The Election Guard we need isn’t one that Microsoft can provide. It’s human.

In brief:  Microsoft’s ElectionGuard is sophisticated technology that gives the public (e.g., voters, parties) the ability to detect signs of electronic vote tampering. This essay describes that product and its live-election test in Fulton, Wisconsin in February 2020. There are two take-away points.
First: Even if ElectionGuard successfully alerts its users to signs of trouble, election officials are unprepared to respond to those signs. We must disabuse ourselves of the fantasy that more or newer or shinier technology, by itself, can compensate for vulnerabilities that exist when no human takes managerial responsibility for the accuracy of the certified results.
Second: The trial run in Fulton created a rare circumstance: On this one day, in this one polling place, the managers in charge were truly committed to producing results of unquestionable accuracy—with no excuses, no whining, no blue smoke or mirrors. And they did, using two simple methods. The critical lesson of Fulton is this: When election managers truly want to, they can produce verified accurate results with minimal additional work and no new technology.


Captain Chesley (Sully) Sullenberger became the face of technology mastery when in January 2009 he safely landed 155 people in the Hudson River after his aircraft did not, shall we say, perform as expected. Later he commented:

“What we have learned is that automation does not decrease problems. It changes the nature of problems. As we use more and more technology in the cockpit, we must always make sure that humans are in complete control of the aircraft and its flight path.”

When it comes to election automation, Americans have not yet learned that lesson. On that future Election Night when the voting machines deliver incorrect vote totals, the election will crash and burn, because our officials are not prepared to take effective control to save it.

It’s a sign of America’s deep-seated desire to trust technology that many readers will dismiss this message unless I remind them of three basic and irrefutable facts.

  • First, any computer can be deliberately misprogrammed. Therefore, all voting systems are hackable, either by outsiders or by corrupt insiders. Insiders include the employees and contractors working for voting equipment vendors, service companies, and the local election offices.
  • Second, there is no surefire way to prevent all misprogramming, no matter how big the company or how lush the security budget. Computer systems of global corporations as big as Sony and as focused as the US Department of Homeland Security have been compromised. 
  • Finally, American voting-machine companies and our local election clerks have nowhere near the security resources of Sony or the DHS. Not even close. Knowing that malefactors found their way into those systems, it is delusional to imagine voting-equipment companies and town clerks can keep them out of our voting machines forever.

Therefore, responsible citizens accept the inevitable: Sooner or later, American voting machines will be deliberately programmed to miscount on Election Day.

And when that happens, as with US Airways Flight 1549, it will be human actions, not technology, that can save the election. If local officials quickly detect the miscounts and decisively correct them before certification, the election will be saved. If they do not, the election will be a total loss.

However, in most states including Wisconsin, election officials trust the voting machines and the programmers. Full stop. They make no effort to detect outcome-altering miscounts; they have no plans in place to correct the results if miscounts make themselves known. Occasionally, Wisconsin officials check a few randomly selected voting machines’ tallies against the paper ballots, but even if those audits notice one miscounting machine, the officials do not expand the audit to verify the outcome and do not claim to.

In short, we have no Captain Sullenbergers in the cockpit of our elections.


Josh Benaloh, Ph.D., Senior Cryptographer for Microsoft, thinks he has an antidote to the officials’ managerial passivity: Technology that will enable other people to detect miscounts. Staying with the Sullenberger analogy, he wants to enable each passenger independently to monitor the plane’s engine power and altitude.

It’s easy to trust Benaloh’s motives and his expertise. With boy-next-door good looks, Benaloh’s face carries a natural smile that disappears only when he frowns—and sometimes not even then. As whip-smart as they come, Benaloh has degrees from Massachusetts Institute of Technology and Yale, and his credentials as a forward-thinking innovator are impeccable: He wrote his doctoral dissertation on verifiable secret-ballot elections in 1987, more than a decade before computerized vote-counting was common, and three decades before election security came into public view as a serious concern. Ask anyone in the field to name the top 10 US experts, and Benaloh’s name is likely to be on their list.

Benaloh and I were among those present in Fulton, Wisconsin last February when a small election (only two races on the ballot) allowed the Microsoft team to demonstrate ElectionGuard, an election-security product Benaloh helped to develop with the company’s Defending Democracy program.  He and I spoke in total for more than two hours that day, during which he explained to me the purpose of ElectionGuard and the basics of how it works.

ElectionGuard is not a voting machine itself, but a program that can be installed on other voting systems, to work in parallel with them. In brief, ElectionGuard will enable voting systems to print a receipt for each voter.  The voter will cast the ballot as usual and leave with the receipt, which contains a ballot-tracking code. Later, they can visit a website, enter the code, and get a message: “Your vote was counted!” In addition, because Microsoft is providing the tabulation software free to the public, it will allow others—most likely, candidates’ campaigns—independently to verify the vote totals if they can get the electronic ballot files from the local officials. 

Benaloh convinced me that ElectionGuard’s use of advanced encryption methods will make it impossible for anyone to alter the digital record of the votes without leaving obvious evidence, which voters will be able to detect when they enter their ballot-tracking codes.

What he did not convince me of, to his polite but visible frustration that day, was that ElectionGuard will secure our election results or build voter confidence. (See note #1, at the end of this post.) But that’s nothing Benaloh’s inventions or Microsoft’s products can do, any more than Flight 1549’s cockpit dials could have landed that plane safely in the river if Captain Sullenberger not been ready and able to take charge.


To understand the types of miscounts that ElectionGuard is designed to detect, we need to understand voting-machine systems’ programmable components.

For the Fulton demonstration, equipment was provided by VotingWorks, a young nonprofit, open-source election-equipment vendor based in San Francisco. Benaloh told me that ElectionGuard can be used with hand-marked paper ballot systems, but for the Fulton set-up, voters used touchscreens, rather than pen-and-ink, to indicate their selections. The system included three main components:

  • A ballot-marking device (BMD) is a computer that displays the races and candidates to each voter on a touchscreen monitor. As voters make their selections by touching the display, the BMD translates those touches into digital data, which is transferred to…
  • A printer that produces a paper ballot. The paper ballot used in the Fulton demonstration was of the type that prints votes two ways—once in encoded data (in this case, a QR code) that will be counted, and separately in human-readable text. The voter takes the printed ballot and inserts it into…
  • A tabulator—which reads the votes encoded in the QR code, and records them in a digital file, along with all the other ballots it has read. At the end of the day, the tabulator will tally the votes for each candidate and print the totals on a poll tape. The tabulator might also transmit the vote totals to a central computer to be compiled with results from other polling places.

