Summary: Wisconsin’s election officials have been informed of adversaries’ desires to sow chaos in American elections. And they have been informed of vulnerabilities in the voting-machine system that they cannot secure. And they have been informed of modern canvass practices capable of detecting and correcting any hacked results. And yet eight months before the Presidential election, Wisconsin’s election security plan still contains no mention of, or funding for, results-securing audits. This blog post is a last-ditch effort to motivate election officials to action by making sure that, if Wisconsin wakes up on November 4 to electoral chaos and no way to fix it, our election officials cannot claim they were not warned and could not have been prepared.
In 2012, former municipal clerk Jim Mueller spoke extemporaneously to a priority-setting conference of the Wisconsin Grassroots Network. I was there, but at the time naïve about election security.
Mueller told us that, as a local election official, he was required to sign a statement after every election attesting that the results were correct. He felt panic and despair when he realized Wisconsin’s election-administration procedures gave him no way to know whether that was true.
He explained that the voting-machine companies legally prohibit independent review of the vote-counting software. He told us that although the ballots are public records and local clerks their legal custodians, state election officials aggressively discouraged clerks from hand-counting the votes before they certified results. He described the blow-back from his fellow clerks when he proposed responsible review procedures. They didn’t want him to contradict their favorite labor-saving myth: Trust in the voting machines is a GoodThing.
Mueller’s passion led to the formation of Wisconsin Election Integrity. And for eight years, we’ve been pressuring the state elections agency—first the Government Accountability Board, now the Wisconsin Elections Commission—to promote canvass procedures that verify the correct winners before officials declare results final.
None of us present at WEI’s founding were aware of a growing national movement for secure elections. At that time, however, the federal Elections Assistance Commission was already funding pilot tests of an efficient, practical method of using paper ballots to quickly verify the correct winners, known as risk-limiting audits.
In 2020, awareness of the threats is fully mainstream. We’re no longer “conspiracy theorists” for acknowledging that no one can truly secure the voting machines. Vendors have testified under oath before Congress that the machines all contain programmable components manufactured in China, and that their technicians can and have installed unauthorized remote-access software on the county computers used to program the voting machines. It is those who deny the existence of vulnerabilities who are now considered irrational, not those who point them out.
Solutions have also become mainstream (at least outside Wisconsin). Federal agencies including the Department of Homeland Security are unanimous in promoting protective election audits. Groups as esteemed as the National Academies of Sciences promote routine outcome-securing audits. The House of Representatives has passed legislation that would require them. (It’s being blocked in the Senate by Mitch McConnell.)
As a result, this November officials in all or parts of as many as 20 other states will conduct audits that verify the correct winners. It’s unlikely any will detect hacked results because the protective audits’ primary value is deterrence: Why bother to mess with a state’s voting machines if officials are going to calmly detect and correct your handiwork before they declare the results final?
But in Wisconsin, if nothing changes between now and November, election officials will once again certify only unverified ‘winners’.
Sadly, half-measures have even made Wisconsin more, not less, attractive to chaos-seeking hackers. If WEC follows the same playbook in November that they have in the past, they will order municipal clerks to audit a few hundred randomly selected voting machines. But if those audits reveal a miscount, WEC has no plans for response and recovery before the certification deadline. They’ve developed no procedures capable of verifying the true winner. They’ve never said that the results of the hand-counted paper-ballot audit should be binding on the certified results.
Audit practices like those—designed only to reveal but not to correct any hacked results—make Wisconsin catnip for adversaries who want only to disrupt. Those adversaries want their handiwork to be detected. Then they want the system to freeze up, to be unable to regain its legitimacy, and collapse in recriminations and vicious legal battles. And it will. No matter how obvious the hack, attorneys for the Election-Night ‘winner’ are not going to smile and nod if WEC decides to prescribe novel canvass procedures only after seeing the Election-Night results.
The reason for this blog post is the same reason I testified yesterday at the WEC meeting, and it’s not a pretty one. I’m publishing this so that, if things go south next November, there is public proof that the Commission was warned. Because of the Commission’s resistance to giving voters a seat at the table during its deliberations, a ham-handed warning like this is the best a voter can do to motivate improvement.
WEC’s election-security plans contain no provision for results-securing audits because those plans are formulated inside a tightly closed feedback loop between local officials and WEC staff.
But local clerks are not knowledgeable about any security measures WEC does not teach them. For example, Commissioners spent significant time at yesterday’s meeting focusing on security education for the local clerks and expressing frustration with some who have not yet embraced even basic safeguards.
Yet nearly every page of the materials staff prepared for that meeting contained reference to local clerks’ input, opinions, surveys, and preferences—and none to voters’ or experts’. In one breath, the Commission was bemoaning the local clerks’ naivete and lack of commitment. In the next, they were relying on them as their exclusive source of security guidance.
For eight years, I and other WEI participants have written letters and testified in the five-minute blurbs the Commission allows. Last year, Chair Dean Knudson did ask me for a letter about risk-limiting audits, but because public input is the thing-they-must-not-admit, I received no response or even acknowledgment that they’d received it. In fact, I cannot remember ever receiving the Commission’s response to anything but legal open-records requests.
