The year was 1977, and my friend Gail was in the market for a cheap used car. One of the guys in our apartment building, Chuck, wanted to sell his Pinto.
“No, Gail, no,” I told her. “People are saying the Pinto’s
gas tank can explode in even low-speed rear-end crashes. There’s talk of recall and lawsuits. If you
buy this car, you won’t be able to resell it.”
Gail believed me but dismissed the risk. “Ford wouldn’t be selling the car if it was a big problem,” she said. “And besides, Chuck said the car has seat belts.” She thought for a second and couldn’t come up with any more ways to dismiss or minimize the risk. “I have faith it’ll be okay.”
My roommate backed me up. “Gail, I saw a Datsun B210 for sale on Johnson Street. The B210 does everything the Pinto does, without the risk. Forget about the Pinto.”
The more we tried to reason with her, the sillier her arguments became. Chuck had done a good job cleaning his trash out of the car. She could probably minimize the risk by never filling the gas tank more than a quarter full.
She had turned off her brain when it came to hearing anything negative about the Pinto. Chuck seemed to have her under some sort of spell.
Gail came to mind during the Wisconsin Elections Commission meeting last week. The Commissioners were meeting to decide whether to approve an updated version of a risky piece of elections equipment, called the ExpressVote. They were listening to the manufacturer, ES&S, the way Gail had been listening to Chuck, treating words of warning like flies to be swatted away.
The ExpressVote is a type of ballot-marking device (BMD),
which voters use to mark their ballots when they cannot, or do not want to, use
a pen. BMDs only print ballots; they
don’t count votes. But they can be misprogrammed to print a ballot that
contains different votes than the ones the voter intended.
Safe BMDs manage this risk by printing ballots that look just like regular hand-marked paper ballots. Each vote is recorded once–as a marked oval beside some candidate’s name. The voter can see it’s next to the correct name. The tabulator looks at that same marked oval, verified by the voter, when it counts the vote.
The Pintos among the BMDs—that is, the unsafe ones—print barcoded ballots. Barcoded ballots record each vote twice—once in text, and once in barcode. Voters can verify only the votes printed in the text. The tabulator can count only the votes inside the barcode. If the BMD is programmed to print one vote in text and a different vote in the barcode, the voter cannot notice. The ExpressVote is one of these machines.
In my dreams, whenever a state election authority meets to approve voting equipment, they would invite the manufacturer, of course. But because the commission would want all the relevant, reliable information they could get, they would also invite other trusted people to sit at the table to answer any questions that might arise and to comment on the manufacturers’ claims.
The mission of the meeting would be to determine what is best for Wisconsin elections. The commissioners’ conduct—particularly their follow-up questions—would demonstrate that they wanted nothing less than the full, unbiased facts.
But the June WEC meeting was not that.
As usual, uninvited members of the public could speak for five minutes at the beginning of the meeting. As usual, I took that opportunity. I explained the risks. I warned of the gathering storm of litigation and legislation. I told them barcoding brings no benefit to balance the risk. I told them they have other options. I asked them to protect our votes and turn away from this pointless risk. The commissioners listened politely but asked no questions.
Then for the next two hours, I and everyone else in the room was required to listen silently as the salespeople gave their pitch without time limit and demonstrated their equipment. The Commissioners had arranged for no provision to receive correction or rebuttal from an independent source if ES&S misled the Commission in any way. If the salespeople omitted any important information the commissioners might need to know, the meeting presented no opportunity for anyone to provide it.
The one exception was when Commission Chair Dean Knudson led
a responsible line of questioning about whether the municipal clerks test the
BMDs before each election. To its credit, the commissioners voted to promote that
testing before future elections.
But other than that, everyone’s conduct indicated that ES&S, the commissioners, and staff came to the meeting with one shared goal: to minimize or refute concerns about the security of the ExpressVote and approve it for sale in Wisconsin.
One example: The issue of voter verification. ES&S designed a feature into the ExpressVote that allows a voter to reinsert the barcoded ballot back into the machine, and have the BMD display the votes on a computer monitor for a second time. ES&S wants everyone to believe that this feature provides voter verification.
But of course it doesn’t. Everyone in the room—commissioners, staff, and company reps included—was intelligent enough to know that if a hacker ever programs a BMD to print the wrong votes in the barcode, the hacker will also program it to display only the right votes to the voter.
But the commissioners asked no skeptical or challenging follow-up questions. None even bothered to wonder out loud what good barcoding does anyway. (Answer: Nothing. It’s all risk, no reward.) A few even repeated ES&S’s claim of verifiability back to them, like my friend Gail, as if repetition of a silly argument could make it convincing.
Another example: ES&S’s pitch regarding the safety of barcodes. Barcoded ballots are safe, the sales pitch went, because:
The programmer assigns each candidate a unique numeric code, based on that candidate’s location on the ballot. For example, the candidate whose oval is located in the 2nd column, 15th row, first side, first page of the ballot will be Candidate 021511.
When the tabulator looks at a hand-marked ballot and sees a marked oval at that position, the tabulator will count a vote for Candidate 021511.
When that same tabulator looks at a barcoded ballot and sees a barcode that translates into “021511,” the tabulator will count a vote for Candidate 021511.
In summary (ES&S says), hand-marked and bar-coded ballots are equally secure because the tabulator uses the same numeric code, whether it is reading from a marked oval or from a barcode.
This information—presented in a glossy, illustrated, full-color brochure—answered a question no one had asked and no one cares about. The problem isn’t that the tabulator might use different numeric codes when interpreting ovals and barcodes.
The problem is that when counting a barcoded ballot, the tabulator looks at information no voter has verified, unlike when the voter and tabulator both look at the same marked oval.
The commissioners gave no sign they noticed the time-honored marketing ploy: Distract the customer by talking about something else and pretend you have addressed the concern. Gullible and eager-to-say-yes customers smile and nod.
I don’t know what accounts for this smile-and-nod process for approving voting equipment. I do know the commissioners are capable of being tigers when it comes to security — of a different system. I’ve witnessed the commissioners asking serious, challenging follow-up questions—really engaging their critical faculties—when working through security issues involving WisVote, our state’s voter-registration system.
During the weekend before their Tuesday meeting, participants in our group (Wisconsin Election Integrity) had emailed the commissioners warning them of the barcoding BMDs’ security issues and asking them to stop certifying them. Had we been raising security concerns about something in the WisVote system, I’m confident the commissioners’ response would have been to tell their staff to resolve the security issue.
But we were raising an alarm about the tabulation-system security. So the commissioners’ response was to tell their staff to reassure voters there is no problem.
I cannot imagine any commissioner shrugging and telling me,
“Well, it does take a leap of faith,” to end a conversation about voters’
ability to verify their registration records, as one did to end a conversation
with me about voters’ inability to verify barcoded votes during a break in
“Leap of faith” doesn’t cut it with any of them when it comes to voter-registration records. I cannot understand why they vote as if they see that as an acceptable standard for the tabulation system.
If something requires a leap of faith, it’s probably not a good idea.
Originally designed in response to federal disability-rights
laws, ballot-marking devices (BMDs) allow voters to select candidates by
touching a computer monitor. Visually impaired voters can listen through
earphones and vote by speaking their choices.