In normal use (though not in the Fulton demonstration), that whole set-up is managed through:

  • A central elections management computer, which in Wisconsin is operated by the county clerk. As the conduit for the software that is installed in the polling-place equipment, these central computers are the most likely target for malicious interference. For example, if a malefactor bribed a technician to install remote-access capability on Milwaukee County’s election management computer at some time in the past, that malefactor could alter the software on any or all of the hundreds of pieces of voting equipment in that county.

What types of hacks is ElectionGuard designed to detect?

Malefactors have two high-level options: They can create chaos with obvious malfunctions, or they can alter results while trying to postpone or escape detection.

Chaos-seeking malefactors might do things such as prevent the equipment from powering up on Election Day; make the BMDs print ballots the tabulators cannot read; or make the tabulators produce nonsensical results on Election Night. ElectionGuard could detect some of those problems but when the malefactor has already made sure the problem is obvious, ElectionGuard’s detection is not needed. Nor does ElectionGuard give managers any new options for responding to chaos.

But what if the malefactors try to postpone or even escape detection? In that case, ElectionGuard might or might not help. It depends on whether the malefactor hacked the BMD or the tabulator.  

Because ElectionGuard relies on the BMD’s digital interpretation of the votes, it cannot detect hacks that made the BMD misinterpret input (that is, the voters’ touches.) If the BMD misinterprets a touch on Alexander Hamilton’s name as a vote for Aaron Burr, ElectionGuard will, too. (Benaloh disagrees with this statement. See note #2.)

However, if the malefactor works with the tabulator rather than the BMD, ElectionGuard can enable detection.

When a voter inserts the paper ballot into the tabulator (with or without ElectionGuard), the tabulator interprets the votes recorded on that ballot; internally creates a digital record of each vote; and uses that record to tally results at the end of the day.

One of the ways a malefactor might intervene is this process is to make the tabulator look at the ballots with votes for Hamilton and record some of them, in its own memory, as votes for Burr. Then when the machine tallies the votes at the end of the day, Burr would be credited with some of Hamilton’s votes.

Without ElectionGuard, hand-counted audits are the only way to detect that problem. But when BMDs are equipped with ElectionGuard, each voter gets a separate, printed receipt with their ballot, as shown below. The ballot has a unique ballot ID number, and the receipt has a unique ballot tracking code, allowing ElectionGuard to match the two.

When the voters inserted their ballots into the tabulator, the tabulator worked as it normally would have without ElectionGuard, while ElectionGuard created a separate electronic record of the votes, in encrypted form, tagged with the unique tracking code.

Later, after Election Day, the voters are able to visit a website, enter their tracking code, and see a message. (Benaloh’s thoughts about who should host this website are in Note #3.) If the ElectionGuard record of that ballot matches the tabulator’s, the voter will see “Your vote was counted!”  (That is all it will tell them; it does not reveal even to the voter which candidate received the votes.) If the tabulator’s interpretation of the votes did not match the votes that ElectionGuard recorded, the voter would not receive the confirmation message.

And then what?

Well, that’s up to the election officials. Voters will start reporting problems the day following the election. Your guess is as good as mine about how many such reports each clerk will need before he or she stops assuming voter error and starts to question whether the equipment might be at fault. There is nothing in Wisconsin law or practice that requires clerks to take voters’ reports seriously.

Nor does anyone know what the clerks will do if they believe the voters’ reports of trouble—not even the clerks. Captain Sullenberger knew what to do when he realized his plane had lost its engines. But our election pilots trust their voting equipment so completely that they fly without emergency procedures.

Another way a malefactor might intervene would be to allow the tabulator to record the individual votes correctly in its own memory, but cause it to produce incorrect vote totals at the end of the day. That is, if 60% of the ballots contained a vote for Hamilton, the tabulator would correctly record each individual vote in its memory, but at the end of the day produce vote totals showing 60% of the votes going to Burr. In that case, ElectionGuard would tell every individual voter “Your vote was counted!,” which is, I suppose, true-ish.

But ElectionGuard would reveal that problem in a different way. Its open-source code enables anyone with programming skills to create their own verification tool. So if campaigns or political parties can get the election’s digital ballot files from the election officials, they will be able to tabulate the votes themselves. Microsoft will provide, free of charge, the source code needed to write those tabulation programs, even while the votes remain encrypted.

Currently, no one in Wisconsin verifies computer-generated vote totals, so ElectionGuard would be an improvement.

But will independent tabulation using ElectionGuard ever save a miscounted election? Probably not. At most, it will provoke expensive but futile lawsuits. The miscount won’t be corrected for at least two reasons.

First, it is highly unlikely election officials will allow access to the ballot files until after the results have been officially and finally certified, at which point no corrections are legally possible. And because there is no chance that a re-tabulation would lead to a correction, campaigns will be unlikely to bother. Benaloh agrees: “There would be minimal value in using ElectionGuard in a situation in which the election record is not made public until after certification.”

Second, even if clerks do release the ballot files immediately following Election Day, unofficial audits have no standing. Citizens’ groups that report miscounts are ignored. When such groups have documented miscounts in the past, officials did nothing; the press yawned; and the results were not corrected. The public has no credibility.

If one of the candidates’ campaigns used ElectionGuard to detect a miscount, there might be more sound and fury, but still no correction. Imagine, for example, that the Trump campaign had been able to use ElectionGuard in November 2020. If they had announced they’d found a miscount, officials would have issued statements saying that the campaign must have done it wrong. The Biden campaign would not have done their own re-tabulation; there is no reason why an Election-Night winner ever would. Instead, the Biden campaign, the officials, and the press would have insisted, correctly, that the Trump campaign’s only legal recourse was to demand a recount.

Unlike most candidates, Trump was able to force a partial recount, but that’s a rare situation. Recounts in Wisconsin are available only to second-place candidates who lose by less than a 1% margin, and even they must be able to pay the full estimated (and inflated) cost of the recount upfront in cash, unless they lost by less than 0.25%. Wisconsin Republicans will remember that, as close as the 2018 governor’s race was, and as widespread as concerns were about the City of Milwaukee’s atypical reporting, Scott Walker’s 1.1% loss margin prohibited him from even petitioning for a recount. ElectionGuard cannot change that.