So, it comes to this icky way to try to get WEC to exercise leadership for truly results-securing audits, after eight years of polite requests. This blog post is evidence: If Wisconsin election officials still have no orderly procedures in place to detect and correct hacked results, and we wake up on November 4th to find that Trump has carried Wisconsin on the basis of enormous support in Milwaukee County, or that Sanders carried the state thanks to Waukesha County, the Wisconsin Elections Commission cannot say they were not warned, and could not have been prepared.
In brief: Vendors are promoting and officials are buying the idea that voters should give up their pens and mark ballots with computers known as ballot-marking devices, or BMDs. Why? How is that better than hand-marked paper ballots? As with many election-administration issues, the debate features strong opinions and little objective data. Much of the relevant research is conducted by people with a financial or professional interest in promoting BMD technology. Little is conducted by independent unbiased researchers, and only local print shops have a financial interest in promoting hand-marked paper ballots. In this blog post, I’ve tried to present the best arguments for BMDs and to cite unbiased data (I’ll edit it to add more as I find it.) Bottom line up front: BMDs are necessary for voters with disabilities, but when used by a majority of voters, they address only insignificant problems while introducing serious risks for both security and voter confidence, plus additional cost.
Everyone knows how to fill in an oval. We’ve completed standardized-test ‘bubble sheets’ since we were kids. And most of us understand that computers tabulate the results by reading (techies say ‘interpreting’) the marked ovals. So we understand, basically, how hand-marked paper ballots work.
Ballot-marking computers are less familiar. Originally promoted in the early 21st-century to enable voters with disabilities to mark ballots privately, manufacturers have more recently promoted ballot-marking devices (BMDs) for all voters. They used to call these machines ‘accessible’ machines; now they call them ‘universal’ machines. Voters select their candidates on a computer touchscreen or other electronic input device, and the computer prints a marked ballot. They then insert the ballot into a tabulator, sometimes archaically called an ‘opscan,’ which reads and tabulates it. BMDs used in Wisconsin include the ES&S ExpressVote and the Dominion ICE.
Many of the BMDs’ drawbacks are obvious, so I’ll skim over them in just five paragraphs. Anytime you replace any manual task with a computer, you introduce possibilities for new types of error, malfunction, and manipulation–and the need for new security practices to address those risks. Misprogramming could cause the BMDs to print votes for candidates other than those the voter selected, or to print no vote even though the voter made a selection. As with other elections technology, risks include mistakes or corruption by any of the many people within voting-machine companies and local election offices who have authorized access. If any of their operations are compromised, unauthorized people might get access, too.
In addition to the risks of misprinted ballots, there’s little debate that voting takes more time when each voter has to scroll through several screens; review their selections once on the touchscreen; and review them again after the ballot is printed. Add that to the fact that election clerks cannot quickly or cheaply increase the number of ballot-marking stations during heavy turnout elections or times of day, and you have a recipe for longer Election-Day lines.
But the most heated debate is over whether voters are able and willing to verify their computer-printed ballots. Elections must start with correctly marked ballots. With hand-marked ballots, voters reflexively verify the correct marks. As we lift our pen from the paper, it would take effort not to notice whether the pen made the mark we intended it to make. But when a computer marks our votes, verification requires the voters to make a separate, deliberate effort to check the computer’s output. BMDs place this critical security responsibility entirely on the voters: if the BMD starts misprinting votes, only voters—not poll workers, not auditors, not recounters—can notice.
But that’s not all: election officials must be prepared to act on voters’ reports of problems if the election is to be safe from misprinting BMDs. The unalterable fact is that BMD-based election results cannot be confirmed unless voters 1) reviewed the printed ballots; 2) noticed any problems; and 3) reported those problems to officials, and unless officials then 4) treated voters’ reports seriously and 5) took action to diagnose and correct any problems. This challenge is unique to elections: You cannot think of any other business or government function where managers responsible for the computers rely solely on customers to report problems, but then when customers do, the managers have no way to know whether the problem was with the computer or the customer. No one has yet demonstrated that any of those five things can be done reliably in real-world elections, and several … studies … indicate … they cannot.
Less obvious but just as unalterable is the fact that BMD-printed ballots cannot be used in the most critical type of election audit: one that seeks to verify which candidate was selected by most voters. BMD-printed ballots don’t work for those audits because they preserve no direct evidence of either the voters’ selections or their verification. (For a visual explanation of this point, see the image at the end of this post.) When BMD-printed ballots make up only a small proportion of the total ballots, an audit might still be able to confirm the correct winner. However, if a large proportion of the ballots provide no evidence of either the voters’ selections or their verification, anyone working to established professional audit standards must throw in the towel.
The benefits of BMDs are quickly evident only to those who have better-than-average knowledge of elections administration. Cynics say the manufacturers’ motive is simple. As states replace paperless machines, vendors see a revenue-enhancing opportunity of the sort that other companies might brag about in their annual stockholders’ reports. (“We’ve found a way to sell $5,000 computers instead of pens!“) But America’s major voting-machine companies are privately owned and have no stockholders, so even if this is their strategy, we can’t confirm it.
In public, BMD proponents usually point to a few legitimate problems they believe BMDs solve: Badly hand-marked ballots; the need to store multiple ballot versions at some polling places; and the needs of voters with disabilities. Officials and voters need to ask: “How serious are these problems, and do BMDs solve them better than less risky or less costly solutions?”
