Paper ballots can be manually counted in different ways–sort by candidate and then count the ballots; stack the ballots into groups of 20 and 100 and then have counters mark tally sheets as they go through the stack one-by-one; and more.
Affordable technology–a simple digital camera hooked up to a projector–can beat all these methods on each of the four attributes of a good manual-counting method.
1. Ballot security.
Ballots must not be altered by the manual count. Sorting and stacking methods require the ballots to be handled several times, by several people, and moved around tables. When ballots are projected, only one person needs to handle the ballots, only once, and can keep them on one table, in full view.
2. Accuracy.
In a manual count, accuracy is established with redundant counts—two or more people must agree on each vote, reconciling any disagreement. When counters make errors in sort-and-stack or tally-sheet methods, finding and reviewing the problem ballot can take a lot of time and ballot-handling. With projected ballots, everyone sees the same vote at the same time, so ambiguous votes can be reconciled when they are first encountered.
3. Speed.
Faster methods of manual counting help to restrain costs, because labor is the biggest cost. Quicker counting also makes the task more pleasant for both counters and observers. Projected-ballot manual counts have accurately counted votes in one race at a rate of 100 ballots every four minutes, including time to stop to compare paired counters’ totals and resolve any differences. Depending on ballot design, two races could go just as fast.
4. Transparency.
The value of a manual count depends upon how much trust it produces in candidates and voters. In traditional manual-count methods, observers cannot see ballots well enough to verify for themselves that the votes are being counted accurately and honestly. When the ballots are projected, observers see exactly what the official counters see. In addition, because projected-ballot counts require no ballot-handling by the counters, observers can be drafted on the spot as official counters–powerfully counteracting any distrust.
A tally sheet completed in full view of all counters and observers serves as a record of the manual count.
The Wisconsin Elections Commission met today, and I stayed for most of the agenda.
One agenda item had to do with fixing the snafus that caused a voter-registration list maintenance effort in 2017 to incorrectly ‘deactivate’ thousands of validly registered voters. (You may have heard such efforts described as ‘purges,’ a relatively pejorative term that is fitting whenever voter-list maintenance is used as a voter-suppression tactic.)
Among other things, so many voters were incorrectly removed from the registration lists that poll workers for the past several elections have had to work with two sets of poll books–the regular one for unaffected voters, and a supplemental list of voters who had been struck from the rolls but who would be allowed to vote if they showed up on Election Day and attested that they had not, in fact, moved.
There are dozens of reasons, it turns out, why State of Wisconsin computers got confused about whether these voters had moved. They have to do with things like registering a vehicle with your personal name but your business address, or buying a car for your college student in La Crosse and registering it there instead of where you vote. I won’t go into all the details. If you’re curious, you can read the staff report starting on page 72 of this document.
I spend a lot of time reading about election-integrity problems in other states. That means I read about a lot of skuzzy partisan machinations.
I also spend some time talking with local election officials. That, unfortunately, exposes me to much whining, excuse-making, buck-passing and “no law says I have to” attitude.
Here’s why the WEC discussion impressed me so much that I had to come home and write this blog post.
The discussion was pure, unadulterated problem-solving, start to finish. No one was looking for a partisan angle or opportunity. Not one single commissioner or staff member was whining. No energy was wasted on self-protective defensiveness, or on denying or minimizing the problems. I heard no attempts at buck-passing, no excuses.
Unlike what I hear when I talk to many local election officials about vote tabulation, no one at WEC was pointing out that statutes require them to do the work but don’t require them to do it right. It didn’t seem to cross any Commissioner’s mind to avoid their managerial obligation to detect, analyze, and correct problems until someone passes a law forcing them to do that, and paying them extra for it.
WEC commissioners and staff were straight-up committed to discovering the extent of the problems and what caused them, and to making sure they never happen again. Commissioners asked staff for hard data on error rates, and made sure that staff are not sending any more deactivation notices until the problems are fixed. Staff, for their part, were as committed to getting past problems corrected and future problems averted as the Commissioners were.
This is what responsible election administrators look like.
I wish all voters could have seen what I saw today. And I wish some reporter would write about it when good work gets done.
Posted by Karen McKim · November 25, 2018 10:31 PM
No city treasurer would refuse to check the accuracy of property-tax bills. No county executive would release a report on annual expenditures without double-checking its accuracy.
Most local officials don’t need anyone to pass a law telling them to check their work. They accept that as a basic managerial responsibility.
But the Wisconsin County Clerks Association is officially on record: They don’t want to.
And their work product is our election results.
The WCCA statement came in response to the Wisconsin Elections Commission’s September announcement that they were considering two election-security measures.
The Commission’s first proposal involved the only accuracy-checks the Commission has authority to order: audits of individual voting machines by municipal (not county) clerks. These audits are better than nothing, but they are limited to November elections in even-numbered years and check only a few random voting machines without confirming the winners in any race.
The Commission was considering ordering more machines audited than in previous years and requiring the audits to be completed before election results are declared final.
The Commission’s second proposal would move Wisconsin slightly in the direction of national election-security standards. The Commission was considering encouraging county clerks to perform audits of the type that if done widely, might confirm that Election-Night results had identified the right winner and enable clerks to correct the results if they had not.
WCCA’s response was swift, naïve, and irresponsible. The county clerks didn’t want the Commission to require, or even encourage, the county clerks to perform genuine election audits.
Perhaps sensing they are defending the losing side in a national trend (they are), the county clerks also described how they want to restrict this election safeguard:
They don’t wanna check accuracy until after they have certified final election results.
They don’t wanna check accuracy for any but the top race on the ballot.
And they want the State to pay extra if it even suggests they check accuracy.
I’m not making that up. The organization’s memo to the Wisconsin Elections Commission is reproduced, verbatim, below.