Because BMDs only mark paper ballots, but do not count votes (the votes must be counted either by hand or a tabulator), they do not create the same set of security risks as touchscreen machines that tabulate results.
When hand-marking a ballot, voters can notice and correct any problem—perhaps the pen slips or runs out of ink. And when the voter casts the ballot, he or she can be certain that the marks accurately record the voter’s intent because, well, the voter recorded them.
The same is not true when a computer records the votes. Hardware sometimes develops problems because of poor maintenance, wearing out, or just plain random malfunction. Software sometimes develops glitches. Human programmers sometimes make mistakes. Being human, even authorized programmers can deliberately manipulate the system so that it does what they, not the voters, want.
And those are the risks before we even mention the hackers who so thoroughly dominate media imagination and public comprehension of election security issues.
Local election officials, lacking superhero powers, cannot
prevent every glitch or malfunction. They have no control of security before
the software comes into their possession.
Even the most rigorous pre-election testing cannot detect malicious code
written to operate only on Election Day.
One risk—that the BMD can omit some votes or record the wrong ones—could be eliminated if voters were willing and able to review the printed ballots and re-mark their ballots if they saw a problem. But voters are neither willing nor able.
Voters prefer to vote quickly, and few take the time carefully to review their printed ballot. This problem is more serious than it seems, because only voter-verified ballots qualify as auditable records of voter intent. Without proof that the voters verified the ballots, the best that auditors can do is confirm that the voting system produced the results it was programmed to produce—but they cannot confirm the results reflect the will of the voters.
On top of that, voting machine companies have found a way to make sure voters are not able to verify. Take a look at the BMD-printed ballot reproduced below, from an ES&S demonstration of their BMD, the ExpressVote. Election officials say—and many even believe—that voters can verify their votes by reading the text.
But that human-readable text is merely decorative; it serves no function. The real votes—the only votes the tabulator will see and count—are encoded in those bar codes.
And no voter can verify those. So to complete the decorative effect, the voting-machine company provides an additional feature: a barcode reader that voters can use if they want to take additional time to see a read-out of the votes. That is like asking the computer programmer, “You’re not lying to me, are you?”
The very worst type of BMD is used in a few places in Wisconsin, and is making more headway in some other states. When you understand what’s known as a “hybrid machine,” it’s easy to think that, for some reason, voting companies are actively trying to undermine voter confidence.
Hybrid machines combine a BMD with a tabulator, in one machine. The voter uses a touchscreen to select his or her votes, and tells the computer to print the ballot. When the voter inspects the printed ballot (or not; it’s the voter’s choice), the ballot goes back into the same machine to be tabulated.
But in doing that, the ballot passes back under the same printer heads that marked it in the first place! If these machines malfunction or are mis-programmed, they could make additional marks on the ballots that the voters did not intend and cannot know about.
There’s more I could say about BMDs and the management practices necessary to minimize the risk whenever they are used. For one, voters need to insist on adequate public pre-election testing. Right now, I know of no Wisconsin municipality that publicly pretests the barcoding function before allowing early voters to use BMDs. I know of one (City of Madison) that conducts early voting by BMD for weeks before the public pre-election tests. That practice is unnecessary, careless and, if widely known, would be seriously detrimental to voter confidence.
And some good news: A group of US Senators (16 as of June 8), led by Ron Wyden of Oregon and including Tammy Baldwin of Wisconsin, are sponsoring federal election-security legislation that, among other safeguards, bans BMDs that do not “mark votes in such a way that vote selections can be inspected and verified by the voter … without the aid of any machine or other equipment.”
WEC can be contacted by email at email@example.com. Before close of business Monday, June 10, contact them with “Message for Commissioners” in the subject line. Tell the Commissioners to understand and resolve the security issues before they certify any more BMDs.
Ballot-marking devices are computers that mark ballots, but
do not count votes.
Benefits of BMDs:
Accessible independent voting at the polling place for voters with certain types of disabilities (but they don’t need barcodes for that);
BMDs that print ballots on blank paper (as opposed to those that mark pre-printed ballots) have the following benefits: 1) Early, off-site voting locations (such as public libraries) can serve multiple wards without having to stock each ward’s unique ballot; 2) Polling places can never run out of printed ballots, unless they run out of plain paper; 3) Unused ballots can be kept to a minimum or eliminated, reducing opportunity for ballot-box stuffing or other mix-ups.
Potentially fewer ballot-marking errors that might invalidate votes or ballots (but tabulating machines also identify mismarked ballots and return them for voter correction).
Drawbacks and dangers of BMDs:
Increases election costs (A computer costs more than a pen, and one whole computer is needed to replace each voting booth)
Slows down the voting process, because it takes longer to scroll through a computerized menu and make selections than it does to view and mark a paper ballot;
Barcoded ballots eliminate voters’ ability to verify their ballots contain the correct votes;
Even when barcodes are not printed, no auditable record of the election is created, because there is no way to know whether every voter paused to review the printed ballot and was willing and able to re-mark a ballot if they noticed a problem;
When used to replace hand-marked ballots, BMDs reduce the ability of polling places to expand to accommodate high-turnout elections or avoid long lines when many voters appear at the same time.
Summary: Dominion Voting, one of the nation’s largest voting-machine vendors, uses the internet to deliver voting-machine software to local election officials before each election. Local election clerks can be so naive that they will proudly say “The voting machines are never connected to the internet,” and genuinely believe that protects the software–even though they themselves downloaded the machines’ software from Dominion’s website onto a county computer, from which they made copies for each voting machine.
* * *
Before we talk about Dominion in particular, a reminder about the basics: In Wisconsin (like everywhere else), every voting machine system (like every other computer) is hackable. Even if never connected to the internet, every working computer contains software copied from some other computer. And hacks don’t need to come in over the internet: Every computer is programmed by normally fallible humans who occasionally have motive, means, and opportunity for fraud.
That’s why every responsible manager, including every elections official, must routinely audit their computers’ output (that is, our election results).
Now, about Dominion Voting Systems and their Imagecast Evolution (ICE) machine.
Voters and reporters in the 12 Wisconsin counties* using ICE voting machines believe that their voting machines are never connected to the internet. What they probably don’t know is that (except for Fond du Lac County), their vote-counting software was downloaded from the internet anyway.
The software in our voting machines has to be updated for every election, because each election has a unique set of races and candidates. No election official in Wisconsin has the ability or authority to write these programs by themselves. They either send the information to an out-of-state vendor who will write the programs for them, or they use an app provided by their voting-machine vendor to compile the vote-counting instructions themselves.
Typically, when an outside vendor writes the software for voting machines, they will deliver it to the local election officials on portable media (something like a USB drive, an SD card, or a “PROM” pack) via courier or FedEx.
But Dominion Voting, a corporation headquartered in Toronto and Denver, emails the county clerk when the software is complete, and the county clerk then downloads the software from the Dominion website.
I first discovered this last year, when I was contacting the county clerks in an attempt to inventory their current security practices; get a read on their level of understanding of the risks; and assess their receptivity to the idea of protective election audits.
Here’s how it works: In Wisconsin, it’s the municipalities that own and operate the voting machines, but because the county clerk has overall responsibility for designing and printing the ballots and reporting the election results, municipalities in most counties cooperate to buy the same voting-machine system. They then rely on the county clerk to handle the machine preparation before each election.