Arguments in favor of BMDs, Round 1: MESSY VOTERS
BMD proponents will tell you that messy hand-marked ballots are intolerable. My own county clerk is outspoken on this point. I don’t have a ready quote but if you ask him to share his thoughts on voters’ oval-marking abilities, his answer will make you ashamed you ever imagined your careless, stupid, sloppy fellow voters were capable of such a task.
Pen-wielding voters can get messy. They write random comments on their ballots and mark Xs over ovals instead of filling them in. Others get confused and mark too many candidates in one race. That’s called an overvote and if not caught, it disenfranchises the voter in that race. Hand-marking voters might accidentally skip a race, particularly if ballot design is poor. Finally, I’ve had a BMD proponent tell me that voters sometimes accidentally fill in the wrong oval, but I have no idea what sort of evidence could prove that or why that problem wouldn’t also occur with touchscreens.
I’ll come back to ballot design, but individual voters’ sloppiness does not threaten election outcomes. Only a tiny number of hand-marked votes are ruined in a way that could be prevented by using BMDs, and those errors affect all candidates randomly.
Yes, individual voters can be sloppy, but the truth is that tabulator technology (not BMDs) has already reduced this problem to insignificance. When a voter casts an overvoted ballot, the tabulator identifies the problem and gives the in-person voter a chance to correct it or cast it. (Mail-in voters are not present to fix overvoted ballots rejected by the tabulators, but BMDs can’t help them anyway.)
The tabulators’ ability to interpret idiosyncratically marked ovals has also become impressive in recent years. (There’s data on this; I’ll add it when I locate it.) Modern machines have no trouble reading any color or composition of ink. Professor Douglas Jones of the University of Iowa Computer Science Department told me he tests machines with everything up to and including glitter pens, and they perform well.
But most importantly, the problem of ambiguously or incorrectly marked ballots is very small to start with. Anyone who has participated in a hand count can tell you that probably only one hand-marked ballot in every 250 or so is oddly marked. Of those, only a tiny fraction are marked so badly as to render the vote uncountable. The Dane County Clerk (the one who so disdains voters’ ability to mark ovals) posts digital images of the ballots online, so if you have the storage space on your computer and the time, you can examine thousands of real ballots yourself. Try it: how many hand-marked ballots (on those linked files, the individual files ending in “i” for ‘image’) do you need to examine before you find one that is overvoted or mismarked in any way? Preventing that small a number of errors cannot possibly be worth the cost and risk of making everyone use a computer to mark their ballots.
Recount data are objective and can help us quantify the problem. In 2008, the state of Minnesota performed a recount of a US Senate race in which 2.9 million ballots were hand-counted. Advocates for both major candidates aggressively looked to find votes they could challenge. They found plenty of officials’ errors—misplaced ballots, mishandled absentee ballots, and more. But by the time they were done, they could find only 14 marked ovals that had to be adjudicated by the state elections board. That’s one fatally mismarked vote in every 206,111 votes, or 0.000485%. That is nowhere near enough to justify taking on the risks of computer-marked ballots.
Wisconsin’s 2016 recounters found many of the same problems. They did not record their findings as thoroughly as Minnesotans did, but not one of the 72 counties’ recount reports noted encountering even one ambiguously marked oval. The WEI hand count of 4,580 ballots in Racine County found no fatally mismarked ballots, either (other than carbonless ink, which is not a problem for modern tabulators.) So whatever Wisconsin voters’ error rate is, it is less than 0.022% (22 thousandths of one percent)–again, not enough to justify the risk of universal BMDs.
What little data BMD proponents have offered me to quantify the hand-mismarking rate has been irrelevant. David Becker, Executive Director of the Center for Election Innovation and Research (CEIR, a voting-equipment company) tweeted me a list of recounts he claimed had found decisive rates of voter error. I looked into each. None were reported to have found even minor levels of ballot-marking errors. As in the Minnesota and Wisconsin recounts, the significant reported causes of miscounts were officials’, not voters’, errors. When I gave him one more chance to provide data showing that voter errors have affected outcomes, he replied: “Facts are stubborn things … but still, there are many, many elections where ambiguous (hand-marked votes) exceeded the margin. Not even arguable. But happy to help point you in the right direction. I think we’ve reached the end of the constructiveness of this convo.”
That’s not the reply you get from someone who possesses evidence to prove his point.
If anyone were to compile data about hand-marking error rates to inform this debate, they would need to exclude mail-in ballots. Any poll worker knows mail-in ballots are prone to mishaps like soaking up coffee stains and getting fouled with envelope glue. But that’s not relevant to the advantages of BMDs, because BMDs cannot help at-home voters anyway. I’ve also had BMD proponents refer me to data about error rates on standardized tests’ bubble answer sheets. But I see no reason to assume the error rate in marking ballots (where ovals are directly beside candidates’ names) is similar to the error rate in taking standardized tests (where ovals and questions are on separate documents.)
Aside: Speaking of an analogy with standardized testing, imagine that the ACT and SAT companiesswitched to having students select their answers from a touchscreen; printing out the answer sheets with bubbles already marked, and telling the students they must verify the printed answers because managers have no way to tell if the machines accurately recorded their selections. See any problem?
