Jump on this chance to improve Wisconsin election security!

Friday, March 30, 2018 – In defense of our right to self-government, please contact the Wisconsin Elections Commission in the next few days to tell them: Include routine election auditing in Wisconsin’s application for federal election-security funding.

Chances like this don’t come along very often. Congress sits on its hands for years, ignores problems, messes around, and then–when an issue is hot–throws some money at the states and says “Spend it quick!”

When that happens, states need to be able to grab the money and spend it on something worthwhile.

That is just what has happened with election security. Voters have been warning, shouting, complaining, and worrying for years about the dangers of poorly managed election technology, and then all of a sudden Congress awoke and leapt out of bed. (Thank you, Vladimir!) Last Friday, Congress passed a federal budget bill that includes $380 million for grants to the states for improving election security.*

Just short of $7 million of that is earmarked for Wisconsin–pending the Wisconsin Elections Commission’s submission of a plan for spending it.

Thirteen states should definitely spend their money to replace unauditable voting machines–the kind that don’t use or create a paper record of each ballot. But that’s not Wisconsin’s problem. Paperless vote-counting computers have always been illegal here.

Wisconsin’s big election-security hole–where we lag most other states–is not that our elections are unauditable. Wisconsin elections are simply unaudited.

Wisconsin is in relatively good shape on most other aspects of election security. The WEC has done a good job with those systems they control, which are the voter-registration system and the ‘canvass reporting system,’ the automated system that counties use to report results they have already counted and certified. In addition to having respectable security, both these systems also have effective backup in case of manipulation or failure. With same-day registration at the polls, hackers have to ask themselves how much effort they are going to waste deleting Wisconsin voters’ registrations when we will be able immediately to vote anyway, with only about five minutes’ re-registration inconvenience. And the canvass reporting system kicks in only after our votes have already been counted in the polling places and municipal clerks’ offices. Any hacking of that would be easily detectable and reversible, even without a serious audit effort.

But Wisconsin has no more security for our voting machines than any other state that uses paper ballots, and a paper trail is merely decorative if the ballots are sealed on Election Night and never seen again.

Our elections’ biggest unprotected vulnerability is that our county boards of canvass make a habit of declaring election results final without lifting a finger to check to see whether the vote-counting computers counted our votes correctly. That practice is justifiably illegal in 25 states (26 if you count D.C.) and contrary to every national election authority’s recommendation.

The practical solution: Wisconsin law provides county election officials with paper ballots and allows them to check accuracy before they certify, but they choose not to. The problem isn’t time or money. Wisconsin’s county clerks have as much time for the canvass as their counterparts in states that do audit, and modern election-audit methods are so efficient they could almost be funded from petty cash.

So we can only guess why our county officials continue to force us to trust our franchise to unaudited computer output–something they wouldn’t tolerate for a millisecond from their banks and ATMs. My best guess is that they’ve been allowed to ignore that basic managerial responsibility for so long that they fear they will find a host of problems when they start to look. Look at the panic this county official exhibited as she refused an observer’s request for verification during the 2016 recount. That level of distress looks to me like she knew the machines’ unreliability would be revealed if she allowed verification, so she refused to hand count “even five ballots.” And she was right: the machines were, in fact, miscounting and were later decertified by the Wisconsin Elections Commission.

What voters need to do: 
Contact the WEC and tell them that you want them to include funding for routine audits during the county canvass in Wisconsin’s federal grant application. WEC staff are up to date on national election-administration trends, and I believe they understand the need for, and practicality of, routine election audits. In addition, I sense that WEC Commissioners are favorably disposed to effective election audits and will do the right thing if enough citizens express interest and support.  

You can:

  • Tweet to @WI_Elections to say that you want to see county election audits in the application for federal funding;
  • Email Chair Mark Thomsen and Administrator Meagan Wolfe at elections@wi.gov. 
  • Snail-mail them at Wisconsin Elections Commission,  P.O. Box 7984, Madison, Wisconsin 53707-7984, with copies to U.S. Election Assistance Commission, 1335 East West Highway, Suite 4300, Silver Spring, MD 20910, and to Jill Lau, Chair, Wisconsin County Clerks Association, 421 Nebraska St, Sturgeon Bay, Wisconsin  54235.