About delaying audits until after certification: The WCCA wrote that our paper ballots “should be treated like evidence and remain undisturbed” until after the clerks have certified the results. Join me in a prayer that the Trial Judges Association doesn’t have the same idea about the proper use of evidence. Imagine our courts refusing to look at evidence until after they’ve reached their verdict.
About auditing only the top race on the ballot: The WCCA wants to audit only the top race on the ballot, ever. This could be restated: “If you force us to protect the US Senate election, we will refuse to protect the Governor’s race.” Hackers are delighted to know ahead of time which races will be protected, and which will be on an honor system.
About making the state pay extra for accuracy: The WCCA clearly rejected the idea that accuracy is a normal managerial responsibility by demanding they be paid extra for it. Imagine a parks manager telling the county budget manager: “Here’s a statement of the user fees we collected. If you want me to make sure it’s right, you’ll need to pay extra.”
Straight-out lie: In a final Trumpian flourish, the memo’s author blatantly misrepresented the findings of a study by MIT, Harvard, and the UW Madison researchers (Learning from Recounts, 2017). The WCCA memo claimed the researchers had declared that “hand counts of election results are inherently inaccurate.” Compare that to the researchers’ actual words:
“…careful hand counting in a recount is the gold standard for assessing the true vote totals — in large part because of the greater focus on a single contest, more deliberate processing of ballots, and careful observation by campaign officials and other interested parties….”
* * *
Wisconsin statutes give the buck-stops-here responsibility for election results’ accuracy to the county clerks, and to no one else. Municipal clerks cannot verify results in federal, state, and county races; they have access to the ballots from only their own city, village, or town. The state elections agency is the legal custodian of no ballots at all; has only a few days after county certification before they must certify; and has no statutory authority to question results a county has certified.
We must insist the county clerks fulfill their responsibility. They have the paper ballots. They have the time. Modern election-audit practices would allow them to verify a few races on the ballot in just two or three days, while statutes allow them at least two weeks before they must certify the election. The only cost would be the hand-counters’ time at $10 or $12 an hour—a tiny fraction of the county’s elections-administration budget. They could randomly select just a few races for verification—just enough to deter election thieves in the races most liable to attract their interest.
And yet, collectively, they refuse.
Update: The Commission wisely ignored the WCCA’s whining and voted unanimously to encourage county clerks to start auditing during their canvass. And as the WCCA memo states, a few county clerks have begun voluntarily to incorporate hand-counted audits into their routine canvass procedures.
Every county clerk in Wisconsin received a memo on October 4, 2018 explaining the current nationwide move to election auditing and providing the clerks with instructions on how to get started.
Only voters, though, can make it happen. Voters who care about election security should contact their county clerk to find out whether their votes in future elections will be protected with hand-counted audits during the county canvass.
If not, the next election on February 19 will provide an excellent opportunity for your clerk to begin developing routine election-audit practices, since it will likely be a low-turnout election. Your county clerk has plenty of time before February to learn about the various methods of checking accuracy and work out his or her local procedures.
Reporter: “Does it bother you that what you’re showing is humbug?” PT Barnum: “Do these smiles seem humbug? It doesn’t matter where they come from if the joy is real.”
I recalled this dialogue from The Greatest Showman as I was observing a pre-election voting machine test in the City of Elroy, Wisconsin on Monday, August 6.
Conducted in every municipality before every election, these tests serve some necessary functions.
But as a safeguard against hacking, they are humbug—as authentic as a bearded lady whose facial hair is hanging from strings looped around her ears.
I’ve observed more than two dozen of these tests over the years. The ones I observed this week were typical. Even if you’re not an IT professional, I’ll bet you can pick out why these tests don’t protect Election-Day results from hacking—whether the hacker is an Internet cyber-crook or a corrupt voting-machine company insider.
Here, try it. Start by predicting what the hacker might try to do. First, do you think the hacker would make the malicious code miscount every single vote or only some votes?
You guessed ‘only some,’ and experts agree. When a blue-ribbon election-security task force convened by the Brennan Center for Justice worked out how a hacker would steal a statewide race in the imaginary State of Pennasota, they calculated that no hacker would likely alter more than 7.5% of the votes, or a little more than 1 in every 13. So if you want to detect hacking, your set of fake ballots—your ‘test deck’—should contain enough ballots to give each candidate at least 13 valid votes.
But Wisconsin municipal clerks typically create test decks with only one vote for each candidate—enough to catch only hacks that affect every single vote.
Second, do you suppose the hacker might instead allow the machines to count votes accurately all day, and then simply flip the candidates’ vote totals at the end of the day to give his guy the biggest total? You probably guessed yes, he might. So you would need to create a test deck that has a winner in each race, a different number of votes for each candidate.
Wisconsin municipal clerks’ pre-election test results typically contain a lot of ties–the same number of votes for each candidate in each race. Those test decks would not detect any vote-flipping hacks.
Finally, would the hacker’s malicious code kick in whenever the machine was turned on, or only on Election Day? This one is easy. Hacks would never trigger on any day other than Election Day.
This is the fatal flaw of pre-election testing as a safeguard against hacking. Hackers can program their code to trigger only when the calendar says it’s Election Day…or only when ballots are inserted at a rate typical of Election Day…or only when the machine has been operating continuously for more than eight hours…or only on some other telltale sign that real votes, not test votes, are being counted. As the Brennan Center Task Force report put it, trying to use tests like these to detect hacking would create a constantly escalating arms race between election officials trying to make the test look like a normal Election Day and hackers finding new ways to detect a test situation.
As a result, the Task Force didn’t bother even to mention pre-election testing as a safeguard in its list of six security recommendations.
Many of Wisconsin’s pre-election tests do not hide the fact that the machines are running in test mode, not Election-Day mode. The photo at right is a close-up of the voter-verifiable paper trail from an AVC Edge voting machine, programmed by Command Central, being tested in Juneau County before the August 14, 2018 primary. Notice that the voting machine printed “PRE-LAT PAPER RECORD” at the top of the ballot. ‘LAT’ is the computer professionals’ term for “logic and accuracy testing,” a basic routine whenever software has been updated. (I don’t know why Command Central calls it “PRE-LAT”.)