In contrast to individual errors, poorly designed ballots are a more serious problem. Poor design can systematically disadvantage one candidate or favor another for every voter — not just the careless ones. It is, therefore, more likely to affect an outcome.
But poor design is a problem for both printed ballots and those displayed on a computer screen. Officials have designed printed ballots that ‘hid’ a race under a column of multilingual instructions, and have also designed BMD displays that forced voters to scroll onto additional screens to see the entire list of candidates. Printed ballots arguably have a small advantage because they can be printed in newspapers before the election, a practice that has, on occasion, enabled voters or candidates to identify design errors officials had overlooked. Either way, officials must learn and follow established guidance on ballot design.
Score so far: Preventing voter error gives a microscopically detectable advantage to BMDs. Mismarked ballots have been mostly resolved by tabulator technology except for some of the problems with mail-in ballots, which BMDs cannot help with anyway. Poor ballot design can be a serious threat but gives hand-marked paper ballots only a microscopic advantage, from the increased opportunity to detect problems before Election Day.
Arguments in favor of BMDs, Round 2: MULTIPLE BALLOT STYLES
For better or worse, both officials and voters have begun to embrace early offsite voting. Election officials want to set up voting sites several weeks before each election in places like libraries, to which voters can come from all over the city to cast their ballots. These are called ‘multi-ward sites.’
In any city, in any election, it’s possible that several different ‘ballot styles’ will be needed. Different areas of the city might be voting on different city council races. In gerrymandered states like Wisconsin, congressional district boundaries can cut through even the smallest municipality. When those municipalities set up multi-ward voting sites, each site must stock several different ballot styles. This creates more work for the poll workers at those sites, both in handing out the correct ballots and in keeping track of the ballot inventory (an important security practice.)
BMDs address that problem by electronically storing several different ballot styles. When the poll worker enters the voter’s ward number, a correctly programmed BMD will display the correct ballot for that voter.
However, every BMD manufacturer also sells blank-ballot-on-demand printers. These cheaper computers store multiple ballot styles, but they don’t mark the votes before they print the ballot.
Score for this round: No advantage for either. Multi-ward voting sites are a challenge with pre-printed blank ballots. But there’s a solution that doesn’t force us to accept the risks and cost of universal BMD use.
Arguments in favor of BMDs, Round 3: VOTERS WITH DISABILITIES
Spoiler: BMDs win this round, for people with disabilities. No other solution, even on the horizon, enables voters with vision or movement impairments to mark their ballots privately at the polling place. For this reason, BMDs are as indispensable as accessible parking spaces and public restroom stalls.
And there’s no disagreement that we need to make BMDs available to everyone even when we don’t encourage their use. Impairments can be temporary so it wouldn’t work to force BMD users to prove a disability, as we do with accessible parking spots. I once left my reading glasses behind when I went to vote and appreciated the opportunity to be able to enlarge the ballot so I could read it more confidently.
Some disability groups argue for universal BMD use out of a concern for what they call segregation. That argument falls apart when we consider how we handle all other public accommodations. We don’t rip out curbs and stairs when we accommodate wheelchair users with curb cuts, ramps, and elevators. Ripping out all the smaller restroom stalls to give everyone an accessible stall would increase cost and lengthen lines, just as it does with BMDs. If we handle polling-place accommodation the same way we handle other public accommodations, we can protect disability rights without degrading election security.
Another complaint, however, is confirmed when we compare it with other types of accommodations: Unreliable set-up of the BMDs. As with the occasional unshoveled accessible parking spot or curb cut, voters sometimes discover that the BMD hasn’t yet been turned on when they arrive at the polling place. But again, the problem could be addressed with less extreme measures, such as improving poll workers’ training and oversight. The League of Women Voters incorporates BMD set-up into their observation program (volunteer here!), as do disability groups. Voters who don’t use the BMD can help. If you have an extra five minutes to spend at the polling place, look to see whether the BMD is set up and ready to go. If not, ask to use it. It’ll take a few extra minutes of your time, but you will strike a blow for disability awareness.
BMD promoters also argue that users have more privacy when everyone uses the BMDs. Privacy is a genuine issue when only one or two voters use the BMD and the BMD prints ballots that contain only the voter’s selections, rather than full ballots with marked ovals. But some BMDs print ballots that are nearly indistinguishable from hand-marked paper ballots. Anyone trying to identify the sole BMD user’s ballot after poll closing would have to carefully examine every ballot cast that day, and even then could not be sure of finding the printed ballot.
On the other hand, BMD users’ ballots are more secure when there are only a few. When only one or two people in each polling place use the BMD, malicious actors could neither swing an election nor create chaos by tampering with the lightly used equipment. In contrast, widespread use makes BMDs a more attractive target for mischief.
Score for this round: BMDs must be preserved to accommodate people with disabilities. To preserve users’ privacy, only BMDs that print full ballots should be used. But for universal use, the advantage goes to hand-marked paper ballots. To bolster BMD security, their use should not exceed a small percentage of the voters.
RELATED ISSUES: ENCODED VOTES AND HYBRID MACHINES
I hope I’ve demonstrated that when discussing BMDs in general, we can logically examine actual problems, seek relevant evidence, and assess the costs and benefits of possible solutions. But for two specific types of BMDs—hybrid machines and encoding BMDs —I see no well-reasoned pro-and-con debate. Proponents can identify no consequential problems that justify the existence of these machines, even if they added no risk.
