Contact Senators NOW about election security

A coalition of national pro-democracy groups is calling for a national day of action for election security. Wisconsin voters need to respond. On or before Tuesday, Sept. 17 contact our two senators to let them know Americans deserve secure elections! Important legislation is stalled in the US Senate, and the senators need to MOVE.

Here is Ron Johnson’s contact page. Ask him to support election security action and to pressure Mitch McConnell to allow votes on the election-security legislation passed by the House.
Here is Tammy Baldwin’s contact page. Thank her for supporting election-security legislation.

Wisconsin has paper ballots, but our election results are not secure. Our county clerks do not use those paper ballots to verify the Election-Night results before they certify the final results. Several other states don’t even have paper ballots. That threatens us all.

The risks are real. Evidence is overwhelming. In 2016, Russian operatives hacked and probed American political campaigns and voter registration systems. But Russia isn’t the only problem–maybe not even the worst. Why would it be? American elections are an attractive target for many around the world and in our own country.  Hackers in China and Iran are showing interest and have launched thousands of attacks not just in the U.S., but in 26 countries, according to Microsoft, which has been helping detect and deter attacks for democracy-supporting organizations of all stripes. 

Many in the US Congress appreciate the need for REAL election security–and NOW. The House of Representatives has passed federal legislation that would make it possible for every state to have:
1) A voter-verified paper ballot for every vote; and
2) Robust ​manual​ election​ ​audits that detect and correct any false outcomes before election results are declared final.

But the US Senate isn’t working.

The House passed $600 million (in H.R. 3351) in election security funding for states and localities to use to secure our vote. While Republicans and Democrats had different proposals, nearly every representative in both parties voted to designated hundreds of millions of dollars for election security. Now it’s time for the Senate to write and pass its funding proposal.

But Mitch McConnell said. “I’m not going to do that.” He and his obedient cronies are blocking the legislation that would allow the states to protect our federal elections in 2020.

Every single U.S. Senator must stand up for democracy now. The Senate must pass funding for election security. They must include the House bill language so that the counties that are the most vulnerable are able to get the funds they need to secure our elections for all. 

The House voted to provide the states with funding for:

  • Paper Records: Every voter can ​​mark​ ​a paper​ ​ballot​ by hand or with an assistive device and verify their vote, so that there is a paper record of every vote cast.
  • Checking the Results: Officials subject ​machine-counted​ ​results​​ to​ a robust ​manual​ ​post-election​ ​audit,​ that can detect and correct false outcomes.
  • Secure Voter Data: Voter databases should be backed up offline, monitored and secured using best practices. Poll workers should be trained to ensure that voters can cast a vote in case of a hack or error.
  • Election websites and election management systems, as well as the vendors themselves also need to be more secure and resilient in the face of possible hacking attempts and computer error. 

FAQ

Q: To what extent can Mitch McConnell hold up the funding?
McConnell can fully block the funding if he wants to. But his spokesperson recently said they have not ruled out an appropriation for election security so national election-security advovates believe there is an opening. At the end of September the government must be funded so the Senate either must pass appropriations bills or agree to a continuing resolution with the House leadership. In either case, $600 million in election security funding for states and localities can and should be included.

Q: Isn’t this a federal mandate on state elections? 
States and localities have been pleading for funding from Congress for years now, and every state wants to be able to secure its elections. The House passed a strong bill with $600 million requiring the funding be spent on the areas of greatest vulnerabilities.

Q: The states got $380 million for election security in 2018 and they haven’t spent it all. Shouldn’t we wait until should spend it before getting more money.
States and counties are spending down the funds, they expect to spend 85% of the funds by the 2020 election. But in too many places it wasn’t enough to do a lot of the serious work. We want them to proceed quickly, but carefully so they actually are able to use the funds to make our elections more secure.

Q: My election official says the voting machines are not connected to the internet, how can they be hacked?
Sadly, our local election officials cannot promise that–they simply cannot know. They don’t have control over the security of the voting-machine manufacturers, where the software is developed. Election officials have no way to know whether those companies’ computers are on or off line. And if the software has been compromised before it even reaches the local officials, it doesn’t matter whether the local clerk keeps it secure.

In addition, it’s just not true that the voting machines are never connected to the internet. Local election officials often don’t understand what the voting machines are doing when they transmit results on Election Night. Almost all of our voting machines and the county elections computers use the internet during pre-election tests and then again for election-night reporting of the results. And on top of that, national cybersecurity sleuths recently found that nine Wisconsin counties had left their county elections computers on line continuously for as much as a year!

Q: We already have paper ballots, what do we need this funding for?
Paper ballots are only decorative if no one ever uses them to verify the voting machines’ accuracy. As things now stand, after a Wisconsin voter casts his or her ballot, chances are it will never be looked at again. It will be sealed up on Election Night and will stay sealed until it is destroyed two years later. In the meantime, the voting-machine tape will be assumed to be correct.

Unless the paper ballots are used in rigorous post-election audits comparing the votes on the paper with the numbers the machine reported, we can’t know for sure if the outcome of the election was correct.

The one huge hole in Wisconsin’s election security is that our officials do not routinely audit the results. The state elections agency could use this money to fund efforts to develop practical, reliable audit practices that fit with Wisconsin’s unique election-administration practices.

About those Russians…

In the past two weeks, three reporters have asked me to comment on Russian interference in US elections. Do I believe the Russians interfered with the 2016 election? Do I think they will try in 2020? And my least favorite: Do I think Russians are the worst threat to the voting machines?

I’ll answer the ‘worst’ question first: What the hell does it matter?  All threats are threats. Will it be a boring news story if our election is stolen by a Canadian anarchist living in his grandmother’s basement, or by a random computer glitch?

I’ll tell you what the worst threat is. It’s the threat that is literally the sum total of all other threats. Wisconsin county clerks are STILL not using the only safeguard effective against every voting-machine threat including the Russians: Using our paper ballots in prompt, routine, hand-counted audits that verify the correct winners.

The simple truth should be obvious. It is ridiculous to allow any computers to make any big decision unless you have a reliable way to detect and correct serious computer errors.  

Can you think of any other government agency that relies on computers and doesn’t have some way to notice if the computer screws up a big operation? No, you cannot. There isn’t one. Only election officials trust their computers that blindly, and demand our trust, too.

When Wisconsin’s county clerks declare election results final without verifying the correct winners, they are allowing computer programmers to pick the candidates who will govern us.1 They don’t supervise these programmers. They don’t know even know who or where they are.2

As to the other questions:  I don’t know whether the Russians or anyone else tampered with the voting machines in 2016 and 2018. No one does.

We don’t know because Wisconsin election officials didn’t check. 3 How is that not scandal enough?

Wisconsin’s election officials just seal our paper ballots on Election Night and leave them sealed until it’s time to destroy them two years later. No one ever knows if the paper ballots tell a different story than the computer tapes.