This machine clearly knows it is counting test ballots, not real ones. Operating in test mode doesn’t render the test useless for things like catching innocent programming errors. But:
It is humbug for election clerks to fool themselves, or to fool the public, into thinking these pre-election tests provide any protection against hacking.
If we want to stop being fed humbug, we have to stop falling for it. If your local election officials tell you:
“Election results are protected by pre-election voting machine tests“, tell them that you know Wisconsin’s pre-election voting machine tests could not detect hacking any less obvious than that which in 2010 elected a cartoon robot to the Washington, DC school board.
“Election results are protected by keeping the machines unconnected from the Internet,” tell them that you know that they have no idea about what happens to the software before it comes into their control.
“Election results are protected by federal and state certification,” tell them you know that the software has been copied and updated many times since it was certified, and that no one has ever or will ever inspect the software that will count your votes on Election Day.
“Election results are protected by the audits we already do,” tell them that audits completed only after the canvass cannot possibly protect results they have already declared final (‘certified’).
The solution: Contact your county election office. In Milwaukee County, that’s the Elections Commission; in other counties, it’s the county clerk. Tell them: “This voter is done with humbug. I know that one and only one safeguard can protect our final election results. Use our paper ballots to detect and correct any electronic miscounts before you declare election results final. Start this November.”
Don’t expect your county official to be stubborn; several are already planning to check accuracy before they certify the November results as final. Find out if yours is one.
But if your county officials are not now planning to begin auditing, don’t accept excuses. They got a memo on August 1, 2018 from the Wisconsin Elections Commission that made it clear: “A post-election audit is a tool that could be implemented to confirm that results have been tabulated accurately,” and “post-election audits of the results may be conducted prior to certification of the canvass.” The Commission even gave them basic instructions they can follow.
No more humbug about election security. Tell your county officials today: “Time’s up. Pre-certification audits. This fall.”
You can also help by donating to help Wisconsin Election Integrity get the no-humbug word out to voters, officials, and media through our 2018 publicity campaign.
Just a few tweaks to WECs’ audit policy could make Wisconsin’s November 2018 elections the most secure since we started counting our votes with computers.
July 24, 2018 — There’s still time before the November 2018 elections for the Wisconsin Elections Commission (WEC) to put a patch on the state’s biggest, most dangerous election-security hole. Up to now, local election clerks haven’t been checking the voting machines’ Election-Day accuracy before the certify election results. They could be doing that easily, quickly, and cheaply.
To audit voting machines’ November 6 output, neither WEC nor the local clerks need to spend an extra penny over what they already have budgeted for that election. The WEC has to change only one policy at their September 25 meeting.
But voters have to speak up–now. We must tell the WEC to revise their policy regarding the voting-machine audits for 2018, and order those audits to be completed in every county before election results are declared final. The WEC can be reached at (608) 266-8005 or by e-mail at elections@wi.gov.
THE PROBLEM
We have paper ballots. And local officials have up to two weeks after each election to review (‘canvass’) them to make sure the results are correct before they declare the official winners (‘certify’).
But Wisconsin election clerks seal them in bags on Election Night. During their review, they look at the poll tapes, but leave the ballots sealed. Then they certify. They swear the winners into office. Twenty-two months later, they destroy the ballots.
Perpetually sealed paper ballots do not deter hackers; they protect them.
About half the states require officials to do at least a little auditing of computer-calculated Election-Day results before they certify. But in Wisconsin, state law merely allows, but does not require, accuracy checks.
When I ask county clerks why they don’t check Election-Day accuracy, I get answers like, “If we had to count votes manually, that would defeat the purpose of using the machines,” and “If these machines were capable of miscounting, the State wouldn’t let us use them.” And “We did a recount before and didn’t find that election had been hacked.” Basically, the people who manage our voting machines don’t believe they can be hacked. Or that they can malfunction. Or that humans sometimes make programming errors.
We can’t have kind of naiveté among our voting-machine managers.
THE SOLUTION
Since 2006, Wisconsin statutes have required the state elections agency to order voting-machine audits following November elections. That law, section 7.08(6) of the statutes, also orders local governments to do any audits the WEC tells them to do.
As is typical for laws like this, the statute leaves the details to the bureaucrats. How many voting machines to audit? When to audit? How to select the sample? Those decisions are left to the state elections agency.
But state elections officials have, before this year, denied the risk of an Election-Day hack. They were so confident, they didn’t think anyone needed to look for it. So they have never ordered the type of audits that would protect final election results from hackers.
But times have changed, and awareness of the complex risks–not limited to Russian hackers–has grown. WEC will be tweaking their voting-machine audit instructions soon, as they always do shortly before November general elections, and we voters have got to make sure they do it right this time.
We must demand two things.
First, the 2018 audit instructions need to tell local officials “Finish the audits during the county canvass so that you can correct any hacks or errors you might find.”
From 2006 through 2012, the State told local officials to wait to check accuracy until after they had certified the results. In 2014, state elections board members ordered their staff to stop prohibiting on-time audits. But they have never ordered timely audits—they merely stopped prohibiting them.
Second, we must demand that the WEC order audits of at least one voting machine in each county. More would be better, of course, but they’ve budgeted for only 100 voting-machine audits, and Wisconsin has 72 counties. So they can do this.
The sample selection method used in previous years is too odd to explain here. It has to do with making sure the sample contains five of each make and model of voting machine. The critical fact is that it has always left some counties out.
Wisconsin’s voting machines are, in all but a few counties, programmed at the county level. For the federal, state, and county races, the same vote-counting code is copied onto all the voting machines in a county. So there’s a good chance you could deter hackers by randomly selecting one machine in each county.