The first four Dominion-ICE-using county clerks I interviewed were happy and proud to explain to me their pre-election procedures. When they get the email from Dominion before every election, they download the tabulation software to a county computer from the Dominion website; save it onto an SD card; copy it onto the county elections-management computer (which is never connected to the internet!), and from there copy it onto portable media to give to the municipal clerks to load into the individual voting machines.
As I spoke with them, I was trying hard to stay completely in a fact-gathering mode, to understand their point of view without influencing it. So I was trying hard to avoid asking follow-up questions like “Are you JOKING?!?!?).
But I do not have a poker face, and one clerk picked up on my discomfort. She patiently explained to me that it was safe to send voting-machine software over the internet because the Dominion website was secure and wouldn’t let her get to the software without a password. And because she downloads the software to a different computer–not the central county elections-management computer or any individual voting machine–she assured me that the local elections equipment stays “air-gapped” and secure.
I didn’t ask, but I imagined her thinking that any malicious code can be erased by waving the SD card through the air.
Yes, that is the level of IT sophistication typical of local election officials.
The fifth ICE user I spoke with was the atypical Lisa Freiberg, Fond du Lac County Clerk. Whew.
Freiberg has enough IT sophistication and backbone that, when Dominion suggested to her that she rely on them to write the program updates and download the software via internet, she refused. Instead, she obtained from Dominion software that she maintains on the county elections-management computer. She uses that software before each election to design the ballots and write the instructions the voting machines will use to count the votes. When I interviewed her in July 2018, she believed she was the only ICE user in the state who refuses delivery of the voting-machine software via the internet.
ICE is not the only voting system that Dominion offers or supports, and I don’t know if the company sends any other system’s software out over the internet. But even without being an IT professional, I can see some of the opportunities this practice might offer to those who would like to manipulate our elections.
When even the New York Times cannot protect its email from hackers, we cannot expect the deputy clerk in a rural Wisconsin county to know not to open an email containing malicious code that will allow hackers to intercept the next download from Dominion. Once they’ve got the rural county’s ICE software, they can use that knowledge to interfere with the next election in any other county that uses Dominion software.
This one problem could easily be fixed, as Freiberg demonstrated. Dominion ICE users could simply refuse to download software over the internet, and work with their vendor to find a different way.
Less easily fixed is Dominion’s way of doing business. Why did Freiberg even have to ask for an alternate method of obtaining the software? Does Dominion itself understand the risks to election security and voter confidence?
And it’s not just this one slip-up. Independent observers and experts have expressed serious concerns about the design of the system. Other serious concerns are:
The ICE system is designed in a way that would allow someone to program it to print additional votes on a ballot afterthe voter has cast it. This feature renders elections conducted on these machines unauditable, because the ballots were not secured from alteration after leaving the voters’ hands.
The ICE system incorporates a feature known to security advocates as “permission to cheat.” A voter who uses the touchscreen to mark his or her votes can choose to have the machine count the votes and drop the printed ballot into the bin without the voter’s review–essentially giving the computer programmers permission to cheat. Security advocates (and common sense) insist that voters MUST verify the integrity of the printed ballot if election results are to be trustworthy.
Arguably more than any other voting system, the Dominion ICE is the target of voter concern, even outrage. The most direct, immediate solution is for candidates and voters to demand that no more counties buy the ICE system, and to demand that their election officials who already use it follow the Fond du Lac county clerk’s example and refuse to download software over the internet.
Beyond that, we need to take action to make Dominion take security seriously or to prohibit use of their products. The ICE system could be decertified at either the state or federal level, and federal legislation could prohibit the use of voting systems capable of changing voters’ ballots after they have been cast.
Paper ballots can be manually counted in different ways–sort by candidate and then count the ballots; stack the ballots into groups of 20 and 100 and then have counters mark tally sheets as they go through the stack one-by-one; and more.
Affordable technology–a simple digital camera hooked up to a projector–can beat all these methods on each of the four attributes of a good manual-counting method.
1. Ballot security.
Ballots must not be altered by the manual count. Sorting and stacking methods require the ballots to be handled several times, by several people, and moved around tables. When ballots are projected, only one person needs to handle the ballots, only once, and can keep them on one table, in full view.
In a manual count, accuracy is established with redundant counts—two or more people must agree on each vote, reconciling any disagreement. When counters make errors in sort-and-stack or tally-sheet methods, finding and reviewing the problem ballot can take a lot of time and ballot-handling. With projected ballots, everyone sees the same vote at the same time, so ambiguous votes can be reconciled when they are first encountered.
Faster methods of manual counting help to restrain costs, because labor is the biggest cost. Quicker counting also makes the task more pleasant for both counters and observers. Projected-ballot manual counts have accurately counted votes in one race at a rate of 100 ballots every four minutes, including time to stop to compare paired counters’ totals and resolve any differences. Depending on ballot design, two races could go just as fast.
The value of a manual count depends upon how much trust it produces in candidates and voters. In traditional manual-count methods, observers cannot see ballots well enough to verify for themselves that the votes are being counted accurately and honestly. When the ballots are projected, observers see exactly what the official counters see. In addition, because projected-ballot counts require no ballot-handling by the counters, observers can be drafted on the spot as official counters–powerfully counteracting any distrust.
A tally sheet completed in full view of all counters and observers serves as a record of the manual count.
Quick summary: A recount in this week’s Supreme Court race would be a good idea for everyone involved. Verifying accuracy is a necessity if we want to protect our right to self-government from errors, glitches, and fraud. Even the seeming winner, Brian Hagedorn, would be better off if a recount removes the shadow of doubt from his legitimacy as winner. But because our legislature, egged on by our county clerks, tightened the recount law so extremely, it’s unlikely we’ll get one.
* * *
April 5, 2019 – A statewide election decided by only 6,000 votes is frustrating for everyone. Accurate or not, it indicates no clear will of the people. Chances are last week’s Supreme Court race was determined by random events. Who got tied up at work and didn’t get to the polls? Who neglected to get a valid witness signature on their early ballot?
And of course, such a close result raises fears of manipulation.
I’ve been asked about what I think happened.
First, I can say with certainty that the vote totals are incorrect. Statewide results always are, not just on Election Night but even after the county clerks have certified them. Every recount always finds miscounts.
Few people know that the 2016 recount found at least 17,681 mis-tabulated votes, or 0.58% of the total, because news media highlighted only the change in the victory margin. That’s 1 miscounted vote for every 170 cast. In 2016, the errors were random—affecting all candidates—so correcting them did not change the outcome.
Why so many miscounted votes? Lots of reasons, caused by both man and machine. Our elections are administered by a temporary workforce, without serious IT expertise. Even the county clerks don’t work full time on elections. Most workers are only lightly trained and supervised; get no more than four days’ on-the-job experience every year; and work under enormous time pressure. Only in recounts do they examine their work to find out how well they did. They would have to be superhuman not to make lots of mistakes.
But back to this specific race. Were the miscounts bad enough to have identified the wrong winner? And were they random?
I see no obvious sign of hacked voting machines. When someone manipulates Wisconsin’s election computers to alter the outcome in a statewide race, they are most likely to mis-program the software for one or two of the big counties, and they will surely put the statewide result outside the recount margin.