And I don’t know whether Russian criminals are planning to mess with the voting machines in 2020. I know that it is wise to assume they are. Most importantly, I know it will be criminally negligent if our county clerks make no effort to detect and correct any hacks that might get by the security system.

Call your Wisconsin County Clerk today and say: “Surely you understand that you cannot guarantee the security of our voting machines. Too much is outside your control. The only thing you can secure is the election results, and you can do that only by using our paper ballots in hand-counted audits during the county canvass to make sure you certify only the correct winners. Get busy now on developing audit procedures for the 2020 elections.”

– – –

1 A few Wisconsin county officials claim they “program their own voting machines” and imply that provides security. They don’t, and it doesn’t.
The county clerks ‘program’ the machines only in the sense that you ‘program’ a new cell phone with your personal address book and settings. If any are messing with the actual tabulation software, they are breaking federal law. Truth is, these county officials rely on the voting-machine company in the same way you rely on Samsung, Apple, or Nokia.

2 Example: In 2016, election-security advocates noticed that Dominion—the nation’s second-largest voting machine company, which counts many Wisconsin votes—was recruiting programmers in Serbia. The company’s official response was: “Like many of America’s largest technology companies, which develop some of the software for their products in places like Asia, India, Ireland and the Mideast, some of our software development is undertaken outside the U.S. and Canada, specifically, in Serbia, where we have conducted operations for 10 years.”

3 In the 2016 recount, half of Wisconsin’s presidential votes were “recounted” only by running the ballots back through voting machines programmed by the same people who programmed them for Election Day. These were the ballots in the state’s largest counties (except Dane)–the counties most at risk of hacking.
In the half that was hand-recounted, the recount found that more than 1 in every 170 votes had originally been miscounted. These errors were not deliberate and affected both major-party candidates equally. As a result, they did not change the outcome and the news media didn’t report it.
But notice this: even when that many votes had been miscountedup to 30% in some individual wardscounty clerks did not notice it in their regular canvass. They detected the incorrect vote totals only when forced to check their work with a recount. Unless our county clerks adopt routine audits, the same will happen when hackers put the Election-Night results outside Wisconsin’s microscopic recount threshold (0.25%). There won’t be a recount and the hackers will have successfully pulled off their crime.

What will happen when election hackers get to Wisconsin? A black comedy

Last week, a reporter and I were discussing election hacks that might happen in Wisconsin. He has done his research and understands the threats. He posed an interesting question: What if hackers wanted only to create chaos and distrust, rather than change the outcome of a statewide election?

Hmmm…what would happen? I thought through the likely chain of events and realized it is not possible to create distrust by hacking a Wisconsin election — but not for the reason you would hope.

If this was a movie, it would be a black comedy with a twist ending. The big gasp would come when the election thieves (along with the viewers) realize the fatal flaw in the plan …

Scene 1 opens in the messy office of computer hackers. They are working for a foreign government that has its eyes on the US presidential election. They are celebrating because they just succeeded in compromising a small voting-machine service company in eastern Minnesota.   

Scene 2 takes place in the Intelligence Headquarters of the foreign capital. The hackers are reporting their progress to the chief.

“The good news,” they say, “is that we know how to make that company provide compromised software to all its customers. Local election clerks will never know. They never inspect the software and their cute pre-election tests cannot detect hacks that activate only on Election Day.”

“The bad news is that the company controls only some of Wisconsin’s voting machines. They don’t have enough votes to deliver a statewide race.”

The hackers are surprised when the intelligence chief doesn’t care.

“No worries,” he says. “If we show we can hack the machines, we will destroy trust in the process. Whoever wins won’t have legitimacy.”

“Go for it,” he says. “Pick whoever you want to win. Just as long as it’s not the candidate the voters want.”

Scene 3 is back in the hackers’ office. The hackers are gleefully developing their plan.

As voters cast their ballots, the hackers will let the voting machines count their votes correctly.

But on Election Night, when the poll workers push “tabulate,” the computer will quickly flip the vote totals of the top two candidates in each primary. The voting machines will give the biggest vote total to the second-place finisher, and make the voters’ choice come in second. Not a single polling place in the entire area will report accurate results. 

Scene 4 takes place on Election Night, April 7, 2020. Poll workers are gathered around a voting machine in a small city in western Wisconsin. The chief inspector pushes a button on the back as others eagerly watch the poll tape emerge. Expressions of surprise.

Cut to the Associated Press Election-Night newsroom. Much excitement. An editor shouts to a reporter: “Go figure out what’s up with Wisconsin’s rural voters! That’s not what anyone predicted they would do, in either party primary.”

Scene 5 consists of a montage of cable-news soundbites on Wednesday, April 8, 2020.

Questions abound:  “What’s going on in rural Wisconsin? Why did the voters in both major-party primaries confound expectations?”  

Guesses tumble out: Maybe voters lied to the pollsters about who they would vote for, or whether they would vote at all. Maybe hostile cross-over voting went both ways…maybe the leading candidates were too confident…

In Scene 6, viewers get the shocking revelation.

It’s now two weeks after the primary. A county clerk and two senior citizens sit in a drab conference room in a small county courthouse. They are finishing up the official canvass. The clerk says: “I printed out the certification statement. This is one election we won’t forget.”

They pass the paper around. Each one signs it. The hacked results are now official.

One of the board of canvass members remarks: “I’ve been doing elections work for 35 years, and voters still surprise me. Well, let’s go for a beer.”

Cut to the Intelligence HQ in the foreign capital. The Chief is furious; the hackers stare at their shoes. 

The Chief slams his fist on the table: “You idiots chose a state where no one would even notice an election hack!!! Why didn’t you do this in Colorado or New Mexico?

“Are you nuts? How did you expect your hack to be noticed when Wisconsin’s paper ballots are sealed up on Election Night and never seen again?

“Didn’t you know that Wisconsin election officials never audit the primary elections?

“Didn’t you bother to notice that Wisconsin never recounts unless results are virtually tied?

“You bozos! Get out of my sight!”

The hackers leave. The chief smiles and picks up the phone.

“Mr. Secretary, good news. We just confirmed the people in Wisconsin trust whatever their computers tell them. No one will notice — not officials, not reporters, no one. Senate, Governor, President, whatever you want. ”

He hangs up the phone and calls his assistant in. “Contact the team who has compromised that big company, ES&S. Tell them to add Wisconsin to the list for November.”

* * *

Wisconsin’s local election officials do not stand a chance against sophisticated international cybercriminals. Too much is outside their control. Too many vulnerabilities, known and unknown, threaten the tabulators. Securing Election-Night results is a wishful fantasy.

