version of these instructions.

Note: You will support election security if all you do is show up, sit down, and watch auditors count votes for an hour.

If you’re in a hurry, you can stop reading now. Just show up, and you’ll be doing a good deed. If you’re nervous that you won’t remember the following instructions, don’t worry. You don’t even have to read them. Just show up, follow the clerk’s instructions, and watch, and you will be providing a valuable service. Elections cannot be trustworthy without transparency, and our election officials cannot make transparency happen all by themselves. If voters want transparency, we need to be there. Just be there.

To find out when and where:

  • Find a municipality (city, village, or town) near you that was selected for an audit.  This list is in alphabetical order of municipality, or if you want to look them up by county, use this list from the Wisconsin Elections Commission
  • Find the phone number for that municipal clerk from this list or this list.
  • Call the municipal clerk. Ask when and where the voting-machine audit will take place. 
    If you’re interested and able, ask the clerk whether and how you could participate as one of the vote-counters. Some of the municipal clerks understand the value of public participation and like to get volunteers. Don’t be insulted, though, if the clerk already has the audit staffed. Mostly, they will rely on experienced poll workers.
  • If you cannot set aside an entire day, consider observing only in the afternoon, so that you can be there when the results are compared.

The important role of OBSERVER…

JustShowUp.jpg

Election audits must have transparency to be credible–but election officials cannot demonstrate anything to the public if the public isn’t present.

The presence of observers also helps to ensure officials perform the tasks thoroughly and in accordance with instructions, and to ensure that any problems discovered in the audit are not dismissed or ignored.

Observers, too, get something out of observing. Only by being there can we get to know our local election officials, and audits are good opportunities to do that. Election Day is often tense and busy, while recounts are often hurried, complicated, and contentious. In contrast, because audits are administrative tasks that can be relatively relaxed, unhurried occasions. Observers can ask questions and learn more about how elections are managed and secured.

What happens at an audit?

  1. On the morning of the audit, sealed bags containing ballots and election records will be brought to the audit site and opened. Clerks will inspect the material for any signs of tampering and will review the chain of custody.

  2. The auditors–the people who will be counting the votes–will probably be some of the more experienced poll workers, selected by the municipal clerk. They will begin by counting the ballots into stacks of 20, and the stacks of 20 ballots are arranged in batches of 100.

  3. The auditors will pair up, and each pair will take two batches of 100 ballots. Each auditor will then count the votes from one batch and trade batches with his/her partner, by making hash marks on a tally sheet. They will then trade their stacks of ballots and count the batch the other just finished.

  4. When both have counted both batches, they will compare their tally sheets. If their totals match, the two batches will be set aside, and they will move on to the next two batches. If the two auditors’ totals for any batch do not agree, they will jointly review the ballots and try to find the ones that they counted differently. Experienced auditors will flag those ballots in some way, so that they can be located again in the final reconciliation process. When the two auditors agree on the vote totals in each batch, one will change his or her tally sheet, and they will move on to the next.

  5. When all the ballots in the precinct have been hand-counted, the subtotals from all the tally sheets will be added together and compared against the totals on the voting-machine tape that was printed out on Election Night.

  6. If the hand-counted totals in each race agree with the machine-tabulated totals, the audit is done, and the official in charge completes a report for the Wisconsin Elections Commission.If any totals disagree, the auditors need to try to figure out why. They will need to check their addition, and then most likely, will engage in something of a guessing game trying to figure out how the voting machine might have read ambiguously marked ballots when auditing an optical-scan machine, or questioning their own counts.When the auditors have decided how to explain any discrepancies, the audit is complete and the official in charge completes a report for the GAB.

  7. Chances are, you will see some variation from WEC instructions for the auditors, and you might see the auditors struggling to figure stuff out. They don’t do this often, so cut them some reasonable slack. Most probably, you won’t see any problems more serious than inefficiency and some trial-and-error. If you do see any more serious problems, they are likely to be one of the following:
  • Ignoring certain types of miscounts. The WEC has instructed clerks and auditors have been instructed to dismiss errors that are the result of human rather than machine error. Observers can make sure any such problems are noticed and followed up, after the audit, by the municipal clerk as part of his or her basic responsibility to certify only accurate election results.
  • Unnecessary secrecy. Excessive secrecy is a problem for election security and voter confidence even if no votes are miscounted, because it creates situations that would hide fraud or errors if they occurred. As a result, observers need to be on the lookout for any practices or constraints that prevent them from verifying, with their own eyes, that the clerks and staff are conducting the audit honestly and accurately, particularly if the constraint has no benefit to the audit.
  • Poor handling of election records.  Like unnecessary secrecy, poor handling of election records puts elections at risk of  undetected problems even if no problems affected the election being audited. Observers might notice departures from what is known as “chain of custody” practices.