But the unexpected results in this Supreme Court race came from northern Wisconsin, and the statewide result is so close that Lisa Neubauer can—if she can raise huge cash quickly—get a recount. If that was computer hacking, it took impressive effort (accessing several small counties’ systems) while also being incredibly clumsy (creating results that are subject to recount.)
If a mis-tabulation (either accidental or deliberate) flipped the outcome in this Supreme Court race, my nominee for the most likely culprit is mishandled early, absentee, and mail-in ballots.
The 2016 recount found widespread errors with absentee ballots, mostly officials rejecting envelopes they should have accepted and vice-versa. But there were other mistakes, too. In Dane County alone, the recount found more than 60 uncounted absentee ballots. Neither rejected nor cast, these ballots were simply overlooked on Election Day and later, during both the municipal and county canvasses.
So we know absentee and early ballots are often miscounted by mistake, and we know those mistakes are not noticed except in a recount. We also know that in elections as anywhere else, the best place to hide fraud is where no one looks for it, and where any oddities that are noticed are written off as human error.
So messing with absentee ballots would be a good way to manipulate a relatively small number of votes.
There are many ways to interfere with absentee, mailed-in, and early ballots. As we saw in North Carolina, you can intervene between the voter and the delivery of the ballot to the municipal clerk. (That’s one ‘hack’ that cannot be detected or corrected by a typical recount.)
Local officials can—must, in fact—exercise judgment (e.g., Is this handwriting legible?) when deciding whether to cast or reject an absentee ballot. And while they are exercising that judgment, they can see the name and address of the voter. That means they can make reasonable guesses about which candidate will get the votes if they decide the ballot can be cast. Implicit, unintentional bias almost certainly shapes some decisions; the effect could be much stronger with deliberate effort. Rarely does anyone review their judgments.
To be clear, I’ve seen nothing to indicate that such manipulation was done in this election or any other Wisconsin election, but it’s a fact that it could be done. A recount would clear that up for both those who suspect and those who deny any wrongdoing. If no recount occurs, we’ll just have to keep guessing.
But we are not likely to get a recount. For the past several years, the Legislature–urged on by the Wisconsin County Clerks Association–has tightened the recount law to make it nearly impossible to get a recount in a statewide race. Had an election held in April 2015 produced a victory margin of less than 0.50%, as this one did, Neubauer could have obtained a recount at no cost.
From the 2016 recount, we now know that a 0.58% error rate is a realistic expectation. So we can see why the old law, which made it easy to get a recount if the margin was 0.50%, was sensible. If unlike our legislators, we care about protecting our right to self-government against election errors, a recount is always wise when we could easily be declaring the wrong winner by mistake.
So we will all be well-served if Lisa Neubauer can quickly raise the cash—$2 million, based on the cost of the 2016 recount—that she’ll need to get a recount. The losing candidate is the only one who can buy a recount; our laws assume voters have no standing or interest in accuracy.
But neither she nor we should underestimate the effort needed to raise that much cash that quickly. To get the cash into WEC’s bank account by the deadline, she will need to raise it within about 60 hours of when WEC receives the last county’s official results. Jill Stein had a little longer to raise the money (legislators shortened the deadline after Stein showed it was possible), but this election is not drawing the sorts of national interest that helped Stein raise that much money that fast.
Having said all that, if the result in the Supreme Court race was ‘manipulated,’ my bet would not be on an outcome-flipping miscount, but on the success of a last-minute, under-the-radar, highly targeted, dark-money effort to motivate northern and rural voters to get out and vote for Hagedorn.
But as long as we allow that conduct to be legal (and we do), we cannot call it manipulation. If we want to put an end to that, we’re going to have to do more than complain about it. We’re going to have to fix campaign-finance laws. And to do that, we voters are going to have to get a constitutional amendment.
The Wisconsin Elections Commission met today, and I stayed for most of the agenda.
One agenda item had to do with fixing the snafus that caused a voter-registration list maintenance effort in 2017 to incorrectly ‘deactivate’ thousands of validly registered voters. (You may have heard such efforts described as ‘purges,’ a relatively pejorative term that is fitting whenever voter-list maintenance is used as a voter-suppression tactic.)
Among other things, so many voters were incorrectly removed from the registration lists that poll workers for the past several elections have had to work with two sets of poll books–the regular one for unaffected voters, and a supplemental list of voters who had been struck from the rolls but who would be allowed to vote if they showed up on Election Day and attested that they had not, in fact, moved.
There are dozens of reasons, it turns out, why State of Wisconsin computers got confused about whether these voters had moved. They have to do with things like registering a vehicle with your personal name but your business address, or buying a car for your college student in La Crosse and registering it there instead of where you vote. I won’t go into all the details. If you’re curious, you can read the staff report starting on page 72 of this document.
I spend a lot of time reading about election-integrity problems in other states. That means I read about a lot of skuzzy partisan machinations.
I also spend some time talking with local election officials. That, unfortunately, exposes me to much whining, excuse-making, buck-passing and “no law says I have to” attitude.
Here’s why the WEC discussion impressed me so much that I had to come home and write this blog post.
The discussion was pure, unadulterated problem-solving, start to finish. No one was looking for a partisan angle or opportunity. Not one single commissioner or staff member was whining. No energy was wasted on self-protective defensiveness, or on denying or minimizing the problems. I heard no attempts at buck-passing, no excuses.
Unlike what I hear when I talk to many local election officials about vote tabulation, no one at WEC was pointing out that statutes require them to do the work but don’t require them to do it right. It didn’t seem to cross any Commissioner’s mind to avoid their managerial obligation to detect, analyze, and correct problems until someone passes a law forcing them to do that, and paying them extra for it.
WEC commissioners and staff were straight-up committed to discovering the extent of the problems and what caused them, and to making sure they never happen again. Commissioners asked staff for hard data on error rates, and made sure that staff are not sending any more deactivation notices until the problems are fixed. Staff, for their part, were as committed to getting past problems corrected and future problems averted as the Commissioners were.
This is what responsible election administrators look like.
I wish all voters could have seen what I saw today. And I wish some reporter would write about it when good work gets done.
In brief: Jill Stein’s post-recount organization, Voting Justice, won a victory over voting machines companies ES&S and Dominion in Wisconsin. Stein will be allowed to bring in experts to examine the software for several models of voting machines, and those experts will be able to report their findings publicly. These machines are used not just in Wisconsin, but around the nation. That is all very good.
But this victory is only a breach in the wall of secrecy, not a demolition. Several factors will limit the benefits that will flow from this victory. If we’re going to secure future elections, we will need to thank Jill Stein and the Wisconsin Elections Commission–and keep on fighting.
An otherwise well-informed voter could be forgiven for not realizing that the 2016 Presidential recount effort, led by the Green Party’s Jill Stein, is still producing valuable results.
Corporate news media see elections as horse races. Once a winner is declared and the bets paid out, journalistic curiosity dies. Editors see no story in the poor overall quality of American election administration.
So the 2016 Presidential Recount—completed in Wisconsin, aborted in Michigan and Pennsylvania, not even attempted elsewhere—got a big media yawn when it did not change in the outcome.