In addition, a Wisconsin recount would be performed by running the ballots back through tabulators that have been ‘reprogrammed’ only to prevent them from printing out results for any but the recounted race. The tabulators’ second count would agree with the first and be accepted as confirmation, and the ElectionGuard results would be dismissed. When the buzzer sounds for the certification process, the victory will go to the malefactors.

So, sure, we can install ElectionGuard on America’s voting systems, and it will do no harm. When an election is hacked, it will be as helpful to voters as a set of cockpit dials on each seatback would have been for the passengers on Flight 1549: “Notice: This plane has lost all engine power.”

On that day, as with the Miracle on the Hudson, the only way to save the election will be for the professionals in the cockpit to take decisive, competent, manual control and bring the thing in for a safe, if atypical, landing.

Captain Sullenberger was prepared to do that. Our election clerks are not.

Fortunately, that is not the whole story. The Fulton demonstration did show how American election officials can make sure only correct winners are certified. It showed us what happens when those in control of the voting equipment really, truly, desperately, and sincerely want accurate election results. And that is the most important lesson of the Fulton demonstration.

When running a normal election (that is, when they are not demonstrating or testing new technology), officials need only to produce credible results. Notice I did not say accurate results. Fact is, they don’t normally have to prove accuracy to anyone, not even themselves.   

In that respect, the Fulton demonstration was a unique situation and uniquely instructive. Microsoft spent years and hundreds of thousands of dollars, drawing upon some of the best cyber-talent in the nation to develop ElectionGuard. For its first public demonstration, the organizers could not simply say “We believe the results are accurate because we trust the computers and you should, too.” In Fulton, they knew they had to prove accuracy. Otherwise, the whole thing would have been an embarrassing waste of time.

So they managed the polling place in a way that produced rock-solid results of unimpeachable accuracy. That effort required only two easy safeguards—one that verified BMD performance, and one that verified the tabulator. Neither used any new technology.

I’ll let Microsoft tell you about the safeguard that checked the tabulator’s accuracy:

“One of the things we wanted to do was … to make sure that the voters would never have to question that the results were accurate. There would be a hand-count of the paper ballots at the end of the day as the officially certified result. It took the poll workers maybe only 15 minutes to actually count the votes. We compared all three results (the voting-machine poll tape, the ElectionGuard tabulation, and the hand count) and all three matched, which was exactly what we were going for.”

Yes, when Microsoft the Global Tech Giant knew it had to produce accurate election results—leaving no shadow of a doubt—they hand-counted paper ballots. Or, more precisely, they counted the votes using two different methods and compared the results to make sure they matched.

It took them only 15 extra minutes. In larger elections, officials would not need to count every vote to verify the correct winner: Election authorities have developed methods that allow officials to confirm the right winners by hand-counting only a small sample of ballots—much like an exit poll that looks at ballots instead of interviewing voters.

But what about the BMD? How did the Fulton demonstrators ensure that the computer-generated ballots were accurate records of the voters’ selections?  

Verifying ballots’ accuracy is not an issue when voters mark their own ballots with a pen. If no vote is recorded as the voter touches pen to paper, the voters notice and tell the poll workers that the pen is out of ink. And if a voter touched a pen to one oval and a different oval turned black, the voters would positively flip out.

But when voters make their selections by touching a display on a computer monitor, it’s possible that the printed ballot could be missing votes or contain votes printed for the wrong candidate. Auditors and recounters are helpless to detect misprinted ballots because they have no way to know what the actual selections were. Only the voter can notice if that happens.

The problem is that touchscreen-using voters don’t review their printed ballots naturally, as hand-marking voters do. They need to be instructed or they will not do it. For example, both the cities of Madison and Milwaukee make heavy use of BMDs, but neither city instructs voters to verify the ballots. During the November 2020 election in those cities, I observed around 200 voters at six polling places as they used BMDs in early voting. Not one verified their printed ballot. If misprogramming or malfunction caused those BMDs to print any incorrect votes, no one will ever know and the true votes are lost forever.

To ensure that all Fulton ballots were voter-verified, organizers set up a ‘verification station’ between the printer and the tabulator, where a poll worker intercepted every voter and reminded them to read their ballot and make sure it was correct. With only two races on the ballot, every one of the 398 voters was willing and able to do that. 

But even with 100% voter verification, the Fulton event showed how election officials might allow voters to use a hacked BMD all day in a Wisconsin polling place. Four of the Fulton voters—slightly over 1 percent—noticed and reported incorrect votes. In each case, the voter and poll worker immediately assumed it was voter error—with no effort to rule out machine malfunction. But was it? Probably, but no one will ever know.

In contrast, managers with a passing level of quality-assurance expertise would not simply assume voter error, but would always be alert for misprinting BMDs. They would keep track of the number of voters reporting misprinted ballots; they would have decided ahead of time how many misprints would be considered indicative of a malfunctioning machine; and they would be prepared to take that BMD out of service.

But few real-world election officials are acquainted with real-world quality-assurance principles. Wherever BMDs are used in Wisconsin, the assumption is as it was in Fulton—to blame voter error for every noticed problem. If ever, say, 10% or more of the BMD-using voters at a polling place report misprinted ballots, election officials have no backup or recovery plans. Managers can choose to respond to signs of trouble; they can choose to respond in an improvised ineffective way, or they can choose to ignore them.

No technology, including ElectionGuard, can fix that. It’s not a problem with the technology; it’s a problem with the management practices.

A separate issue, which this blog has covered before, is the risky practice of encoding votes in a way that prevents voters from verifying them no matter how closely they study their ballots. ElectionGuard cannot help with that, either. That problem can be corrected only by redesigning the ballots so that the tabulators count the same recorded data that the voters verify, and vice-versa.

The tabulator will count the votes based on the information encoded in the QR code,
not the text the voter is able to verify. If an audit or recount using the votes recorded in the text produces different results than the results the tabulators produced using the votes recorded in the QR codes, and voter verification was not witnessed and documented by poll workers, no one has any way to tell whether the text or the QR code is correct.

We will not be able to secure election results until American voters and officials recognize that it is the officials’ responsibility—not Benaloh’s, not the vendors’, not the voters’, not the candidates’, not the lawyers’—to detect and correct any miscounts. 

But it will not be easy to get election officials to accept that responsibility. Whether from naivete or a willful desire to avoid buck-stops-here responsibility, election officials are happy to accept the vendors’ vision that technology can, all by itself, protect elections.

