The Election Guard we need isn’t one that Microsoft can provide. It’s human.

In brief:  Microsoft’s ElectionGuard is sophisticated technology that gives the public (e.g., voters, parties) the ability to detect signs of electronic vote tampering. This essay describes that product and its live-election test in Fulton, Wisconsin in February 2020. There are two take-away points.
First: Even if ElectionGuard successfully alerts its users to signs of trouble, election officials are unprepared to respond to those signs. We must disabuse ourselves of the fantasy that more or newer or shinier technology, by itself, can compensate for vulnerabilities that exist when no human takes managerial responsibility for the accuracy of the certified results.
Second: The trial run in Fulton created a rare circumstance: On this one day, in this one polling place, the managers in charge were truly committed to producing results of unquestionable accuracy—with no excuses, no whining, no blue smoke or mirrors. And they did, using two simple methods. The critical lesson of Fulton is this: When election managers truly want to, they can produce verified accurate results with minimal additional work and no new technology.


Captain Chesley (Sully) Sullenberger became the face of technology mastery when in January 2009 he safely landed 155 people in the Hudson River after his aircraft did not, shall we say, perform as expected. Later he commented:

“What we have learned is that automation does not decrease problems. It changes the nature of problems. As we use more and more technology in the cockpit, we must always make sure that humans are in complete control of the aircraft and its flight path.”

When it comes to election automation, Americans have not yet learned that lesson. On that future Election Night when the voting machines deliver incorrect vote totals, the election will crash and burn, because our officials are not prepared to take effective control to save it.

It’s a sign of America’s deep-seated desire to trust technology that many readers will dismiss this message unless I remind them of three basic and irrefutable facts.

  • First, any computer can be deliberately misprogrammed. Therefore, all voting systems are hackable, either by outsiders or by corrupt insiders. Insiders include the employees and contractors working for voting equipment vendors, service companies, and the local election offices.
  • Second, there is no surefire way to prevent all misprogramming, no matter how big the company or how lush the security budget. Computer systems of global corporations as big as Sony and as focused as the US Department of Homeland Security have been compromised. 
  • Finally, American voting-machine companies and our local election clerks have nowhere near the security resources of Sony or the DHS. Not even close. Knowing that malefactors found their way into those systems, it is delusional to imagine voting-equipment companies and town clerks can keep them out of our voting machines forever.

Therefore, responsible citizens accept the inevitable: Sooner or later, American voting machines will be deliberately programmed to miscount on Election Day.

And when that happens, as with US Airways Flight 1549, it will be human actions, not technology, that can save the election. If local officials quickly detect the miscounts and decisively correct them before certification, the election will be saved. If they do not, the election will be a total loss.

However, in most states including Wisconsin, election officials trust the voting machines and the programmers. Full stop. They make no effort to detect outcome-altering miscounts; they have no plans in place to correct the results if miscounts make themselves known. Occasionally, Wisconsin officials check a few randomly selected voting machines’ tallies against the paper ballots, but even if those audits notice one miscounting machine, the officials do not expand the audit to verify the outcome and do not claim to.

In short, we have no Captain Sullenbergers in the cockpit of our elections.


Josh Benaloh, Ph.D., Senior Cryptographer for Microsoft, thinks he has an antidote to the officials’ managerial passivity: Technology that will enable other people to detect miscounts. Staying with the Sullenberger analogy, he wants to enable each passenger independently to monitor the plane’s engine power and altitude.

It’s easy to trust Benaloh’s motives and his expertise. With boy-next-door good looks, Benaloh’s face carries a natural smile that disappears only when he frowns—and sometimes not even then. As whip-smart as they come, Benaloh has degrees from Massachusetts Institute of Technology and Yale, and his credentials as a forward-thinking innovator are impeccable: He wrote his doctoral dissertation on verifiable secret-ballot elections in 1987, more than a decade before computerized vote-counting was common, and three decades before election security came into public view as a serious concern. Ask anyone in the field to name the top 10 US experts, and Benaloh’s name is likely to be on their list.

Benaloh and I were among those present in Fulton, Wisconsin last February when a small election (only two races on the ballot) allowed the Microsoft team to demonstrate ElectionGuard, an election-security product Benaloh helped to develop with the company’s Defending Democracy program.  He and I spoke in total for more than two hours that day, during which he explained to me the purpose of ElectionGuard and the basics of how it works.

ElectionGuard is not a voting machine itself, but a program that can be installed on other voting systems, to work in parallel with them. In brief, ElectionGuard will enable voting systems to print a receipt for each voter.  The voter will cast the ballot as usual and leave with the receipt, which contains a ballot-tracking code. Later, they can visit a website, enter the code, and get a message: “Your vote was counted!” In addition, because Microsoft is providing the tabulation software free to the public, it will allow others—most likely, candidates’ campaigns—independently to verify the vote totals if they can get the electronic ballot files from the local officials. 

Benaloh convinced me that ElectionGuard’s use of advanced encryption methods will make it impossible for anyone to alter the digital record of the votes without leaving obvious evidence, which voters will be able to detect when they enter their ballot-tracking codes.

What he did not convince me of, to his polite but visible frustration that day, was that ElectionGuard will secure our election results or build voter confidence. (See note #1, at the end of this post.) But that’s nothing Benaloh’s inventions or Microsoft’s products can do, any more than Flight 1549’s cockpit dials could have landed that plane safely in the river if Captain Sullenberger not been ready and able to take charge.


To understand the types of miscounts that ElectionGuard is designed to detect, we need to understand voting-machine systems’ programmable components.

For the Fulton demonstration, equipment was provided by VotingWorks, a young nonprofit, open-source election-equipment vendor based in San Francisco. Benaloh told me that ElectionGuard can be used with hand-marked paper ballot systems, but for the Fulton set-up, voters used touchscreens, rather than pen-and-ink, to indicate their selections. The system included three main components:

  • A ballot-marking device (BMD) is a computer that displays the races and candidates to each voter on a touchscreen monitor. As voters make their selections by touching the display, the BMD translates those touches into digital data, which is transferred to…
  • A printer that produces a paper ballot. The paper ballot used in the Fulton demonstration was of the type that prints votes two ways—once in encoded data (in this case, a QR code) that will be counted, and separately in human-readable text. The voter takes the printed ballot and inserts it into…
  • A tabulator—which reads the votes encoded in the QR code, and records them in a digital file, along with all the other ballots it has read. At the end of the day, the tabulator will tally the votes for each candidate and print the totals on a poll tape. The tabulator might also transmit the vote totals to a central computer to be compiled with results from other polling places.

In normal use (though not in the Fulton demonstration), that whole set-up is managed through:

  • A central elections management computer, which in Wisconsin is operated by the county clerk. As the conduit for the software that is installed in the polling-place equipment, these central computers are the most likely target for malicious interference. For example, if a malefactor bribed a technician to install remote-access capability on Milwaukee County’s election management computer at some time in the past, that malefactor could alter the software on any or all of the hundreds of pieces of voting equipment in that county.

What types of hacks is ElectionGuard designed to detect?

Malefactors have two high-level options: They can create chaos with obvious malfunctions, or they can alter results while trying to postpone or escape detection.

Chaos-seeking malefactors might do things such as prevent the equipment from powering up on Election Day; make the BMDs print ballots the tabulators cannot read; or make the tabulators produce nonsensical results on Election Night. ElectionGuard could detect some of those problems but when the malefactor has already made sure the problem is obvious, ElectionGuard’s detection is not needed. Nor does ElectionGuard give managers any new options for responding to chaos.

But what if the malefactors try to postpone or even escape detection? In that case, ElectionGuard might or might not help. It depends on whether the malefactor hacked the BMD or the tabulator.  

Because ElectionGuard relies on the BMD’s digital interpretation of the votes, it cannot detect hacks that made the BMD misinterpret input (that is, the voters’ touches.) If the BMD misinterprets a touch on Alexander Hamilton’s name as a vote for Aaron Burr, ElectionGuard will, too. (Benaloh disagrees with this statement. See note #2.)

However, if the malefactor works with the tabulator rather than the BMD, ElectionGuard can enable detection.

When a voter inserts the paper ballot into the tabulator (with or without ElectionGuard), the tabulator interprets the votes recorded on that ballot; internally creates a digital record of each vote; and uses that record to tally results at the end of the day.