Here’s some news you may have missed as a result:
Since 2016, the products of the recounts have supported organizers’ efforts to improve elections administration—with impressive success. In Pennsylvania, Stein’s organizers used a recount-related lawsuit to force that state to prohibit paperless voting machines and require routine election audits after future elections.
In Wisconsin, the recount produced a mountain of before-and-after data, from every polling place, for every candidate. Academics from MIT, Harvard, and the University of Wisconsin analyzed it. Although the recount increased neither Trump’s nor Clinton’s ultimate total by more than a few hundred votes, the researchers discovered that more than 17,600 votes had originally been miscounted—or 1 in every 170.
Those stunning findings were ignored by the news media, but the Wisconsin Elections Commission (WEC) took note. I believe that study contributed to their 2018 decision to encourage county clerks to improve embarrassingly weak canvass practices. (The ‘canvass’ is the weeks-long process after Election Day, during which local election officials should review the results to make sure they are correct.)
A unique Wisconsin law requires voting machine companies to place a copy of the actual vote-tabulating software in escrow after every election. Separate from the process of approving voting machines for sale, this requirement was originally intended to protect local governments’ voting-equipment investment. In case a company went out of business, the State would have a working copy of the most recently updated software as backup to keep the machines counting.
The law also requires the State to allow candidates to inspect the escrowed software if the candidates agree “to exercise the highest degree of reasonable care to maintain the confidentiality of all proprietary information.” The software in Wisconsin voting machines is the same as that used in other states, and any inspection could have national implications.
So the Stein campaign asked to inspect the software. They and WEC reached agreement on how Stein’s experts can examine the software without having the opportunity to steal the voting machine companies’ trade secrets. (I can hear the computer-security academics scoffing: “As if anyone would want to!”)
But when the voting-machine companies saw the agreement, ES&S and Dominion didn’t want to play by those rules. The two major players in Wisconsin’s voting-machine market wanted WEC to impose a gag order on Stein’s inspectors.
WEC said “No gag order.” The companies sued.
Their demand of the court was basically: “If you’re going to let Jill Stein’s experts examine our software, prohibit them from ever telling anyone their conclusions.” In other words, the voting machine companies wanted the judge to declare that the experts’ opinions were the companies’ proprietary trade secrets.
Dane County Circuit Court Judge Stephen Elke backed the WEC and turned the voting machine companies down. Likely sensing the main reason why any company would seek such a gag order, the judge wrote:
By way of example, a nutritionist might be given access to the secret formula for Coca-cola, which is undeniably a trade secret. It would not be a disclosure of that trade secret for the nutritionist to say, “After seeing the secret formula, I can tell you that Coca-cola is unhealthy and I would never let my own children drink it.”
This is a breakthrough. To my knowledge, independent experts have never before been able to examine “the software components that were used to record and tally the votes in an election” with the approval and support of the state elections agency. That software is defined as “the vote-counting source code, the table structures, modules, program narratives, and other human-readable instructions used to count votes.”
Whatever the inspectors find, the voting-machine companies will not be able to say “But the software you saw was only for review purposes. We had fixed that problem in the operational software.” If they make that claim, they’re admitting they violated the Wisconsin law that required them to provide the State with the software that was used in the election.
And what will their inspection find? Smart money would lay odds on serious problems. You need to know only the basics about profit-seeking corporations and low-bid procurement to predict flaws and holes in a product that the manufacturers believed was eternally protected from scrutiny.
We’ll have to wait to see how well the inspectors can describe those problems without violating their pledge to maintain secrecy about the details of the coding. However, this is the best opportunity so far.
A final benefit is, I believe, this decision’s effect on efforts in other states to compel independent examination of vote-tabulating software. With this precedent, those efforts will be more likely to go forward and more likely to succeed. Wisconsin has shown that states can require voting machine companies to allow inspection of the software that will count our votes.
The wall of secrecy surrounding the “black box” voting-machine programs has been breached. But it has not been torn down. The Stein team grabbed the opportunity that presented itself and made the most of it, but the benefits have limitations.
The first limitation is that this is a one-time event. If no other candidate ever demands to inspect the software, it will never again be inspected. We don’t yet have routine quality assurance.
Second, this decision does nothing, in itself, to banish proprietary software from public elections. If we want to get any closer to open-source software and routine quality assurance inspections, we’re going to have to force this review’s eventual findings into the public’s and legislators’ awareness. We’re going to have to do that ourselves. Count on the news media to maintain their willful blindness to any news, however shocking, that lacks a Republican vs. Democrat partisan angle.
Third, while this review will be able to identify any defects or vulnerabilities in the master copy of each systems software, the inspectors won’t be able to tell whether the election was hacked.
Computer programs can be manipulated in ways that are undetectable to even expert forensic analysts. In Brave New Ballot, Johns Hopkins University computer-science professor Aviel Rubin recounted how he annually provides his graduate computer-forensics students with programming he has hacked at the level of the binary code (that is, the ones and zeroes that underlie the human-readable source code). Years go by between the times when a grad student detects the hacked code, and grad students have been able to stump him, too.
Neither voting-machine companies nor election officials will be able to provide Stein’s inspectors with the software that actually counted votes on Election Day. In a “precinct-count” state like Wisconsin, computer tabulation takes place in thousands of separate computers—at least one at every polling place. Before each election, those machines’ software is copied, recopied, and modified for the many different sets of races and candidates that appear on the jurisdictions’ different ballots. In counties that use the Dominion ImageCast Evolution system (with the exception of Fond du Lac County), the software has even been transmitted over the internet from the Colorado manufacturer to the county clerk. Therefore, to confirm with certainty that the software in every machine was compliant in even one election, inspectors would have to obtain access to the thousands of copies. No one is in a position to collect all that software in a single place, and Stein’s experts wouldn’t have time to review it even if it could be collected.
Voting machines can be made to mis-tabulate without altering the source code that Stein’s experts will review. For example, a corrupt or lazy service technician could have installed unauthorized remote-access capability in the county elections computer (as Pennsylvania clerks discovered, to their dismay, in 2014) or in individual voting machines. Later, someone could have taken control of the machines’ output (that is, our election results) simply bypassing or overriding the authorized software.
The best possible outcome of these reviews would be that the experts will find the weaknesses, report them out, and motivate legislatures nationwide to adopt laws requiring open-source software and routine independent software inspection in every local jurisdiction in every election.
But even if that happens, it will not close and lock the door against outcome-altering mis-tabulation of our votes.
The only effective protection against hacked elections remains what it has always been: Routine, manual verification of the correct winners, using paper ballots, completed before the results are declared final.
Routine detection-and-correction is the onlysecurity measure strong enough to deter hacking while also protecting final election results against undetected error and malfunction.
It is the only way surely to protect the true voice of the people.
December 19, 2018 — “As the secret ballot transformed elections in the last century,” said Joseph Hall, Chief Technologist for the Center for Democracy and Technology, “risk-limiting audits are going to transform elections in this century.”
In a few years, Americans will look back, aghast, at our current election management. We will be amazed that we ever trusted vote-tabulating computers so much that we routinely declared winners without checking results for evidence of fraud, glitches, or human error. We will consider routine verification to be an indispensable part of managing elections, just as cash-register reconciliation is now for managing the corner convenience store.
In preparation for that day, it’s time to understand: What is a “risk-limiting audit”?