Step by step: How to observe a voting-machine audit

Before the audit, as soon as you can:

  1. Find out when and where the audit will take place. (See information under the red heading, above.)

  2. If you can attend, please email your name and which municipality you intend to observe to us at  wiscelectionintegrity@gmail.com. We are trying to get as many observers to as many audits as we can, so we’d like to know which municipalities are covered. 

  3. Browse through the instructions provided by the WEC to the municipal clerks, so that you know what they are supposed to be doing. You can watch the whole 28-minute training video provided to the municipal clerks—but if you just want a preview of what will happen during the audit you observe, watch the six-minute segment from 13:00 – 19:00.

  4. Print out the clerk’s instructions to take with you for reference, or save the location on your portable device so that you can access it if needed.

  5. Print out this reporting form, so  you can take notes and let us know how it went.

  6. Plan how long you will spend observing. Auditing a single precinct can take all day, depending on the number of people counting votes, so you may want to plan to be there only at the beginning and at the time they reconcile the completed hand count with the machine tape. They will be unable to predict exactly when they will finish the hand count, but you might be able to estimate that after watching them count the first few batches.

  7. Know the rules of observing: 
    The basic rule is just common sense–Do nothing to interfere with or obstruct the auditors’ work. It’s in their interest and ours that they are able efficiently and accurately to complete the audit. You will not be permitted to touch any election materials.
    But observers can observe. You should be permitted to look at any document you want to see, and to photograph some documents or the process. If you plan to photograph, it would be polite (not required) to let the municipal clerk know this ahead of time, so that he or she can make sure the auditors are not surprised or upset at being photographed. The clerk may impose reasonable restrictions about thing like talking, asking questions, bring food or drink into the audit room. 

On the day of the audit:

  • Take a camera with you, in case problems arise that need to be documented.

  • Take a red pen for taking notes. Red pens are typically the only ones allowed in a room when ballots are being handled, to avoid any chance that the election records could be altered or damaged without detection.

  • Arrive a little early to allow time for cordial introductions, and to discuss with the clerk clear expectations of how and what you want to, and will be able to, observe and when and of whom you will be permitted to ask questions. Explain to the official in charge that the point of public observation is to support public confidence in elections. To do that, you would like to be able to see enough that you can verify that the votes are being counted correctly. Let the clerk understand that you would like to be able see the ballots as the auditors are counting the votes, in a way that will not disrupt their work. Some municipal clerks allow observers to stand behind the seated auditors; others have allowed observers to sit beside the auditors.  At a minimum, the municipal clerk should allow you to view any ballots that the auditors discuss. It may be that the clerk will find no way to accommodate this. Please report that to us on the reporting form.

  • The audit should begin with an inspection of the election records, including the ballot bags, to make sure all necessary records are on hand and are in order, much as the clerk would do for a recount. Observers should be able to inspect–not touch–the material closely enough that they can verify that the marked ballots or machine-printed paper trail are sealed in bags or containers in such a way that no ballots could have been inserted or removed without breaking the seal, and that the records show no signs of tampering; the inspector’s statement should be on hand and in order, containing the seal numbers that match those on the ballot bags, among other information; and the machine-printed results tape should be on hand.

    Before the auditors open the ballot bags, they will compare the number on the bag’s seal to a number recorded on another record when the bag was sealed on Election Night. Ask to observe, for yourself, that the numbers match. If they do not, take a photo to document the problem. Note the problem and what the auditors did, if anything, to determine why the seal numbers did not match and whether the ballots has been tampered with.

  • As the audit tasks proceed, ask questions throughout, as long as your questions don’t interfere with the purpose of the audit or slow it down more than the officials are willing to accommodate.

Issues to watch for (if you are observing a hand-count of voter-marked paper ballots)

Ambiguously marked ballots   A certain proportion of votes can be expected to be ambiguously or sloppily marked, so that the hand-counters will disagree on the voter’s intent. 

Watch to see about how often the auditors disagree, and how they resolve their differences. Ask to see the ballots that seem to them to be ambiguously marked, so that you can develop your own sense of how well the voters marked their ballots. A very large proportion of ambiguously marked ballots—more than an average of one in every 100 ballots—may indicate a problem you could discuss with your municipal or county clerk: How could the voters be instructed more effectively in the next election?

Votes not read or noticed by the voting machine   The type of miscount that is most likely to be noticed is something called an “undervote.”  The human auditors will be able to count more votes on the ballots that the machines counted on Election Night. 

There two most common reasons why voting machines ignore some votes are:

  1. Voters marked their votes in odd ways, such as circling a candidate’s name on the ballot rather than filling in the target dot beside the candidate’s name, making a very faint mark, or using a type of ink the machine could not detect. These are legally valid votes if a human can see the voters’ intent, even if the machine cannot.
  2. The voter cast a write-in vote but did not mark the oval beside the write-in line on the ballot. A human can easily read that write-in vote; the machine looks only at the ovals and sees nothing.