The best audit would, of course, include enough ballots to produce a statistically valid answer to “Are these the right winners?” But we’re down to the wire in 2018, and valid, respectable audits will probably need to wait until 2020. Until then, we need quick, better-than-nothing audits.
About cost: Funding for around 100 voting machine audits has already been budgeted–or should have been. Unless they increase the sample size, the WEC can order protective audits for the same price they are planning to pay for useless ones.
Just those two tweaks to WECs’ audit policy, and Wisconsin’s November 2018 elections will be the most secure in our state’s history since we started counting our votes with computers. They will be the first in which would-be hackers were put on notice: Any voting machine anywhere in the state might be randomly selected for an audit while there is still time to detect your mess and clean it up.
So: We must tell the WEC to order voting-machine audits in every county, and that they be completed before November 2018 election results are declared final.
This topic will be on their September 2018 meeting agenda, and they have asked for voters’ input.
The WEC can be reached at (608) 266-8005 or by e-mail at elections@wi.gov.
May 18, 2018 — Forget about whether Russians hacked election computers in 2016. We’ve got a bigger problem, and not much time to fix it. The November elections are less than six months away.
But the vote-counting system is separate. It resides on no computer that either of them can control, monitor, or inspect. It was outside their range of vision in 2016, and it’s outside their vision now. They don’t talk about voting-machine security because they don’t know.
Wisconsin’s vote-counting computers are controlled, protected, and monitored by our local election clerks and by three companies—ES&S, Dominion, and Command Central.
That’s all. No one else.
Local election clerks have exactly the level of IT sophistication you think they do. County clerks send our vote-counting software off to Nebraska or Colorado or Minnesota to be reprogrammed for each new election, with no way to notice if it comes back carrying malicious code. A few counties use an application supplied by those companies to reprogram the software themselves. They put a plastic seal on it when they’re done.
Wisconsin’s local election clerks will happily leave a service technician alone with a voting machine or the county’s election-management computer, with no way to notice if he installs malicious code or a wireless communications card. They put a plastic seal on the voting machines for Election Day.
Go ahead—ask them. They seal the software. They seal the machines. They seal the paper ballots that they could use—but don’t—to check the machines’ Election-Day accuracy.
And what about where the real danger lies—within the voting-machine companies? How well does their security guard against external hackers and corrupt insiders?
The companies themselves might not understand IT security. Professor Aviel Rubin of the Johns Hopkins University Information Security Institute checked with the major American voting-machine companies before the 2016 elections and discovered none employed “even one full-time trained expert in computer security.”
Congress, too, has been frustrated in its attempts to get straight answers about the companies’ security practices. When Congressman Ron Wyden tried to get answers from ES&S, he didn’t get a response from anyone with ‘security’ in their job title. Instead, a Senior Vice President for Governmental Relations replied, saying “At ES&S, security is the responsibility of not just one, but all who elect to work for our company.”
This governmental-relations expert reassured Rep. Wyden that ES&S had asked DHS “if they had knowledge of any such security issues involving ES&S to which they responded that they did not.” Well, whew.
ES&S—this company where every employee handles IT security and yet the vice president has to ask DHS to find out whether they’ve had a security breach—is the largest supplier of voting machines to Wisconsin. Just one of their machines—the DS200—counts more than 60% of Wisconsin’s votes, including votes from Milwaukee, Dane, Waukesha, and La Crosse Counties.
We cannot make the voting machine companies hire IT security staff before we elect a governor and a US senator in November.
And we cannot make our local election officials into IT sophisticates, ever.
But we can put an end to the honor system. That is, we can force our local election officials to use the paper ballots to detect and correct any miscounts before they declare election results final.
Our local election officials are the legal custodians of the paper ballots. They can unseal them anytime to count votes and make sure the voting machines counted right. At any time before the 2018 midterms, our local election officials could learn about results-audit practices already in use in other states and bring them to Wisconsin.
Do these three things today:
Contact WEC. Tell them to exercise leadership in getting county clerks to audit election results during the canvass. Tell them to use some of the federal HAVA funds; they’ll know what that is.
Contactyourlocalnewspapereditor. Tell him or her that you want to see local journalism take a sober look at voting-machine security right here in Wisconsin—and that doesn’t mean writing about plastic seals.
March 31, 2018 — Being a normally flawed human, I cannot resist starting this blog post with “As we have been saying for six years…”, Wisconsin’s “failure to carry out post-election audits that test the accuracy of election outcomes leaves the state open to undetected hacking and other Election Day problems.”
Boom.
The Center for American Progress released what is probably to date the most complete, sensible and (judging by their Wisconsin appendix) accurate report on national election security.
In speaking about Wisconsin, the report concludes: “To protect its elections against potential attack by sophisticated nation-states seeking to interfere in U.S. elections, Wisconsin should adopt robust post-election audits that have binding effect on election results.”
CAP researchers picked up on a feature of Wisconsin elections that in-state commentators have missed:
Problems with Wisconsin’s election security, along with possible solutions, are not visible unless you look beyond the state level and into the counties and municipalities.
Our state-level agency, the Wisconsin Elections Commission does not control the voting machines. They control only the systems that manage voter registration (WisVote) and that compile already-tabulated election results (the Canvass Reporting System, or CRS).
But the technology that counts Wisconsin’s votes is owned and operated by counties and municipalities–not the State.
It is the local clerks, not the WEC, who are responsible for pre-election protective security and for the managerial measures that would detect and correct any Election-Day miscounts.
Not only is pre-election security managed by non-IT professionals, Wisconsin’s entire vote-counting system lacks the ability even to detect miscounts, never mind correct them.
Wisconsin’s local election officials–bless their hearts–are not IT sophisticates. Asked about the threat of hacking, most will say something like what Sheboygan County Clerk Jon Dobson recently wrote to me: “The equipment is never connected to the Internet, (so) unless someone has figured out a way to hack through the unit’s power cord, our equipment is basically unhack-able.”