At the Fulton demonstration, I asked both the county clerk and the town clerk why they were willing to cooperate with Microsoft in demonstrating ElectionGuard. What did they see as its potential benefits?  

Like election officials everywhere, neither attempted to hide her faith that the voting equipment will always produce accurate results—they consider that faith a virtue. As a result, they are uninterested in solutions that allow them to detect and correct electronic miscounts because, through their eyes, that risk does not exist.

Instead, their answers focused on two other things: First, encouraging voters to trust the computers as unwarily as they do, and second, reducing their workload. County Clerk Lisa Tollefson told me her reason for hosting the demonstration was that she is “always interested in changes that might make the clerk’s job easier,” — not the answer you’d get from County Clerk Sullenberger.

What about voter confidence? For better or worse, actual security and voter confidence are separable. True security does not always create voter confidence, and voters can be confident even when security is weak. Both are necessary for well-run elections.

ElectionGuard might increase confidence among those voters who say: “Just give me a receipt for my ballot, and I will believe the election is secure.” They are likely to find it fun to visit a website, plug in a personal ballot-tracking code, and receive the confirmation message “Your vote was counted.”

But the voters’ confidence might fall back to baseline when they realize that ElectionGuard won’t confirm for whom the vote was counted. The stated reason for that is to prevent coercion and the buying and selling of votes, quaint considerations in an age of growing reliance on absentee ballots. (Benaloh shared some good thoughts on ballot privacy – see Note 4.)

Technicians like Benaloh who understand why ElectionGuard is trustworthy will believe the confirmation message is reliable, but they are not the ones for whom such reassurance is intended.  Everyone else will be in the same boat they are in now, having to trust the technology and the programmers. My guess is that once ElectionGuard’s novelty wears off, we will be right back where we are now, with skeptical voters being skeptical and trusting voters trusting.


When America finally decides that it really, truly does want secure elections–not just the appearance of security, not just voter confidence–we will stop piling technology upon technology and will instead make sure that that the humans in the election cockpit are responsible and accountable. This is what we will do:  

  • On Election Day, every voter who can use a pen will create a reliable record of their selections by hand-marking a paper ballot.
  • Those ballots will be quickly counted by computers and preliminary results released as soon as possible, just as they are now.  
  • Promptly following Election Day, the officials will conduct outcome-verifying audits by hand-counting enough of a sample to confirm that the voting machines identified the correct winners. They will be prepared to move quickly to full hand counts in the unlikely event the audit finds the machines were wrong. Only when the computers and the hand counts agree on the correct winners will final election results be certified.

With that simple system—for which our election officials already have all the technology they need—any would-be malefactor will need two entirely different sets of means and opportunity to mess with the results—one to hack the voting machines and the other to manipulate the hand-counted audits. That will deter 99.9% of any manipulation and will detect and correct the rest before the wrong person is sworn into office.

(I’ll give Benaloh the last words; see note #5.)


Notes

#1 – Josh Benaloh graciously and carefully reviewed three drafts (3!) of this blog post, and provided detailed, constructive feedback. I am very grateful. Of course, any remaining errors are mine. There are a few areas where I did not make changes in response to his comments, either because we disagree or because his valid comment didn’t fit into the flow of the argument I wanted to make. These comments provide the basis for the following notes.

#2 – Benaloh wrote: “It is not the case that ElectionGuard ‘cannot detect hacks that made the BMD misinterpret input (that is, the voters’ touches).’ In Fulton, human-readable ballots were produced.  Any recording or counting of ballots that was inconstant with this human-readable ballot was detectable.  I do not disagree that, in the Fulton instantiation, a voter may fail to notice a misinterpretation that results in a printed ballot that does not match the voter’s selections, and I fully agree that this is a legitimate concern.  However, I think that there is an important distinction between “undetected” and “undetectable ” – especially in this context.”

#3 – Regarding the hosting of the website that voters would visit to use their verification codes, Benaloh wrote: “I see minimal value in an individual voter going to an official election website to confirm a verification code.  Instead, I would envision third parties such as political parties, media, and watchdogs hosting copies of the election record against which voters could query.  There is far more value to me in having my preferred candidate or media outlet confirm that my vote is correctly included in the tally than for me to receive that assertion from an election official whom I may not trust.  Of course, if I trust no one, I can confirm the entire record – including my vote – entirely on my own.  In the small Fulton pilot, we had no leverage to encourage independent entities to establish such services; so the only verifier available was the one hosted by the town.”

#4 – Benaloh wrote: “I see not revealing individual vote contents as far more than a ‘quaint‘ notion.  Secret ballots were not introduced in the U.S. until the late nineteenth century, and before that time elections were rife with vote selling and coercion.  It would be easy to provide verifiability if we were not concerned about ballot privacy.  We could just post verification codes and voter selections without bothering with any encryption.  Although it is very difficult to quantify, I’ve seen numerous anecdotes of coercion (especially spousal coercion) associated with routine vote-by-mail and absentee voting.  Of course, voting without the benefit of a poll is preferable to not voting at all; but I believe that the protections offered by in person voting are critical to election integrity.  Just as you see audited HMPBs as your gold standard, I view verifiable in-person voting as mine.”

#5 – Benaloh wrote: “I agree wholeheartedly with your general thesis – that ultimate control and responsibility should be in the hands of people.  ElectionGuard is not intended as a solution but rather as a tool that can be used by election officials and the public to help achieve accurate outcomes.  To push on your Sullenberger analogy, when his engines failed he was not devoid of technology and left entirely to his own devices; instead, he was able to exploit other technologies to help him bring his plane a safe landing.  A human was, and should be, in ultimate control; but the availability of tools and technologies helped the human in control to overcome adversity.  I regard ElectionGuard as nothing more than a tool that can – depending upon the people who use it – be an effective aid or a superfluous nuisance.
“As such, I would posit that your ideal election design – HMPBs followed by a rigorous human audit – is only enhanced by the inclusion of ElectionGuard.  This is not just a pointless inclusion in a process that is already as strong as possible.  We have a crisis of confidence in U.S. elections today.  We have millions of voters who do not believe election results.  They do not believe their election officials (e.g.., Brad Raffensperger) and they do not trust their equipment vendors (e.g., Dominion and Smartmatic).  As such, they will not trust the results produced by your ideal scenario.
“While I share few of the views of these detractors, I am somewhat sympathetic to the reason for their suspicion.  From their perspectives, they gave their ballots to people they don’t trust who used equipment they don’t trust to produce results they don’t trust.  If ElectionGuard had been included with the systems they used to vote, they would have had means to confirm the accurate counting of their votes – despite their lack of trust in the people and systems (potentially including a lack of trust in the ElectionGuard component).  I’m old enough to remember Reagan’s overused “trust but verify” admonitions.  With ElectionGuard, voters can verify without trust.  Without it, voters who do not trust their officials and equipment are left with nothing.”