One of the ways a malefactor might intervene is this process is to make the tabulator look at the ballots with votes for Hamilton and record some of them, in its own memory, as votes for Burr. Then when the machine tallies the votes at the end of the day, Burr would be credited with some of Hamilton’s votes.

Without ElectionGuard, hand-counted audits are the only way to detect that problem. But when BMDs are equipped with ElectionGuard, each voter gets a separate, printed receipt with their ballot, as shown below. The ballot has a unique ballot ID number, and the receipt has a unique ballot tracking code, allowing ElectionGuard to match the two.

When the voters inserted their ballots into the tabulator, the tabulator worked as it normally would have without ElectionGuard, while ElectionGuard created a separate electronic record of the votes, in encrypted form, tagged with the unique tracking code.

Later, after Election Day, the voters are able to visit a website, enter their tracking code, and see a message. (Benaloh’s thoughts about who should host this website are in Note #3.) If the ElectionGuard record of that ballot matches the tabulator’s, the voter will see “Your vote was counted!”  (That is all it will tell them; it does not reveal even to the voter which candidate received the votes.) If the tabulator’s interpretation of the votes did not match the votes that ElectionGuard recorded, the voter would not receive the confirmation message.

And then what?

Well, that’s up to the election officials. Voters will start reporting problems the day following the election. Your guess is as good as mine about how many such reports each clerk will need before he or she stops assuming voter error and starts to question whether the equipment might be at fault. There is nothing in Wisconsin law or practice that requires clerks to take voters’ reports seriously.

Nor does anyone know what the clerks will do if they believe the voters’ reports of trouble—not even the clerks. Captain Sullenberger knew what to do when he realized his plane had lost its engines. But our election pilots trust their voting equipment so completely that they fly without emergency procedures.

Another way a malefactor might intervene would be to allow the tabulator to record the individual votes correctly in its own memory, but cause it to produce incorrect vote totals at the end of the day. That is, if 60% of the ballots contained a vote for Hamilton, the tabulator would correctly record each individual vote in its memory, but at the end of the day produce vote totals showing 60% of the votes going to Burr. In that case, ElectionGuard would tell every individual voter “Your vote was counted!,” which is, I suppose, true-ish.

But ElectionGuard would reveal that problem in a different way. Its open-source code enables anyone with programming skills to create their own verification tool. So if campaigns or political parties can get the election’s digital ballot files from the election officials, they will be able to tabulate the votes themselves. Microsoft will provide, free of charge, the source code needed to write those tabulation programs, even while the votes remain encrypted.

Currently, no one in Wisconsin verifies computer-generated vote totals, so ElectionGuard would be an improvement.

But will independent tabulation using ElectionGuard ever save a miscounted election? Probably not. At most, it will provoke expensive but futile lawsuits. The miscount won’t be corrected for at least two reasons.

First, it is highly unlikely election officials will allow access to the ballot files until after the results have been officially and finally certified, at which point no corrections are legally possible. And because there is no chance that a re-tabulation would lead to a correction, campaigns will be unlikely to bother. Benaloh agrees: “There would be minimal value in using ElectionGuard in a situation in which the election record is not made public until after certification.”

Second, even if clerks do release the ballot files immediately following Election Day, unofficial audits have no standing. Citizens’ groups that report miscounts are ignored. When such groups have documented miscounts in the past, officials did nothing; the press yawned; and the results were not corrected. The public has no credibility.

If one of the candidates’ campaigns used ElectionGuard to detect a miscount, there might be more sound and fury, but still no correction. Imagine, for example, that the Trump campaign had been able to use ElectionGuard in November 2020. If they had announced they’d found a miscount, officials would have issued statements saying that the campaign must have done it wrong. The Biden campaign would not have done their own re-tabulation; there is no reason why an Election-Night winner ever would. Instead, the Biden campaign, the officials, and the press would have insisted, correctly, that the Trump campaign’s only legal recourse was to demand a recount.

Unlike most candidates, Trump was able to force a partial recount, but that’s a rare situation. Recounts in Wisconsin are available only to second-place candidates who lose by less than a 1% margin, and even they must be able to pay the full estimated (and inflated) cost of the recount upfront in cash, unless they lost by less than 0.25%. Wisconsin Republicans will remember that, as close as the 2018 governor’s race was, and as widespread as concerns were about the City of Milwaukee’s atypical reporting, Scott Walker’s 1.1% loss margin prohibited him from even petitioning for a recount. ElectionGuard cannot change that.

In addition, a Wisconsin recount would be performed by running the ballots back through tabulators that have been ‘reprogrammed’ only to prevent them from printing out results for any but the recounted race. The tabulators’ second count would agree with the first and be accepted as confirmation, and the ElectionGuard results would be dismissed. When the buzzer sounds for the certification process, the victory will go to the malefactors.

So, sure, we can install ElectionGuard on America’s voting systems, and it will do no harm. When an election is hacked, it will be as helpful to voters as a set of cockpit dials on each seatback would have been for the passengers on Flight 1549: “Notice: This plane has lost all engine power.”

On that day, as with the Miracle on the Hudson, the only way to save the election will be for the professionals in the cockpit to take decisive, competent, manual control and bring the thing in for a safe, if atypical, landing.

Captain Sullenberger was prepared to do that. Our election clerks are not.

Fortunately, that is not the whole story. The Fulton demonstration did show how American election officials can make sure only correct winners are certified. It showed us what happens when those in control of the voting equipment really, truly, desperately, and sincerely want accurate election results. And that is the most important lesson of the Fulton demonstration.

When running a normal election (that is, when they are not demonstrating or testing new technology), officials need only to produce credible results. Notice I did not say accurate results. Fact is, they don’t normally have to prove accuracy to anyone, not even themselves.   

In that respect, the Fulton demonstration was a unique situation and uniquely instructive. Microsoft spent years and hundreds of thousands of dollars, drawing upon some of the best cyber-talent in the nation to develop ElectionGuard. For its first public demonstration, the organizers could not simply say “We believe the results are accurate because we trust the computers and you should, too.” In Fulton, they knew they had to prove accuracy. Otherwise, the whole thing would have been an embarrassing waste of time.

So they managed the polling place in a way that produced rock-solid results of unimpeachable accuracy. That effort required only two easy safeguards—one that verified BMD performance, and one that verified the tabulator. Neither used any new technology.

I’ll let Microsoft tell you about the safeguard that checked the tabulator’s accuracy:

“One of the things we wanted to do was … to make sure that the voters would never have to question that the results were accurate. There would be a hand-count of the paper ballots at the end of the day as the officially certified result. It took the poll workers maybe only 15 minutes to actually count the votes. We compared all three results (the voting-machine poll tape, the ElectionGuard tabulation, and the hand count) and all three matched, which was exactly what we were going for.”

Yes, when Microsoft the Global Tech Giant knew it had to produce accurate election results—leaving no shadow of a doubt—they hand-counted paper ballots. Or, more precisely, they counted the votes using two different methods and compared the results to make sure they matched.

It took them only 15 extra minutes. In larger elections, officials would not need to count every vote to verify the correct winner: Election authorities have developed methods that allow officials to confirm the right winners by hand-counting only a small sample of ballots—much like an exit poll that looks at ballots instead of interviewing voters.

But what about the BMD? How did the Fulton demonstrators ensure that the computer-generated ballots were accurate records of the voters’ selections?  

Verifying ballots’ accuracy is not an issue when voters mark their own ballots with a pen. If no vote is recorded as the voter touches pen to paper, the voters notice and tell the poll workers that the pen is out of ink. And if a voter touched a pen to one oval and a different oval turned black, the voters would positively flip out.

But when voters make their selections by touching a display on a computer monitor, it’s possible that the printed ballot could be missing votes or contain votes printed for the wrong candidate. Auditors and recounters are helpless to detect misprinted ballots because they have no way to know what the actual selections were. Only the voter can notice if that happens.

