Why don’t voters trust the voting machines as much as officials do?

As a Wisconsin elections official, you have probably wondered: Why do the same people who happily rely on computers at their banks, their jobs, and their grocery store check-out get suspicious when it comes to voting machines?

This is why:  The managers of those other computers don’t ask us to trust. They have routine (that is, all the time) practices that allow them to notice computer errors. You don’t. Election officials are alone, among all computer-dependent managers, in trusting computers — and in demanding trust from their ‘customers.’

If people started talking about hacked ATMs, bank managers could quickly disprove those rumors, without demanding trust from anyone. Yet debates about possible election hacking go on for literally years — because election officials don’t routinely check accuracy.  Yes, Wisconsin election officials occasionally spot-check a few random individual voting machines. But those audits don’t confirm the right winners in any election.

And yes, Wisconsin officials are occasionally forced to do a recount. But that verifies only that one race. If a voter asks the clerk to prove accuracy in any other race, he or she is told that only a losing candidate can get a free audits, and only if the suspected error was smaller than 0.25%. If the error was larger than that but smaller than 1%, the candidate will have to pay the full cost of the recount in cash before a quick deadline. And if the voter suspects an error larger than 1%, he or she will just have to trust the computers, because Wisconsin law does not allow recounts when the margin is greater than that.

It’s your signature on that certification statement.  
The law allows you to check accuracy before you sign it.

The Legislature knows that computer glitches, hacks, or other unanticipated electronic miscounts will occasionally affect preliminary election results. They did not–do not–intend for miscounts to be certified as our final election results. It’s irrational to assume they did. They gave someone the responsibility to catch and correct miscounts.

But who?

The Legislature gave you, municipal clerks, the responsibility for municipal contests. The Legislature gave you, county boards of canvass, the responsibility for federal, state, and county contests.

The Legislature gave you the responsibility to review election results and certify them as correct. No one else. The buck stops with you.

If it ever comes out that the wrong winner was sworn into office, it’s your signature on that certification of election. No one else’s.

The Legislature did not prescribe any specific canvass procedures or methods–they left that to you. There’s no law requiring you to double-check the addition–but you do. There’s no law requiring you to maintain a chain of custody with sealed bags–but you do. There’s no law requiring you to compare the number of ballots to the number of voters marked off on the poll book–but you do. There’s no law telling you to review inspectors’ statements for indications of problems–but you do. 

In fact, very little of what you do in your regular canvass procedures is specified in law. So the fact that there is no law specifically saying, “Oh, and by the way–check to make sure the voting machines identified the right winners” doesn’t mean that you don’t have the authority to do that if you choose to.

You are the legal custodian of the election records. You alone have responsibility to review and certify election results. You need specific laws directing you to check election accuracy no more than you need a specific law directly you to reconcile the cash register tape and the cash drawer before you deposit your office’s receipts.

Voters and candidates are depending on you to be a responsible manager. Responsible managers check the accuracy of their work product before they sign off on it.

But the voting machines haven’t miscounted before. What could go wrong?

What would you think of your local fire chief if he told you that if your home hasn’t caught fire yet, smoke detectors and sprinkler systems are unnecessary? Now imagine what voters think of election officials who dismiss the need for routine protective audits by saying “No election has been hacked yet.”

Voters know there is no such thing as an unhackable computer system. They know that the voting machines are programmed by someone, somewhere, and that person might make a mistake and might be corrupt. They know that computers that worked right on Monday don’t always work right on Tuesday.

Voters hear only naivete when they hear local officials say:

  • that voting machines’ accuracy is guaranteed by pre-election testing and federal certification. Voters have all experienced a computer that worked right yesterday, but didn’t today;
  • that a recount confirmed accuracy in a past election. Voters know that a correct August credit card statement doesn’t guarantee an accurate September statement;
  • that counties use different kinds of machines, and so a computer hacker would need to hack them all. Voters know that one big county can swing the results in a statewide race, and even if it couldn’t, they don’t like to hear you talk as if you’re comfortable with only one or two counties being hacked;
  • That local election officials can maintain more effective IT security than Target, Anthem, eBay, and Volkswagen–all of which have better, bigger IT departments than their county clerk and all of which, despite their superior IT resources, have either been hacked or engaged in tampering themselves.