If you want to do more, you can use these web-contact forms to tell Senator BaldwinSenator Johnson, and the US Election Assistance Commission that they, too, should encourage the WEC to seek funds for election auditing in Wisconsin.

Also, please, tell other voters about this so that they, too, can weigh in for election audits. The WEC hardly ever gets any citizen input on election security issues, and they will definitely sit up and take notice if they get a lot now. So go for it!

—-

* It would be unfair to accuse every member of Congress of inaction. Wisconsin’s very own Mark Pocan introduced an excellent elections-security bill, the Secure America’s Future Elections (SAFE) Act a year ago. As other representatives wake up to the issue, it’s still collecting new co-sponsors. If you live outside Wisconsin’s Second Congressional District, contact your congressperson today and ask them to sign on. If  you live in Rep. Pocan’s district, tell him “Thank you!”

Wisconsin’s county clerks need a better story

Main point: Wisconsin’s elections officials have been telling themselves a simple story–“The only threat to election results is Internet hacking, so we can keep elections safe just by keeping the voting machines unconnected.”

There’s an equally simple–but more true–story they could be telling themselves: “We don’t have the power to prevent every type of miscount, but we can keep elections safe anyway by using the paper ballots to detect and correct miscounts, regardless of cause.”


February 21, 2018  — In a recent newspaper article, I wrote that election officials should check the accuracy of our computer-tabulated election results as routinely as city treasurers check our computer-tabulated property tax bills.

That proposal is uncontroversial. Every national election expert promotes routine audits. So do other authorities, such as the US Department of Homeland Security. When presented with the idea that election clerks should verify the right winners before they declare election results final, every voter responds with either “Well, duh” or a wide-eyed “You mean they don’t do that now?!?!”

Wisconsin election officials, however, think that all the rest of us are wrong about that. In response to my article, I received the following email from the county clerk in a mid-sized Wisconsin county:

“Good afternoon, Ms. McKim: Please tell me if a piece of Wisconsin certified equipment has ever been hacked, or how one could even attempt to hack said equipment.  The equipment used in my county is never connected to the Internet. It’s not even connected to our county network. Unless someone has figured out a way to hack through the unit’s power cord, our equipment is basically unhackable.”

Except for that last word, my correspondent’s few facts are correct. It’s the same argument that county clerks have used for yearsLet’s review a few additional facts. You won’t need to be an IT security expert or a Russian hacker to see the possibilities…

First, Wisconsin’s county clerks need to know that voters don’t want their votes miscounted for any reason–not hacking, not human error, and not machine malfunction. Even if we believe you that you’ve perfected the world’s only unhackable computers, that’s no reason to fail to check of any other type of miscount.

Hacking might be a risk, but mistakes and malfunctions are a reality. Our voting machines are operated by a  lightly trained and lightly supervised temporary workforce. None get more than four days of on-the-job experience every year. Even the election managers—the municipal and county clerks—work only part-time on that task. The 2016 presidential recount—for most election officials, a once-in-a-career opportunity to check their work—revealed that more than 1 in every 170 votes were incorrectly certified in the original canvass—mostly because of human error.

My correspondent and his fellow clerks also know that electronic malfunctions have already miscounted Wisconsin votes. They know voting machines are manufactured to be affordable for local government budgets. Many are old. Among all the businesses and government offices you enter in a year, the polling place is where you are most likely to encounter a 10- or even 20-year-old computer. They know that just last year, the Wisconsin Elections Commission had to decertify one model of voting machine because it was so unreliable it failed to detect up to 30% of the valid votes in individual precincts–in an actual election, not a test.

And when it comes to tampering, they know that many insiders have both means and opportunity—even without an Internet connection. Private companies manufacture Wisconsin’s vote-counting computers, and independent service companies maintain them. Those companies do not allow anyone to inspect the software, updates, and patches they install.

And no one has the ability to enforce good security practices. No state or federal official oversees either the local officials’ or the companies’ internal security. If the computers used by the private companies to update the voting-counting software had poor security, no one but the companies and hackers would know.