The problem is that touchscreen-using voters don’t review their printed ballots naturally, as hand-marking voters do. They need to be instructed or they will not do it. For example, both the cities of Madison and Milwaukee make heavy use of BMDs, but neither city instructs voters to verify the ballots. During the November 2020 election in those cities, I observed around 200 voters at six polling places as they used BMDs in early voting. Not one verified their printed ballot. If misprogramming or malfunction caused those BMDs to print any incorrect votes, no one will ever know and the true votes are lost forever.

To ensure that all Fulton ballots were voter-verified, organizers set up a ‘verification station’ between the printer and the tabulator, where a poll worker intercepted every voter and reminded them to read their ballot and make sure it was correct. With only two races on the ballot, every one of the 398 voters was willing and able to do that. 

But even with 100% voter verification, the Fulton event showed how election officials might allow voters to use a hacked BMD all day in a Wisconsin polling place. Four of the Fulton voters—slightly over 1 percent—noticed and reported incorrect votes. In each case, the voter and poll worker immediately assumed it was voter error—with no effort to rule out machine malfunction. But was it? Probably, but no one will ever know.

In contrast, managers with a passing level of quality-assurance expertise would not simply assume voter error, but would always be alert for misprinting BMDs. They would keep track of the number of voters reporting misprinted ballots; they would have decided ahead of time how many misprints would be considered indicative of a malfunctioning machine; and they would be prepared to take that BMD out of service.

But few real-world election officials are acquainted with real-world quality-assurance principles. Wherever BMDs are used in Wisconsin, the assumption is as it was in Fulton—to blame voter error for every noticed problem. If ever, say, 10% or more of the BMD-using voters at a polling place report misprinted ballots, election officials have no backup or recovery plans. Managers can choose to respond to signs of trouble; they can choose to respond in an improvised ineffective way, or they can choose to ignore them.

No technology, including ElectionGuard, can fix that. It’s not a problem with the technology; it’s a problem with the management practices.

A separate issue, which this blog has covered before, is the risky practice of encoding votes in a way that prevents voters from verifying them no matter how closely they study their ballots. ElectionGuard cannot help with that, either. That problem can be corrected only by redesigning the ballots so that the tabulators count the same recorded data that the voters verify, and vice-versa.

The tabulator will count the votes based on the information encoded in the QR code,
not the text the voter is able to verify. If an audit or recount using the votes recorded in the text produces different results than the results the tabulators produced using the votes recorded in the QR codes, and voter verification was not witnessed and documented by poll workers, no one has any way to tell whether the text or the QR code is correct.

We will not be able to secure election results until American voters and officials recognize that it is the officials’ responsibility—not Benaloh’s, not the vendors’, not the voters’, not the candidates’, not the lawyers’—to detect and correct any miscounts. 

But it will not be easy to get election officials to accept that responsibility. Whether from naivete or a willful desire to avoid buck-stops-here responsibility, election officials are happy to accept the vendors’ vision that technology can, all by itself, protect elections.

At the Fulton demonstration, I asked both the county clerk and the town clerk why they were willing to cooperate with Microsoft in demonstrating ElectionGuard. What did they see as its potential benefits?  

Like election officials everywhere, neither attempted to hide her faith that the voting equipment will always produce accurate results—they consider that faith a virtue. As a result, they are uninterested in solutions that allow them to detect and correct electronic miscounts because, through their eyes, that risk does not exist.

Instead, their answers focused on two other things: First, encouraging voters to trust the computers as unwarily as they do, and second, reducing their workload. County Clerk Lisa Tollefson told me her reason for hosting the demonstration was that she is “always interested in changes that might make the clerk’s job easier,” — not the answer you’d get from County Clerk Sullenberger.

What about voter confidence? For better or worse, actual security and voter confidence are separable. True security does not always create voter confidence, and voters can be confident even when security is weak. Both are necessary for well-run elections.

ElectionGuard might increase confidence among those voters who say: “Just give me a receipt for my ballot, and I will believe the election is secure.” They are likely to find it fun to visit a website, plug in a personal ballot-tracking code, and receive the confirmation message “Your vote was counted.”

But the voters’ confidence might fall back to baseline when they realize that ElectionGuard won’t confirm for whom the vote was counted. The stated reason for that is to prevent coercion and the buying and selling of votes, quaint considerations in an age of growing reliance on absentee ballots. (Benaloh shared some good thoughts on ballot privacy – see Note 4.)

Technicians like Benaloh who understand why ElectionGuard is trustworthy will believe the confirmation message is reliable, but they are not the ones for whom such reassurance is intended.  Everyone else will be in the same boat they are in now, having to trust the technology and the programmers. My guess is that once ElectionGuard’s novelty wears off, we will be right back where we are now, with skeptical voters being skeptical and trusting voters trusting.


When America finally decides that it really, truly does want secure elections–not just the appearance of security, not just voter confidence–we will stop piling technology upon technology and will instead make sure that that the humans in the election cockpit are responsible and accountable. This is what we will do:  

  • On Election Day, every voter who can use a pen will create a reliable record of their selections by hand-marking a paper ballot.
  • Those ballots will be quickly counted by computers and preliminary results released as soon as possible, just as they are now.  
  • Promptly following Election Day, the officials will conduct outcome-verifying audits by hand-counting enough of a sample to confirm that the voting machines identified the correct winners. They will be prepared to move quickly to full hand counts in the unlikely event the audit finds the machines were wrong. Only when the computers and the hand counts agree on the correct winners will final election results be certified.

With that simple system—for which our election officials already have all the technology they need—any would-be malefactor will need two entirely different sets of means and opportunity to mess with the results—one to hack the voting machines and the other to manipulate the hand-counted audits. That will deter 99.9% of any manipulation and will detect and correct the rest before the wrong person is sworn into office.

(I’ll give Benaloh the last words; see note #5.)


Notes

#1 – Josh Benaloh graciously and carefully reviewed three drafts (3!) of this blog post, and provided detailed, constructive feedback. I am very grateful. Of course, any remaining errors are mine. There are a few areas where I did not make changes in response to his comments, either because we disagree or because his valid comment didn’t fit into the flow of the argument I wanted to make. These comments provide the basis for the following notes.

#2 – Benaloh wrote: “It is not the case that ElectionGuard ‘cannot detect hacks that made the BMD misinterpret input (that is, the voters’ touches).’ In Fulton, human-readable ballots were produced.  Any recording or counting of ballots that was inconstant with this human-readable ballot was detectable.  I do not disagree that, in the Fulton instantiation, a voter may fail to notice a misinterpretation that results in a printed ballot that does not match the voter’s selections, and I fully agree that this is a legitimate concern.  However, I think that there is an important distinction between “undetected” and “undetectable ” – especially in this context.”

#3 – Regarding the hosting of the website that voters would visit to use their verification codes, Benaloh wrote: “I see minimal value in an individual voter going to an official election website to confirm a verification code.  Instead, I would envision third parties such as political parties, media, and watchdogs hosting copies of the election record against which voters could query.  There is far more value to me in having my preferred candidate or media outlet confirm that my vote is correctly included in the tally than for me to receive that assertion from an election official whom I may not trust.  Of course, if I trust no one, I can confirm the entire record – including my vote – entirely on my own.  In the small Fulton pilot, we had no leverage to encourage independent entities to establish such services; so the only verifier available was the one hosted by the town.”

#4 – Benaloh wrote: “I see not revealing individual vote contents as far more than a ‘quaint‘ notion.  Secret ballots were not introduced in the U.S. until the late nineteenth century, and before that time elections were rife with vote selling and coercion.  It would be easy to provide verifiability if we were not concerned about ballot privacy.  We could just post verification codes and voter selections without bothering with any encryption.  Although it is very difficult to quantify, I’ve seen numerous anecdotes of coercion (especially spousal coercion) associated with routine vote-by-mail and absentee voting.  Of course, voting without the benefit of a poll is preferable to not voting at all; but I believe that the protections offered by in person voting are critical to election integrity.  Just as you see audited HMPBs as your gold standard, I view verifiable in-person voting as mine.”