Clerks like Mr. Dobson are not being disingenuous. They genuinely believe that if they cannot see a way to hack the vote-tabulating technology, no one else can, either. Their trust in the voting-machine companies is complete and sincere.
For their education in IT security, Mr. Dobson and his colleagues rely almost entirely on the commercial reassurances of the voting-machine companies. They don’t seek the counsel of independent IT-security authorities who could explain the myriad number of ways an elections system can be compromised without Internet connection, particularly by insiders.
Wisconsin’s county clerks genuinely do not understand that elections software could be compromised by security lapses outside their vision or control–by the vendors, service companies, municipal clerks, and poll workers.
And as for Internet access, news hasn’t yet reached them from their counterparts in Pennsylvania, who found that a voting machine company had installed unauthorized remote access capability on their election computers without their knowledge–something that computer-security professionals had been warning of for years. Like the Wisconsin clerks, the Pennsylvania clerks had been blithely assuring reporters that voting machines were never connected to the Internet–without having checked. When I publicly asked him whether he ever checked Dane County’s machines for such unauthorized alterations, Clerk Scott McDonell said that the vendors had told him that would void the machines’ warranty so no, he doesn’t check. He is not fooling when he says he truly believes the machines to be so very secure that he can doesn’t have to check their accuracy before he declares election results final.
And that, fellow voters, is the level of IT naïvete that stands between motivated international hackers and our voting rights.
But we have to be realistic about what we can expect from local election officials. As Prof. Dan Wallach of the Rice University Computer Science Department explained, “You would not expect your local police department to be able to repel a foreign military power.”
What we canexpect of our local election officials–particularly our county clerks–is that they use the authority and resources already provided by Wisconsin law to manually check accuracy of the computer-tabulated vote totals before they certify election results final.
The only protection can come from using our paper ballots to check the machines’ Election-Day accuracy.
That’s the solution that 26 states already have in place, with varying degrees of rigor.
It’s the solution that we’ve been advocating for the past six years.
It’s the solution that the 2014 Presidential Commission on Elections Administration recommended.
And it’s the solution that the CAP report recommended for Wisconsin.
Wisconsin reporters and editors need to pick up on it now, too. They need to start asking county clerks the same hard questions about their security practices that they have been asking the WEC about theirs: How do you detect whether the technology worked as intended on Election Day? Do your security and recovery procedures meet national standards? What plans do you have in place for recovery if they fail?
Voters can ask, too. Pick up the phone. Call your county clerk. Get the facts right from him or her. Ask: “At the moment when you sign that certificate declaring the election results to be correct and true, what specifically have you done to verify that the voting machines counted correctly on Election Day?”
Among the 72 county election authorities in this state, not a one will answer: “I follow federal recommendations and conduct a valid post-election audit.”
Main point: Wisconsin’s elections officials have been telling themselves a simple story–“The only threat to election results is Internet hacking, so we can keep elections safe just by keeping the voting machines unconnected.”
There’s an equally simple–but more true–story they could be telling themselves: “We don’t have the power to prevent every type of miscount, but we can keep elections safe anyway by using the paper ballots to detect and correct miscounts, regardless of cause.”
February 21, 2018 — In a recent newspaper article, I wrote that election officials should check the accuracy of our computer-tabulated election results as routinely as city treasurers check our computer-tabulated property tax bills.
That proposal is uncontroversial. Every national election expert promotes routine audits. So do other authorities, such as the US Department of Homeland Security. When presented with the idea that election clerks should verify the right winners before they declare election results final, every voter responds with either “Well, duh” or a wide-eyed “You mean they don’t do that now?!?!”
Wisconsin election officials, however, think that all the rest of us are wrong about that. In response to my article, I received the following email from the county clerk in a mid-sized Wisconsin county:
“Good afternoon, Ms. McKim: Please tell me if a piece of Wisconsin certified equipment has ever been hacked, or how one could even attempt to hack said equipment. The equipment used in my county is never connected to the Internet. It’s not even connected to our county network. Unless someone has figured out a way to hack through the unit’s power cord, our equipment is basically unhackable.”
Except for that last word, my correspondent’s few facts are correct. It’s the same argument that county clerks have used for years. Let’s review a few additional facts. You won’t need to be an IT security expert or a Russian hacker to see the possibilities…
First, Wisconsin’s county clerks need to know that voters don’t want their votes miscounted for any reason–not hacking, not human error, and not machine malfunction. Even if we believe you that you’ve perfected the world’s only unhackable computers, that’s no reason to fail to check of any other type of miscount.
Hacking might be a risk, but mistakes and malfunctions are a reality. Our voting machines are operated by a lightly trained and lightly supervised temporary workforce. None get more than four days of on-the-job experience every year. Even the election managers—the municipal and county clerks—work only part-time on that task. The 2016 presidential recount—for most election officials, a once-in-a-career opportunity to check their work—revealed that more than 1 in every 170 votes were incorrectly certified in the original canvass—mostly because of human error.
My correspondent and his fellow clerks also know that electronic malfunctions have already miscounted Wisconsin votes. They know voting machines are manufactured to be affordable for local government budgets. Many are old. Among all the businesses and government offices you enter in a year, the polling place is where you are most likely to encounter a 10- or even 20-year-old computer. They know that just last year, the Wisconsin Elections Commission had to decertify one model of voting machine because it was so unreliable it failed to detect up to 30% of the valid votes in individual precincts–in an actual election, not a test.
And when it comes to tampering, they know that many insiders have both means and opportunity—even without an Internet connection. Private companies manufacture Wisconsin’s vote-counting computers, and independent service companies maintain them. Those companies do not allow anyone to inspect the software, updates, and patches they install.
And no one has the ability to enforce good security practices. No state or federal official oversees either the local officials’ or the companies’ internal security. If the computers used by the private companies to update the voting-counting software had poor security, no one but the companies and hackers would know.