Between elections, the voting machines themselves reside in storage rooms all around the county. They are also off limits to inspection. I once asked another county clerk if he had ever inspected them for unauthorized wireless communications chips—something professionals warn about. That clerk told me that such an inspection would void the machines’ warranty. (Update: See the first comment below. The day after I wrote this blog post, the New York Times reported that county clerks in Pennsylvania–who DID have their elections technology independently inspected–discovered that ES&S technicians had installed unauthorized remote communications capacity.)

My correspondent knows all that. And yet he proclaims, on faith, that the vote-counting software exists in a state of virginal purity as each Election Day dawns.

I don’t believe this county clerk is stupid. I’d bet my mortgage he would know better than to patronize a bank where managers employ only temporary staff; rely on antiquated equipment; refuse to audit unless a customer pays the cost of a full recount; and proclaim the ATMs are always accurate merely because they are not connected directly to the Internet.

And aside from his resistance to rigorous auditing, I see no signs he is corrupt. So what is he thinking?

Like most other normal human beings, he might not be thinking anything.

Walter Fisher, of the Annenberg School for Communication, has studied the question: Why does thinking explain so little of our behavior? He concluded we are guided more by narratives—stories we tell ourselves—than by logical reasoning.

OnlyHackers.jpg

The human brain is a marvelous organ, but continuously encounters more twists and turns than it can process with its reasoning faculties.

So it invents stories. Some are true, some are false. But all are oversimplified because that’s their function—to help our brains make simple sense of complexity, to help us feel we’re in control.

My correspondent’s story fits that description: “Only one thing can produce incorrect vote totals: Internet hacking. So if we just keep voting machines offline on Election Day, our elections will be safe from hackers.”

Human error, malfunction, and insider corruption would complicate this narrative, so they are excluded. Not mentioned. Not seen.

County clerks have reason to embrace that narrative. Election administration is only one of their jobs, and they have only a few staff. The workforce on which they depend consists mainly of people who are hired by and report to someone else: municipal clerks; temps hired by the municipal clerks; and county canvassers sent by the two major political parties.

The county clerks’ own education and experience tends to be clerical or political, not managerial or technological. And because the State Constitution assigns certain duties only to them—no one else—they’re on their own. They are elected officials without a manager who can train and coach them, or share the blame when something goes wrong.

Sensible voters need to help our election managers switch to a new narrative. It needs to be simple. It needs to be clear.

It needs to give them courage to face up to their responsibilities as prudent managers of elections technology. I propose this one:

“As local election officials, we have the paper ballots and we control the canvass procedures. 

If we just use those to check that we’ve identified the right winners, our elections will be safe from every risk.”

Election officials give us only reassurance. We want security.

September 27, 2017 —

Main point: Public officials must keep the public both safe and calm. 
The danger is when election officials’ goal is reassurance, not safety.

Yesterday’s Wisconsin Elections Commission (WEC) meeting was packed with more cameras than I’d ever seen there. A few days earlier, the federal Department of Homeland Security announced that Russian-government backed hackers had tested the security of Wisconsin’s online voter registration system. They hadn’t gotten in. The ‘attack’ was, the computer experts say, like jiggling a locked door knob.

What voters get: “As you can see, it’s a beautiful day, the beaches are open and people are having a wonderful time.” – Mayor Vaughn, to a reporter.

“I don’t get it.” I told a reporter as the meeting got under way. “What’s the news here? Hackers are continuously testing every computer system. The Russian government is known for cybercrime. It would be news if they were not testing the security of our elections systems.”

I don’t remember his response, other than it wasn’t convincing. I fear the real answer is that his editors know which stories get the web clicks.

The facts that WEC shared were as I expected. State officials from the WEC and the Wisconsin Division of Enterprise Technology (DET) explained their system of continuous defense against hacking of our voter registration system (which is separate from the tabulation system, also known as the voting machines). Millions of efforts to get into the registration system are detected every week, from anonymous Internet addresses all over the world. Unrecognized addresses are locked out and if that fails, any unauthorized changes will be promptly noticed and reversed. If that fails, daily backups are made so that if some malicious code ever causes the system suddenly to garble or erase our voter registrations on election morning, a correct version can be quickly brought up. If that fails, paper backups are printed immediately before each Election Day.

State officials were convincingly competent and straightforward. The story that later appeared in the paper made the federal officials, not the state ones, look like the Keystone Cops. 