#5 – Benaloh wrote: “I agree wholeheartedly with your general thesis – that ultimate control and responsibility should be in the hands of people.  ElectionGuard is not intended as a solution but rather as a tool that can be used by election officials and the public to help achieve accurate outcomes.  To push on your Sullenberger analogy, when his engines failed he was not devoid of technology and left entirely to his own devices; instead, he was able to exploit other technologies to help him bring his plane a safe landing.  A human was, and should be, in ultimate control; but the availability of tools and technologies helped the human in control to overcome adversity.  I regard ElectionGuard as nothing more than a tool that can – depending upon the people who use it – be an effective aid or a superfluous nuisance.
“As such, I would posit that your ideal election design – HMPBs followed by a rigorous human audit – is only enhanced by the inclusion of ElectionGuard.  This is not just a pointless inclusion in a process that is already as strong as possible.  We have a crisis of confidence in U.S. elections today.  We have millions of voters who do not believe election results.  They do not believe their election officials (e.g.., Brad Raffensperger) and they do not trust their equipment vendors (e.g., Dominion and Smartmatic).  As such, they will not trust the results produced by your ideal scenario.
“While I share few of the views of these detractors, I am somewhat sympathetic to the reason for their suspicion.  From their perspectives, they gave their ballots to people they don’t trust who used equipment they don’t trust to produce results they don’t trust.  If ElectionGuard had been included with the systems they used to vote, they would have had means to confirm the accurate counting of their votes – despite their lack of trust in the people and systems (potentially including a lack of trust in the ElectionGuard component).  I’m old enough to remember Reagan’s overused “trust but verify” admonitions.  With ElectionGuard, voters can verify without trust.  Without it, voters who do not trust their officials and equipment are left with nothing.”

Do election officials listen to voters?

In brief: During the past nine years as I’ve advocated for better security for voting machines and the vote-tabulation process, I’ve observed a reflexive resistance by election officials to any suggestions for improvement. On matters relating to the voter-registration system, where federal pressure has been greater, they are reasonable. But when it comes to counting votes, they listen only to each other and to voting-machine vendors, and ignore authorities and cybersecurity experts. They seem particularly deaf to any suggestions from voters regarding security safeguards.

I’m testing that observation now, with a safeguard that is, undeniably, a no-brainer. The City of Madison currently puts thousands of early voters’ ballots at risk by neglecting a safeguard that is effective, easy, not controversial, very low cost, has no substitute, and is unanimously recommended by authorities. Madison could largely implement this safeguard with one memo to its poll workers. Will Madison even consider it? Will WEC even consider ordering it? I don’t know yet. This blog post explains the issue and my effort so far. I’ll update it as events unfold.


BMDs (ballot-marking devices) are computers that mark ballots for voters who cannot, or who are not allowed to, mark their ballots with pens.

Using computers to mark the ballots necessarily introduces some risks: Computers can be misprogrammed, and printers can malfunction. So there is always a possibility that votes might be omitted from the printed ballots; the wrong votes recorded; and that ballots could be misprinted in a way that makes the votes illegible to the computers that will count them (the ‘tabulators’).

There is a simple, cheap safeguard: Before each ballot is cast, review it to make sure it was printed correctly. That’s called ‘verification.’ Only the voter can verify because no one else knows what votes were supposed to be printed.

However, voters don’t verify unless they are instructed to do so. And in some cases (when the votes are printed in barcodes), voters need access to a barcode reader, and need to be told how to use it. It sounds complicated, but typically takes less than a minute.

It’s obviously careless to let computers print thousands of votes with no one checking to make sure they are printing them correctly. So I’m sure you won’t be surprised when I tell you that every professional election authority, plus the voting-machine manufacturers themselves, recommend routine voter verification.

But that’s not what Wisconsin does.

(Note: In an earlier post, this blog inventoried the pros and cons of general use of BMDs. This post will focus only on their management once a city has decided to put them into general use, not the overall wisdom of doing away with hand-marked ballots.)

WHY DO WE NEED VOTER VERIFICATION?

The problems we need to watch out for are:

  • votes that aren’t recorded at all;
  • votes that are recorded for the wrong candidate; and
  • votes that are recorded in ways the tabulator cannot understand.

When voters use pens, these problems either don’t exist or are easily corrected. When a pen fails to record a vote, the voter tells the poll worker “This pen is out of ink,” and the problem is fixed before it ruins any ballots. If when a voter touched their pen to one oval, a different oval turned black, that would be magic, not malfunction, and we don’t need to worry about it.

Voters using pens sometimes record votes the tabulators cannot read, for example by circling the candidate’s name instead of filling in the oval. But that problem cannot systemically ruin hundreds of ballots. In fact, only a tiny fraction of ballots are mismarked so badly modern tabulators cannot read them. In addition, the voter’s selection is usually obvious to a human recounter or auditor, and so not a problem even in close contests.

But when voters select their votes from a touchscreen and a computer prints the paper ballot, voters must make an extra effort to notice any problems while they still have an opportunity to fix them.

Wisconsin’s early voters, in particular, need to make this effort because they will not be present to mark a new ballot if their ballot is rejected by the tabulator. And because early ballots are not cast for days or even weeks after they are printed, misprinting BMDs could ruin thousands of ballots before the problem is noticed unless the early voters verify.

When only a small percentage of ballots are printed by BMDs, problems are less likely. BMDs used by only a few voters are not an attractive target for hackers. But heavily used BMDs are at greater risk of both hacking and malfunction, and voter verification becomes essential. If no one notices when a heavily-used BMD starts misprinting ballots, an election could be seriously disrupted or even ruined.

Therefore, when a city replaces its ballot-marking pens with ballot-marking computers for large numbers of its voters, it needs to add the step of voter verification to its polling-place procedures.

HOW IS VOTER VERIFICATION DONE?

When security-minded election officials use BMDs, they set up a ‘verification station’ near the BMD. As the voters carry their ballots from the printer to the table or machine where they will submit them, a poll worker invites each voter to pause, read the ballot, and tell the poll worker if it accurately recorded their selections.

Some BMDs print ballots on which the votes are encoded so that the voters cannot read them. (See an example below.) When votes are encoded, the verification station must be equipped with a reader, so that the ballot can be quickly inserted and the encoded votes displayed to the voter. (Yes, everyone knows the voter will still be unable to verify that what the barcode reader is telling them is truly what the barcodes say. But using the reader might catch at least printer flaws that could make the encoded votes unreadable. It’s better than no verification at all.)

Polling places with these procedures can successfully get most, or even all, of the voters to review their BMD ballots.

If at the end of their shift, the poll worker then signs an affidavit that they observed the voters verifying the ballots, the computer-generated ballots can be accepted as reliable evidence of the voters’ selections in even the most professionally conducted audits and recounts.

WHAT DO MADISON AND MILWAUKEE DO?

In November 2020, election-security advocates around the nation were worried about Wisconsin. Mark Shipley, an activist from California, came to Wisconsin shortly before the election to help out with any election-security efforts that voters might be doing here.

As early voting started, I told him what I’d been told: that Madison and Milwaukee normally use a barcoding BMD, the ExpressVote, in early voting but were not going to use it in November’s election because of pandemic worries related to touchscreens.

But after one day of observing in Milwaukee, he told me I was wrong. Not only were all the early voters using the barcoding BMDs, not a one had verified their ballot. I quickly called Madison and found they were using the BMDs, too.

So Mark and I met in Milwaukee to observe at two more polling places. It was as he’d reported. We spoke with the person in charge at each location. Not only were the poll workers failing to instruct voters about verification, no one had instructed the poll workers themselves about either the ballots or verification.

The next day, I observed at four polling places in Madison, and saw even worse. In some locations, poll workers were standing beside the BMD, pulling the ballot out of the printer before the voter could, and folding it before handing it to the voter, in a way that assertively prevented the voter from seeing their own ballot.


This is a sample ballot from a Georgia election, generated by the type of machine used in Madison and Milwaukee early voting. When the tabulator counts this ballot, it will look at only the barcodes, where (we hope) votes that match those printed as text are encoded. Notice that one of these barcodes is flawed, and may or may not be readable by the tabulator. The voter will be able to detect this by inserting the ballot into a barcode reader before submitting it.
Also, as an exercise in understanding the challenges of this type of BMD ballot, do you think you would be able to verify each of the last eleven votes if this was your ballot? What were Constitutional Amendments 3 and 4, anyway? Does this ballot record a ‘no selection made’ for the right one?