Other possible causes are, of course, more concerning. Programming errors in the past have caused voting machines to ignore some votes; machines can lose calibration and simply malfunction; and (worst case) malicious code could have been inserted to tell the machine to ignore 5% of the votes for a certain candidate. 

In a well-run election, there should not be a large number of these ballots—no more than one in every 200 votes or about 0.5% in the top race on the ballot.  (In other words, 99.5% of the voters typically vote in the main race on the ballot–in this case, governor or US Senate.) 

Here’s where the audits you will observe get harder to understand–but the problem isn’t you. The auditors have been instructed to count the votes as the machines would have counted them, without regard to voter intent. That’s because WEC believes that in order to satisfy federal law, they must assess the performance of the machines apart from any human error or interference. Their reasoning (I’m not making this up) is that if the voting machine was programmed to ignore one-third of the votes (an actual incident in Taylor County in 2004), and the voting machine did, in fact, ignore those votes, the machine was working just as it was supposed to and there is no problem.

Voters, of course, see a problem whenever votes are miscounted, for any reason.

In many municipalities, auditors won’t follow the WEC’s instructions to ignore voter intent and read the votes as the machine would have read them. The auditors are not machines; they’re humans and they can see voter intent. But still, observers should be alert that a serious miscount might be dismissed by the auditors on the grounds that it wasn’t the machine’s fault. 

When all the votes are hand-counted, ask to see the total number of votes for all the candidates in the Governor’s race, including the write-ins. Add all the candidates’ votes together, and divide that number by the total number of ballots. For example, the auditors might hand-count 599 votes for governor, out of 600 ballots (That is, they found votes on 99.8 percent of the ballots.)That means the actual undervote rate was 0.2%–normal.

Now, compare the total number of votes counted by the machine on Election Day to the total number of ballots. The machine might have counted the same number of votes as the human counters–and everything is fine.

But the machine might have counted only 595 votes for governor–that is, it saw a vote on only 99.2 percent of the ballots. That’s an undervote rate of 0.8%–above what experience shows is a normal undervote rate. That could indicate a problem. Ask the auditors if they can find the four votes that account for the difference. If they find four ballots with write-in votes recorded, without the ovals being checked, there’s the answer. 

But if they cannot find the explanation, or if their explanation is a guess, ask them to note that on their report to the WEC, and please report it to us at wiscelectionintegrity@gmail.com. Small errors in one voting machine can add up to a big difference in a statewide election, and should not be ignored.

Issues to watch for (if you are observing a hand-count of a paper trail printed by a touchscreen voting machine)

Unusable voter-verifiable paper audit trail – Wisconsin law wisely requires touch-screen machines to create a voter-verifiable paper audit trail (VVPAT) –a paper print-out of each ballot cast by each voter. If the auditors finds that the paper trail cannot be read, they will likely go ahead and do what they can, or ask the vendor to reprint the tape from the computers’ memory. 

But in reality, an audit is impossible, because there is no voter-verified record to audit. Ask the municipal clerk to note that on his or her report to the WEC, and please report it to us at wiscelectionintegrity@gmail.com.

Cancelled votes – Touchscreen voting machines give each voter a chance to reject a ballot after in has been printed on the paper trail. If the voter rejects the printed ballot, a message is printed on the tape and the voter can start over to create a correct ballot. Experts on election fraud have determined that, if a malicious programmer manages to manipulate a touch-screen voting machine, the fraud might leave evidence in the form of a larger-than-expected number of cancelled ballots.

Local election officials in Wisconsin tend to be dismissive and unconcerned about this possibility, but it is a possibility and certainly something an audit should notice. But the municipal clerk will not likely be alert for cancelled votes–except to exclude them from the audit. Observers, however, can watch out for it. If you see the auditors encountering more than two cancelled votes on one voting machine, ask the municipal clerk to not the number of cancelled ballots in his or her report to WED and please report that observation to us at wiscelectionintegrity@gmail.com.

When the hand count is complete

When the hand-count is complete, the results are compared to the machine-tabulated results. If the two totals match, the machine tabulations are confirmed accurate and the audit is done. The clerk will complete a report to WEC indicating an ‘error rate’ of zero.

If the two totals do not agree, the clerk will need to figure out why they differ before he or she can calculate an error rate, per WEC instructions. Common human-error mistakes include addition errors and forgetting to exclude hand-counted provisional ballots. (The machine couldn’t have possibly counted these votes in the Election-night machine tape).  

As noted above, if the hand-counters found more votes than the voting machine counted on Election Day, there could be a problem. Watch how the municipal clerk and auditors handle that. If they follow WEC instructions, they are supposed to try to figure out why the two counts differed. If the reason is obvious (such as several write-in votes for which the voters did not mark ovals), the auditors might be able to solve the mystery. 