First, a risk-limiting audit is not a specific set of steps or statistical calculations. Like “home-heating system,” the term describes a function, not a method. If a system heats your home, it’s a home-heating system. If it doesn’t, it’s not. A wood-burning stove is a home-heating system. Electrified tile floors are a home-heating system. Triple-pane windows and attic insulation are not.
A risk-limiting audit is any review that imposes a precise limit, such as 10%, on the risk of certifying incorrect results in the event that Election-Night results identified the wrong winner. Any review that accomplishes that is a risk-limiting audit. If it doesn’t, it’s not. For example, pre-election voting-machine tests and hand-counting to verify a few voting machines’ results are good. But even when completed correctly, they do not precisely limit the risk that officials will detect and correct any outcome-altering miscounts.
(Though it’s not part of the official definition of risk-limiting audit, I’ll mention the other side of the coin. In the event that Election-Night results identified the right winner, a risk-limiting audit does not reduce the risk that officials will certify the wrong one. That risk stays at zero.)
You might be surprised that statistical analysis is not a required feature of risk-limiting audits. A full recount uses no statistical methods and if done correctly, limits the risk of declaring the wrong winner to zero. Therefore, it’s a risk-limiting audit. But full recounts require too much effort to be used routinely. So to reduce the time and effort needed to confirm elections, most types of risk-limiting audits use random sampling for selection and statistical processes for analysis.
Another feature of risk-limiting audits is manual inspection of voter-verified paper ballots. Until some as-yet-uninvented technology comes along, we can verify the computers’ verdicts only by comparing them against something that didn’t come from a computer. That is, we need direct human observation of the paper ballots that were marked, or at least verified, by the voters themselves.
Finally, the word ‘audit’ doesn’t mean what you probably think it means. Outside elections, independent auditors perform audits after auditees have completed the work. In contrast, a risk-limiting audit is completed by the responsible officials as part of their work of certifying election results. A post-certification review might provide useful information for the next election, but it cannot limit the risk that the wrong winner was certified in this one. Risk-limiting audits probably should have been called ‘risk-limiting reconciliation’ or ‘risk-limiting verification,’ but it’s too late to change that now.
In brief, the exercise uses playing cards to represent ballots containing votes for Black or Red. The cards are sorted into piles representing precincts; a sample is randomly drawn from across all participating precincts. Each card either builds or reduces confidence in the Election-Night results, until a pre-determined acceptable level of confidence is achieved—or is not. To do this exercise, you’ll need:
two decks of playing cards;
a pencil; and
a random-number generator.
Note: the statistics in this exercise are realistic but not precise; they are for illustration purposes only. A real election audit would use a sample size and confidence level calculated for the results being audited.
Example #1: When Election-Night results are correct
The first illustration will show how a risk-limiting audit plays out when Election-Night results identified the correct winner.
1. Get two decks of playing cards. They don’t need to be the same design, but the same shape and size will make them easier to work with. From one deck, remove the jokers and set the hearts aside. This leaves 39 cards in this deck—26 black ‘votes’ and 13 red.
2. From the other deck, remove the jokers and set aside both the hearts and diamonds. This leaves 26 cards in this deck, all black.
3. Shuffle all 65 cards together, but not thoroughly. Actual ballots will not be thoroughly shuffled; your cards don’t need to be, either.
4. Separate the cards into six stacks to represent precincts. You don’t need to make them the same size. In the real world, some precincts have more voters than others. Label the stacks “Precinct A,” “Precinct B,” and so on up to “Precinct F.”
5. Count the cards in each precinct consecutively and write the numbers on the labels. For example, if Precinct A has 12 cards, you will write “1-12” on that label. Then start Precinct B’s count with 13, so that Precinct B’s label will be something like “13-23.” Precinct C will be something like “24-35,” and so forth. If you’ve counted correctly, the last card in Precinct F will be 65. Some vocabulary: A list of precincts indicating the number of ballots in each (e.g., Precinct D has 13 ballots) is a “ballot manifest.” When you assign a unique number to each ballot (e.g., Precinct D contains the 36th through the 48th ballot), it becomes a “ballot look-up table.”
Now, imagine you’re the official who is responsible for certifying this election. You know the possibility of an outcome-altering Election-Night miscount is remote. Nevertheless, you want to: 1) deter fraud in future elections, 2) demonstrate to the voters that local elections are secure against even remote risks; and 3) make sure you don’t miss even a remote possibility of declaring the wrong winner.
So you’ve decided to give yourself at least a 90% chance of detecting any outcome-altering miscount before you declare the official winner. In other words, you have decided to impose a 10% limit on the risk that you will fail to notice and correct any such miscount. (You could choose a different level of risk, if you wish.) If the machines identified the correct winner, there is a 0% chance an audit will reverse that.
Initial Election-Night results indicated that Black got 80% of the vote and Red got 20%. While you haven’t looked at any ballots yet, you know how many were cast. Using that information, you consult with a statistician or the risk-limiting audit website to find out how big your manually counted sample needs to be to confirm the right winner or to detect the wrong one.
In a real risk-limiting audit, you would be told a specific number of ballots to draw for the first sample—up to a few hundred, depending on the margin of victory and the number of ballots cast in the race. Your statistician or the RLA website could also generate random numbers for you, to determine which ballots to draw for the sample. For this demonstration, let’s imagine you were told to select 10 ballots.
6. Create a score sheet with columns for the random number, the color of the card, a confidence score for each card, and a running confidence total.
8. Then find each card. For example, if the first randomly selected ballot was #38, you would check the ballot look-up table and see that card #38 is the third card in precinct D. Look at that card, record its color in the second column, and replace it.
If the sampled card was black, it builds confidence that the preliminary results were correct when they identified Black as the winner. Note +5 confidence points for that card in the third column, and add 5 points to the confidence total in the fourth column.
If the sampled card was red, it reduces confidence in the preliminary results. Note –10 confidence points in the third column, and subtract 10 points from the confidence total in the fourth column.
9. When you’ve recorded the color of each card in the sample, look at your total confidence score. If it is 25 or higher, you have statistically confirmed, with 90% confidence or more, that no Election-Day miscount identified the wrong winner. You can end the audit and certify the results.
The photo below shows that this audit could have stopped after the eighth card, because the confidence score reached 25 at that point. On average, an audit like this would need to inspect 14 cards to reach a confidence level of 25—if, that is, the Election Night result was correct.
If your confidence score is less than 25, select another random ballot, and another, until the total confidence level reaches 25. (Or until you realize that you messed up the first two steps of this exercise and are working with a deck in which there are actually more red than black cards.)
#2: When Election-Night results are incorrect
The second part of this exercise shows what happens when Election-Night results were wrong.
1. Retrieve the red cards you set aside, so that you are using all 104 cards from both decks. Shuffle them together. Again, this does not need to be a thorough shuffle. Some ‘precincts’ can be mostly red and some mostly black.
2. Separate the cards into 9 stacks of differing sizes to represent precincts. As in step 5 above, count the cards in each stack to create a ballot look-up table.
3. In this exercise, we know the election was a tie. But in a real election, we would not know that, because the computers told us that Black won, and we have not yet inspected any ballots. So we would give the same information to the statistician or RLA website that we did in the previous example—that is, an 80% victory for Black. Given that situation, the instructions we receive would be the same: Select a random sample of 10 ballots by generating 10 random numbers—this time, between 1 and 104, because we have more ‘ballots.’