In Madison, I was able to chat with more poll workers, including those in charge, during lulls in the action. All told me the same thing: They had never been instructed about the need for voter verification and they did not know what the barcodes were for. A few didn’t even know there were barcodes on the ballots. None knew how a voter could check to make sure the barcodes were readable, so if a voter had asked, they wouldn’t have been able to answer. (The ExpressVote has a built-in barcode reader; the voter just re-inserts the printed ballot.)

I saw a few voters who glanced at their ballots before folding them and as they left, I asked what they had been looking for. They told me they were looking to make sure it was the ballot, and for ‘fold here’ instructions. None had checked whether all their votes had been recorded or whether any had been recorded incorrectly.

Failing to tell BMD-using voters about verification is a violation of even elementary safeguards when using the machines. When I described what I’d witnessed to a national Zoom conference shortly after the election, I could see the other participants’ jaws drop. Outside Wisconsin, officials understand the need for voter verification.

SO WHAT’S TO BE DONE?

Mark and I compared notes over the next few days, and I filed a formal complaint with the Wisconsin Elections Commission. Only I signed the complaint because Mark lives in California. The complaint focuses only on Madison’s practices, for two reasons:

  • Our notes were more detailed from the second day of our observation and therefore, in my opinion, a better foundation for a formal complaint, and
  • I had corresponded with Madison election officials several times in the past few years regarding their use of BMDs, but had never written to Milwaukee. Therefore, I knew Madison officials were knowingly ignoring the dangers because I myself had informed them. In contrast, I realized Milwaukee officials might still be naive, and a formal complaint didn’t seem to me to be the right way to start to educate them.

I didn’t want to file the complaint so close to Election Day, knowing the problem couldn’t be fixed in time to protect any of the early ballots and that the officials were busy. But I went ahead and filed it promptly anyway, because I hate it when people wait until after they know who won to complain about election practices. So, apparently, do the courts.

My complaint requested that in future elections Madison implement these common-sense and expert-recommended safeguards:

  • Give voters the option of hand-marking their own paper ballots, which could most easily be done by purchasing a blank-ballot printer for each early voting location. These machines can print ballots appropriate for any ward in the city, but allow the voters to record their own votes, AND
  • For those voters who choose to use the BMD, have poll workers inform them about the barcodes, instruct them to read the human-readable text after their ballot is printed to make sure it’s correct, and encourage each voter to use the barcode reader to verify as much as they can.

The City’s response was written by City Attorney Michael Haas (formerly administrator at the WEC) on behalf of City Clerk Maribeth Witzel-Behl. They did not deny anything we had observed, and did not offer any reason why they believe it’s a good practice to keep poll workers and voters in the dark about verification and barcodes.

Instead, the response can be summarized: “You’re right. We don’t train our poll workers about the ExpressVote ballots or to answer questions about them. The State approved the ExpressVote for use in Wisconsin, so we can use it any way we want. We do other safeguards that statutes require of us, but because the State doesn’t explicitly require us to enable voter verification, we don’t.”

The next step for me was to submit my comment on Madison’s response, which I did. I addressed my remarks to the Commissioners because I’ve heard them have a sensible discussion about the issue, while the Madison officials don’t seem to understand either the problem or the solution. For example, they seem to believe that telling voters about a barcode reader supplied by the manufacturer specifically for the voters’ use requires “in-depth familiarity with the inner workings of the equipment.”

I’m not sure what’s next. I haven’t been notified of any specific timeline for resolution. But there’s no urgency. The next election is about a month away (February 16), and Madison could mostly correct the problem with a memo to its poll workers. The memo would tell them about the barcodes and tell them to instruct each BMD-using voter to read the human-readable votes printed on their ballot and to re-insert the ballot so that the machine can confirm the barcodes are readable. Other steps, such as giving voters the option of hand-marked paper ballots, will take longer.

I don’t know if the whole Commission will discuss the issue in an open meeting, or when that would be scheduled if they did. I’ve never seen them discuss complaints in open meetings, and judging by the number they assigned to my complaint, 20-24, I’m guessing there were 23 other complaints filed before mine last year.

I’ll update this blog as I learn more and as events unfold.

Milwaukee and Madison voters: It will help if you contact your city election clerks and tell them you want them, at a minimum, to educate their poll workers and voters about the barcoding BMDs and to introduce polling-place procedures that enable BMD-using voters to verify their ballots. Madison: 608-266-4601; Milwaukee: 414-286-3491.

Voters who live in other cities should call their municipal clerk to ask about local use of BMDs (the two most common are called ‘ExpressVote’ and “ImageCast Evolution”, or ICE) and about whether or how they instruct voters to verify their computer-generated ballots.

If any Wisconsin voters want to organize any stronger actions, I can consult with you. Email me at kmk@wisconsinelectionintegrity.org.

Verifying a statewide election could be this easy and cheap.

Photo: Michigan election officials assess the results of a manual count of a sample of ballots for a risk-limiting audit in 2018. Photo credit: Berkeley Institute for Data Science, UC-Berkeley


Think of “risk-limiting audits” as low-effort exit polls.

Exit polls determine who won by asking randomly selected voters “Who did you vote for?” Risk-limiting audits work on the same principle to confirm the correct winners, but they do not involve talking to voters. Instead, RLAs pose the question directly to randomly selected paper ballots.

Either way, a small sample can provide statistical proof of who really won the election, independently of the vote-counting computers.

No one in Wisconsin now does risk-limiting audits. Sometimes local officials spot-check a few randomly selected voting machines, but to any sensible risk manager’s horror, none have any specific plans for what they will do if any of those random voting-machine audits ever detects a serious miscount. Risk-limiting audits, in contrast, always resolve any problems they detect.

The Wisconsin Elections Commission has shown some mild interest in the possibility of using outcome-verifying audits to secure our elections. Every sensible Wisconsin voter should be pressuring them to do more. Here is the memo I submitted to WEC in December 2019, to help them understand how very practical this effective safeguard could be.

There’s no one correct way to do a risk-limiting audit. Our election officials could sample individual ballots (less work) or entire polling places (more work). They could do nothing more than confirm the correct winner in one race (less work) or they could answer other questions at the same time (more work).

A risk-limiting audit of a statewide election in Wisconsin could be this easy and cheap:

1) After they close the polls on Election Night, poll workers would record how many ballots they seal into each bag. Using this information, the municipal clerk would create a “ballot manifest” (e.g., City of Abbotsford: Bag #1 – 234 ballots; Bag #2 – 122 ballots).

It’s unlikely anyone has ever counted, but a fair guess is that a big election produces around 4,750-5,000 sealed ballot bags statewide. One bag can contain a maximum of around 300 ballots but might contain fewer than 10.

2) The day after the election, every municipal clerk would send their ballot manifest to the Wisconsin Elections Commission. The WEC could create an online reporting form to make this task easy and quick. It wouldn’t need bullet-proof security if the municipal clerk also mailed a hard copy of the manifest to WEC, and WEC staff later verified them against each other.

3) The WEC would then assign a number to every ballot in the state. For example, ballot numbers 1-234 would be assigned to the first bag from the City of Abbotsford; numbers 235-356 to the second bag, all the way up to the last bag from the Town of Yuba, which might be assigned the numbers 2,673,149 – 2,673,308.

4) WEC staff would examine the preliminary election results for the statewide races and enter the results for the closest race into a statistical tool that has been endorsed by the American Statistical Association, tested, and used in other states. This would generate a sample size for the audit.

The size of the sample depends upon the Election-Night margin of victory. If the margin is large or normal, the sample size will be small. For example, the 2018 contest for the US Senate was neither close nor a landslide: 55.4% to 44.5%. A risk-limiting audit of that race would have needed an initial sample size of only 401 ballots across the entire state. However, officials could choose to select a larger sample to provide voters with ’emotional’ confidence in addition to statistical confidence.

An extremely close election such as the 2018 Governor’s race (49.5% to 48.4%) would have needed an initial sample of 37,841 ballots (out of almost 2.7 million cast). But it’s these races that officials legitimately need to be most careful about, and it’s the very close races that, when left unaudited, provoke the most candidate resentment and voter suspicion.

Wisconsin election officials have already demonstrated they can handle larger sample sizes. For comparison, the voting-machine spot-checks conducted after the November 2018 election required officials to count votes from 135,712 ballots — more than 3.5 times the number of ballots they would have needed for a risk-limiting audit. But because of the way WEC selected that sample and their instructions that auditors ignore voter intent, that effort did not confirm the correct winner in any race.