But other problems simply cannot be diagnosed by a municipal clerk and handful of auditors, without more time and resources. Be on the lookout for auditors guessing at explanations for miscounts, without really having enough information to be sure. Ask the municipal clerk to note the auditors’ uncertainty on his or her report to WEC, and please report it to us at wiscelectionintegrity@gmail.com.

What to do if you see problems

If you see any practices that don’t match your expectations of a transparent, fair and accurate hand count, or that don’t follow the WEC’s instructions, ask the clerk to explain. There may be some necessary, harmless variations the clerk is doing for a sensible reason. As long as the main purpose of the test is fulfilled—to verify the accuracy of the machine-tabulated total by comparing it to the results of an objective hand count—there’s no need for observers to be sticklers.

If the clerk cannot give you a good explanation why he or she is departing from the instructions, and you think the variation prevents the audit from verifying the results’ accuracy, encourage the clerk to contact WEC.

You can call WEC at (608) 266-8005 to report an immediate problem, such as observers being locked out of the audit room (it has happened), or other serious violation of the audit requirements. If the issue is not resolved, ask WEC about the procedure for filing a formal complaint.

– – – – – – – – – – –

Whether your observing experience is good or bad, or a mix, we’d love to hear what you noticed and how it went. 
Please write to us, after observing an audit, to let us know: wiscelectionintegrity@gmail.com. 

These instructions can be improved by your feedback. Please email your suggestions to us at wiscelectionintegrity@gmail.com.Add your reaction Share

Are Wisconsin’s elections audited yet? No, but….

VotersFollowThrough.jpg

November 02, 2018 at 10:13pm — If performing election audits is like riding a bicycle, Colorado and a few other states are training for professional racing. 

In about 20 other states, election officials haven’t yet decided whether they want to give up their tricycles, and in about a dozen, officials haven’t even tried a tricycle yet.

And 13 states are still inside, in their pajamas, playing with their paperless touchscreen voting machines.

In Wisconsin, Wisconsin Elections Commission has given our county election officials a two-wheeler with training wheels and told them to get moving.

In other words, we’re on our way.

Before now, officials didn’t check accuracy until after they had declared election results final. That practice, in the words of a recent national comparison of states’ election-security practices, “leaves Wisconsin open to undetected  hacking and other Election-Day problems.”

So the WEC did what it could: It voted to order municipalities to audit 5% of the voting machines immediately after the November 6 election, and to “encourage” county clerks to start experimenting with legitimate election audits. 

All that is good, but here’s the problem: the municipal voting-machine audits have only a limited ability to protect our election results from hacking and errors. But they are the only audits the WEC has authority to order.

Broader election audits could truly protect our elections, but the WEC doesn’t have authority to order those. County clerks are elected constitutional officials. They don’t have to listen to the national and state election authorities if they don’t want to. 

In short, only the voters can hold county clerks accountable. Only we can make sure they heed federal and state authorities’ advice. Only we can make sure the county officials make sure the election results are accurate.

The WEC’s October 4 memo to the county clerks is probably the best little document on election audits that the state elections agency has ever produced. Click on this link to read it for yourself—it’s clear, simple, and complete. No frills. There is no reason why any Wisconsin county clerk cannot follow the WEC’s simple step-by-step instructions—even if they decide at the last minute to add this powerful safeguard to their canvass procedures.

What voters need to do:

It is absolutely worth checking with your county clerk—or in Milwaukee County, the county election commission. Call today; here’s a link to their contact information.

When you ask your county elections clerks about election audits in your county, you might get some good news. Some have already decided to try their hand at election auditing. 

But others are being stubborn, even childish.  The Wisconsin County Clerks Association, sadly, sent a whiny memo to WEC saying that they didn’t want even to be “encouraged” to conduct audits. Among other things, the WCCA thinks no more than one race each election should be verified. They even told WEC that any hand counts would be “inherently inaccurate.”  (In truth, Wisconsin’s county clerks are perfectly capable of conducting an accurate hand count if they want to.)

So contact your county clerk.  When you ask for valid, routine election audits, you’re merely repeating what federal and state authorities have already told your count clerk.  Accept no excuses:

  • Your county clerk has the time to ensure accuracy and security. The entire audit process shouldn’t take more than two days if they assign or bring in enough staff and volunteers. They have two weeks in which to schedule it. Some of their counterparts in other states do more auditing with even less time.
  • Your county clerk has the staff. Any competent chief inspector (that’s a head poll worker) could easily lead the audit—it’s not rocket science—while the county clerk keeps on with his or her other duties.
  • Your county clerk has the budget. The only expense should be the hand-counters, and the clerk could accept volunteers. If none of the poll workers want to help (and they do), the clerk can check with the Rotary Club or the high school social studies teacher. There’s no reason high school students cannot do this. The WEC has offered to reimburse the clerks up to $300 to cover the costs, if it costs even that much.