WEC and DET took the opportunity to explain the security of our voter registration system to the press—while the press was willing to listen. When officials are keeping us safe, reassuring the public is usually as easy and effective as just telling the truth.

The officials’ explanation about our voter registration system confirmed my trusting assumptions about its security.

But the security of our vote-counting software is a completely different story

Our election officials’ silence about security for that system should be a dead giveaway there’s a shark in the water.

Like ‘baby’ in a pop song, election officials’ yesterday continuously repeated “We’re talking about the voter-registration system, not the vote-counting systems.” The reporters’ keyboards clicked along to the beat. Yeah, yeah, yeah. None seemed to notice the story within that silence on the vote-counting software.

Here’s why we don’t get convincing, impressive descriptions of the security system for our voting machines: Because it doesn’t exist. At least when sharks are eating tourists, someone notices. But if anyone is hacking our voting machines, their crimes would go undetected as we swear their chosen victors into office.

Reassuring spin: “We’ve seen no evidence of tampering with the vote-counting system.” The furor about Russian testing of our voter-registration system’s security was made possible by federal officials’ looking for it. No one–local, state, or federal–reviews Wisconsin’s election results to make sure they are accurate. None of them make any efforts to detect any doorknob jiggling of our vote-counting software, which is proprietary and controlled by the voting-machine companies.

Reassuring spin: “Our decentralized vote-counting system makes hacking unlikely.” After the vote-counting software is produced at the companies, it’s downloaded to the dozens of computers that will be used to design the ballots for each election and to tell the voting machines how to read those ballots. These are the ‘election management systems’ that reside at the vendor’s regional offices, the voting-machine service companies like Command Central, and in the offices of county election officials.

When election officials talk about the security of the vote-counting systems, they often refer to this decentralization. They say it makes the system harder to hack.

But they cannot possible imagine that, to tip a statewide race, a hacker would need to design a hack specifically for every type of voting machine used in Wisconsin and alter the results in every county. You can see the silliness of that–What’s Russian for “Darn it, we missed Forest County. Well, maybe next year.”? There are enough votes in Milwaukee County alone, or a few other counties, to control the outcome of most statewide races.

Not only does the decentralization provide little protection, it multiplies the possible entry points and places them in the physical control of an army of people with no particular IT security expertise, and often no access to any.

After the software is downloaded to the local election-management computers, it’s revised for each new election and then copied onto removable drives–typically, the same sort of USB drive you can buy at the drugstore. The drives are then handed off to the municipal clerks, who load the software onto each voting machine.

On Election Day, it’s in the physical control of the poll workers. At this point, we should probably be hoping that the possessors of the software have no IT expertise, rather than wishing that they did.

Between elections, the vote-counting computers are stored in very town, village, and city in the state, under conditions that the election officials themselves don’t always control.

No one exercises any oversight of this disjointed system. Computer security expert Bruce Schneier told NPR’s Science Friday that federal voting-system security standards were outdated long ago, and no one is now exercising any oversight even if the standards were current. Vendors can coach county clerks on how to maintain security, but they have no way of knowing whether the clerks follow their instructions. To my knowledge (and I asked when I can), no state or local official ever attempts to oversee or even ask about voting-machine company security. They wouldn’t know how to evaluate it if they did, or any authority to force corrections.

Johns Hopkins University Computer Security Professor Aviel Rubin made a point of contacting the major voting-machine companies who count America’s votes. He reported “I have yet to meet an American voting system manufacturer that employs even one full-time trained expert in computer security.”

Reassuring spin: “Our voting machines are never connected to the Internet.” This used to be true, but there’s no machine on the market anymore without the capability of electronically transmitting results after the polls close. That, however, is not and never was the big risk. Connecting a voting machine to the Internet or to a cell phone tower after the polls close doesn’t give a hacker any opportunity to alter a hard-copy poll tape you’ve already printed. Having observed more poll-closings than I can count and several canvass meetings, I can vouch for the fact that is the one hack our election officials would likely detect and could easily correct. 

The vulnerability comes before the votes are counted, not after. The big risk of manipulation–in fact the one that forensic IT security experts deem the greatest–doesn’t come from the Internet at all, but from insiders with authorized access to the software. Because no state or local election officials have the authority or ability to inspect the vote-tabulating software for integrity, even lightly sophisticated individuals–at the voting machine company, the service company, the local official’s office, or anywhere along the chain of custody–could alter the software and not be noticed. Thousands of people have authorized access to our vote-counting software or hardware between every election. Many of them, in the testing laboratories, voting-machine companies and service companies, understand the code. Many of the others likely can be bought–they are humans.