Hybrid machines combine ballot-marking devices and tabulators in one machine. Only their manufacturers are comfortable with the fact the machines are able to print votes on the ballots after the voter has cast them. Neither voters nor officials have any way under any circumstance to detect the alterations or to recover the true votes if they could detect the altered ballots. That’s unacceptable. Full stop.
As of August 2018 (WEC’s most recently updated inventory), hybrid machines (Dominion’s ImageCast Evolution) were in use in Door, Fond du La, Green, Ozaukee, Racine, Trempealeau, Vilas, Walworth, Washington, Waupaca, and Winnebago Counties.
Encoding BMDs record each vote twice on each ballot, once in barcode or QR code, and separately in a list of names for the voter to review. The tabulators count only the encoded votes, while voters can verify only the text. Encoding gives voters no choice but to trust that the countable votes were recorded correctly.
Encoding BMDs are in use in the counties listed above, plus those that use the ES&S ExpressVote: Columbia, Dane, Dodge, Douglas, Eau Claire, Jefferson, Kenosha, Lafayette, Milwaukee, Outagamie, Pierce, Sauk, St. Croix, and Waukesha, and perhaps more. Because the City of Madison encourages BMD use by early offsite voters, it is likely that more than 30% of Madison’s votes are now encoded.
The critical risk is obvious: How do either voters or officials know that the BMDs correctly encoded the voters’ Election-Day selections? The machines’ proponents will cavalierly tell you officials can detect any incorrectly encoded vote in an audit or recount (assuming the text vote was not also mis-recorded). Yes, they can. But they won’t. We do not yet live in a nation where election officials routinely audit or recount.
And give a thought to what would happen if a post-election audit did detect that encoded votes were different than the text-readable votes. Aside from the chaos that could have been avoided had voters been able to detect and report the misprints on Election Day, who is going — legally — to determine which of the two conflicting votes is valid?
Encoded-vote proponents naively assume lawyers, judges, and combative candidates will passively agree the text votes should be counted. But Wisconsin’s law explicitly allows ‘recounting’ by machine, and contains nothing that provides for counting one set of votes (the encoded ones) on Election Day and a different set (the ones in text) in a later audit or recount. I doubt any other state’s law does, either.
And if there was such a law, what would it say? Perhaps: “Only votes printed in voter-verifiable text may be counted in post-election reviews because audits and recounts must be convincing and decisive. But encoded votes are good enough for Election Day because … “?
In my experience with encoding proponents (emails, Twitter, and at WEC meetings), I’ve encountered none who could both describe and quantify any problem that encoded votes are designed to solve. Without that information, neither they nor we can assess whether the added risk is justified.
I shredded the vendors’ arguments put forth at WEC meetings in an earlier post. Since then I’ve had several discussions with encoded-vote advocates who put forth better arguments.
Ben Adida, Executive Director of VotingWorks, a nonprofit voting-equipment company, explained two reasons for encoding votes. First, it is “easier to get to a high level of reliability” in the tabulators’ interpretation of the marks when they are recorded in QR. In the context of our discussion, I understood him to mean that it’s easier for developers, and that he is speaking about QR codes in comparison to machine-printed ovals.
To assess whether this additional ease or reliability is worth sacrificing voter verifiability, we would need to compare data on tabulators’ error rate with marked ovals to their error rate with encoded votes. QR codes reduce the error rate from what to what? My sense, however, is such information is not worth digging for. If the tabulators were making any noticeable level of oval-reading errors, any real-world recount of marked-oval ballots would have detected it. None has. It is not a problem.
Adida’s second reason was: “More importantly … (if you) want voters to check (a BMD-printed ballot), a summary ballot is going to be much easier to check than a multi-page bubble ballot. And we really want voters to check their BMD ballot.”
In my opinion, that’s the best argument for ballot slips I’ve encountered (once you’ve accepted universal BMD use, that is.) However, we still need evidence before acting on it. I’ll keep an open mind, but my sense is that objective study would show that, regardless of the length of the ballot, voters’ reviews are more accurate when they can see the names of both the candidates they did and did not vote for. In particular, voters need to see the whole question to review their referendum votes.
Adida added that developers are working on the possibility that BMDs could print votes only once, in human-readable text, for tabulators that can reliably use optical character recognition (OCR) to count the same votes that voters are able to verify. When that technology is ready, in my opinion, the question of ballot slips’ safety could be revisited–though it still would not establish a need for ballot slips in place of full ballots.
Aside from Adida, encoding proponents with whom I’ve engaged rely heavily on motivated reasoning. For example, proponents often reflexively deflect discussion of BMDs’ undeniable flaws (e.g., voters cannot verify encoded votes) by tossing out irrelevant facts. For example, many have pointed out that voters cannot read the timing marks at the edges of printed paper ballots, either. True but irrelevant: the timing marks are not the input that voters must be able to verify. And if the tabulator misreads the timing marks, that’s a problem with the tabulator, not the ballot.