PT Barnum-style election security

Reporter: “Does it bother you that what you’re showing is humbug?” 
PT Barnum: “Do these smiles seem humbug? It doesn’t matter where they come from if the joy is real.” 

I recalled this dialogue from The Greatest Showman as I was observing a pre-election voting machine test in the City of Elroy, Wisconsin on Monday, August 6.

Conducted in every municipality before every election, these tests serve some necessary functions.

But as a safeguard against hackingthey are humbug—as authentic as a bearded lady whose facial hair is hanging from strings looped around her ears. 

Nevertheless, because the tests make some voters and reporters feel confident, they are touted as a security measure.

I’ve observed more than two dozen of these tests over the years. The ones I observed this week were typical. Even if you’re not an IT professional, I’ll bet you can pick out why these tests don’t protect Election-Day results from hacking—whether the hacker is an Internet cyber-crook or a corrupt voting-machine company insider.  

Here, try it. Start by predicting what the hacker might try to do. First, do you think the hacker would make the malicious code miscount every single vote or only some votes?

You guessed ‘only some,’ and experts agree. When a blue-ribbon election-security task force convened by the Brennan Center for Justice worked out how a hacker would steal a statewide race in the imaginary State of Pennasota, they calculated that no hacker would likely alter more than 7.5% of the votes, or a little more than 1 in every 13. So if you want to detect hacking, your set of fake ballots—your ‘test deck’—should contain enough ballots to give each candidate at least 13 valid votes.

But Wisconsin municipal clerks typically create test decks with only one vote for each candidate—enough to catch only hacks that affect every single vote.

Second, do you suppose the hacker might instead allow the machines to count votes accurately all day, and then simply flip the candidates’ vote totals at the end of the day to give his guy the biggest total? You probably guessed yes, he might. So you would need to create a test deck that has a winner in each race, a different number of votes for each candidate.

Wisconsin municipal clerks’ pre-election test results typically contain a lot of ties–the same number of votes for each candidate in each race. Those test decks would not detect any vote-flipping hacks.

Finally, would the hacker’s malicious code kick in whenever the machine was turned on, or only on Election Day? This one is easy. Hacks would never trigger on any day other than Election Day.

This is the fatal flaw of pre-election testing as a safeguard against hacking. Hackers can program their code to trigger only when the calendar says it’s Election Day…or only when ballots are inserted at a rate typical of Election Day…or only when the machine has been operating continuously for more than eight hours…or only on some other telltale sign that real votes, not test votes, are being counted. As the Brennan Center Task Force report put it, trying to use tests like these to detect hacking would create a constantly escalating arms race between election officials trying to make the test look like a normal Election Day and hackers finding new ways to detect a test situation.

As a result, the Task Force didn’t bother even to mention pre-election testing as a safeguard in its list of six security recommendations.

Many of Wisconsin’s pre-election tests do not hide the fact that the machines are running in test mode, not Election-Day mode. The photo at right is a close-up of the voter-verifiable paper trail from an AVC Edge voting machine, programmed by Command Central, being tested in Juneau County before the August 14, 2018 primary. Notice that the voting machine printed “PRE-LAT PAPER RECORD” at the top of the ballot. ‘LAT’ is the computer professionals’ term for “logic and accuracy testing,” a basic routine whenever software has been updated. (I don’t know why Command Central calls it “PRE-LAT”.)

This machine clearly knows it is counting test ballots, not real ones. Operating in test mode doesn’t render the test useless for things like catching innocent programming errors.  But:

It is humbug for election clerks 
to fool themselves, or to fool the public, 
into thinking these pre-election tests 
provide any protection against hacking.
 

If we want to stop being fed humbug, we have to stop falling for it. If your local election officials tell you:

  • Election results are protected by pre-election voting machine tests“, tell them that you know Wisconsin’s pre-election voting machine tests could not detect hacking any less obvious than that which in 2010 elected a cartoon robot to the Washington, DC school board.
  • Election results are protected by keeping the machines unconnected from the Internet,” tell them that you know that they have no idea about what happens to the software before it comes into their control.
  • Election results are protected by federal and state certification,” tell them you know that the software has been copied and updated many times since it was certified, and that no one has ever or will ever inspect the software that will count your votes on Election Day.
  • Election results are protected by the audits we already do,” tell them that audits completed only after the canvass cannot possibly protect results they have already declared final (‘certified’).

The solution: Contact your county election office. In Milwaukee County, that’s the Elections Commission; in other counties, it’s the county clerk. Tell them: 
“This voter is done with humbug. I know that one and only one safeguard can protect our final election results. 
Use our paper ballots to detect and correct any electronic miscounts before you declare election results final. Start this November.”

Don’t expect your county official to be stubborn; several are already planning to check accuracy before they certify the November results as final. Find out if yours is one.