But hackers without authorized access can get in. The vote-counting software is created, updated, and maintained not on each individual voting machine, but on computers that are almost certainly, at some time, connected to the Internet.

And local election officials have no way to tell whether and when the individual voting machines are communicating with other machines. Wireless communications capability can be installed inside any computer or voting machine–antenna and all–without their knowledge and controlled by anyone within transmission range. Local election officials never inspect the insides of the voting machines for surreptitiously installed wireless cards, and few would know what to look for if they did.

Reassuring spin: “No  election has ever been hacked.” The truth is, our election officials wouldn’t know if one had. They don’t use the one practical opportunity–checking the results against the paper ballots–to check the system’s integrity. If any election ever has been hacked, it’s likely no one noticed.

What voters need: “Smile, you son of a bitch.” – Martin Brody, to the shark.

Yet despite the widespread concern about the security of last year’s presidential election, not a single state had routine procedures in place to verify an accurate statewide vote count. Michigan, Pennsylvania, and Florida proved unable to document accuracy even when directly challenged, unable to get a recount even started.

Wisconsin did best. Every county at least double-checked things like the handling of absentee ballots, but only half of the vote totals were checked for accuracy. The other half were just run back through the same computers, so any electronic miscounts would have just been repeated. We know that some were miscounted twice.

State officials in Wisconsin recently scored a first, when in January they detected a few miscounting computers—after the winners from the previous November were already sworn into office. To their credit, they decertified the machines. They are still are not sure what caused the miscounts—they know ink color on the ballots contributed, and that from their size and randomness, the miscounts seem unlikely to be even a trial-run hack.

What to do?

Face it: State and local election officials will never have the authority, skill, or money to maintain strong IT security for our vote-counting software. It’s just not going to happen. Elections are too intermittent, the workforce too temporary, the property taxpayers too stingy to make good security possible.

Our only hope for protecting our election results from hackers–and from malfunctions, glitches, and human operator error–is to notice and correct any miscounts before results are certified.

If the polls opened and voter registrations were garbled, we would notice. Perhaps that’s why those responsible for the software are so vigilant–they know any laxity will get found out.

But we cannot sit by the television on Election Night and say “Hey! That’s not how we voted!” Voters have no way to tell honest election results from false ones. And maybe that’s why checking accuracy is such a low priority for our election officials. If they don’t detect the miscounts, they can keep saying–honestly–“We’ve never known an election to be hacked.”

Most states now have paper ballots, or at least paper audit trails, that could be used to check the accuracy of the computer output. National election authorities have developed, and national officials endorsed, efficient methods that don’t require a full hand count.

Every other public official takes responsibility for the accuracy of their work product. It’s long past time for voters to insist their election officials do the same.

WEC acknowledges machines can miscount, decertifies a voting machine

September 26, 2017 —  There’s good news and there’s … no-worse-than-usual news.

The good news is that today, the Wisconsin Elections Commission did what no Wisconsin elections agency has done since the introduction of computerized vote tabulation: They decertified a voting machine, the Optech Eagle.

And they did it for the best of reasons: It wasn’t counting our votes reliably. Now that so many ballots are marked in voters’ homes, in all sorts of ink, the machine is “no longer meeting voters’ and officials’ expectations.”

This is good. Not perfect, but good. The vote was unanimous. The Commissioners didn’t debate whether the machine should be decertified, but how quickly.  They didn’t vote to decertify immediately, but they soberly considered that possibility. And they did adopt some immediate safeguards.

As of today, all municipalities using the Optech Eagle must either count mailed-in ballots by hand, or re-make (that is, copy over) them using ink that can be detected by the machines. And they must keep doing that until they replace the machines, no later than December 31, 2018. In addition, if any contest tabulated by an Optech Eagle is recounted, it must be by a hand count.

This decision had several good angles to it.

First, the Commissioners’ comments, specifically mentioning Racine County, indicated that they accepted as true the reports of Liz Whitlock and the other observers during that recount, even though Racine County officials have not yet acknowledged any problems.