4. As in the first exercise, use the ballot look-up table to find each card selected for the sample. Note the color of each and confidence points on the tally sheet. Check to see whether the total confidence score reached 25. In this case, it did not. It is possible that your first sample reached a confidence score of 25 or more. If so, your audit incorrectly confirmed a miscounted election. This can happen—statistical confidence is not the same as rock-solid certainty. A 90% confidence target means that 10% of the time it will be wrong. To calm your nerves, think of this from the point of view of election thieves who see a 90% chance that their handiwork will be noticed and corrected.
5. If the total confidence score is less than 25, you have not yet confirmed the Election-Night results, so you will need to expand the sample by inspecting more random ballots.
When the Election Night results are wrong, the more ballots you sample, the lower your confidence level will sink. As shown in the photo, as more and more ballots are inspected, it becomes more and more apparent that the preliminary results are just not right.
Election officials who conduct risk-limiting audits of real elections adopt written policies that address this possibility. A sensible policy, for example, might dictate that the audit will stop if it fails to confirm the outcome with two additional samples, and the effort will instead be put into a manual count of 100% of the ballots.
About sample size, statistical confidence, and emotional confidence
One concept should now be clear: A random sample of ballots is a miniature version of the entire election. The same winner will emerge from both–if both are accurately counted.
In the first exercise above, Black had more votes in the whole set of ballots from which the sample was drawn. As a result, more of the randomly selected ballots contained votes for Black than for Red. In the second exercise, Black did NOT have more votes than Red, and so we could not confirm a Black victory no matter how many ballots we randomly drew.
In other words, when preliminary election results have identified the correct winner, inspection of a relatively small number of randomly selected ballots provides strong evidence of accuracy. Conversely, if preliminary election results identified the wrong winner, inspecting a random sample of ballots will reveal the problem before officials certify the election.
Once we see that random samples reflect the true results, the next question is what size sample works best. Smaller samples reduce work, but increase uncertainty. Larger samples provide more confidence, but are more work.
This demonstration started with samples of 10 cards, which in the 65-card ‘election’ was a little more than 15% of the ballots. In a real election audit, the initial sample size would not need to be anything close to 15% of total ballots, particularly if the preliminary results indicated an outcome as decisive as this one.
To work through a real-life example, let’s look at the 2018 race for US Congress in Wisconsin’s First Congressional District. This reasonably close and hotly contested race filled the seat being vacated by former Speaker Paul Ryan. The actual results were: 325,003 total ballots; 177,490 votes for Steil; 137,507 for Bryce; and 10,006 for Yorgan.
When you plug these results along with a 10% risk limit into the online tools for ballot-polling RLAs, statistical operations built into that tool predict that you will likely be able to confirm Steil’s victory, if Steil actually won, with an initial sample of only 301 ballots. That’s only one-tenth of one percent of the 325,003 total ballots. If Steil did not truly win, auditing 301 ballots would produce results more like the second example above–forcing officials to keep expanding the sample until it was obvious that the Election-Night results were incorrect. (Instead of using +5, -10, and 25 total points as indicators of confidence, officials would have counted the votes in the sample and could have used the online tools to assess the results. See the section titled “Should more ballots be audited?” at the bottom of this page.)
If election officials did not believe that 301 ballots would provide voters with enough subjective confidence in the result (as opposed to statistical confidence), they could have selected a smaller risk limit. In this congressional election, a 5% risk limit would have needed an initial random sample of 389 ballots; a 1% risk limit, a random sample of 594 ballots. Or, election officials could adopt an audit policy that every initial sample will contain either enough ballots to support a 5% risk limit, or 1,000 ballots, whichever is greater.
Other lessons from this exercise
This exercise highlighted risk-limiting audits’ tightly focused purpose—to detect and correct any outcome-altering miscounts. This purpose is critical for election security and for voter confidence, but does not solve all problems. Election officials must perform other types of reviews to determine the cause of any miscounts and to monitor other important issues, including:
The presence of any miscounts that may have disenfranchised some voters without affecting the outcome;
The accuracy of any single precinct’s or voting machine’s tabulation;
The quality of any of the processes that determine which ballots were cast and accepted, such as issues with voter registration or ID, or whether all and only valid absentee ballots were accepted and counted.
In addition, this exercise simulated only one type of risk-limiting audit, known as a “ballot-polling audit.” Depending upon the size of the election, the type of records created by the voting-equipment, and other factors, election officials might decide to use a different type of RLA, such as a “comparison risk-limiting audit” or a Bayesian audit. Election officials do not need to read and digest the scholarly articles. Federal officials, staff in jurisdictions that have experience with auditing, and other experts are willing to help local election clerks understand the options well enough to make the right choices and get started with election auditing. A local election official can likely find useful help as close as the nearest local government official who has expertise related to auditing or quality assurance.
This exercise also probably raised some implementation questions: How can election officials draw a random sample in a election for which ballots are stored in sealed bags across hundreds of municipalities? How do you know how big your sample needs to be if you want to verify the outcomes in two or more races? Election officials who have started with risk-limiting audits have tackled these questions, and more solutions are being worked out with each new election. The solutions are not always easy or obvious, but local election officials who want to try their hand at risk-limiting audits need only to ask those with experience.
Finally, this exercise demonstrated that even risk-limiting audits might, on occasion, fail to detect miscounted election results. A 90% chance that serious fraud will be detected and corrected is the same thing as a 10% chance it will not be.
That highlights the need to keep two other facts in mind. First, a 90% chance of detecting fraud is better than the 0% chance that non-auditing election officials and their voters now tolerate. Second, the audits’ greatest value is, arguably, deterrence. When would-be election thieves contemplate a 90% risk of getting caught, there’s a good chance that election officials will have no electronic election fraud to detect.electionscounting votesWisconsinrisk-limiting auditsdemonstratio
Posted by Karen McKim · November 25, 2018 10:31 PM
No city treasurer would refuse to check the accuracy of property-tax bills. No county executive would release a report on annual expenditures without double-checking its accuracy.
Most local officials don’t need anyone to pass a law telling them to check their work. They accept that as a basic managerial responsibility.
But the Wisconsin County Clerks Association is officially on record: They don’t want to.
And their work product is our election results.
The WCCA statement came in response to the Wisconsin Elections Commission’s September announcement that they were considering two election-security measures.
The Commission’s first proposal involved the only accuracy-checks the Commission has authority to order: audits of individual voting machines by municipal (not county) clerks. These audits are better than nothing, but they are limited to November elections in even-numbered years and check only a few random voting machines without confirming the winners in any race.
The Commission was considering ordering more machines audited than in previous years and requiring the audits to be completed before election results are declared final.
The Commission’s second proposal would move Wisconsin slightly in the direction of national election-security standards. The Commission was considering encouraging county clerks to perform audits of the type that if done widely, might confirm that Election-Night results had identified the right winner and enable clerks to correct the results if they had not.
WCCA’s response was swift, naïve, and irresponsible. The county clerks didn’t want the Commission to require, or even encourage, the county clerks to perform genuine election audits.
Perhaps sensing they are defending the losing side in a national trend (they are), the county clerks also described how they want to restrict this election safeguard:
They don’t wanna check accuracy until after they have certified final election results.