But Election-Night results are preliminary and unofficial. Final results are the ones that matter and that could be secured — relatively easily, too. County clerks could use the paper ballots and their administrative authority to order hand counts. Simple audits could verify the winners while the clerks still have time to correct any miscounts.

But Wisconsin county clerks refuse to do that, so our elections continue largely on an honor system.

The Wisconsin Elections Commission orders scattered audits of individual voting machines after November elections. That’s grounds for some hope. But even with improvements made in 2018, if these audits ever detect a miscount, they are as likely to cause chaos as to prevent it. They are not rigorous enough to verify the correct winners and are not binding on final results. Officials have no agreed-upon procedures for what they will do if auditors detect that the Election-Night results were miscounted.

Contact your Wisconsin County Clerk. Tell him or her to develop written canvass procedures — NOW — to verify the correct winners in the 2020 elections before they certify the final results.

Support nonpartisan redistricting for Wisconsin. Now’s the time!

This just in from Common Cause of Wisconsin:

For Release: Monday – July 15, 2019

“Iowa Model” Redistricting Reform Legislation Publicly Presented

Tuesday, July 16th at 10:30 AM – Assembly Parlor, State Capitol  

On May 8th, Wisconsin Republican legislative leaders, Assembly Speaker Robin Vos (R-Rochester) and State Senate Majority Leader Scott Fitzgerald (R-Juneau), and their GOP minions on the Legislative Joint Finance Committee (JFC) stripped the redistricting reform provision proposal that Gov. Tony Evers had inserted in his 2019-2021 state budget proposal.   That measure is based on Iowa’s redistricting process which was developed and enacted into law in Iowa by Republican Governor Robert Ray and a Republican-controlled Legislature (both chambers) in 1980.

Now, out of the state budget, the “Iowa Model” redistricting measure has been introduced, with bi-partisan support, in the Wisconsin Legislature as stand-alone legislation and on Tuesday, July 16th, it will be formally “rolled out” by the lead sponsors at 10:30 AM in the Assembly Parlor of the State Capitol. CC/WI Chair, former State Senator Tim Cullen will speak in favor of the measure on behalf of CC/WI.

In the State Senate, the lead sponsor is Sen. Dave Hansen (DGreen Bay), who has introduced Senate Bill 288. In the Assembly, the lead sponsor is Rep. Robyn Vining (D-Waukesha), who has introduced an identical measure, Assembly Bill 303.   They will speak at the press conference with Cullen and other reformers.

Illustration credit: Isthmus

You can attend the press conference, too, if you are available and would like to join us.   It is vitally important for you to do your part to help make ending partisan gerrymandering a reality in Wisconsin before 2021, when the next redistricting process will occur, following the 2020 Census.

This week, contact both your state senator and your state representative and demand that they co-sponsor and support Senate Bill 288 and/or Assembly Bill 303. If you are not sure who your state senator and/or state representative is, go here.  

These measures have overwhelming citizen support all throughout Wisconsin. Now, state legislators need to adhere to the demands of their constituents to defy Vos and Fitzgerald and do the right thing. Support fair maps!

Some legislators and their staff may tell you the U.S. Supreme Court has now said that their current, partisan gerrymandering system is the only way the redistricting process can occur. 

That is a bald-faced lie! They absolutely could and should adopt the fair, non-partisan legislation (SB 288/AB 303), now ready for a public hearing and consideration by the full Wisconsin Legislature tomorrow, if they put the public interest ahead of their narrow, partisan interest.  

For your information, you can watch this very recent video (taped July 11th) about the June 27th U.S. Supreme Court decision on partisan gerrymandering and the path forward for ending it Wisconsin on Wisconsin Eye, featuring CC/WI Director Jay Heck and UW-Madison Professors David Canon and Rob Yablon.   Take action. Make your voices heard. Never, ever surrender. On Wisconsin!

Voters ask for security. The Wisconsin Elections Commission gives only reassurances.

Summary: The WEC should be pressuring manufacturers to improve insecure election equipment, not pressuring voters to accept it. But they are doing the opposite. 7-minute read.

* * *

June 27, 2019 – Imagine two friends walking down the street when a masher starts to hit on the woman—even tries to get her into his car.   

The woman’s friend doesn’t need to throw any punches. But he should at least say: “Hey, buddy. You’re out of line. Move on.”

The last thing you expect him to do is to tell the woman: “You need to trust. This guy’s offer sounds legit. He’s got a nice car. Go ahead; get in.”

Voting-machine companies have been acting like the masher. They are pressuring voters to take risks with elections equipment that has built-in security flaws:

  • Some models of ballot-marking devices (BMDs) print ballots with the votes recorded in barcodes, rather than in marked ovals beside candidates’ names. BMDs are necessary for people who cannot mark their own ballots. The problem is that barcoded votes make it impossible for voters to verify which candidates will get their votes. Even a voter carrying a barcode reader wouldn’t be able to tell whether 02060101 was the right candidate. The barcoded ballots also print the candidate’s names as text, but the computers count only the barcoded votes.  The Commission has approved two barcoding BMDs:  the ES&S ExpressVote and the Dominion ICE.
  • Hybrid voting machines combine a ballot-marking device and tabulator in one machine, which sounds okay until you know that, after a voter has inspected the ballot and inserted it back into the machine for counting, the machine passes the ballot back under the printer head. As a result, the machines can be mis-programmed to print additional votes on the ballots or to make marks that invalidate the ones the voters made.  Like barcoding, that makes voter verification impossible. Dominion ICE is the only hybrid voting machine currently in use in Wisconsin.

The Wisconsin Elections Commission has been telling voters to go ahead and get into the car. 

Manufacturer ES&S recently asked the Commission for permission to sell an updated voting system that includes both a safe BMD (the Automark) and a barcoding BMD (the ExpressVote).  The Commission took the matter up at their June meeting.

In advance of that meeting, dozens of voters contacted the Commission, asking them to deny approval to the barcoding machine. After reading the voters’ emails, the commissioners saw a problem, but it wasn’t the security flaw. The problem they saw was voter resistance to the security flaw.  (With one exception–see the footnote)

When they met on June 11, neither staff nor commissioners were coy about the purpose of the meeting. Administrator Meagan Wolfe introduced the staff who “conducted the campaign to approve the voting equipment.” (At 11:30 in this video recording of the meeting.)

Commissioner Mark Thomsen was equally clear about what he wanted from the meeting:  “I’d like to be reassured about any security issues and that the public knows that we don’t have a problem there.”  (38:38 in that video)

Were these mere figures of speech? Did Wolfe and Thomsen instead mean to say that they wanted to conduct a rigorous assessment to reduce or eliminate the risks?

Nope. Watch that video and you will see staff, commissioners, and ES&S sales representatives working together with shared purpose: To convince each other and the voters that all is well.