Granted, it would have taken chutzpah for the Commissioners actively to deny that Racine miscounted both the election and the recount, given all the hard evidence of similar miscounts from other counties and the weirdly high undervote rates that county’s canvass signed off on.

But the culture of election officials, in Wisconsin and elsewhere, is to band together against concerned voters and, if not to deny their truth, at least ignore it.  But in the discussion today, I did not pick up one whiff of the get-these-troublesome-citizens-out-of-here attitude to which we’re so accustomed. Good work, Liz and the rest of the Racine team! The State hears you, even if your clerk doesn’t (yet).

Second, the instruction that any recount be conducted by hand shows more courage and commitment than I’ve seen from any public official in a while. Here’s why: If some county decides to contest that requirement, it’s likely that a court would decide that the WEC has no statutory authority to order a hand-counted recount. The Commissioners were aware of that when they voted, but went ahead anyway. Set aside the fact that recounts are a thing of the past in Wisconsin; I like the kind of leadership that says, “Let’s do the right thing and see if anyone tries to stop us.”

Third, the decision signifies a distinct break from the old Government Accountability Board’s attitude toward elections technology. The old GAB—both board and staff—seemed resistant to even the idea that voting machines could miscount. I remember talking with them about the Medford miscount, when misprogrammed machines ignored all straight-party ticket votes. About a third of that city’s votes in a presidential election were lost. GAB staff told me, with a pained expression, “You can’t blame that on the machines!”, as if I would hurt the machine’s feelings if it heard me say it needed to be audited. I can so easily imagine the old GAB Director Kevin Kennedy defending the Optech Eagle with such an argument.

But WEC Director Michael Haas and the Commissioners are willing to take a stand: A machine that cannot count a valid vote has got to go.

I know I may be giving WEC credit for understanding the obvious, but it is a change from the way they were talking only two years ago. And that’s good.

The no-worse-than-usual news is, well, unsurprising.

  • The staff analysis of decertification stressed cost and convenience for clerks above all other considerations—to the point where I sat there seriously trying to think of how we could frame the risk of election fraud as a cost issue.

  • No one ever has investigated or resolved the causes of the worst Optech Eagle miscount. The WEC is just guessing it was the wrong ink. In Marinette, three voting machines missed 9.6%, 26.5%, and 30.8% of the votes on the ballots they processed. It’s almost certain that ink had something to do with it, but if the voters marked their ballots at home, why did voters in one section of town use unreadable ink at more than three times the rate of another part of town? And to add to the mystery, the municipal clerk told me that most of the absentee ballots in all three precincts were in-person early voters who marked their ballots in her office. Why would she provide the wrong pen at all, never mind provide it at different rates to the voters from the different precincts? Finally, in the one municipality where WEC staff did do a serious investigation of the cause of an Optech Eagle miscount, they couldn’t pin it entirely on ink. Something else is going on with those machines, and remaking the ballots might not fix it. 

  • Director Michael Haas, on at least two occasions today, referred respectfully to our testimony, and clearly understood what we were saying. But when he spoke most directly to the prospect of future routine election audits, he called it a ‘legislative issue.’ To me, that revealed his perception that Wisconsin’s local election clerks will not agree to verify election results unless forced by law. He’s probably correct, but that’s pretty darn sad. Thank goodness few other public officials take the same attitude toward their work product.

  • In my oral testimony, I cited several instances in which county boards of canvass certified obviously incorrect vote totals. I also spoke of the hard fact that none ever verify the vote totals before they certify. Sure enough, like a patellar reflex, the municipal clerk who spoke next offered indignant testimony: “We do too care about accuracy,” though she offered no facts to back up that claim.

    The truth of her statement depends on what she means by ‘care.’ I don’t doubt that she “feels concern or interest.“ 

    But until she routinely verifies the vote totals before certifying them, she does not “exercise serious attention or effort to avoid damage or risk.”

    So, WEC’s attitude toward election accuracy is improving. But the local election officials still haven’t mastered Step 1: Accept that you have a problem.

WEC likely to decertify Optech Eagle – and we’re asking for more.