They don’t wanna check accuracy for any but the top race on the ballot.
And they want the State to pay extra if it even suggests they check accuracy.
I’m not making that up. The organization’s memo to the Wisconsin Elections Commission is reproduced, verbatim, below.
About delaying audits until after certification: The WCCA wrote that our paper ballots “should be treated like evidence and remain undisturbed” until after the clerks have certified the results. Join me in a prayer that the Trial Judges Association doesn’t have the same idea about the proper use of evidence. Imagine our courts refusing to look at evidence until after they’ve reached their verdict.
About auditing only the top race on the ballot: The WCCA wants to audit only the top race on the ballot, ever. This could be restated: “If you force us to protect the US Senate election, we will refuse to protect the Governor’s race.” Hackers are delighted to know ahead of time which races will be protected, and which will be on an honor system.
About making the state pay extra for accuracy: The WCCA clearly rejected the idea that accuracy is a normal managerial responsibility by demanding they be paid extra for it. Imagine a parks manager telling the county budget manager: “Here’s a statement of the user fees we collected. If you want me to make sure it’s right, you’ll need to pay extra.”
Straight-out lie: In a final Trumpian flourish, the memo’s author blatantly misrepresented the findings of a study by MIT, Harvard, and the UW Madison researchers (Learning from Recounts, 2017). The WCCA memo claimed the researchers had declared that “hand counts of election results are inherently inaccurate.” Compare that to the researchers’ actual words:
“…careful hand counting in a recount is the gold standard for assessing the true vote totals — in large part because of the greater focus on a single contest, more deliberate processing of ballots, and careful observation by campaign officials and other interested parties….”
* * *
Wisconsin statutes give the buck-stops-here responsibility for election results’ accuracy to the county clerks, and to no one else. Municipal clerks cannot verify results in federal, state, and county races; they have access to the ballots from only their own city, village, or town. The state elections agency is the legal custodian of no ballots at all; has only a few days after county certification before they must certify; and has no statutory authority to question results a county has certified.
We must insist the county clerks fulfill their responsibility. They have the paper ballots. They have the time. Modern election-audit practices would allow them to verify a few races on the ballot in just two or three days, while statutes allow them at least two weeks before they must certify the election. The only cost would be the hand-counters’ time at $10 or $12 an hour—a tiny fraction of the county’s elections-administration budget. They could randomly select just a few races for verification—just enough to deter election thieves in the races most liable to attract their interest.
And yet, collectively, they refuse.
Update: The Commission wisely ignored the WCCA’s whining and voted unanimously to encourage county clerks to start auditing during their canvass. And as the WCCA memo states, a few county clerks have begun voluntarily to incorporate hand-counted audits into their routine canvass procedures.
Every county clerk in Wisconsin received a memo on October 4, 2018 explaining the current nationwide move to election auditing and providing the clerks with instructions on how to get started.
Only voters, though, can make it happen. Voters who care about election security should contact their county clerk to find out whether their votes in future elections will be protected with hand-counted audits during the county canvass.
If not, the next election on February 19 will provide an excellent opportunity for your clerk to begin developing routine election-audit practices, since it will likely be a low-turnout election. Your county clerk has plenty of time before February to learn about the various methods of checking accuracy and work out his or her local procedures.
We need to talk about how we can defend election officials from partisan allegations of corruption, when they are guilty only of poor, careless, and ineffective elections management.
I hope you perceived that sentence to be as goofy as I intended it. What I really want to know is when we voters are going to demand high-quality election administration. When poorly operated polling places make voting difficult, when ballots are mishandled or when votes are miscounted, I don’t care which party it hurts or whether it was fraud or incompetence.
I want it fixed.
Following every election, my Facebook news feed fills with reports of sloppy election-management practices. If partisans can find a way to use an incident to their advantage (and they always can), that’s all they want to talk about.
I spent last Saturday morning in New Berlin at a meeting of grassroots conservative voters who are loudly disgusted with Milwaukee’s election administration. They freely alleged corruption and fraud, which I think unlikely, but I appreciate their anger and distrust.
Their candidate for governor lost by 30,849 votes on a night when the City of Milwaukee took hours longer than expected to process 47,000 absentee ballots. City officials explained that they needed to copy more than 2,000 of those ballots by hand because the original ballots were too damaged for the machines to read.
How can anyone expect emotionally invested partisans to refrain from yelling “Corruption!” when something like that happens?
So election officials promptly apologized. They admitted they knew ahead of time exactly how many absentee ballots they would need to process. They accepted full responsibility and started an immediate investigation. They made a public commitment that in future elections, absentee ballots will be processed as smoothly in Milwaukee as elsewhere.
I’m being goofy again. They did no such thing. That’s the kind of response we’d expect from a city treasurer who had sluggishly processed 47,000 property tax payments because 2,000 had been mangled.
In reality, the first response from election officials was that the incident was “routine,” hardly a confidence-building defense. Then, Milwaukee Elections Director Neil Albrecht reframed concerns about management as insults to the workers, and blamed Republicans for not passing legislationthat would allow municipal clerks to run the voting machines continuously for weeks before each election. (He did not, however, offer a solution to the as-yet-unresolved details of how security and accuracy safeguards can be maintained when voting machines are in active operation for a six-week period instead of just one day.)
No sensible observer of politics will be surprised when I report that the Republicans in the meeting I attended spoke of using this incident to restrict all early and absentee voting around the entire state. They further mused about reviewing all Milwaukee absentee ballots to make sure the envelope signatures match those on file. They spoke of demanding a randomly selected ballot be thrown out for every ballot disqualified by a non-matching signature. (That’s called a ‘drawdown’ and is legal under current Wisconsin law.) Going after mismatched signatures has been used in other states to get votes thrown out or to make voters jump through hoops to preserve their votes.
Of course, such a process, if done only in Milwaukee County, would throw out many more Democratic votes than Republican votes. That’s why throwing out the ballots of randomly selected innocent voters while creating no consequences for the responsible managers looks like a ‘solution’ through their eyes.
So we’ve got a situation in which the Democrats are using this incident to push for running the voting machines continuously for six weeks, damn the security issues. The Republicans are using it to push for measures that would suppress legitimate Milwaukee votes.
Who is talking about better election administration? Who is asking why Milwaukee officials were prepared to count fewer ballots than they knew they had on hand? Did they not hire enough workers? Did they not assign enough equipment? Were their procedures less efficient than they could have been? Who is demanding to know why Milwaukee had, proportionately, more spoiled ballots than other counties, or what can be done to fix that?
No one. We don’t hold our election managers to the same standards we hold other local government managers. Can you imagine what would happen to a city treasurer who defended comparable news about processing property-tax payments by calling it ‘routine’? When transactions are conducted in votes rather than dollars, our expectations of the managers plummet.
When we tolerate–even excuse—elections mismanagement, partisans will always take advantage. To use this case as an example, it is easy to see that people who want to expand early voting should aggressively work to make it as well-managed as possible, not to defend its mismanagement as unavoidable or routine.
Partisanship will never go away; tribalism is what humans do. But our election officials could stop insisting that voters accept poor planning and accidents as routine. If we want to hush the partisan complaints, we must hold our election managers to higher standards of care and competence.