Wisconsin election officials counted 135,712 ballots in the random voting-machine spot-checks after the November 2018 election, but used a method that did not confirm the winner in any race.
A risk-limiting audit of the same election would likely have verified the correct winners in the statewide races with only 37,841 ballots.

And because races from the same ballot (as those two races were) do not need separate samples, a risk-limiting audit could have verified all the statewide contests on the ballot in that election–an accomplishment of enormous value to election security and voter confidence.

5) WEC would randomly select ballot numbers and then use the statewide ballot manifest to identify the bag in which each of the selected ballots is stored. For example, if ballot #284 turned up in the random sample, the WEC would know it is in the second bag from the City of Abbotsford. If the random selection turned up ballot #2,673,193, they would know it is in the last bag from the Town of Yuba.

6) At this point, WEC could ignore the hypothetical numbers they assigned to each ballot and tell the municipal clerks only the number of ballots to be randomly selected from each bag.
For example, the WEC would tell the City of Abbotsford clerk to randomly select one ballot from the second bag. The instructions for random selection could be something like: “In the presence of observers, pull the ballots out of the bag, set them in a stack on the table, let an observer from each political party cut the stack several times like a deck of cards, cut the stack two more times, and select the ballot at the bottom of the last cut.”
Other methods could be prescribed for jurisdictions that use machines that print flimsier forms of paper ballots.

7) The municipal clerk would display the selected ballot to the observers; fax it to the WEC; mark it with red ink indicating it was the ballot selected for the audit; put it on the top of the stack of ballots; and reseal the bag.

8) The WEC would conduct a publicly observed manual count of the faxed ballots and enter the results of that count into the standard risk-limiting audit formulas. If the proportion of votes for the Election-Night winner in the manual count is close enough to the proportion reported on Election Night, the result is confirmed. The audit would be concluded and the county canvasses could conduct their certification process as normal.

If the proportion of votes for the Election-Night winner differed too much, an additional sample would be drawn and counted. That process would be repeated until statistical confidence in a winner was established.
The WEC would need to adopt policies to govern what will happen in the rare event that the sample has to be expanded more than twice, or if the confidence level declines as the sample is enlarged. Likely, WEC would stop the audit, declare a lack of confidence in the preliminary Election-Night results, and order a full recount on its own initiative.

Other states’ election officials think their voters’ right to self-government through secure elections is worth at least that much time and effort.

If you think Wisconsin elections are worth the effort it takes to conduct a genuine risk-limiting audit, contact your county clerk and the Wisconsin Elections Commission to tell them so.

Wisconsin’s Election Security Council sees the gorilla.

The first meeting of the Wisconsin Elections Commission’s new Election Security Council was both reassuring and scary.

First, the good news. I’m genuinely not sure whether WEC created the council more to promote belief in security or to promote security itself. But whatever WEC’s intention, the members of the new council are there to promote security.

They uniformly exhibited a desire for actual security. Understandably, they showed some legitimate interest in appearances, but their primary concern seemed to be for real security.

Hang on to that idea as I describe the bad news. I do think intention matters.

The second piece of good news is that the members did not seem to share—even slightly—WEC’s hesitance to include voters on the council. (See note at the end of this post.)

A bit of background: the state election agency’s longstanding attitude toward citizen participation is not normal. After 30 years working as a state bureaucrat in three agencies and auditing dozens of others for the legislature, I know “normal.” Even agencies running unpopular programs like septic-tank regulation or state-forest timber harvest seek citizen participation as a routine matter of course.

In contrast, the WEC runs a popular function—people like elections—and yet they hide under their desks when someone mentions voter participation. I’ve never understood why; it makes no sense. I sincerely think that, overall, their objectives are in line with those of the voters.

Fortunately, the council members know normal. When WEC administrator Meagan Wolfe asked whether they wanted to add voter representatives to the council, the members’ brief discussion can be summarized: “Well, duh.”

The representative from the Wisconsin Counties Association, whose name I didn’t catch, pointed out that legislative advisory councils routinely include representatives from citizen groups. Then, after Wolfe said she would bring a detailed proposal for selecting voter representatives to the next meeting, Governor Evers’ representative, Jenny Dye, said that would be too late. The council’s work was “already short on public input,” she said, and it wouldn’t do to have the public members miss the first two meetings. WEC agreed to work out the details and get voters’ representatives to the table by the council’s December meeting.

Okay, now the bad news.

The level of naivete in the room was frightening. Among the utterances that made me shudder:

  • In the limited discussion of specific threats to election security, I heard reference only to external hackers. I detected no awareness that insider corruption (e.g., a rogue employee of a voting-machine company) is the single greatest threat to vote-counting security—one that our election clerks have no reliable defense against. When a representative from the Wisconsin Statewide Intelligence Center listed the threats to look for, he described only external threats. Later, WEC Assistant Administrator Richard Rydecki explained to me that was because external threats are the only ones WSIC has noticed. Well … yes … that is why the other threats are more serious. Wisconsin officials don’t have any way to detect unauthorized remote-control software in the county election-management computers or dicey Serbian programmers working for Dominion.
  • Hearing Mike Davis from the League of Wisconsin Municipalities open his question with “I don’t know much about elections administration, but…” Yikes! Municipalities run Wisconsin’s elections! (On the other hand: his ‘but…’ led into a question about what we do with our paper ballots—displaying that he has good intuitive sense about how we could be securing our elections from that rogue programmer or service technician.)

Ignorance doesn’t have to be a problem. No one was born knowing this stuff. They can learn.

However, WEC’s conduct of the meeting gave me some concern that the council members might not get the education they need.

Put it this way: If you convened a new council to get advice on election security, how would you have opened the first meeting? If it had been me, I would have started by describing the basic elements of a secure election system. Then, I would have given the council a quick overview of Wisconsin’s strengths and weaknesses vis-a-vis these elements–which are covered, and where are the weak spots or holes?

Instead, WEC staff presented a rosy overview of all the good things. When they were done, I’m guessing some council members were wondering why they were there, given that things are already as good as can be.

Wolfe wasn’t making stuff up–a lot of good security measures are already working. She was leaving stuff out—specifically, stuff relating to voting machines.

One fact is critical to understanding election security: Two separate systems must be secured. (See the chart below). These two systems have practically no overlap. They have different creators and different owners. They operate on different computers, managed by different agencies. They face different threats and require different safeguards.

WisVote–the voter-registration system–is secure, thanks to the good, hard work of the state elections agency. I wouldn’t trade our voter-registration system for any other in the nation.

Security for the vote-tabulation system–that is, our voting machines–is closer to an honor system.

Yet Wolfe danced over the tabulation system so lightly I’m not even sure she said the words “voting machine.” For example, one of her Powerpoint slides listed the steps in an “End-to-end Election Administration System.” The list went right from “prepare the poll lists” to “report results to the State.” I wonder whether any of the council members noticed the missing step: “Count the votes.”

I’ve seen this tunnel-vision focus on WisVote security from WEC staff many times before. Whenever they are asked about “election security” (with or without specific reference to voting machines), they respond by describing safeguards that protect only the WisVote system. Dozens of reporters have failed to notice.

But for some reason, I didn’t expect it to be on full display in the meeting today. Perhaps I was thinking that creating an advisory council was something like going to a therapist. You want help, right? So be honest about the problems that bring you there.

(Spoiler alert. If you’ve never taken the selective perception test where you watch a brief video and count the number of times a white-shirted team passes a basketball, do that before reading further. I don’t want to spoil anyone’s opportunity to experience this phenomenon firsthand.)

I’m not a mind reader and so cannot say how much of this relentless tunnel vision on WisVote security is strategic, and how much stems from the fact that tabulation-system security is simply not the WEC’s job.

But as I listened, I started to see WisVote as WEC’s white-shirted basketball team. They are so intently focused on it—absolutely, fully engrossed—that they cannot see the gorilla that is the tabulation system.

Here’s my best hope, and I think it’s a real possibility: I think this council might be able to provide WEC staff with more guidance and education than they realize they need.