Had commissioners come to the meeting ready to grapple with and resolve the security issues, they would quickly have posed the obvious first question, given the controversy: Why are barcodes used at all? Particularly when it is demonstrably possible to manufacture a machine with all the desirable features of the ExpressVote but without the barcodes? What benefit do the barcodes provide, to whom, that justifies degrading voter verifiability like this?

But no one asked that. So no one answered.

That wasn’t the only important question unasked and unanswered. Tony Bridges, the Commission’s Election Security lead, reassured the commissioners that the votes recorded as text, rather than the barcodes, will be counted in recounts and audits.  (Starts at 48:12 in the video linked above.)

The Commissioners know — even if Bridges does not — that in 2016 the Commission testified in court that statutes give counties, not the Commission, authority to decide whether to recount by hand or by machine. The judge agreed. So Commissioners know they cannot require the recount method Bridges described. Yet no one corrected him. The stated purpose of the meeting was to increase confidence in election security — and Bridges’ misstatement did that.

Several commissioners are lawyers. If they had been engaged in assessing risks rather than excusing them, they surely would have also noticed that no Wisconsin statute anticipates that votes will be recorded twice on the same ballot. That creates a rat’s nest of legal questions around barcoded ballots: Which is the ‘real’ vote?

What does it say about the validity of results in un-recounted races when the Commission insists, as Bridges suggests, that only those votes recorded as text are reliable enough to decide a recount? One of the candidates in the next contested recount might suspect he or she got more votes from the barcoded ballots. When that candidate challenges the hand-counting counties, what legal argument will the Commission suggest to those clerks to defend Bridges’ method against pressure to recount by machine?

Bridges’ proposal is just as problematic for voting-machine audits. For years, the Commission has repeatedly asserted that this state’s audit law, s.7.08(6), Wis. Stats., requires auditors to read the votes the way the machines are designed to read them. Reading only the text votes from barcoded ballots cannot fulfill that requirement, because the tabulators don’t use those votes. So Bridges’ proposed audits do not qualify as s.7.08(6) audits. Yet those are the only audits the Commission has authority to order.

None of that came out in the meeting, however, because the commissioners were wholly fixated on defending the barcoding BMD. Having built up the illusion that officials will routinely check the barcodes for accuracy, Bridges’ testimony was on script and accepted.

The manufacturer’s claims were also accepted without question. None, however, stand up to even simple critical examination.

  1. The manufacturer’s first argument is: “The voters can verify the votes that are printed as text.”
    Commissioners working to protect voters would have said: “We cannot consider something that’s never counted to be a ‘vote.’ So we don’t see the value in verifying the text. It’s the votes that will be counted that must be verifiable to comply with the law that says that voters must be able to privately verify the votes selected.”  
    No commissioner said that.
  2. The next argument is: “Audits and recounts will notice if the barcoded votes differ from the printed text.”
    Commissioners working to protect voters would have told the manufacturer that is irrelevant in Wisconsin. Here, very few races are protected by recounts because recounts are allowed only when preliminary results are too close to have been hacked (Manipulated results will surely have a victory margin larger than 0.25%.) Audits protect even fewer races because the Commission has no authority to correct election results even if an audit detects a problem in the sampled machines.  
    No commissioner brought that up.
  3. Manufacturers offer a third defense when they are forced to admit the votes printed as text are merely decorative. They have built a feature into the BMDs that allows a curious voter to reinsert the ballot into the machine that printed it, which will read the barcode and display the votes on a monitor.
    Commissioners working to protect voters would have pointed out that’s not verification. It requires a voter to trust the machine once to print the correct votes, and then trust it again to read back the correct votes. If a barcoding BMD is programmed to print the wrong votes in the barcode, it will also be programmed to read the right votes back to the voter.
    No commissioner pointed that out.
  4. For their final line of defense, ES&S falls back on obfuscation. The manufacturer explains that the tabulator uses the same set of codes to interpret both marked ovals and barcodes. For example, the code assigned to a candidate whose oval is located in the second row of the sixth column on the first side of the first page of a printed ballot would be 02060101. The barcoded votes for that candidate contain a reference to that same spot—02060101.
    Commissioners working to protect voters would have scoffed and said, “If the voter hasn’t verified it, we don’t care how the tabulator reads it. Stop yammering about irrelevant technicalities and bring us a BMD with the good features of the ExpressVote and voter-verifiable ballots.”
    None of the commissioners scoffed.

Staff contributed additional weak arguments to help make ES&S’s case: 

  • Staff pointed out that they found no problems with the barcodes when they tested the systems. They did not mention that the machines used by Election-Day voters will be at risk of mis-programming, while the machines provided by ES&S for testing were not.
  • Staff said that previous recounts and audits found no problems with incorrect barcodes in past elections. They did not explain how that protects future elections.
  • Staff told commissioners that local officials often test the machines before each election. They did not explain that pre-election tests provide no security against malicious code, which would be designed never to reveal itself before Election Day.

No surprise: After this discussion, the Commission voted unanimously to approve the machine, and instructed its staff to reassure the voters.  A few days later, every voter who had urged caution got an email from Public Information Officer Reid Magney.  Following the commissioners’ instruction to convince voters that barcoded votes are “a perceived problem, not a real one,” (43:32), Magney uncritically repeated the manufacturer’s claims and even used the opportunity to distribute an ES&S marketing brochure.

So here’s a direct plea to the Wisconsin Elections Commission and their staff: Stop seeing it as your job to make the companies’ case to the voters. Start making the voters’ case to the companies.

When you hear manufacturers’ claims, make skepticism your default attitude. When you hear voters’ concerns, default to curiosity.

When a law or regulation can be interpreted either way, go with the common-sense interpretation that favors the voters’ interests. Don’t devote extra effort to wresting out an interpretation that favors the voting machine companies’ interests. (I’m looking at you, Staff Attorney Michael Haas—1:27:00.)   

Demand security from them, not trust from us.

In short, WEC, come over to the voters’ side where you belong.

Footnote: Chair Dean Knudson’s line of questioning, which starts around 50:00, was responsive to concerns about pre-election testing. However, to be fair, that line of questioning challenged only election officials to reduce the risks of barcodes. He did not challenge the manufacturer to eliminate them.

* * *

Note to the media:  Voters could use your help in getting the WEC to work on tabulation security, rather than to continue working on reassurance.
The security problems with barcoding and hybrid BMDs are being taken very seriously outside Wisconsin. Federal election-security legislation has been introduced that would prohibit their use. Senator Tammy Baldwin is co-sponsoring the Senate bill, SB 1472; Representative Mark Pocan voted for the House bill, HR 2722.
If you ever ask WEC about election security, be prepared to receive a list of measures they have taken to protect the voter registration system, WisVote. The list will not explain–unless you press–that those measures don’t protect the tabulation system.
The WEC might also list some things they have done related to securing the tabulation system. Before you file your story, notice which are guidance rather than binding requirements, and notice that none resolve the risks created when voters cannot verify their ballots, such as in barcoding BMDs or a hybrid voting system. 