Breaking: WEC might not comply with laws that don’t apply to it!

Summary: A lawsuit over voter registrations is getting a lot of publicity lately. In the frenzy to portray the issue as a huge menace to Wisconsin elections or voters, the news media is overlooking an important detail: The law that WEC, a state agency, is accused of not following applies only to municipal officials.

When I worked for the Legislative Audit Bureau, about 80% of the projects I supervised asked the question “Is this agency complying with the law?” It was my job to read the law; figure out what compliance would look like; find out whether the agency was doing that; and write a report telling the Legislature what I found and what, if anything, they might want to do about it.

Here’s an example. Municipal clerks (city, village, or town) are responsible for updating voter registrations. These records need to have current addresses. Sometime in the past, someone wrote a state law that seems to have been intended to help municipal clerks keep addresses up to date without causing either them or the voters much extra work.

“Municipalities” are cities, villages, and towns.

That law is still on the books as §6.50(3), Wis. Stats.   It requires all municipal officials—assessor, librarian, police chief, whoever—to tell the municipal clerk when they learn a local resident has moved. For example, the local water utility might know that some home’s account was switched to a new name, indicating that somebody moved. The law requires the water-utility manager to tell the municipal clerk about that.

Then, the law requires the municipal clerk to do one of two things. If the voter left town, the clerk must mail a first-class letter to the voter’s registration address. If the voter fails to respond to the letter within 30 days, the municipal clerk must deactivate that voter’s registration.

If the voter didn’t leave town, but only moved to another address within the municipality, the law requires the local clerk to update the address on the voter’s registration records and send a letter telling the voter of the correction.

Perhaps because the law requires the municipal officials to do this only when they receive reliable information, the law says nothing about what the clerk is supposed to do if the voter didn’t actually move. A sensible reading would be that the legislature intended just that: Nothing.

If a legislator had directed me, as one of their oversight staff, “Find out if they are complying with that law,” I would have trotted out to a few different cities, large and small, and started asking questions.

My first question would be: “How on god’s green earth are you supposed to know whether the person stayed in town or left?” If a water account is switched to a new homeowner, how is the municipal clerk supposed to know whether the first homeowner left town or moved to a utilities-paid apartment down the block? In short, it seems to me like a poorly written law. Such laws exist. More than a few of my real-life reports concluded with, “The agency is not complying, but that’s because you wrote a silly law. A better law might be…”

If I learned, however, the law is more workable than it seems, I’d have reviewed local records to look for evidence of compliance.

There are at least two things I Definitely. Would. Not. Have. Done.

First, I wouldn’t have expected any municipal official to go looking for people who only maybe moved. The law speaks only about reliable information that comes to the local officials through their normal work. Nothing in the law requires, for example, the librarian and the municipal clerk, on their own initiative, to compare the addresses on library cards and voter registrations; to consider any differences to be ‘reliable evidence’ of a move; or to threaten those voters with deactivation if they do not defend their current address.

Second—and I feel silly even saying this, because it is just so absurd—I would not have paid a visit to the Wisconsin Elections Commission to ask what that state agency was doing to comply with requirements that legislators had placed on municipal officials.

If I had given the Legislature a report concluding: “No state agencies are complying with the local governments’ statutory requirements,” I’d have been fired for wasting time on such obviously frivolous fieldwork.

The Wisconsin Elections Commission is a STATE agency, not a municipality.

But that, fellow voters and taxpayers, is what I have to write about in this blog post. Because a misguided law firm has sued a state agency, the WEC, for not complying with requirements that apply only to municipal officials.  

Yes, in real life: A law firm is accusing WEC of failing to comply with the law I just described–the one that requires municipal clerks (not WEC) to deactivate voter registrations within 30 days after the municipal clerks (not WEC) sent a notice to voters based on reliable information that the municipal clerks (not WEC) had received indicating that the voters had moved (information that WEC does not possess.)

The laws that actually do apply to WEC require it to follow the procedures of a multistate compact known as ERIC. Once every two years, ERIC compares Wisconsin’s voter-registration files to files maintained by other state agencies such as the Department of Transportation. ERIC then gives WEC a list of people who have reported different addresses to different agencies.  For example, a person who had registered to vote in Milwaukee but who had avoided Milwaukee’s wheel taxes by registering their cars using the address of their Northwoods cabin would have earned a spot on ERIC’s imprecisely named “Movers List.”

WEC knows, from their long experience with this sort of administrative task, that rough information such as the ERIC list is far from reliable evidence of moving. They know how to clear it up, although it takes some patience. For example, they flag those people on the poll book to make sure the voters are asked to clear up the address question the next time they show up to vote. And if the voter never again shows up to vote at that address, their registration will be deactivated through a different process.

WEC’s boring compliance with this routine administrative procedure was ignored by the press as WEC worked on it over the past summer and fall. But as soon as a lawsuit was filed, the press has been all over it, spinning a partisan angle as hard as they can and parroting an inflated click-bait 234,000-voter figure. Thousands of those voters have already re-registered or updated their addresses, so the number of voters at risk of deactivation is nowhere near that many.  

Because I attend WEC meetings regularly, I realized the small effect this list-maintenance exercise would have for actual elections, no matter how it turns out.

First, understand my perspective: I spend most of my time working to get election officials to pay attention to something that theatens all 3 million voters: Wisconsin does not yet employ methods that would enable election officials to detect and correct the effects of voting-machine hacks. So even 234,000 seems to me like a junior-varsity number.

Still, there are other reasons I cannot see these voters as a huge threat to Wisconsin elections: Many other safeguards reduce the risk of voter fraud to an inconsequential level. And if these particular voters are attempting fraud, they are being flamboyantly inept. They were not going to be able to vote in two places by using their vehicle registration as if it was a voter registration.  