Between elections, the voting machines themselves reside in storage rooms all around the county. They are also off limits to inspection. I once asked another county clerk if he had ever inspected them for unauthorized wireless communications chips—something professionals warn about. That clerk told me that such an inspection would void the machines’ warranty. (Update: See the first comment below. The day after I wrote this blog post, the New York Times reported that county clerks in Pennsylvania–who DID have their elections technology independently inspected–discovered that ES&S technicians had installed unauthorized remote communications capacity.)
My correspondent knows all that. And yet he proclaims, on faith, that the vote-counting software exists in a state of virginal purity as each Election Day dawns.
I don’t believe this county clerk is stupid. I’d bet my mortgage he would know better than to patronize a bank where managers employ only temporary staff; rely on antiquated equipment; refuse to audit unless a customer pays the cost of a full recount; and proclaim the ATMs are always accurate merely because they are not connected directly to the Internet.
And aside from his resistance to rigorous auditing, I see no signs he is corrupt. So what is he thinking?
Like most other normal human beings, he might not be thinking anything.
Walter Fisher, of the Annenberg School for Communication, has studied the question: Why does thinking explain so little of our behavior? He concluded we are guided more by narratives—stories we tell ourselves—than by logical reasoning.
The human brain is a marvelous organ, but continuously encounters more twists and turns than it can process with its reasoning faculties.
So it invents stories. Some are true, some are false. But all are oversimplified because that’s their function—to help our brains make simple sense of complexity, to help us feel we’re in control.
My correspondent’s story fits that description: “Only one thing can produce incorrect vote totals: Internet hacking. So if we just keep voting machines offline on Election Day, our elections will be safe from hackers.”
Human error, malfunction, and insider corruption would complicate this narrative, so they are excluded. Not mentioned. Not seen.
County clerks have reason to embrace that narrative. Election administration is only one of their jobs, and they have only a few staff. The workforce on which they depend consists mainly of people who are hired by and report to someone else: municipal clerks; temps hired by the municipal clerks; and county canvassers sent by the two major political parties.
The county clerks’ own education and experience tends to be clerical or political, not managerial or technological. And because the State Constitution assigns certain duties only to them—no one else—they’re on their own. They are elected officials without a manager who can train and coach them, or share the blame when something goes wrong.
Sensible voters need to help our election managers switch to a new narrative. It needs to be simple. It needs to be clear.
It needs to give them courage to face up to their responsibilities as prudent managers of elections technology. I propose this one:
“As local election officials, we have the paper ballots and we control the canvass procedures.
If we just use those to check that we’ve identified the right winners, our elections will be safe from every risk.”
“If an Elmwood Park poll worker had been grabbing the ballot from every twentieth voter and ripping it up, while county election officials looked on and did nothing, this result would have been pretty much the same.”
“The poll workers were not throwing out votes,” Racine voter Scott Farnsworth explained. “The problem is that county canvass officials have no process in place to notice or correct predictable electronic miscounts.”
Farnsworth participated in a hand count of ballots from last November’s presidential election, held at the Racine County Courthouse on November 14 and 15. County Clerk Wendy Christensen and county staff displayed the ballots to about two dozen volunteer vote-counters in response to Farnsworth’s open-records request.
The Citizens’ Audit was necessary because on Election Day, the voting machines indicated a weirdly high percentage of ballots contained no presidential vote. This is called the ‘undervote’ rate. But within two weeks, the County Board of Canvass had certified those totals as final–without checking their accuracy.
“A few voters always decide to leave the race blank,” explained Karen McKim, coordinator of the statewide group, “but not one in twenty. Anyone could see that those results were flawed before looking at even one ballot.”
Yet a few weeks later, in the Wisconsin recount, the county officials did not actually recount the votes. They merely ran the ballots back through the machines, which had not been reprogrammed. Observers noticed the machines were not counting all the votes, and again the machines’ totals indicated suspiciously high undervote rates. But again the county officials certified the flawed results, again without checking their accuracy.
Organized by Wisconsin Election Integrity and financed by a successful GoFundMe campaign, the citizens’ audit counted votes from six wards.
The audit found that county-certified vote totals had missed 2.5% of the valid presidential votes across all six wards–1 in every 40 votes.
The highest error rate was in the City of Racine’s Ward 26, where election officials failed to count 6.1% of the votes, even during the recount. More than 1 in every 17 voters were disenfranchised in that ward. Detailed results are here, for each candidate and ward.
Wisconsin Elections Commission officials believe the voting machines failed to detect the votes because voters had marked ballots with types of ink that the machines could not detect. After other counties hand-counted the recount and discovered the high rates of missed votes, the WEC decertified the machines (prohibited their future use in Wisconsin) in late September.
County Clerk Wendy Christensen has not yet publicly explained why the county board of canvassers chose twice to certify the results as ‘correct and true’ without checking, despite the obviously suspicious number of missing votes.
“We needed the manual count to get the truth,” said Village of Pleasant Prairie voter Liz Whitlock, who was among the recount observers who could see the voting machines missing votes.
Racine municipalities are in the process of replacing the unreliable voting machines. However, new machines do not eliminate the need for routine accuracy checks. Any computer, including both new and old voting machines, is continuously at risk of producing flawed output. Threats include both sophisticated international hackers and more mundane problems such as human programming error and random computer malfunction.
“Other local government officials make a habit of checking their computers’ accuracy,” said Whitlock. “You don’t see citizen volunteers having to audit computer-tabulated property tax bills or county park receipts. Election officials need to accept similar routine responsibility for the accuracy of our computer-tabulated vote totals.”
What needs to be done–before November 2018!
Before the audit, Farnsworth had said, “The 2016 election is over and done. This is about our future elections.”
In Racine County, as in other Wisconsin counties, a county board of canvass bears responsibility for the accuracy of results in statewide races such as president. That board consists of the elected county clerk and an appointed representative from each of the two major parties.