Also irrelevant is the fact that just as BMDs could be misprogrammed to print the wrong votes, paper ballots can be misprinted to put candidates’ names in different spots than the tabulators are programmed to find them. Again, true, but the risks are far from comparable. A misprinted-ballot fraud would have to involve or originate with the local printing company and involve several layers of conspirators to avoid detection during pre-election testing and distributing the misprinted ballots to polling places. It would, therefore, be limited to individual counties or municipalities. It is not comparable to a BMD hack that could originate in Omaha or Pyongyang and affect up to 55% of the BMDs in Wisconsin (the market share of the most popular model.)
When I argue like that, I know I have no truly solid points to make. It’s not earnest problem-solving discourse.
SO WHY DO OTHERWISE SENSIBLE PEOPLE SUPPORT THESE THINGS?
I’m not ready to say all, or even any, encoding proponents have corrupt motives. My most charitable guess is that the technology developers are like the proverbial children with hammers who perceive everything needs pounding. Where you and I see only minor blemishes, geeks perceive possibilities for major fun and profit. Intensely focused on bringing cutting-edge technology to the election-equipment market, they don’t pause to think about real-world issues such as the chaos that will blossom when litigious parties to a recount realize they can fight over which vote to count on each ballot.
I also suspect that developers, accustomed to working with private-sector businesses, overestimate the likelihood that local election officials will implement security practices the developers consider obvious and necessary. Elections are run by a small army of lightly trained, minimally supervised, part-time, temporary employees who get no more than four days on-the-job-experience every year. The officials who manage that army often exhibit a child-like trust in voting equipment that, in their own words, makes them reluctant to implement recommended security measures. The following are real quotes from real Wisconsin county clerks, which I’ve collected from newspaper articles, emails, and phone conversations over the past two years:
“I don’t need to audit to be very confident the results are accurate.”
“Honestly, I am not concerned about any kind of hacks into our system. Everything is hardwired.”
It’s an “irrational belief that Wisconsin’s highly decentralized and secure elections infrastructure is vulnerable to the kind of meddling that might overturn the will of the voters. All our software and hardware has been federally certified.”
“Why pay $8000 and more for a voting machine if you have to (check its accuracy)?”
Auditing “would defeat the purpose of having the voting machines.”
“Why should we audit? Things work well and when something works well, you don’t mess with it.”
Accustomed to working with private-sector executives who might lose their jobs if they did not implement manufacturer-recommended security measures, it’s quite possible that developers don’t understand they are selling equipment to officials who genuinely perceive no need to manage it professionally.
And why do election officials buy and promote the encoding BMDs and hybrid machines? As I write this, Pennsylvania officials are in court defending their decision to force encoding BMDs on all voters there. If I can get a copy of their briefs, I’ll know definitively what they put forth as their best arguments.
Based on what I already know — for both this and other issues — my most charitable guess is that election officials rely exclusively, even mindlessly, on vendors for information about the products’ risks and benefits. With little IT expertise of their own, they cannot ask sophisticated questions or notice what the salesperson is not saying. Example: for years, vendors were telling them the equipment was not connected to the internet, and election officials believed them, even as they instructed poll workers on how to wirelessly transmit election-night results to the county elections-management computer. Local election officials have no relationships with unbiased elections-technology professionals and no Consumer Reports-type counsel to inform voting machine purchases — pr at least none that the election officials accept as authoritative. Finally, they are too pressured by time and money do much other than grab the hand of the friendly voting-machine vendors and follow where they lead. The problem is exacerbated by the nature of the voting-machine market.
WHAT VOTERS CAN DO.
Encourage your local clerk to purchase only the minimum number of BMDs needed to ensure accessible polling places and to refrain from encouraging voters to use BMDs in situations like early voting.
Pressure your local clerk to adopt policies that: 1) enable poll workers to take voters’ report of misprinted ballots seriously; and 2) describe an effective response when voters report malfunctioning BMDs. The policies must be in writing and must be specific. They won’t help if all they say is: “if poll workers receive more than a few reports of misprinted ballots, they should report to the municipal clerk.” How many is more than a few? What will the municipal clerk to determine the nature and extent of the problem, and what will the clerk do if the BMDs are misprinting?
Mark your own ballot with a pen whenever you can. If you must use a BMD, be prepared to spend extra time at the polls to review it carefully. Ask for a copy of a regular paper ballot against which to check your BMD-printed ballot. (That will help you remember all the races and candidates.) If you find an error, don’t just assume you did something wrong. Insist the poll worker report it to the municipal clerk.
Join with others to get encoding and hybrid BMDs out of Wisconsin entirely. Email email@example.com, and I’ll contact you when we get enough people interested to start action through formal complaints or a lawsuit.
Photo: Michigan election officials assess the results of a manual count of a sample of ballots for a risk-limiting audit in 2018. Photo credit: Berkeley Institute for Data Science, UC-Berkeley
Think of “risk-limiting audits” as low-effort exit polls.
Exit polls determine who won by asking randomly selected voters “Who did you vote for?” Risk-limiting audits work on the same principle to confirm the correct winners, but they do not involve talking to voters. Instead, RLAs pose the question directly to randomly selected paper ballots.
Either way, a small sample can provide statistical proof of who really won the election, independently of the vote-counting computers.