But if your county officials are not now planning to begin auditing, don’t accept excuses. They got a memo on August 1, 2018 from the Wisconsin Elections Commission that made it clear: “A post-election audit is a tool that could be implemented to confirm that results have been tabulated accurately,” and “post-election audits of the results may be conducted prior to certification of the canvass.” The Commission even gave them basic instructions they can follow.

No more humbug 
about election security. 
Tell your county officials 
today: “Time’s up. 
Pre-certification audits. 
This fall.”


You can also help by donating to help Wisconsin Election Integrity get the no-humbug word out to voters, officials, and media through our 2018 publicity campaign.

And you can email the Wisconsin Elections Commission at elections@wi.gov to encourage them to mandate pre-certification audits in every county, at their September 25 meeting.electionshackingWisconsinauditssecurityvoting machineselection technology

Wisconsin could have real election audits in November!

Just a few tweaks to WECs’ audit policy could make Wisconsin’s November 2018 elections the most secure since we started counting our votes with computers.

July 24, 2018  — There’s still time before the November 2018 elections for the Wisconsin Elections Commission (WEC) to put a patch on the state’s biggest, most dangerous election-security hole. Up to now, local election clerks haven’t been checking the voting machines’ Election-Day accuracy before the certify election results. They could be doing that easily, quickly, and cheaply.

To audit voting machines’ November 6 output, neither WEC nor the local clerks need to spend an extra penny over what they already have budgeted for that election. The WEC has to change only one policy at their September 25 meeting.

But voters have to speak up–now. We must tell the WEC to revise their policy regarding the voting-machine audits for 2018, and order those audits to be completed in every county before election results are declared final. The WEC can be reached at (608) 266-8005 or by e-mail at elections@wi.gov.

THE PROBLEM

 We have paper ballots. And local officials have up to two weeks after each election to review (‘canvass’) them to make sure the results are correct before they declare the official winners (‘certify’).

But Wisconsin election clerks seal them in bags on Election Night. During their review, they look at the poll tapes, but leave the ballots sealed. Then they certify. They swear the winners into office. Twenty-two months later, they destroy the ballots.

Perpetually sealed paper ballots do not deter hackers; they protect them.

About half the states require officials to do at least a little auditing of computer-calculated Election-Day results before they certify. But in Wisconsin, state law merely allows, but does not require, accuracy checks.

When I ask county clerks why they don’t check Election-Day accuracy, I get answers like, “If we had to count votes manually, that would defeat the purpose of using the machines,” and “If these machines were capable of miscounting, the State wouldn’t let us use them.” And “We did a recount before and didn’t find that election had been hacked.” Basically, the people who manage our voting machines don’t believe they can be hacked. Or that they can malfunction. Or that humans sometimes make programming errors.

We can’t have kind of naiveté among our voting-machine managers. 

THE SOLUTION

Since 2006, Wisconsin statutes have required the state elections agency to order voting-machine audits following November elections. That law, section 7.08(6) of the statutes, also orders local governments to do any audits the WEC tells them to do.

As is typical for laws like this, the statute leaves the details to the bureaucrats. How many voting machines to audit? When to audit? How to select the sample? Those decisions are left to the state elections agency.

But state elections officials have, before this year, denied the risk of an Election-Day hack. They were so confident, they didn’t think anyone needed to look for it. So they have never ordered the type of audits that would protect final election results from hackers. 

But times have changed, and awareness of the complex risks–not limited to Russian hackers–has grown. WEC will be tweaking their voting-machine audit instructions soon, as they always do shortly before November general elections, and we voters have got to make sure they do it right this time.

We must demand two things.

First, the 2018 audit instructions need to tell local officials “Finish the audits during the county canvass so that you can correct any hacks or errors you might find.”

From 2006 through 2012, the State told local officials to wait to check accuracy until after they had certified the results. In 2014, state elections board members ordered their staff to stop prohibiting on-time audits. But they have never ordered timely audits—they merely stopped prohibiting them.

Second, we must demand that the WEC order audits of at least one voting machine in each county. More would be better, of course, but they’ve budgeted for only 100 voting-machine audits, and Wisconsin has 72 counties. So they can do this.

The sample selection method used in previous years is too odd to explain here. It has to do with making sure the sample contains five of each make and model of voting machine. The critical fact is that it has always left some counties out.

Wisconsin’s voting machines are, in all but a few counties, programmed at the county level. For the federal, state, and county races, the same vote-counting code is copied onto all the voting machines in a county. So there’s a good chance you could deter hackers by randomly selecting one machine in each county.

The best audit would, of course, include enough ballots to produce a statistically valid answer to “Are these the right winners?” But we’re down to the wire in 2018, and valid, respectable audits will probably need to wait until 2020. Until then, we need quick, better-than-nothing audits.

About cost: Funding for around 100 voting machine audits has already been budgeted–or should have been. Unless they increase the sample size, the WEC can order protective audits for the same price they are planning to pay for useless ones.