After WEC staff had shared all the lovely information about WisVote security, they turned the microphone over to the council members. They asked each member to say a few words about their organization and describe how they see their role in election security over time.

The county clerks went first—and promptly ignored the instructions. Instead, they immediately started to talk about voting-machine security and the fact that they are not getting the IT support they need. Then the League of Municipalities representative popped in with his question about the role of paper ballots in securing election results.

The WEC staff may not see the gorilla, but it was the first and only thing council members wanted to talk about.

In summary, this seems like a good bunch of sensible people. In addition, on my way out, I had a quick but solid discussion with Rydecki about some nuts-and-bolts details regarding the sort of risk-limiting audits that could work to secure Wisconsin election results.

So progress is underway, and I’m okay with that.

* * *

NOTE: After reading this blog post in mid-November, Assistant Administrator Richard Rydecki reached out to explain what had appeared to me to be WEC’s hesitance to include members of the voting public on the new Election Security Council. Our conversation was easy and pleasant and provides a window into WEC’s thinking about its various stakeholders.

The idea to form such a council is not new. In early 2019, the WEC created its first election-security advisory committee, limiting membership to county and municipal clerks. So in March, both Wisconsin Election Integrity and the League of Women Voters of Wisconsin publicly urged the WEC to seek election-security advice from additional stakeholders. We suggested that they either expand that committee to include public representatives (particularly those with security expertise), or to form a separate election-security advisory group with broader membership.

I cannot speak for the LWV-WI, but WEI received no response. If the WEC gave the proposal even momentary consideration, it was quickly forgotten. Rydecki made no mention of it when he explained that the idea for this new election-security advisory council arose in June, in discussion among government officials at a Department of Homeland Security training exercise.

Apparently, the officials who proposed its creation did not mention anything at the time about public members. Nevertheless, Rydecki said, WEC staff did consider how public input might be handled. Some clerks “were not terribly enthused” about having public members on the Council and might not have agreed to participate if public members were included.

One option, according to Rydecki, was that officials’ trepidation might be accommodated by allowing a short period for public comment at the beginning of each meeting, as the Elections Commission itself does.

But ‘professional courtesy’ required WEC staff to refrain from making a ‘unilateral decision’ on how or whether anyone who is not a government official would participate. So WEC formed the council exclusively with government officials and then presented it with the question of how or whether it would have public participation.

I’ll let the reader decide whether that information supports or contradicts the observations I made, above, about WEC’s attitude about citizen participation.

Contact Senators NOW about election security

A coalition of national pro-democracy groups is calling for a national day of action for election security. Wisconsin voters need to respond. On or before Tuesday, Sept. 17 contact our two senators to let them know Americans deserve secure elections! Important legislation is stalled in the US Senate, and the senators need to MOVE.

Here is Ron Johnson’s contact page. Ask him to support election security action and to pressure Mitch McConnell to allow votes on the election-security legislation passed by the House.
Here is Tammy Baldwin’s contact page. Thank her for supporting election-security legislation.

Wisconsin has paper ballots, but our election results are not secure. Our county clerks do not use those paper ballots to verify the Election-Night results before they certify the final results. Several other states don’t even have paper ballots. That threatens us all.

The risks are real. Evidence is overwhelming. In 2016, Russian operatives hacked and probed American political campaigns and voter registration systems. But Russia isn’t the only problem–maybe not even the worst. Why would it be? American elections are an attractive target for many around the world and in our own country.  Hackers in China and Iran are showing interest and have launched thousands of attacks not just in the U.S., but in 26 countries, according to Microsoft, which has been helping detect and deter attacks for democracy-supporting organizations of all stripes. 

Many in the US Congress appreciate the need for REAL election security–and NOW. The House of Representatives has passed federal legislation that would make it possible for every state to have:
1) A voter-verified paper ballot for every vote; and
2) Robust ​manual​ election​ ​audits that detect and correct any false outcomes before election results are declared final.

But the US Senate isn’t working.

The House passed $600 million (in H.R. 3351) in election security funding for states and localities to use to secure our vote. While Republicans and Democrats had different proposals, nearly every representative in both parties voted to designated hundreds of millions of dollars for election security. Now it’s time for the Senate to write and pass its funding proposal.

But Mitch McConnell said. “I’m not going to do that.” He and his obedient cronies are blocking the legislation that would allow the states to protect our federal elections in 2020.

Every single U.S. Senator must stand up for democracy now. The Senate must pass funding for election security. They must include the House bill language so that the counties that are the most vulnerable are able to get the funds they need to secure our elections for all. 

The House voted to provide the states with funding for:

  • Paper Records: Every voter can ​​mark​ ​a paper​ ​ballot​ by hand or with an assistive device and verify their vote, so that there is a paper record of every vote cast.
  • Checking the Results: Officials subject ​machine-counted​ ​results​​ to​ a robust ​manual​ ​post-election​ ​audit,​ that can detect and correct false outcomes.
  • Secure Voter Data: Voter databases should be backed up offline, monitored and secured using best practices. Poll workers should be trained to ensure that voters can cast a vote in case of a hack or error.
  • Election websites and election management systems, as well as the vendors themselves also need to be more secure and resilient in the face of possible hacking attempts and computer error. 

FAQ

Q: To what extent can Mitch McConnell hold up the funding?
McConnell can fully block the funding if he wants to. But his spokesperson recently said they have not ruled out an appropriation for election security so national election-security advovates believe there is an opening. At the end of September the government must be funded so the Senate either must pass appropriations bills or agree to a continuing resolution with the House leadership. In either case, $600 million in election security funding for states and localities can and should be included.

Q: Isn’t this a federal mandate on state elections? 
States and localities have been pleading for funding from Congress for years now, and every state wants to be able to secure its elections. The House passed a strong bill with $600 million requiring the funding be spent on the areas of greatest vulnerabilities.

Q: The states got $380 million for election security in 2018 and they haven’t spent it all. Shouldn’t we wait until should spend it before getting more money.
States and counties are spending down the funds, they expect to spend 85% of the funds by the 2020 election. But in too many places it wasn’t enough to do a lot of the serious work. We want them to proceed quickly, but carefully so they actually are able to use the funds to make our elections more secure.

Q: My election official says the voting machines are not connected to the internet, how can they be hacked?
Sadly, our local election officials cannot promise that–they simply cannot know. They don’t have control over the security of the voting-machine manufacturers, where the software is developed. Election officials have no way to know whether those companies’ computers are on or off line. And if the software has been compromised before it even reaches the local officials, it doesn’t matter whether the local clerk keeps it secure.

In addition, it’s just not true that the voting machines are never connected to the internet. Local election officials often don’t understand what the voting machines are doing when they transmit results on Election Night. Almost all of our voting machines and the county elections computers use the internet during pre-election tests and then again for election-night reporting of the results. And on top of that, national cybersecurity sleuths recently found that nine Wisconsin counties had left their county elections computers on line continuously for as much as a year!

Q: We already have paper ballots, what do we need this funding for?
Paper ballots are only decorative if no one ever uses them to verify the voting machines’ accuracy. As things now stand, after a Wisconsin voter casts his or her ballot, chances are it will never be looked at again. It will be sealed up on Election Night and will stay sealed until it is destroyed two years later. In the meantime, the voting-machine tape will be assumed to be correct.

Unless the paper ballots are used in rigorous post-election audits comparing the votes on the paper with the numbers the machine reported, we can’t know for sure if the outcome of the election was correct.

The one huge hole in Wisconsin’s election security is that our officials do not routinely audit the results. The state elections agency could use this money to fund efforts to develop practical, reliable audit practices that fit with Wisconsin’s unique election-administration practices.

About those Russians…

In the past two weeks, three reporters have asked me to comment on Russian interference in US elections. Do I believe the Russians interfered with the 2016 election? Do I think they will try in 2020? And my least favorite: Do I think Russians are the worst threat to the voting machines?

I’ll answer the ‘worst’ question first: What the hell does it matter?  All threats are threats. Will it be a boring news story if our election is stolen by a Canadian anarchist living in his grandmother’s basement, or by a random computer glitch?

I’ll tell you what the worst threat is. It’s the threat that is literally the sum total of all other threats. Wisconsin county clerks are STILL not using the only safeguard effective against every voting-machine threat including the Russians: Using our paper ballots in prompt, routine, hand-counted audits that verify the correct winners.