No one in Wisconsin now does risk-limiting audits. Sometimes local officials spot-check a few randomly selected voting machines, but to any sensible risk manager’s horror, none have any specific plans for what they will do if any of those random voting-machine audits ever detects a serious miscount. Risk-limiting audits, in contrast, always resolve any problems they detect.
The Wisconsin Elections Commission has shown some mild interest in the possibility of using outcome-verifying audits to secure our elections. Every sensible Wisconsin voter should be pressuring them to do more. Here is the memo I submitted to WEC in December 2019, to help them understand how very practical this effective safeguard could be.
There’s no one correct way to do a risk-limiting audit. Our election officials could sample individual ballots (less work) or entire polling places (more work). They could do nothing more than confirm the correct winner in one race (less work) or they could answer other questions at the same time (more work).
A risk-limiting audit of a statewide election in Wisconsin
could be this easy and cheap:
1) After they close the polls on Election Night, poll workers would record how many ballots they seal into each bag. Using this information, the municipal clerk would create a “ballot manifest” (e.g., City of Abbotsford: Bag #1 – 234 ballots; Bag #2 – 122 ballots).
It’s unlikely anyone has ever counted, but a fair guess is that a big election produces around 4,750-5,000 sealed ballot bags statewide. One bag can contain a maximum of around 300 ballots but might contain fewer than 10.
2) The day after the election, every municipal clerk would send their ballot manifest to the Wisconsin Elections Commission. The WEC could create an online reporting form to make this task easy and quick. It wouldn’t need bullet-proof security if the municipal clerk also mailed a hard copy of the manifest to WEC, and WEC staff later verified them against each other.
3) The WEC would then assign a number to every ballot in the state. For example, ballot numbers 1-234 would be assigned to the first bag from the City of Abbotsford; numbers 235-356 to the second bag, all the way up to the last bag from the Town of Yuba, which might be assigned the numbers 2,673,149 – 2,673,308.
The size of the sample depends upon the Election-Night margin of victory. If the margin is large or normal, the sample size will be small. For example, the 2018 contest for the US Senate was neither close nor a landslide: 55.4% to 44.5%. A risk-limiting audit of that race would have needed an initial sample size of only 401 ballots across the entire state. However, officials could choose to select a larger sample to provide voters with ’emotional’ confidence in addition to statistical confidence.
An extremely close election such as the 2018 Governor’s race (49.5% to 48.4%) would have needed an initial sample of 37,841 ballots (out of almost 2.7 million cast). But it’s these races that officials legitimately need to be most careful about, and it’s the very close races that, when left unaudited, provoke the most candidate resentment and voter suspicion.
Wisconsin election officials have already demonstrated they can handle larger sample sizes. For comparison, the voting-machine spot-checks conducted after the November 2018 election required officials to count votes from 135,712 ballots — more than 3.5 times the number of ballots they would have needed for a risk-limiting audit. But because of the way WEC selected that sample and their instructions that auditors ignore voter intent, that effort did not confirm the correct winner in any race.
Wisconsin election officials counted 135,712 ballots in the random voting-machine spot-checks after the November 2018 election, but used a method that did not confirm the winner in any race. A risk-limiting audit of the same election would likely have verified the correct winners in the statewide races with only 37,841 ballots.
And because races from the same ballot (as those two races were) do not need separate samples, a risk-limiting audit could have verified all the statewide contests on the ballot in that election–an accomplishment of enormous value to election security and voter confidence.
5) WEC would randomly select ballot numbers and then use the statewide ballot manifest to identify the bag in which each of the selected ballots is stored. For example, if ballot #284 turned up in the random sample, the WEC would know it is in the second bag from the City of Abbotsford. If the random selection turned up ballot #2,673,193, they would know it is in the last bag from the Town of Yuba.
6) At this point, WEC could ignore the hypothetical numbers they assigned to each ballot and tell the municipal clerks only the number of ballots to be randomly selected from each bag. For example, the WEC would tell the City of Abbotsford clerk to randomly select one ballot from the second bag. The instructions for random selection could be something like: “In the presence of observers, pull the ballots out of the bag, set them in a stack on the table, let an observer from each political party cut the stack several times like a deck of cards, cut the stack two more times, and select the ballot at the bottom of the last cut.” Other methods could be prescribed for jurisdictions that use machines that print flimsier forms of paper ballots.
7) The municipal clerk would display the selected ballot to the observers; fax it to the WEC; mark it with red ink indicating it was the ballot selected for the audit; put it on the top of the stack of ballots; and reseal the bag.
8) The WEC would conduct a publicly observed manual count of the faxed ballots and enter the results of that count into the standard risk-limiting audit formulas. If the proportion of votes for the Election-Night winner in the manual count is close enough to the proportion reported on Election Night, the result is confirmed. The audit would be concluded and the county canvasses could conduct their certification process as normal.
If the proportion of votes for the Election-Night winner differed too much, an additional sample would be drawn and counted. That process would be repeated until statistical confidence in a winner was established. The WEC would need to adopt policies to govern what will happen in the rare event that the sample has to be expanded more than twice, or if the confidence level declines as the sample is enlarged. Likely, WEC would stop the audit, declare a lack of confidence in the preliminary Election-Night results, and order a full recount on its own initiative.
Other states’ election officials think their voters’ right to self-government through secure elections is worth at least that much time and effort.