On top of having fewer IT resources than the big corporations, local election officials face challenges that make security even harder for them:

  • Local election officials don’t have full control of the voting-machine security. Large companies have start-to-finish control of their IT security. In contrast, you have control over only a small part of the security program for the voting machines. Voting-machine security is first the responsibility of the manufacturer; then the vendor; the service technician; the county clerk; the municipal clerk; and finally the poll workers.  Anyone along that chain can perform his or her own security responsibilities perfectly, but have no way of knowing whether the others were as careful.
  • Local election officials are forced to use proprietary software they cannot inspect. Elections systems approved for use in Wisconsin have been amply demonstrated to be capable of accurate counts. However, you are able to control only the coded setup instructions for each election (like loading your new cell phone with your preferences and your phone book), but you are prohibited from even inspecting the continuing integrity of the vote-counting software that comes loaded in the machines, the deep programming that makes them operate. If the software is flawed or compromised when it comes into your possession, you have no way of knowing.
  • Local election officials are forced to tolerate at least a few opportunities for software alteration. Even though you avoid connecting the voting machines or the central elections computer to the Internet on Election Day, you cannot be sure someone else hasn’t connected them. You have no way of knowing whether remote-access capability has been installed on the election computers without your authorization (as happened with your Pennsylvania counterparts). And the need to set up the system for each new election creates a regular opportunity for the insertion of malicious or flawed code or unintended programming errors. Flawed code could be carried with the installation of requisite patches or updates, or could be transmitted through the PROM packs, flash drives, or other media that you must rely on to set the machines up for each election.

What will work for local elections officials is the same thing that works for the banks and grocery stores: Adopt routine procedures to ensure that when the rare but inevitable error does occur, it will be promptly detected and corrected.

But are routine election audits possible in Wisconsin?

Yes. Wisconsin’s county clerks and boards of canvass have the necessary paper records, the authority to access them, the ability to correct errors during the canvass, and more time for the canvass than their counterparts in many states that require pre-certification audits. WEC has confirmed that county and municipal clerks both have the authority to perform audits during their canvass.

Efficient audits that use modern methods of sampling and ballot display can be completed in just hours, at a low cost that might well fit in your current elections budget.

Full recounts are not necessary to verify that the voting machines identified the right winners–which is all that is necessary to build voter confidence.  

The first, most basic step is what’s called ballot reconciliation, or reasonability checking. You do this step in part already, when you check to make sure the number of voters marked off in the poll book matches the number of ballots counted. A second step is less common among Wisconsin election clerks, but is recommended by the Wisconsin Elections Commission and by all professional elections authorities: Check to make sure the total number of votes in the top-of-the-ballot race is consistent with the number of ballots. During the municipal or county canvass, it should take no more than an hour at most to make sure that you are not certifying more votes than ballots, and that you notice any weirdly high undervote rates, which indicate possible machine malfunction. A rule of thumb is that the undervote rate in the top-of-the-ballot race should be no more than 0.5% (that is, no more than 1 in every 20 ballots contain no vote of any kind–regular, registered write-in, or scattering–for the top race.)

But checking for–and correcting–obvious tabulation errors does not prove that you’re certifying the right winner. For that, you need to do a manual count of at least a valid sample of the ballots. This can be efficiently done by using modern methods of ballot sampling. The method most quickly gaining popularity among your counterparts in other states is called risk-limiting auditing. It was developed by the American Statistical Society has been widely accepted as effective and legitimate and was endorsed by the President’s Commission on Elections Administration in 2014. 

RLA allows verification of the outcome of a race (Who won?) without verifying the exact number of votes each candidate received, as is done in a recount. This enables verification of the important question–Are we swearing the right person into office?–by counting votes from only a small, randomly selected sample of ballots.  A full recount is not necessary for verification purposes.

Finally, very speedy and highly transparent manual counting of votes is possible with modern tools, specifically a document projector. By laying the ballots in a stack on the table, face up, underneath a document projector, only one person needs to touch the ballots while many people can view each ballot simultaneously. Assigning two counters to each candidate provides the redundancy necessary for accuracy. Using this method (or a similar method involving projection of the digital ballots images saved by modern op-scan machines), Wisconsin election auditors have demonstrated that votes in a single race can be accurately counted at a rate of 100 ballots every four minutes.

WEC staff has been studying election-audit practices used in other states and can provide more information and guidance to local election officials who want to introduce auditing into the local canvass process. In addition, national elections administration authorities have developed guidance for election officials who want to produce verified accurate election results:

Projecting the paper ballots–in essence, turning a manual count into a slide show–can greatly improve accuracy, speed, and transparency, while protecting the ballots from excessive handling by many people. Instructions are here.