The simple truth should be obvious. It is ridiculous to allow any computers to make any big decision unless you have a reliable way to detect and correct serious computer errors.  

Can you think of any other government agency that relies on computers and doesn’t have some way to notice if the computer screws up a big operation? No, you cannot. There isn’t one. Only election officials trust their computers that blindly, and demand our trust, too.

When Wisconsin’s county clerks declare election results final without verifying the correct winners, they are allowing computer programmers to pick the candidates who will govern us.1 They don’t supervise these programmers. They don’t know even know who or where they are.2

As to the other questions:  I don’t know whether the Russians or anyone else tampered with the voting machines in 2016 and 2018. No one does.

We don’t know because Wisconsin election officials didn’t check. 3 How is that not scandal enough?

Wisconsin’s election officials just seal our paper ballots on Election Night and leave them sealed until it’s time to destroy them two years later. No one ever knows if the paper ballots tell a different story than the computer tapes.

And I don’t know whether Russian criminals are planning to mess with the voting machines in 2020. I know that it is wise to assume they are. Most importantly, I know it will be criminally negligent if our county clerks make no effort to detect and correct any hacks that might get by the security system.

Call your Wisconsin County Clerk today and say: “Surely you understand that you cannot guarantee the security of our voting machines. Too much is outside your control. The only thing you can secure is the election results, and you can do that only by using our paper ballots in hand-counted audits during the county canvass to make sure you certify only the correct winners. Get busy now on developing audit procedures for the 2020 elections.”

– – –

1 A few Wisconsin county officials claim they “program their own voting machines” and imply that provides security. They don’t, and it doesn’t.
The county clerks ‘program’ the machines only in the sense that you ‘program’ a new cell phone with your personal address book and settings. If any are messing with the actual tabulation software, they are breaking federal law. Truth is, these county officials rely on the voting-machine company in the same way you rely on Samsung, Apple, or Nokia.

2 Example: In 2016, election-security advocates noticed that Dominion—the nation’s second-largest voting machine company, which counts many Wisconsin votes—was recruiting programmers in Serbia. The company’s official response was: “Like many of America’s largest technology companies, which develop some of the software for their products in places like Asia, India, Ireland and the Mideast, some of our software development is undertaken outside the U.S. and Canada, specifically, in Serbia, where we have conducted operations for 10 years.”

3 In the 2016 recount, half of Wisconsin’s presidential votes were “recounted” only by running the ballots back through voting machines programmed by the same people who programmed them for Election Day. These were the ballots in the state’s largest counties (except Dane)–the counties most at risk of hacking.
In the half that was hand-recounted, the recount found that more than 1 in every 170 votes had originally been miscounted. These errors were not deliberate and affected both major-party candidates equally. As a result, they did not change the outcome and the news media didn’t report it.
But notice this: even when that many votes had been miscountedup to 30% in some individual wardscounty clerks did not notice it in their regular canvass. They detected the incorrect vote totals only when forced to check their work with a recount. Unless our county clerks adopt routine audits, the same will happen when hackers put the Election-Night results outside Wisconsin’s microscopic recount threshold (0.25%). There won’t be a recount and the hackers will have successfully pulled off their crime.

Jump on this chance to improve Wisconsin election security!

Friday, March 30, 2018 – In defense of our right to self-government, please contact the Wisconsin Elections Commission in the next few days to tell them: Include routine election auditing in Wisconsin’s application for federal election-security funding.

Chances like this don’t come along very often. Congress sits on its hands for years, ignores problems, messes around, and then–when an issue is hot–throws some money at the states and says “Spend it quick!”

When that happens, states need to be able to grab the money and spend it on something worthwhile.

That is just what has happened with election security. Voters have been warning, shouting, complaining, and worrying for years about the dangers of poorly managed election technology, and then all of a sudden Congress awoke and leapt out of bed. (Thank you, Vladimir!) Last Friday, Congress passed a federal budget bill that includes $380 million for grants to the states for improving election security.*

Just short of $7 million of that is earmarked for Wisconsin–pending the Wisconsin Elections Commission’s submission of a plan for spending it.

Thirteen states should definitely spend their money to replace unauditable voting machines–the kind that don’t use or create a paper record of each ballot. But that’s not Wisconsin’s problem. Paperless vote-counting computers have always been illegal here.

Wisconsin’s big election-security hole–where we lag most other states–is not that our elections are unauditable. Wisconsin elections are simply unaudited.

Wisconsin is in relatively good shape on most other aspects of election security. The WEC has done a good job with those systems they control, which are the voter-registration system and the ‘canvass reporting system,’ the automated system that counties use to report results they have already counted and certified. In addition to having respectable security, both these systems also have effective backup in case of manipulation or failure. With same-day registration at the polls, hackers have to ask themselves how much effort they are going to waste deleting Wisconsin voters’ registrations when we will be able immediately to vote anyway, with only about five minutes’ re-registration inconvenience. And the canvass reporting system kicks in only after our votes have already been counted in the polling places and municipal clerks’ offices. Any hacking of that would be easily detectable and reversible, even without a serious audit effort.

But Wisconsin has no more security for our voting machines than any other state that uses paper ballots, and a paper trail is merely decorative if the ballots are sealed on Election Night and never seen again.

Our elections’ biggest unprotected vulnerability is that our county boards of canvass make a habit of declaring election results final without lifting a finger to check to see whether the vote-counting computers counted our votes correctly. That practice is justifiably illegal in 25 states (26 if you count D.C.) and contrary to every national election authority’s recommendation.

The practical solution: Wisconsin law provides county election officials with paper ballots and allows them to check accuracy before they certify, but they choose not to. The problem isn’t time or money. Wisconsin’s county clerks have as much time for the canvass as their counterparts in states that do audit, and modern election-audit methods are so efficient they could almost be funded from petty cash.

So we can only guess why our county officials continue to force us to trust our franchise to unaudited computer output–something they wouldn’t tolerate for a millisecond from their banks and ATMs. My best guess is that they’ve been allowed to ignore that basic managerial responsibility for so long that they fear they will find a host of problems when they start to look. Look at the panic this county official exhibited as she refused an observer’s request for verification during the 2016 recount. That level of distress looks to me like she knew the machines’ unreliability would be revealed if she allowed verification, so she refused to hand count “even five ballots.” And she was right: the machines were, in fact, miscounting and were later decertified by the Wisconsin Elections Commission.

What voters need to do: 
Contact the WEC and tell them that you want them to include funding for routine audits during the county canvass in Wisconsin’s federal grant application. WEC staff are up to date on national election-administration trends, and I believe they understand the need for, and practicality of, routine election audits. In addition, I sense that WEC Commissioners are favorably disposed to effective election audits and will do the right thing if enough citizens express interest and support.  

You can:

  • Tweet to @WI_Elections to say that you want to see county election audits in the application for federal funding;
  • Email Chair Mark Thomsen and Administrator Meagan Wolfe at elections@wi.gov. 
  • Snail-mail them at Wisconsin Elections Commission,  P.O. Box 7984, Madison, Wisconsin 53707-7984, with copies to U.S. Election Assistance Commission, 1335 East West Highway, Suite 4300, Silver Spring, MD 20910, and to Jill Lau, Chair, Wisconsin County Clerks Association, 421 Nebraska St, Sturgeon Bay, Wisconsin  54235.

If you want to do more, you can use these web-contact forms to tell Senator BaldwinSenator Johnson, and the US Election Assistance Commission that they, too, should encourage the WEC to seek funds for election auditing in Wisconsin.

Also, please, tell other voters about this so that they, too, can weigh in for election audits. The WEC hardly ever gets any citizen input on election security issues, and they will definitely sit up and take notice if they get a lot now. So go for it!

—-

* It would be unfair to accuse every member of Congress of inaction. Wisconsin’s very own Mark Pocan introduced an excellent elections-security bill, the Secure America’s Future Elections (SAFE) Act a year ago. As other representatives wake up to the issue, it’s still collecting new co-sponsors. If you live outside Wisconsin’s Second Congressional District, contact your congressperson today and ask them to sign on. If  you live in Rep. Pocan’s district, tell him “Thank you!”