Just those two tweaks to WECs’ audit policy, and Wisconsin’s November 2018 elections will be the most secure in our state’s history since we started counting our votes with computers. They will be the first in which would-be hackers were put on notice: Any voting machine anywhere in the state might be randomly selected for an audit while there is still time to detect your mess and clean it up.

So:  We must tell the WEC to order voting-machine audits in every county, and that they be completed before November 2018 election results are declared final.

This topic will be on their September 2018 meeting agenda, and they have asked for voters’ input.

The WEC can be reached at (608) 266-8005 or by e-mail at elections@wi.gov.

What if WEC talked straight about election security?

July 21, 2018 — The job description for the Wisconsin Election Commission’s public information officer does not say “Secure Wisconsin’s elections.” So Reid Magney’s annual performance review won’t suffer if, next November, hackers compromise ES&S headquarters in Nebraska, manipulate Milwaukee County’s voting system, and pick Wisconsin’s US Senator.

Magney’s job description probably says something like “Build voter confidence.” So don’t expect him to draw attention to this or that national report, or whichever new report has once again given Wisconsin poor marks for election security.

Last Wednesday, Carrie Kaufman of WPR’s Morning Show told Magney, “Assure me that our voting system is secure.”

Magney obliged, and recited all the great things about security for the voter-registration system (my emphasis, not his). He talked about firewalls, multifactor authentication, hiring new Internet security staff, and installing software that will monitor for suspicious activity.

Magney avoided saying much about Wisconsin’s vote-tabulation system, for which he would need to tell a different security story.

WEC has very little responsibility for the vote-tabulation system. It was developed by private out-of-state companies, and is owned, operated, updated, and maintained by those companies and Wisconsin’s counties, cities, villages, and towns. Not by WEC.

Magney left the impression that the wonderful safeguards protecting WEC’s voter-registration system also protect the vote-tabulation system.

I know enough election technology to notice Magney’s feints and finesses. As I listened, I found myself imagining a different interview. I imagined that Kaufman had asked specifically about the tabulation system, and that she was speaking with a WEC representative whose job description said “Make sure voters understand the real risks and necessary safeguards.”

Here’s that interview: 

Interviewer: Welcome to our show. Every day seems to bring more alarming news about Russia’s intent to tamper with American elections.  Is Wisconsin’s computerized vote-tabulation system secure?  I will discuss that today with my guest, Earnest Veracity of the Wisconsin Elections Commission. Welcome, Earnest.

Veracity: Thank you for having me.

Interviewer: I’m assuming you’re familiar with the five basic functions of a cybersecurity program, spelled out by the National Institute of Standards and Technology—identify the risks; protect the system; detect any problems; respond to any problems; and recover. Would that be a good framework for discussing Wisconsin’s election security?

Veracity: Yes, that framework is useful. But I must make one thing clear before we start. I’ll answer your questions as best I can, but tabulation-system security isn’t something that WEC has much say about. That’s the job of the voting-machine companies and the local election officials. Wisconsin has decentralized elections administration, and voting-machine security is no exception.

Interviewer: I understand that. Let’s start with simply describing the system. Are the computers that count our votes inside those machines at our polling place, or somewhere else? Whose system is it? Who manages it? 

Veracity: The vote-tabulating system consists of three parts: whatever computers the voting-machine companies use to develop and update the software; an ‘elections management’ computer in each county clerk’s office; and the voting machines in each polling place. Each new election has its own set of races and candidates, so the county computers and the voting machines have to be reprogrammed for every new election. Typically, the software is developed out of state at one of the voting-machine companies’ offices, and then transferred to the county either over the Internet or with portable digital media. The county clerk then prepares the software for each voting machine, and the municipal clerks install it in the voting machines. That software really travels. 

Ownership and management get a little tangled. The companies own the software and some of the equipment. Counties typically own and manage the county computers, while the voting machines are owned or leased by the cities, villages, and towns.

Interviewer: So where are our votes counted?

Veracity: The software that counts your votes is typically inside the machine in your polling place. But it got there through the county’s computer and the vendor’s computers.

Interviewer: Got it. Let’s move to security, and start with the first function, risk identification. Have the voting machine companies and the local election officials identified the risks?

Veracity: We don’t know whether the voting-machine companies have identified the risks. It’s possible they haven’t, because to the best of our knowledge, none employ any IT security professionals.  Your network carries a great show, Science Friday, which aired a very good segment on this topic right before the 2016 elections. Aviel Rubin, director of the Johns Hopkins University Information Security Institute, described what he learned when he visited all the major voting-machine companies. 

As for the local election officials, few understand the risks. Most, for example, will tell you the voting machine cannot be hacked if it isn’t connected to the Internet, overlooking the other computers involved in the process. They also believe that pre-election tests can detect hacked software.  No one should expect local election officials to be IT security professionals. They just are not.