If it takes a leap of faith…

The year was 1977, and my friend Gail was in the market for a cheap used car. One of the guys in our apartment building, Chuck, wanted to sell his Pinto. 

“No, Gail, no,” I told her. “People are saying the Pinto’s gas tank can explode in even low-speed rear-end crashes.  There’s talk of recall and lawsuits. If you buy this car, you won’t be able to resell it.”

Gail believed me but dismissed the risk. “Ford wouldn’t be selling the car if it was a big problem,” she said. “And besides, Chuck said the car has seat belts.” She thought for a second and couldn’t come up with any more ways to dismiss or minimize the risk. “I have faith it’ll be okay.”

My roommate backed me up. “Gail, I saw a Datsun B210 for sale on Johnson Street.  The B210 does everything the Pinto does, without the risk. Forget about the Pinto.”

The more we tried to reason with her, the sillier her arguments became.  Chuck had done a good job cleaning his trash out of the car. She could probably minimize the risk by never filling the gas tank more than a quarter full.

She had turned off her brain when it came to hearing anything negative about the Pinto. Chuck seemed to have her under some sort of spell. 

Gail came to mind during the Wisconsin Elections Commission meeting last week.  The Commissioners were meeting to decide whether to approve an updated version of a risky piece of elections equipment, called the ExpressVote.  They were listening to the manufacturer, ES&S, the way Gail had been listening to Chuck, treating words of warning like flies to be swatted away.  

The ExpressVote is a type of ballot-marking device (BMD), which voters use to mark their ballots when they cannot, or do not want to, use a pen.  BMDs only print ballots; they don’t count votes. But they can be misprogrammed to print a ballot that contains different votes than the ones the voter intended.

Safe BMDs manage this risk by printing ballots that look just like regular hand-marked paper ballots.  Each vote is recorded once–as a marked oval beside some candidate’s name. The voter can see it’s next to the correct name. The tabulator looks at that same marked oval, verified by the voter, when it counts the vote.

The Pintos among the BMDs—that is, the unsafe ones—print barcoded ballots.  Barcoded ballots record each vote twice—once in text, and once in barcode.  Voters can verify only the votes printed in the text. The tabulator can count only the votes inside the barcode.  If the BMD is programmed to print one vote in text and a different vote in the barcode, the voter cannot notice. The ExpressVote is one of these machines.

In my dreams, whenever a state election authority meets to approve voting equipment, they would invite the manufacturer, of course. But because the commission would want all the relevant, reliable information they could get, they would also invite other trusted people to sit at the table to answer any questions that might arise and to comment on the manufacturers’ claims.

The mission of the meeting would be to determine what is best for Wisconsin elections. The commissioners’ conduct—particularly their follow-up questions—would demonstrate that they wanted nothing less than the full, unbiased facts.

But the June WEC meeting was not that.

As usual, uninvited members of the public could speak for five minutes at the beginning of the meeting. As usual, I took that opportunity. I explained the risks. I warned of the gathering storm of litigation and legislation. I told them barcoding brings no benefit to balance the risk. I told them they have other options. I asked them to protect our votes and turn away from this pointless risk. The commissioners listened politely but asked no questions. 

Then for the next two hours, I and everyone else in the room was required to listen silently as the salespeople gave their pitch without time limit and demonstrated their equipment. The Commissioners had arranged for no provision to receive correction or rebuttal from an independent source if ES&S misled the Commission in any way.  If the salespeople omitted any important information the commissioners might need to know, the meeting presented no opportunity for anyone to provide it.

The one exception was when Commission Chair Dean Knudson led a responsible line of questioning about whether the municipal clerks test the BMDs before each election. To its credit, the commissioners voted to promote that testing before future elections.

But other than that, everyone’s conduct indicated that ES&S, the commissioners, and staff came to the meeting with one shared goal: to minimize or refute concerns about the security of the ExpressVote and approve it for sale in Wisconsin.

One example: The issue of voter verification.  ES&S designed a feature into the ExpressVote that allows a voter to reinsert the barcoded ballot back into the machine, and have the BMD display the votes on a computer monitor for a second time.  ES&S wants everyone to believe that this feature provides voter verification.

But of course it doesn’t. Everyone in the room—commissioners, staff, and company reps included—was intelligent enough to know that if a hacker ever programs a BMD to print the wrong votes in the barcode, the hacker will also program it to display only the right votes to the voter. 

But the commissioners asked no skeptical or challenging follow-up questions. None even bothered to wonder out loud what good barcoding does anyway. (Answer: Nothing. It’s all risk, no reward.) A few even repeated ES&S’s claim of verifiability back to them, like my friend Gail, as if repetition of a silly argument could make it convincing.

Another example: ES&S’s pitch regarding the safety of barcodes. Barcoded ballots are safe, the sales pitch went, because:

  • The programmer assigns each candidate a unique numeric code, based on that candidate’s location on the ballot. For example, the candidate whose oval is located in the 2nd column, 15th row, first side, first page of the ballot will be Candidate 021511.
  • When the tabulator looks at a hand-marked ballot and sees a marked oval at that position, the tabulator will count a vote for Candidate 021511.
  • When that same tabulator looks at a barcoded ballot and sees a barcode that translates into “021511,” the tabulator will count a vote for Candidate 021511.

In summary (ES&S says), hand-marked and bar-coded ballots are equally secure because the tabulator uses the same numeric code, whether it is reading from a marked oval or from a barcode.

This information—presented in a glossy, illustrated, full-color brochure—answered a question no one had asked and no one cares about. The problem isn’t that the tabulator might use different numeric codes when interpreting ovals and barcodes. 

The problem is that when counting a barcoded ballot, the tabulator looks at information no voter has verified, unlike when the voter and tabulator both look at the same marked oval.

The commissioners gave no sign they noticed the time-honored marketing ploy: Distract the customer by talking about something else and pretend you have addressed the concern. Gullible and eager-to-say-yes customers smile and nod.

I don’t know what accounts for this smile-and-nod process for approving voting equipment. I do know the commissioners are capable of being tigers when it comes to security — of a different system. I’ve witnessed the commissioners asking serious, challenging follow-up questions—really engaging their critical faculties—when working through security issues involving WisVote, our state’s voter-registration system.

During the weekend before their Tuesday meeting, participants in our group (Wisconsin Election Integrity) had emailed the commissioners warning them of the barcoding BMDs’ security issues and asking them to stop certifying them. Had we been raising security concerns about something in the WisVote system, I’m confident the commissioners’ response would have been to tell their staff to resolve the security issue.  

But we were raising an alarm about the tabulation-system security. So the commissioners’  response was to tell their staff to reassure voters there is no problem.