On the other side, we have to appreciate the ease with which people can register at the polls—especially (excuse me) people such as those who have cars to register and two addresses from which to register them. Among any voters who might be incorrectly deactivated, few will have their ability to vote impaired by anything worse than a few minutes’ delay. (To be clear: Any judge would be outside the law to order deactivation of any registrations in the absence of reliable information that the voter has moved. What I’m saying is that, if one does, the effect on actual voters will not be anywhere close to the levels that devout partisans fear or hope for.)

So it wasn’t until today that I sat down and read through the complaint and looked up the statute it references—actually even quotes. Anyone can read that law and see that it applies to municipal officials, not to a state agency. Check it out for yourself—the complaint accurately quotes the law. It’s the paragraph numbered ‘10’ on page three of the complaint. In that law, you will see nine references to municipal officials and not one to WEC.  

As irritated as I am with the media for their breathlessly misleading coverage, I am furious about the lawsuit. It is wasting your tax dollars and mine by asking the courts to address this bogus issue and making the WEC defend itself. I’d sputter about the lawyers’ and judge’s apparent inability to use their legal education, but reading that statute requires only elementary-school reading skills and a man-on-the-street understanding that WEC commissioners are not municipal clerks.

Postscript: Pollyanna that I am, I have to note the silver lining. This whole episode has provided a great opportunity to publicize one of Wisconsin’s treasures, our eminently usable and convenient voter-registration and election-information website, MyVote. Click on that link to see solid, up-to-date information about elections in general and your own voter registration in particular. And yes, if you were on the ERIC list, you’ll see that, and you can fix it.

About those Russians…

In the past two weeks, three reporters have asked me to comment on Russian interference in US elections. Do I believe the Russians interfered with the 2016 election? Do I think they will try in 2020? And my least favorite: Do I think Russians are the worst threat to the voting machines?

I’ll answer the ‘worst’ question first: What the hell does it matter?  All threats are threats. Will it be a boring news story if our election is stolen by a Canadian anarchist living in his grandmother’s basement, or by a random computer glitch?

I’ll tell you what the worst threat is. It’s the threat that is literally the sum total of all other threats. Wisconsin county clerks are STILL not using the only safeguard effective against every voting-machine threat including the Russians: Using our paper ballots in prompt, routine, hand-counted audits that verify the correct winners.

The simple truth should be obvious. It is ridiculous to allow any computers to make any big decision unless you have a reliable way to detect and correct serious computer errors.  

Can you think of any other government agency that relies on computers and doesn’t have some way to notice if the computer screws up a big operation? No, you cannot. There isn’t one. Only election officials trust their computers that blindly, and demand our trust, too.

When Wisconsin’s county clerks declare election results final without verifying the correct winners, they are allowing computer programmers to pick the candidates who will govern us.1 They don’t supervise these programmers. They don’t know even know who or where they are.2

As to the other questions:  I don’t know whether the Russians or anyone else tampered with the voting machines in 2016 and 2018. No one does.

We don’t know because Wisconsin election officials didn’t check. 3 How is that not scandal enough?

Wisconsin’s election officials just seal our paper ballots on Election Night and leave them sealed until it’s time to destroy them two years later. No one ever knows if the paper ballots tell a different story than the computer tapes.

And I don’t know whether Russian criminals are planning to mess with the voting machines in 2020. I know that it is wise to assume they are. Most importantly, I know it will be criminally negligent if our county clerks make no effort to detect and correct any hacks that might get by the security system.

Call your Wisconsin County Clerk today and say: “Surely you understand that you cannot guarantee the security of our voting machines. Too much is outside your control. The only thing you can secure is the election results, and you can do that only by using our paper ballots in hand-counted audits during the county canvass to make sure you certify only the correct winners. Get busy now on developing audit procedures for the 2020 elections.”

– – –

1 A few Wisconsin county officials claim they “program their own voting machines” and imply that provides security. They don’t, and it doesn’t.
The county clerks ‘program’ the machines only in the sense that you ‘program’ a new cell phone with your personal address book and settings. If any are messing with the actual tabulation software, they are breaking federal law. Truth is, these county officials rely on the voting-machine company in the same way you rely on Samsung, Apple, or Nokia.

2 Example: In 2016, election-security advocates noticed that Dominion—the nation’s second-largest voting machine company, which counts many Wisconsin votes—was recruiting programmers in Serbia. The company’s official response was: “Like many of America’s largest technology companies, which develop some of the software for their products in places like Asia, India, Ireland and the Mideast, some of our software development is undertaken outside the U.S. and Canada, specifically, in Serbia, where we have conducted operations for 10 years.”

3 In the 2016 recount, half of Wisconsin’s presidential votes were “recounted” only by running the ballots back through voting machines programmed by the same people who programmed them for Election Day. These were the ballots in the state’s largest counties (except Dane)–the counties most at risk of hacking.
In the half that was hand-recounted, the recount found that more than 1 in every 170 votes had originally been miscounted. These errors were not deliberate and affected both major-party candidates equally. As a result, they did not change the outcome and the news media didn’t report it.
But notice this: even when that many votes had been miscountedup to 30% in some individual wardscounty clerks did not notice it in their regular canvass. They detected the incorrect vote totals only when forced to check their work with a recount. Unless our county clerks adopt routine audits, the same will happen when hackers put the Election-Night results outside Wisconsin’s microscopic recount threshold (0.25%). There won’t be a recount and the hackers will have successfully pulled off their crime.

Projected Ballot Counting

Paper ballots can be manually counted in different ways–sort by candidate and then count the ballots; stack the ballots into groups of 20 and 100 and then have counters mark tally sheets as they go through the stack one-by-one; and more.

Affordable technology–a simple digital camera hooked up to a projector–can beat all these methods on each of the four attributes of a good manual-counting method.

1.  Ballot security.

Ballots must not be altered by the manual count.  Sorting and stacking methods require the ballots to be handled several times, by several people, and moved around tables. When ballots are projected, only one person needs to handle the ballots, only once, and can keep them on one table, in full view.

2.  Accuracy.

In a manual count, accuracy is established with redundant counts—two or more people must agree on each vote, reconciling any disagreement.  When counters make errors in sort-and-stack or tally-sheet methods, finding and reviewing the problem ballot can take a lot of time and ballot-handling. With projected ballots, everyone sees the same vote at the same time, so ambiguous votes can be reconciled when they are first encountered.