Inaccurate preliminary vote totals are not a problem–if miscountsare detected and fixed before election results are declared final. 
The problem is, as these incidents show, that Wisconsin’s local election officials 
are making no effort to detect and correct even obvious miscounts.
Have the hackers noticed that yet?

* * * 

September 21, 2017 —  Following December’s presidential recount, when county clerks reported corrected vote totals to the Wisconsin Elections Commission, they changed at least 17,681 votes from the totals they had previously reported.

Ward by ward, candidates sometimes got more votes, sometimes less. We don’t know the full number of miscounted votes, because if recounters both subtracted and added votes to one candidate’s total in a single ward, only the net change showed up in the revised totals.  Election researchers at the UW-Madison, Harvard, and MIT worked with the data and estimated that in the original results, more than 1 in every 170 votes had been miscounted. *

If you can think of a way to miscount a valid vote, it’s likely that somewhere a Wisconsin vote was miscounted like that.

The recount discovered hundreds of absentee ballots still in their envelopes, uncounted on Election Day.

Write-in votes had been treated with extraordinary carelessness. The recount discovered that 1 in every 7 of Evan McMullin’s voters had been disenfranchised in the original count. Typos had erased nearly half the votes in precincts in Oneida and Milwaukee Counties. Votes had been double-counted in Eau Claire County.

The miscounts in Marinette, Outagamie, and Racine Counties are of particular interest to those who wonder whether Wisconsin’s local election officials are attentive, prudent IT managers.

Those counties and others used a voting machine called the “Optech Eagle.” This was once the workhorse of Wisconsin elections, but it never could read votes unless they were marked in an ink that contained carbon.

It didn’t read non-carbon ink in 2016, either, when tens of thousands of voters submitted absentee ballots they had marked someplace other than a polling booth equipped with an approved marking device.

So on Election Night, results indicated that Racine County voters were weirdly uninterested in the presidential race. Across the rest of the state, only about 1 in every 130 voters (0.77%) left their ballots blank for president. But in Racine County, almost 1.8% of the ballots were counted as if they were blank. In the City of Racine, the rate was even higher–2.6%.  In individual Racine County precincts, up to 1 in every 12 ballots was counted as blank.

In  Outagamie County, too, Optech Eagles were telling election officials that dozens of voters had cast no vote for president. In one municipality there, the machine saw no vote for president on more than 1.4% of the ballots.

The machines in the City of Marinette took the prize. The machine that counted ballots cast by absentee voters in the City of Marinette’s 7th and 8th Wards printed out results indicating no presidential vote on 9.6% of the ballots. The machine counting Wards 1, 3, and 5 saw no votes on 26.5% of the ballots.

And the machine counting Wards 2, 4, and 6 saw no presidential vote on 30.8% of the ballots it attempted to count.

To their discredit, local election officials either did not notice these obvious errors, or noticed them but chose not to correct them. Officials in these counties signed legal documents attesting that they had reviewed the election results and found them to be “correct and true.” But in fact, they hadn’t done that at all. At least not until the recount forced them to.

Marinette officials, who conducted their recount by hand, corrected their miscount in the recount. Outagamie officials recounted using the same machines and therefore did not detect their miscount until ordered to do a biennial voting-machine audit in January. By then, it was too late to correct the official vote totals.

Racine County officials still haven’t resolved their weird vote totals. They recounted by machine and so certified the bizarre vote totals twice–once after the election and once after the recount–without ever checking to see why they were so weird. In fact, county election officials were so determined to trust unexamined computer output that they refused to check accuracy even after the machines could be seen to be visibly miscounting during the recount.   

To their credit, staff of the Wisconsin Elections Commission took steps to figure out what was going on. In January, they asked Outagamie County to send their election materials, including the ballots, to Madison so that staff could examine them and make sure the miscounts were what everyone suspected: an inability to read the ink that many voters used to mark their ballots.

They concluded that ink almost certainly contributed to the miscounts, but that didn’t explain all the missed votes. WEC staff concluded “This exercise did not produce a result that allowed staff with confidence to understand how the Optech Eagle treated these ballots.”

Something else, in addition to ink color, was going on, and they couldn’t tell what it was.

In June, staff wrote a memo to Commission members, telling them ““The analysis of the performance of the Optech Eagle identified a significant limitation of the equipment.”