Current state law leaves it to these county boards to select the procedures they will use to review and approve preliminary election results. Wisconsin’s county clerks could, without any legislative action, start immediately to check accuracy.
At a minimum, they should follow the Wisconsin Election Commission’s written advice to check to see whether “there is a large difference between the total number of voters and the votes cast” in the top-of-the-ballot race. WEC has already warned the county election officials that “a large drop off between these two numbers might signal a problem with the voting equipment.” Because WEC has no oversight responsibility for the elected county clerks, citizen observation at canvass meetings is critical to ensure that county officials begin to follow basic instructions.
But Wisconsin candidates and voters deserve more than the minimum that our county officials can get away with.
In Wisconsin and elsewhere, local election officials cannot effectively preventelectronic miscounts, including hacking. Lacking IT expertise and authority to maintain full control of the software, they must rely on others—primarily voting machine vendors and service technicians—to maintain security.
But in states that use paper ballots—including Wisconsin—local election officials can detect and correct any miscounted preliminary election results, even if they cannot fully protect the voting machines or their software. By checking the vote totals against the paper ballots, they can prevent any miscounts or fraud from ruining an election.
And that is just what election-administration authorities recommend they do. In August 2017, the US Elections Assistance Commission wrote, “Carefully conducted post-election audits mitigate error and check the accuracy of election results. Comprehensive and transparent post-election audits raise the level of public confidence in the electoral process.”
Outside Wisconsin, other states are moving rapidly ahead to implement effective election-verification practices. Wisconsin’s county clerks could implement more prudent canvass practices now, with no change in state law.
Wisconsin Election Integrity urges Wisconsin county clerks to adopt modern effective audit methods to catch and correct fraudulent or incorrect election results.
We encourage every Wisconsin voter to contact his or her municipal and county clerk to demand verification before election results are declared final.
Additional relevant information:
Wisconsin’s biennial voting machine audits, mandated by statute, are completed only after the identified winners have been sworn into office and do not include enough machines to verify any statewide outcomes. Those audits are designed to audit voting equipment, not election results.
Pre-election voting machine tests cannot prevent Election-Day miscounts, particularly those caused by electronic manipulation, which would be designed to flip or ignore votes only on Election Day.
The 2016 recount did not verify voting-machine accuracy for about half the ballots in the state. All the largest counties except Dane—including Milwaukee, Waukesha, Brown, Walworth, Washington, Rock, Racine, and Kenosha—‘recounted’ by running the ballots back through the voting machines. Even with only half the ballots actually recounted, county officials changed at least 17,681 votes between the results they originally certified as ‘correct and true’ and the results they certified after the recount.
A discussion of standards for accurate vote counting, and why we need to watch for miscounts even when they don’t change the outcome of the election.
Finally, for an enlightening discussion of the merits of hand-counting versus machine counting, with nationally renowned experts discussing Wisconsin’s elections, read this edited transcript of a hearing in Dane County Court on November 29, 2016. The Judge decided that state law prevented her from orderingcounties to hand count, but the Judge also made it clear that: 1) county boards of canvass may choose to hand count; and 2) all the evidence supported hand counts as the only reliable way to verify computer-tabulated election results.
Main point: Public officials must keep the public both safe and calm. The danger is when election officials’ goal is reassurance, not safety.
Yesterday’s Wisconsin Elections Commission (WEC) meeting was packed with more cameras than I’d ever seen there. A few days earlier, the federal Department of Homeland Security announced that Russian-government backed hackers had tested the security of Wisconsin’s online voter registration system. They hadn’t gotten in. The ‘attack’ was, the computer experts say, like jiggling a locked door knob.
What voters get: “As you can see, it’s a beautiful day, the beaches are open and people are having a wonderful time.” – Mayor Vaughn, to a reporter.
“I don’t get it.” I told a reporter as the meeting got under way. “What’s the news here? Hackers are continuously testing every computer system. The Russian government is known for cybercrime. It would be news if they were not testing the security of our elections systems.”
I don’t remember his response, other than it wasn’t convincing. I fear the real answer is that his editors know which stories get the web clicks.
The facts that WEC shared were as I expected. State officials from the WEC and the Wisconsin Division of Enterprise Technology (DET) explained their system of continuous defense against hacking of our voter registration system (which is separate from the tabulation system, also known as the voting machines). Millions of efforts to get into the registration system are detected every week, from anonymous Internet addresses all over the world. Unrecognized addresses are locked out and if that fails, any unauthorized changes will be promptly noticed and reversed. If that fails, daily backups are made so that if some malicious code ever causes the system suddenly to garble or erase our voter registrations on election morning, a correct version can be quickly brought up. If that fails, paper backups are printed immediately before each Election Day.
State officials were convincingly competent and straightforward. The story that later appeared in the paper made the federal officials, not the state ones, look like the Keystone Cops.
WEC and DET took the opportunity to explain the security of our voter registration system to the press—while the press was willing to listen. When officials are keeping us safe, reassuring the public is usually as easy and effective as just telling the truth.
The officials’ explanation about our voter registration system confirmed my trusting assumptions about its security.
But the security of our vote-counting software is a completely different story.
Our election officials’ silence about security for thatsystem should be a dead giveaway there’s a shark in the water.
Like ‘baby’ in a pop song, election officials’ yesterday continuously repeated “We’re talking about the voter-registration system, not the vote-counting systems.” The reporters’ keyboards clicked along to the beat. Yeah, yeah, yeah. None seemed to notice the story within that silence on the vote-counting software.
Here’s why we don’t get convincing, impressive descriptions of the security system for our voting machines: Because it doesn’t exist. At least when sharks are eating tourists, someone notices. But if anyone is hacking our voting machines, their crimes would go undetected as we swear their chosen victors into office.