3.  Speed.

Faster methods of manual counting help to restrain costs, because labor is the biggest cost. Quicker counting also makes the task more pleasant for both counters and observers. Projected-ballot manual counts have accurately counted votes in one race at a rate of 100 ballots every four minutes, including time to stop to compare paired counters’ totals and resolve any differences. Depending on ballot design, two races could go just as fast.

4.  Transparency.

The value of a manual count depends upon how much trust it produces in candidates and voters. In traditional manual-count methods, observers cannot see ballots well enough to verify for themselves that the votes are being counted accurately and honestly. 
When the ballots are projected, observers see exactly what the official counters see. In addition, because projected-ballot counts require no ballot-handling by the counters, observers can be drafted on the spot as official counters–powerfully counteracting any distrust.

A tally sheet completed in full view of all counters and observers serves as a record of the manual count.

A pdf document containing step-by-step instructions is here.

What might a recount discover?

Quick summary: A recount in this week’s Supreme Court race would be a good idea for everyone involved. Verifying accuracy is a necessity if we want to protect our right to self-government from errors, glitches, and fraud. Even the seeming winner, Brian Hagedorn, would be better off if a recount removes the shadow of doubt from his legitimacy as winner. But because our legislature, egged on by our county clerks, tightened the recount law so extremely, it’s unlikely we’ll get one.

* * *

April 5, 2019 – A statewide election decided by only 6,000 votes is frustrating for everyone. Accurate or not, it indicates no clear will of the people. Chances are last week’s Supreme Court race was determined by random events. Who got tied up at work and didn’t get to the polls? Who neglected to get a valid witness signature on their early ballot?

And of course, such a close result raises fears of manipulation. 

I’ve been asked about what I think happened.

First, I can say with certainty that the vote totals are incorrect. Statewide results always are, not just on Election Night but even after the county clerks have certified them. Every recount always finds miscounts.

Few people know that the 2016 recount found at least 17,681 mis-tabulated votes, or 0.58% of the total, because news media highlighted only the change in the victory margin. That’s 1 miscounted vote for every 170 cast. In 2016, the errors were random—affecting all candidates—so correcting them did not change the outcome.

Why so many miscounted votes? Lots of reasons, caused by both man and machine. Our elections are administered by a temporary workforce, without serious IT expertise. Even the county clerks don’t work full time on elections. Most workers are only lightly trained and supervised; get no more than four days’ on-the-job experience every year; and work under enormous time pressure. Only in recounts do they examine their work to find out how well they did.  They would have to be superhuman not to make lots of mistakes. 

But back to this specific race. Were the miscounts bad enough to have identified the wrong winner? And were they random?

I see no obvious sign of hacked voting machines. When someone manipulates Wisconsin’s election computers to alter the outcome in a statewide race, they are most likely to mis-program the software for one or two of the big counties, and they will surely put the statewide result outside the recount margin.

But the unexpected results in this Supreme Court race came from northern Wisconsin, and the statewide result is so close that Lisa Neubauer can—if she can raise huge cash quickly—get a recount. If that was computer hacking, it took impressive effort (accessing several small counties’ systems) while also being incredibly clumsy (creating results that are subject to recount.) 

If a mis-tabulation (either accidental or deliberate) flipped the outcome in this Supreme Court race, my nominee for the most likely culprit is mishandled early, absentee, and mail-in ballots.

The 2016 recount found widespread errors with absentee ballots, mostly officials rejecting envelopes they should have accepted and vice-versa. But there were other mistakes, too. In Dane County alone, the recount found more than 60 uncounted absentee ballots. Neither rejected nor cast, these ballots were simply overlooked on Election Day and later, during both the municipal and county canvasses.

So we know absentee and early ballots are often miscounted by mistake, and we know those mistakes are not noticed except in a recount. We also know that in elections as anywhere else, the best place to hide fraud is where no one looks for it, and where any oddities that are noticed are written off as human error.

So messing with absentee ballots would be a good way to manipulate a relatively small number of votes.

There are many ways to interfere with absentee, mailed-in, and early ballots. As we saw in North Carolina, you can intervene between the voter and the delivery of the ballot to the municipal clerk. (That’s one ‘hack’ that cannot be detected or corrected by a typical recount.)

But once a ballot has been delivered, it can still be rejected on several grounds.

Local officials can—must, in fact—exercise judgment (e.g., Is this handwriting legible?) when deciding whether to cast or reject an absentee ballot.  And while they are exercising that judgment, they can see the name and address of the voter. That means they can make reasonable guesses about which candidate will get the votes if they decide the ballot can be cast. Implicit, unintentional bias almost certainly shapes some decisions; the effect could be much stronger with deliberate effort. Rarely does anyone review their judgments.

To be clear, I’ve seen nothing to indicate that such manipulation was done in this election or any other Wisconsin election, but it’s a fact that it could be done. A recount would clear that up for both those who suspect and those who deny any wrongdoing.  If no recount occurs, we’ll just have to keep guessing.

But we are not likely to get a recount. For the past several years, the Legislature–urged on by the Wisconsin County Clerks Association–has tightened the recount law to make it nearly impossible to get a recount in a statewide race. Had an election held in April 2015 produced a victory margin of less than 0.50%, as this one did, Neubauer could have obtained a recount at no cost.

From the 2016 recount, we now know that a 0.58% error rate is a realistic expectation. So we can see why the old law, which made it easy to get a recount if the margin was 0.50%, was sensible. If unlike our legislators, we care about protecting our right to self-government against election errors, a recount is always wise when we could easily be declaring the wrong winner by mistake. 

So we will all be well-served if Lisa Neubauer can quickly raise the cash—$2 million, based on the cost of the 2016 recount—that she’ll need to get a recount. The losing candidate is the only one who can buy a recount; our laws assume voters have no standing or interest in accuracy.

But neither she nor we should underestimate the effort needed to raise that much cash that quickly. To get the cash into WEC’s bank account by the deadline, she will need to raise it within about 60 hours of when WEC receives the last county’s official results. Jill Stein had a little longer to raise the money (legislators shortened the deadline after Stein showed it was possible), but this election is not drawing the sorts of national interest that helped Stein raise that much money that fast.

Having said all that, if the result in the Supreme Court race was ‘manipulated,’ my bet would not be on an outcome-flipping miscount, but on the success of a last-minute, under-the-radar, highly targeted, dark-money effort to motivate northern and rural voters to get out and vote for Hagedorn.