The Commission itself then did the right thing, too. They instructed staff to prepare a plan for decertifying the machine, to be decided next Tuesday at their September 26 meeting.

When the Optech Eagle is decertified, it will be illegal to use in Wisconsin. Municipalities will be forced to upgrade to newer machines with enhanced ability to count votes marked in any ink. And that will make our elections a little safer from miscounts. Professor Douglas W. Jones, of the University of Iowa Computer Sciences Department told me: “I’ve tested the newer machines with everything that I can imagine a voter using. Even glitter pens work, though I still wouldn’t recommend them.”

We cannot overlook the fact that two failures produced these miscounted election results.

First, the machines miscounted.

Second, local election officials certified those miscounts as “correct and true” anyway.

Replacing the unreliable voting machines with new ones will solve one limited problem. But no sensible person believes that no voting machine will ever again miscount Wisconsin votes. No computer system can do that, particularly when the computers are scattered among every Wisconsin city, village, and town; managed by an army of IT-naive temporary staff; and for which security is a responsibility split among vendors, service technicians, and local election officials.

How many elections did those old machines miscount before the recount revealed the problem to the general public?

And why didn’t Wisconsin’s election officials notice and correct this problem sooner?

Here’s why: Statutes provide Wisconsin’s local election officials with a review period following every election, called the ‘canvass’  during which they can review accuracy before they declare the election results final.

But the election officials don’t actually review accuracy. Most clerks are more polite than you see on that Racine County video, but they all place the same blind faith in computer-calculated vote totals. Wisconsin’s local election officials just point to the computer print-out and say “Oh, look who won.”

On Election Night, when the City of Marinette machines produced such weird numbers, poll workers noted tabulation problems in their Election-Night written reports. Yet neither the city nor county clerks took corrective action. They knowingly certified results that were obviously missing hundreds of votes.

You won’t find a county canvass anywhere in Wisconsin that does better. The Dane County clerk will tell you he’s the only clerk in the state who checks machines’ accuracy after every election (2 machines). But if you press, he will admit he doesn’t do that during the canvass. He waits until after he has already legally sworn that the results are accurate and has declared them final.

If the WEC decides to decertify next Tuesday, we commend them for taking action to solve the Optech Eagle part of the problem. We are also asking that they take steps to solve the other half: we are asking the WEC to provide the county canvasses with more specific instructions and stronger encouragement to verify accuracy before certifying election results.

More than 20 other states have already built some kind of verification into their canvass procedures, and they do not declare election results final until they have confirmed accuracy. Wisconsin is no better off than states with paperless touchscreens if all we do is seal our paper ballots in bags and never use them to verify the vote totals.

At the very least, Wisconsin’s county clerks need to begin to use simple, routine ‘reasonability tests,’ which are simple calculations they can do at their desks to look for vote totals that don’t make any sense–and then resolve any anomalies they see.

If we have any dedicated county clerks who want to take the lead to bring Wisconsin’s canvass procedures into the 21st Century, (ask yours!) our statutes already allow that clerk to adopt whatever canvass procedures he or she wants. National authorities stand ready to helpwith the implementation of modern methods of election auditing. 

There is no reason for Wisconsin voters to continue to trust our right to self-government to anonymous computer programmers or whoever hacked in behind them, or to hope that some IT Fairy Godmother will from now on protect our voting machines from any more glitches. 

Our election clerks could be checking accuracy if they chose to–and we need to insist that they do.

—-

* Stephen Ansolabehere, Harvard University; Barry C. Burden and Kenneth R. Mayer, UW-Madison; Charles Stewart III, Massachusetts Institute of Technology –  Learning from Recounts, Massachusetts Institute of Technology Political Science Department Research Paper No. 2017-12. July 2017.

We did good!

July 11, 2017 — The investigation of the 2014 Stoughton referendum miscount that I, Julie Crego, and Sue Trace did in 2015, in collaboration with Stoughton Municipal Clerk Lana Kropf, was recognized as “helpful” by the Civic Design Project, a joint effort of the User Experience Professionals Association and the Center for Civic Design

They recommended a  post from this blog to civic design professionals working in elections as “useful” because it “discusses the causes of incorrectly counted votes by paper ballot scanner and provides suggestions for proper ballot design and election day procedures to help prevent miscount errors.”