I cannot imagine any commissioner shrugging and telling me, “Well, it does take a leap of faith,” to end a conversation about voters’ ability to verify their registration records, as one did to end a conversation with me about voters’ inability to verify barcoded votes during a break in Tuesday’s meeting.

“Leap of faith” doesn’t cut it with any of them when it comes to voter-registration records. I cannot understand why they vote as if they see that as an acceptable standard for the tabulation system.

If something requires a leap of faith, it’s probably not a good idea.

Quick facts about Ballot-marking devices

By Karen McKim

First: No, I’m not making this up. Vendors really are promoting $5,000 computers to replace pens for marking ballots. Yes, election officials really are buying them.  

And on Tuesday, June 11, the Wisconsin Elections Commission is set to certify an updated model of one of these systems already in use in this state—without seriously considering the risks. (Discussion starts on page 25 of that linked document.)

Originally designed in response to federal disability-rights laws, ballot-marking devices (BMDs) allow voters to select candidates by touching a computer monitor. Visually impaired voters can listen through earphones and vote by speaking their choices.

Because BMDs only mark paper ballots, but do not count votes (the votes must be counted either by hand or a tabulator), they do not create the same set of security risks as touchscreen machines that tabulate results.

However, all BMDs create risks that do not exist when a voter marks a paper ballot with a pen. The worst types of BMDs create security problems so serious they rival paperless voting.

When hand-marking a ballot, voters can notice and correct any problem—perhaps the pen slips or runs out of ink.  And when the voter casts the ballot, he or she can be certain that the marks accurately record the voter’s intent because, well, the voter recorded them.

The same is not true when a computer records the votes. Hardware sometimes develops problems because of poor maintenance, wearing out, or just plain random malfunction. Software sometimes develops glitches. Human programmers sometimes make mistakes. Being human, even authorized programmers can deliberately manipulate the system so that it does what they, not the voters, want.  

And those are the risks before we even mention the hackers who so thoroughly dominate media imagination and public comprehension of election security issues.

Local election officials, lacking superhero powers, cannot prevent every glitch or malfunction. They have no control of security before the software comes into their possession.  Even the most rigorous pre-election testing cannot detect malicious code written to operate only on Election Day.

One risk—that the BMD can omit some votes or record the wrong ones—could be eliminated if voters were willing and able to review the printed ballots and re-mark their ballots if they saw a problem.  But voters are neither willing nor able.

Voters prefer to vote quickly, and few take the time carefully to review their printed ballot.  This problem is more serious than it seems, because only voter-verified ballots qualify as auditable records of voter intent.  Without proof that the voters verified the ballots, the best that auditors can do is confirm that the voting system produced the results it was programmed to produce—but they cannot confirm the results reflect the will of the voters.

On top of that, voting machine companies have found a way to make sure voters are not able to verify. Take a look at the BMD-printed ballot reproduced below, from an ES&S demonstration of their BMD, the ExpressVote.  Election officials say—and many even believe—that voters can verify their votes by reading the text.

But that human-readable text is merely decorative; it serves no function. The real votes—the only votes the tabulator will see and count—are encoded in those bar codes

And no voter can verify those. So to complete the decorative effect, the voting-machine company provides an additional feature: a barcode reader that voters can use if they want to take additional time to see a read-out of the votes. That is like asking the computer programmer, “You’re not lying to me, are you?”  

The very worst type of BMD is used in a few places in Wisconsin, and is making more headway in some other states. When you understand what’s known as a “hybrid machine,”  it’s easy to think that, for some reason, voting companies are actively trying to undermine voter confidence.  

Hybrid machines combine a BMD with a tabulator, in one machine. The voter uses a touchscreen to select his or her votes, and tells the computer to print the ballot.  When the voter inspects the printed ballot (or not; it’s the voter’s choice), the ballot goes back into the same machine to be tabulated.

But in doing that, the ballot passes back under the same printer heads that marked it in the first place!  If these machines malfunction or are mis-programmed, they could make additional marks on the ballots that the voters did not intend and cannot know about.

There’s more I could say about BMDs and the management practices necessary to minimize the risk whenever they are used.  For one, voters need to insist on adequate public pre-election testing.  Right now, I know of no Wisconsin municipality that publicly pretests the barcoding function before allowing early voters to use BMDs. I know of one (City of Madison) that conducts early voting by BMD for weeks before the public pre-election tests. That practice is unnecessary, careless and, if widely known, would be seriously detrimental to voter confidence.

And some good news: A group of US Senators (16 as of June 8), led by Ron Wyden of Oregon and including Tammy Baldwin of Wisconsin, are sponsoring federal election-security legislation that, among other safeguards, bans BMDs that do not “mark votes in such a way that vote selections can be inspected and verified by the voter … without the aid of any machine or other equipment.”

WEC can be contacted by email at elections@wi.gov.  Before close of business Monday, June 10, contact them with “Message for Commissioners” in the subject line. Tell the Commissioners to understand and resolve the security issues before they certify any more BMDs.

While you’re at it, you can contact Senator Baldwin to thank her for co-sponsoring the PAVE Act.

Quick facts

Ballot-marking devices are computers that mark ballots, but do not count votes.

Benefits of BMDs:

  • Accessible independent voting at the polling place for voters with certain types of disabilities (but they don’t need barcodes for that);
  • BMDs that print ballots on blank paper (as opposed to those that mark pre-printed ballots) have the following benefits: 1) Early, off-site voting locations (such as public libraries) can serve multiple wards without having to stock each ward’s unique ballot; 2) Polling places can never run out of printed ballots, unless they run out of plain paper; 3) Unused ballots can be kept to a minimum or eliminated, reducing opportunity for ballot-box stuffing or other mix-ups.
  • Potentially fewer ballot-marking errors that might invalidate votes or ballots (but tabulating machines also identify mismarked ballots and return them for voter correction).

Drawbacks and dangers of BMDs:

  • Increases election costs (A computer costs more than a pen, and one whole computer is needed to replace each voting booth)
  • Slows down the voting process, because it takes longer to scroll through a computerized menu and make selections than it does to view and mark a paper ballot;
  • Barcoded ballots eliminate voters’ ability to verify their ballots contain the correct votes;
  • Even when barcodes are not printed, no auditable record of the election is created, because there is no way to know whether every voter paused to review the printed ballot and was willing and able to re-mark a ballot if they noticed a problem;
  • When used to replace hand-marked ballots, BMDs reduce the ability of polling places to expand to accommodate high-turnout elections or avoid long lines when many voters appear at the same time.

Voting machine software delivered via internet? You betcha.

Summary: Dominion Voting, one of the nation’s largest voting-machine vendors, uses the internet to deliver voting-machine software to local election officials before each election. Local election clerks can be so naive that they will proudly say “The voting machines are never connected to the internet,” and genuinely believe that protects the software–even though they themselves downloaded the machines’ software from Dominion’s website onto a county computer, from which they made copies for each voting machine. 