If you think Wisconsin elections are worth the effort it takes to conduct a genuine risk-limiting audit, contact your county clerk and the Wisconsin Elections Commission to tell them so.
Last week, a reporter and I were discussing election hacks that might happen in Wisconsin. He has done his research and understands the threats. He posed an interesting question: What if hackers wanted only to create chaos and distrust, rather than change the outcome of a statewide election?
Hmmm…what would happen? I thought through the likely chain of events and realized it is not possible to create distrust by hacking a Wisconsin election — but not for the reason you would hope.
If this was a movie, it would be a black comedy with a twist ending. The big gasp would come when the election thieves (along with the viewers) realize the fatal flaw in the plan …
Scene 1 opens in the messy office of computer hackers. They are working for a foreign government that has its eyes on the US presidential election. They are celebrating because they just succeeded in compromising a small voting-machine service company in eastern Minnesota.
Scene 2 takes place in the Intelligence Headquarters of the foreign capital. The hackers are reporting their progress to the chief.
“The good news,” they say, “is that we know how to make that company provide compromised software to all its customers. Local election clerks will never know. They never inspect the software and their cute pre-election tests cannot detect hacks that activate only on Election Day.”
“The bad news is that the company controls only some of Wisconsin’s voting machines. They don’t have enough votes to deliver a statewide race.”
The hackers are surprised when the intelligence chief doesn’t care.
“No worries,” he says. “If we show we can hack the machines, we will destroy trust in the process. Whoever wins won’t have legitimacy.”
“Go for it,” he says. “Pick whoever you want to win. Just as long as it’s not the candidate the voters want.”
Scene 3 is back in the hackers’ office. The hackers are gleefully developing their plan.
As voters cast their ballots, the hackers will let the voting machines count their votes correctly.
But on Election Night, when the poll workers push “tabulate,” the computer will quickly flip the vote totals of the top two candidates in each primary. The voting machines will give the biggest vote total to the second-place finisher, and make the voters’ choice come in second. Not a single polling place in the entire area will report accurate results.
Scene 4 takes place on Election Night, April 7, 2020. Poll workers are gathered around a voting machine in a small city in western Wisconsin. The chief inspector pushes a button on the back as others eagerly watch the poll tape emerge. Expressions of surprise.
Cut to the Associated Press Election-Night newsroom. Much excitement. An editor shouts to a reporter: “Go figure out what’s up with Wisconsin’s rural voters! That’s not what anyone predicted they would do, in either party primary.”
Scene 5 consists of a montage of cable-news soundbites on Wednesday, April 8, 2020.
Questions abound: “What’s going on in rural Wisconsin? Why did the voters in both major-party primaries confound expectations?”
Guesses tumble out: Maybe voters lied to the pollsters about who they would vote for, or whether they would vote at all. Maybe hostile cross-over voting went both ways…maybe the leading candidates were too confident…
In Scene 6, viewers get the shocking revelation.
It’s now two weeks after the primary. A county clerk and two senior citizens sit in a drab conference room in a small county courthouse. They are finishing up the official canvass. The clerk says: “I printed out the certification statement. This is one election we won’t forget.”
They pass the paper around. Each one signs it. The hacked results are now official.
One of the board of canvass members remarks: “I’ve been doing elections work for 35 years, and voters still surprise me. Well, let’s go for a beer.”
Cut to the Intelligence HQ in the foreign capital. The Chief is furious; the hackers stare at their shoes.
The Chief slams his fist on the table: “You idiots chose a state where no one would even notice an election hack!!! Why didn’t you do this in Colorado or New Mexico?
“Are you nuts? How did you expect your hack to be noticed when Wisconsin’s paper ballots are sealed up on Election Night and never seen again?
“Didn’t you know that Wisconsin election officials never audit the primary elections?
“Didn’t you bother to notice that Wisconsin never recounts unless results are virtually tied?
“You bozos! Get out of my sight!”
The hackers leave. The chief smiles and picks up the phone.
“Mr. Secretary, good news. We just confirmed the people in Wisconsin trust whatever their computers tell them. No one will notice — not officials, not reporters, no one. Senate, Governor, President, whatever you want. ”
He hangs up the phone and calls his assistant in. “Contact the team who has compromised that big company, ES&S. Tell them to add Wisconsin to the list for November.”
* * *
Wisconsin’s local election officials do not stand a chance against sophisticated international cybercriminals. Too much is outside their control. Too many vulnerabilities, known and unknown, threaten the tabulators. Securing Election-Night results is a wishful fantasy.
But Election-Night results are preliminary and unofficial. Final results are the ones that matter and that could be secured — relatively easily, too. County clerks could use the paper ballots and their administrative authority to order hand counts. Simple audits could verify the winners while the clerks still have time to correct any miscounts.
The Wisconsin Elections Commission orders scattered audits of individual voting machines after November elections. That’s grounds for some hope. But even with improvements made in 2018, if these audits ever detect a miscount, they are as likely to cause chaos as to prevent it. They are not rigorous enough to verify the correct winners and are not binding on final results. Officials have no agreed-upon procedures for what they will do if auditors detect that the Election-Night results were miscounted.
Contact your Wisconsin County Clerk. Tell him or her to develop written canvass procedures — NOW — to verify the correct winners in the 2020 elections before they certify the final results.