Reassuring spin: “We’ve seen no evidence of tampering with the vote-counting system.” The furor about Russian testing of our voter-registration system’s security was made possible by federal officials’ looking for it. No one–local, state, or federal–reviews Wisconsin’s election results to make sure they are accurate. None of them make any efforts to detect any doorknob jiggling of our vote-counting software, which is proprietary and controlled by the voting-machine companies.
Reassuring spin: “Our decentralized vote-counting system makes hacking unlikely.” After the vote-counting software is produced at the companies, it’s downloaded to the dozens of computers that will be used to design the ballots for each election and to tell the voting machines how to read those ballots. These are the ‘election management systems’ that reside at the vendor’s regional offices, the voting-machine service companies like Command Central, and in the offices of county election officials.
When election officials talk about the security of the vote-counting systems, they often refer to this decentralization. They say it makes the system harder to hack.
But they cannot possible imagine that, to tip a statewide race, a hacker would need to design a hack specifically for every type of voting machine used in Wisconsin and alter the results in every county. You can see the silliness of that–What’s Russian for “Darn it, we missed Forest County. Well, maybe next year.”? There are enough votes in Milwaukee County alone, or a few other counties, to control the outcome of most statewide races.
Not only does the decentralization provide little protection, it multiplies the possible entry points and places them in the physical control of an army of people with no particular IT security expertise, and often no access to any.
After the software is downloaded to the local election-management computers, it’s revised for each new election and then copied onto removable drives–typically, the same sort of USB drive you can buy at the drugstore. The drives are then handed off to the municipal clerks, who load the software onto each voting machine.
On Election Day, it’s in the physical control of the poll workers. At this point, we should probably be hoping that the possessors of the software have no IT expertise, rather than wishing that they did.
No one exercises any oversight of this disjointed system. Computer security expert Bruce Schneier told NPR’s Science Friday that federal voting-system security standards were outdated long ago, and no one is now exercising any oversight even if the standards were current. Vendors can coach county clerks on how to maintain security, but they have no way of knowing whether the clerks follow their instructions. To my knowledge (and I asked when I can), no state or local official ever attempts to oversee or even ask about voting-machine company security. They wouldn’t know how to evaluate it if they did, or any authority to force corrections.
Johns Hopkins University Computer Security Professor Aviel Rubin made a point of contacting the major voting-machine companies who count America’s votes. He reported “I have yet to meet an American voting system manufacturer that employs even one full-time trained expert in computer security.”
Reassuring spin: “Our voting machines are never connected to the Internet.” This used to be true, but there’s no machine on the market anymore without the capability of electronically transmitting results after the polls close. That, however, is not and never was the big risk. Connecting a voting machine to the Internet or to a cell phone tower after the polls close doesn’t give a hacker any opportunity to alter a hard-copy poll tape you’ve already printed. Having observed more poll-closings than I can count and several canvass meetings, I can vouch for the fact that is the one hack our election officials would likely detect and could easily correct.
The vulnerability comes before the votes are counted, not after. The big risk of manipulation–in fact the one that forensic IT security experts deem the greatest–doesn’t come from the Internet at all, but from insiders with authorized access to the software. Because no state or local election officials have the authority or ability to inspect the vote-tabulating software for integrity, even lightly sophisticated individuals–at the voting machine company, the service company, the local official’s office, or anywhere along the chain of custody–could alter the software and not be noticed. Thousands of people have authorized access to our vote-counting software or hardware between every election. Many of them, in the testing laboratories, voting-machine companies and service companies, understand the code. Many of the others likely can be bought–they are humans.
But hackers without authorized access can get in. The vote-counting software is created, updated, and maintained not on each individual voting machine, but on computers that are almost certainly, at some time, connected to the Internet.
And local election officials have no way to tell whether and when the individual voting machines are communicating with other machines. Wireless communications capability can be installed inside any computer or voting machine–antenna and all–without their knowledge and controlled by anyone within transmission range. Local election officials never inspect the insides of the voting machines for surreptitiously installed wireless cards, and few would know what to look for if they did.
Reassuring spin: “No election has ever been hacked.” The truth is, our election officials wouldn’t know if one had. They don’t use the one practical opportunity–checking the results against the paper ballots–to check the system’s integrity. If any election ever has been hacked, it’s likely no one noticed.
What voters need: “Smile, you son of a bitch.” – Martin Brody, to the shark.
Yet despite the widespread concern about the security of last year’s presidential election, not a single state had routine procedures in place to verify an accurate statewide vote count. Michigan, Pennsylvania, and Florida proved unable to document accuracy even when directly challenged, unable to get a recount even started.
Wisconsin did best. Every county at least double-checked things like the handling of absentee ballots, but only half of the vote totals were checked for accuracy. The other half were just run back through the same computers, so any electronic miscounts would have just been repeated. We know that some were miscounted twice.
State officials in Wisconsin recently scored a first, when in January they detected a few miscounting computers—after the winners from the previous November were already sworn into office. To their credit, they decertified the machines. They are still are not sure what caused the miscounts—they know ink color on the ballots contributed, and that from their size and randomness, the miscounts seem unlikely to be even a trial-run hack.
What to do?
Face it: State and local election officials will never have the authority, skill, or money to maintain strong IT security for our vote-counting software. It’s just not going to happen. Elections are too intermittent, the workforce too temporary, the property taxpayers too stingy to make good security possible.
Our only hope for protecting our election results from hackers–and from malfunctions, glitches, and human operator error–is to notice and correct any miscounts before results are certified.
If the polls opened and voter registrations were garbled, we would notice. Perhaps that’s why those responsible for the software are so vigilant–they know any laxity will get found out.
But we cannot sit by the television on Election Night and say “Hey! That’s not how we voted!” Voters have no way to tell honest election results from false ones. And maybe that’s why checking accuracy is such a low priority for our election officials. If they don’t detect the miscounts, they can keep saying–honestly–“We’ve never known an election to be hacked.”
Every other public official takes responsibility for the accuracy of their work product. It’s long past time for voters to insist their election officials do the same.