Interviewer: I suppose that’s fair. How about the second function of a good cybersecurity program. Do the managers of the vote-tabulation system protect it from the risks?

Veracity: Again, we know almost nothing about the voting-machine companies’ security practices.  A few incidents indicate they might be lax. For example, in 2016, recount observers noticed manufacturers’ seals missing from voting machines in St. Croix County.  When we investigated those citizens’ reports, we discovered a vendor’s service technician had left machines unsealed through several elections. We checked only St. Croix County’s machines. There may have been others that the technician left unsealed.

The local election officials, well, they do the best they can. They keep the voting machines and county election computers in locked rooms, and only occasionally find someone got unauthorized access. They are very reliable about keeping track of the software as it passes back and forth between the county and the municipalities.  But keep in mind the nature of the workforce.  Elections are run mostly by people who work on those tasks only a few days each year. We cannot expect security protocols to be reliably followed.

Interviewer: Well, that’s sobering. Who oversees the local governments’ election-security efforts? Do you?

Veracity: No, they’re pretty much on their own. County clerks are independently elected. Making sure they do their job right is up to the voters. Municipal clerks generally answer to the city council, village board, or town board, not to any professional election overseers. WEC does not, cannot, monitor their security practices.

Interviewer: Yikes. So as far as we know, no one is making sure we have much risk-identification or strong protection going on. What about detection? Do the local officials at least have ways to detect Election-Day computer miscounts? I understand that hacking isn’t the only threat—that they also need to be on the lookout for human error and random malfunction.

Veracity: Yes, those are the three main categories of electronic threats to our election results. But again, I’m sorry I cannot answer that question with regard to the voting-machine companies’ security practices. We have no idea what they do, if anything, that would, for example, detect malicious code if one of their programmers goes rogue and starts working for Russia.

And local election officials have no way to notice any malicious code if it’s already there when they receive software or updates from the vendor and install them in the voting machines. They are good about doing pre-election voting-machine tests, which can catch human programming errors. But those tests wouldn’t detect hacking. Remember the Volkswagen scandal? That should have taught everyone that hacks are designed to operate only during actual use, not during testing. A hacker would make the malicious code operate only on Election Day.

After each election, local election officials check that the machines counted ballots correctly, but not whether the machines counted votes correctly.  That doesn’t protect our election results, because hackers would tamper only with vote totals and leave the ballot totals alone.

When miscounts are really obvious, local election officials sometimes notice, like they did in Stoughton in 2014. But sometimes they don’t. In Racine and Marinette Counties in 2016, and in Medford in 2004, the local officials just blew past obvious computer miscounts and certified the wrong vote totals. Hackers could make thousands of votes just disappear, and it probably wouldn’t be noticed or corrected in the canvass.

A citizens’ group, Wisconsin Election Integrity, has been pressuring us since 2012 to promote routine post-election audits during the canvass. National authorities recommend, and other states use, those audits because they deter hacking and protect certified election results from all types of miscounts. But we cannot make a decision in only six years. Maybe we’ll give it some thought for 2020. Maybe not. 

Interviewer: Do the managers have procedures to respond to an event, so that they can prevent or minimize damage to the final election results?

Veracity: Finally, I can answer “Yes!” If local election officials detect incorrect preliminary vote totals during the canvass, Wisconsin statutes give them everything they need to protect the final, certified election results. They have the paper ballots, the freedom to decide to hand count, enough time for the canvass. The Stoughton voting-machine miscount of 2014 is an excellent illustration. Once they noticed the miscount, the municipal clerk quickly opened the ballot bags, hand-counted, and didn’t even miss the municipal canvass deadline.  So if they do routine audits during the canvass, they will always be able to secure the final election results.

If they wait to detect problems until after they certify, though, that would be royal mess—expensive lawsuits and scandal, massive damage to voter confidence. I don’t even want to think about it.

Interviewer: Do the managers have procedures to recover and restore the system to normal functioning after an event?

Veracity:  Well, neither we nor the local election officials have the skills or resources for serious forensic investigation. So it’s hard to say what we’d do to determine the causes and fix the flaw if we ever noticed a hack. When in 2017 we could no longer ignore the Optech Eagle’s inability to count votes from many absentee ballots, we decertified that system. But we probably wouldn’t do that if we found problems with a newer system. I cannot imagine, for example, expelling ES&S from the state if we found they’d installed remote-access software here like they admit they’ve done elsewhere. They count more than 70% of Wisconsin’s votes. Banishing them would be terribly disruptive and expensive.

*  *  *

Russians aren’t the only ones who can buy social media. We can do it, too–if you donate. Help us publicize the easy solutions to Wisconsin’s frightening election-security situation. Just $25 could help us reach hundreds of people and move Wisconsin that much closer to true election security.   Please donate now!