* * *

Before we talk about Dominion in particular, a reminder about the basics: In Wisconsin (like everywhere else), every voting machine system (like every other computer) is hackable. Even if never connected to the internet, every working computer contains software copied from some other computer. And hacks don’t need to come in over the internet: Every computer is programmed by normally fallible humans who occasionally have motive, means, and opportunity for fraud.

That’s why every responsible manager, including every elections official, must routinely audit their computers’ output (that is, our election results).

Now, about Dominion Voting Systems and their Imagecast Evolution (ICE) machine.

Voters and reporters in the 12 Wisconsin counties* using ICE voting machines believe that their voting machines are never connected to the internet. What they probably don’t know is that (except for Fond du Lac County), their vote-counting software was downloaded from the internet anyway.

The software in our voting machines has to be updated for every election, because each election has a unique set of races and candidates. No election official in Wisconsin has the ability or authority to write these programs by themselves. They either send the information to an out-of-state vendor who will write the programs for them, or they use an app provided by their voting-machine vendor to compile the vote-counting instructions themselves.

Typically, when an outside vendor writes the software for voting machines, they will deliver it to the local election officials on portable media (something like a USB drive, an SD card, or a “PROM” pack) via courier or FedEx.

But Dominion Voting, a corporation headquartered in Toronto and Denver, emails the county clerk when the software is complete, and the county clerk then downloads the software from the Dominion website.

I first discovered this last year, when I was contacting the county clerks in an attempt to inventory their current security practices; get a read on their level of understanding of the risks; and assess their receptivity to the idea of protective election audits.

Here’s how it works: In Wisconsin, it’s the municipalities that own and operate the voting machines, but because the county clerk has overall responsibility for designing and printing the ballots and reporting the election results, municipalities in most counties cooperate to buy the same voting-machine system. They then rely on the county clerk to handle the machine preparation before each election.

The first four Dominion-ICE-using county clerks I interviewed were happy and proud to explain to me their pre-election procedures. When they get the email from Dominion before every election, they download the tabulation software to a county computer from the Dominion website; save it onto an SD card; copy it onto the county elections-management computer (which is never connected to the internet!), and from there copy it onto portable media to give to the municipal clerks to load into the individual voting machines.

As I spoke with them, I was trying hard to stay completely in a fact-gathering mode, to understand their point of view without influencing it. So I was trying hard to avoid asking follow-up questions like “Are you JOKING?!?!?).

But I do not have a poker face, and one clerk picked up on my discomfort. She patiently explained to me that it was safe to send voting-machine software over the internet because the Dominion website was secure and wouldn’t let her get to the software without a password. And because she downloads the software to a different computer–not the central county elections-management computer or any individual voting machine–she assured me that the local elections equipment stays “air-gapped” and secure.

I didn’t ask, but I imagined her thinking that any malicious code can be erased by waving the SD card through the air.

Yes, that is the level of IT sophistication typical of local election officials.

The fifth ICE user I spoke with was the atypical Lisa Freiberg, Fond du Lac County Clerk. Whew. 

Freiberg has enough IT sophistication and backbone that, when Dominion suggested to her that she rely on them to write the program updates and download the software via internet, she refused. Instead, she obtained from Dominion software that she maintains on the county elections-management computer. She uses that software before each election to design the ballots and write the instructions the voting machines will use to count the votes. When I interviewed her in July 2018, she believed she was the only ICE user in the state who refuses delivery of the voting-machine software via the internet.

ICE is not the only voting system that Dominion offers or supports, and I don’t know if the company sends any other system’s software out over the internet. But even without being an IT professional, I can see some of the opportunities this practice might offer to those who would like to manipulate our elections.

When even the New York Times cannot protect its email from hackers, we cannot expect the deputy clerk in a rural Wisconsin county to know not to open an email containing malicious code that will allow hackers to intercept the next download from Dominion. Once they’ve got the rural county’s ICE software, they can use that knowledge to interfere with the next election in any other county that uses Dominion software.

This one problem could easily be fixed, as Freiberg demonstrated. Dominion ICE users could simply refuse to download software over the internet, and work with their vendor to find a different way.

Less easily fixed is Dominion’s way of doing business. Why did Freiberg even have to ask for an alternate method of obtaining the software? Does Dominion itself understand the risks to election security and voter confidence?

And it’s not just this one slip-up. Independent observers and experts have expressed serious concerns about the design of the system. Other serious concerns are:

  • The ICE system is designed in a way that would allow someone to program it to print additional votes on a ballot after the voter has cast it. This feature renders elections conducted on these machines unauditable, because the ballots were not secured from alteration after leaving the voters’ hands.
  • The ballot-printing feature of the system records voters’ selections in the form of barcodes printed on the ballots, which the tabulator reads when it counts the votes. This means that the voters are unable to verify that the counted votes are the ones they intended to cast.
  • The ICE system incorporates a feature known to security advocates as “permission to cheat.” A voter who uses the touchscreen to mark his or her votes can choose to have the machine count the votes and drop the printed ballot into the bin without the voter’s review–essentially giving the computer programmers permission to cheat. Security advocates (and common sense) insist that voters MUST verify the integrity of the printed ballot if election results are to be trustworthy.

Arguably more than any other voting system, the Dominion ICE is the target of voter concern, even outrage. The most direct, immediate solution is for candidates and voters to demand that no more counties buy the ICE system, and to demand that their election officials who already use it follow the Fond du Lac county clerk’s example and refuse to download software over the internet.

Beyond that, we need to take action to make Dominion take security seriously or to prohibit use of their products. The ICE system could be decertified at either the state or federal level, and federal legislation could prohibit the use of voting systems capable of changing voters’ ballots after they have been cast. 

* Door, Fond du Lac, Grant, Green, Ozaukee, Racine, Trempealeau (one municipality), Vilas, Walworth, Washington, Waupaca (four municipalities), and Winnebago Counties

Projected Ballot Counting

Paper ballots can be manually counted in different ways–sort by candidate and then count the ballots; stack the ballots into groups of 20 and 100 and then have counters mark tally sheets as they go through the stack one-by-one; and more.

Affordable technology–a simple digital camera hooked up to a projector–can beat all these methods on each of the four attributes of a good manual-counting method.

1.  Ballot security.

Ballots must not be altered by the manual count.  Sorting and stacking methods require the ballots to be handled several times, by several people, and moved around tables. When ballots are projected, only one person needs to handle the ballots, only once, and can keep them on one table, in full view.

2.  Accuracy.

In a manual count, accuracy is established with redundant counts—two or more people must agree on each vote, reconciling any disagreement.  When counters make errors in sort-and-stack or tally-sheet methods, finding and reviewing the problem ballot can take a lot of time and ballot-handling. With projected ballots, everyone sees the same vote at the same time, so ambiguous votes can be reconciled when they are first encountered.

3.  Speed.

Faster methods of manual counting help to restrain costs, because labor is the biggest cost. Quicker counting also makes the task more pleasant for both counters and observers. Projected-ballot manual counts have accurately counted votes in one race at a rate of 100 ballots every four minutes, including time to stop to compare paired counters’ totals and resolve any differences. Depending on ballot design, two races could go just as fast.

4.  Transparency.

The value of a manual count depends upon how much trust it produces in candidates and voters. In traditional manual-count methods, observers cannot see ballots well enough to verify for themselves that the votes are being counted accurately and honestly. 
When the ballots are projected, observers see exactly what the official counters see. In addition, because projected-ballot counts require no ballot-handling by the counters, observers can be drafted on the spot as official counters–powerfully counteracting any distrust.

A tally sheet completed in full view of all counters and observers serves as a record of the manual count.

A pdf document containing step-by-step instructions is here.

What might a recount discover?

Quick summary: A recount in this week’s Supreme Court race would be a good idea for everyone involved. Verifying accuracy is a necessity if we want to protect our right to self-government from errors, glitches, and fraud. Even the seeming winner, Brian Hagedorn, would be better off if a recount removes the shadow of doubt from his legitimacy as winner. But because our legislature, egged on by our county clerks, tightened the recount law so extremely, it’s unlikely we’ll get one.

* * *

April 5, 2019 – A statewide election decided by only 6,000 votes is frustrating for everyone. Accurate or not, it indicates no clear will of the people. Chances are last week’s Supreme Court race was determined by random events. Who got tied up at work and didn’t get to the polls? Who neglected to get a valid witness signature on their early ballot?

And of course, such a close result raises fears of manipulation. 

I’ve been asked about what I think happened.

First, I can say with certainty that the vote totals are incorrect. Statewide results always are, not just on Election Night but even after the county clerks have certified them. Every recount always finds miscounts.

Few people know that the 2016 recount found at least 17,681 mis-tabulated votes, or 0.58% of the total, because news media highlighted only the change in the victory margin. That’s 1 miscounted vote for every 170 cast. In 2016, the errors were random—affecting all candidates—so correcting them did not change the outcome.

Why so many miscounted votes? Lots of reasons, caused by both man and machine. Our elections are administered by a temporary workforce, without serious IT expertise. Even the county clerks don’t work full time on elections. Most workers are only lightly trained and supervised; get no more than four days’ on-the-job experience every year; and work under enormous time pressure. Only in recounts do they examine their work to find out how well they did.  They would have to be superhuman not to make lots of mistakes. 

But back to this specific race. Were the miscounts bad enough to have identified the wrong winner? And were they random?

I see no obvious sign of hacked voting machines. When someone manipulates Wisconsin’s election computers to alter the outcome in a statewide race, they are most likely to mis-program the software for one or two of the big counties, and they will surely put the statewide result outside the recount margin.

But the unexpected results in this Supreme Court race came from northern Wisconsin, and the statewide result is so close that Lisa Neubauer can—if she can raise huge cash quickly—get a recount. If that was computer hacking, it took impressive effort (accessing several small counties’ systems) while also being incredibly clumsy (creating results that are subject to recount.) 

If a mis-tabulation (either accidental or deliberate) flipped the outcome in this Supreme Court race, my nominee for the most likely culprit is mishandled early, absentee, and mail-in ballots.

The 2016 recount found widespread errors with absentee ballots, mostly officials rejecting envelopes they should have accepted and vice-versa. But there were other mistakes, too. In Dane County alone, the recount found more than 60 uncounted absentee ballots. Neither rejected nor cast, these ballots were simply overlooked on Election Day and later, during both the municipal and county canvasses.

So we know absentee and early ballots are often miscounted by mistake, and we know those mistakes are not noticed except in a recount. We also know that in elections as anywhere else, the best place to hide fraud is where no one looks for it, and where any oddities that are noticed are written off as human error.

So messing with absentee ballots would be a good way to manipulate a relatively small number of votes.

There are many ways to interfere with absentee, mailed-in, and early ballots. As we saw in North Carolina, you can intervene between the voter and the delivery of the ballot to the municipal clerk. (That’s one ‘hack’ that cannot be detected or corrected by a typical recount.)

But once a ballot has been delivered, it can still be rejected on several grounds.

Local officials can—must, in fact—exercise judgment (e.g., Is this handwriting legible?) when deciding whether to cast or reject an absentee ballot.  And while they are exercising that judgment, they can see the name and address of the voter. That means they can make reasonable guesses about which candidate will get the votes if they decide the ballot can be cast. Implicit, unintentional bias almost certainly shapes some decisions; the effect could be much stronger with deliberate effort. Rarely does anyone review their judgments.

To be clear, I’ve seen nothing to indicate that such manipulation was done in this election or any other Wisconsin election, but it’s a fact that it could be done. A recount would clear that up for both those who suspect and those who deny any wrongdoing.  If no recount occurs, we’ll just have to keep guessing.

But we are not likely to get a recount. For the past several years, the Legislature–urged on by the Wisconsin County Clerks Association–has tightened the recount law to make it nearly impossible to get a recount in a statewide race. Had an election held in April 2015 produced a victory margin of less than 0.50%, as this one did, Neubauer could have obtained a recount at no cost.

From the 2016 recount, we now know that a 0.58% error rate is a realistic expectation. So we can see why the old law, which made it easy to get a recount if the margin was 0.50%, was sensible. If unlike our legislators, we care about protecting our right to self-government against election errors, a recount is always wise when we could easily be declaring the wrong winner by mistake. 

So we will all be well-served if Lisa Neubauer can quickly raise the cash—$2 million, based on the cost of the 2016 recount—that she’ll need to get a recount. The losing candidate is the only one who can buy a recount; our laws assume voters have no standing or interest in accuracy.

But neither she nor we should underestimate the effort needed to raise that much cash that quickly. To get the cash into WEC’s bank account by the deadline, she will need to raise it within about 60 hours of when WEC receives the last county’s official results. Jill Stein had a little longer to raise the money (legislators shortened the deadline after Stein showed it was possible), but this election is not drawing the sorts of national interest that helped Stein raise that much money that fast.

Having said all that, if the result in the Supreme Court race was ‘manipulated,’ my bet would not be on an outcome-flipping miscount, but on the success of a last-minute, under-the-radar, highly targeted, dark-money effort to motivate northern and rural voters to get out and vote for Hagedorn.

But as long as we allow that conduct to be legal (and we do), we cannot call it manipulation. If we want to put an end to that, we’re going to have to do more than complain about it. We’re going to have to fix campaign-finance laws. And to do that, we voters are going to have to get a constitutional amendment.