But as long as we allow that conduct to be legal (and we do), we cannot call it manipulation. If we want to put an end to that, we’re going to have to do more than complain about it. We’re going to have to fix campaign-finance laws. And to do that, we voters are going to have to get a constitutional amendment.  

I wish you had seen this.

The Wisconsin Elections Commission met today, and I stayed for most of the agenda.

One agenda item had to do with fixing the snafus that caused a voter-registration list maintenance effort in 2017 to incorrectly ‘deactivate’ thousands of validly registered voters. (You may have heard such efforts described as ‘purges,’ a relatively pejorative term that is fitting whenever voter-list maintenance is used as a voter-suppression tactic.)

Among other things, so many voters were incorrectly removed from the registration lists that poll workers for the past several elections have had to work with two sets of poll books–the regular one for unaffected voters, and a supplemental list of voters who had been struck from the rolls but who would be allowed to vote if they showed up on Election Day and attested that they had not, in fact, moved.

There are dozens of reasons, it turns out, why State of Wisconsin computers got confused about whether these voters had moved. They have to do with things like registering a vehicle with your personal name but your business address, or buying a car for your college student in La Crosse and registering it there instead of where you vote. I won’t go into all the details. If you’re curious, you can read the staff report starting on page 72 of this document.

I spend a lot of time reading about election-integrity problems in other states. That means I read about a lot of skuzzy partisan machinations.

I also spend some time talking with local election officials. That, unfortunately, exposes me to much whining, excuse-making, buck-passing and “no law says I have to” attitude.

Here’s why the WEC discussion impressed me so much that I had to come home and write this blog post.

The discussion was pure, unadulterated problem-solving, start to finish. No one was looking for a partisan angle or opportunity. Not one single commissioner or staff member was whining. No energy was wasted on self-protective defensiveness, or on denying or minimizing the problems. I heard no attempts at buck-passing, no excuses.

Unlike what I hear when I talk to many local election officials about vote tabulation, no one at WEC was pointing out that statutes require them to do the work but don’t require them to do it right. It didn’t seem to cross any Commissioner’s mind to avoid their managerial obligation to detect, analyze, and correct problems until someone passes a law forcing them to do that, and paying them extra for it.

WEC commissioners and staff were straight-up committed to discovering the extent of the problems and what caused them, and to making sure they never happen again. Commissioners asked staff for hard data on error rates, and made sure that staff are not sending any more deactivation notices until the problems are fixed. Staff, for their part, were as committed to getting past problems corrected and future problems averted as the Commissioners were.

This is what responsible election administrators look like.

I wish all voters could have seen what I saw today. And I wish some reporter would write about it when good work gets done.

Voting-machine source code: a ray of light, not yet full sunshine

Posted by Karen McKim · January 12, 2019 10:31 AM

In brief: Jill Stein’s post-recount organization, Voting Justice, won a victory over voting machines companies ES&S and Dominion in Wisconsin. Stein will be allowed to bring in experts to examine the software for several models of voting machines, and those experts will be able to report their findings publicly. These machines are used not just in Wisconsin, but around the nation. That is all very good.

But this victory is only a breach in the wall of secrecy, not a demolition. Several factors will limit the benefits that will flow from this victory. If we’re going to secure future elections, we will need to thank Jill Stein and the Wisconsin Elections Commission–and keep on fighting.


An otherwise well-informed voter could be forgiven for not realizing that the 2016 Presidential recount effort, led by the Green Party’s Jill Stein, is still producing valuable results.

Corporate news media see elections as horse races. Once a winner is declared and the bets paid out, journalistic curiosity dies.  Editors see no story in the poor overall quality of American election administration.

So the 2016 Presidential Recount—completed in Wisconsin, aborted in Michigan and Pennsylvania, not even attempted elsewhere—got a big media yawn when it did not change in the outcome. 

Here’s some news you may have missed as a result:

Since 2016, the products of the recounts have supported organizers’ efforts to improve elections administration—with impressive success.  In Pennsylvania, Stein’s organizers used a recount-related lawsuit to force that state to prohibit paperless voting machines and require routine election audits after future elections.

In Wisconsin, the recount produced a mountain of before-and-after data, from every polling place, for every candidate. Academics from MIT, Harvard, and the University of Wisconsin analyzed it.  Although the recount increased neither Trump’s nor Clinton’s ultimate total by more than a few hundred votes, the researchers discovered that more than 17,600 votes had originally been miscounted—or 1 in every 170.  

Those stunning findings were ignored by the news media, but the Wisconsin Elections Commission (WEC) took note. I believe that study contributed to their 2018 decision to encourage county clerks to improve embarrassingly weak canvass practices. (The ‘canvass’ is the weeks-long process after Election Day, during which local election officials should review the results to make sure they are correct.)

Wisconsin organizers also used the recount results successfully to encourage the WEC to prohibit further use of one particularly unreliable model of voting machine, after the recount caught it ignoring votes marked on as many as one-third of the ballots.

And now, Stein’s organization, Voting Justice, has achieved victory in a recount-related lawsuit that will throw some much-needed light on voting-machine software.

A unique Wisconsin law requires voting machine companies to place a copy of the actual vote-tabulating software in escrow after every election. Separate from the process of approving voting machines for sale, this requirement was originally intended to protect local governments’ voting-equipment investment. In case a company went out of business, the State would have a working copy of the most recently updated software as backup to keep the machines counting.

The law also requires the State to allow candidates to inspect the escrowed software if the candidates agree “to exercise the highest degree of reasonable care to maintain the confidentiality of all proprietary information.”  The software in Wisconsin voting machines is the same as that used in other states, and any inspection could have national implications.

So the Stein campaign asked to inspect the software. They and WEC reached agreement on how Stein’s experts can examine the software without having the opportunity to steal the voting machine companies’ trade secrets. (I can hear the computer-security academics scoffing: “As if anyone would want to!”)

But when the voting-machine companies saw the agreement, ES&S and Dominion didn’t want to play by those rules. The two major players in Wisconsin’s voting-machine market wanted WEC to impose a gag order on Stein’s inspectors.

WEC said “No gag order.” The companies sued.

Their demand of the court was basically: “If you’re going to let Jill Stein’s experts examine our software, prohibit them from ever telling anyone their conclusions.” In other words, the voting machine companies wanted the judge to declare that the experts’ opinions were the companies’ proprietary trade secrets.

Dane County Circuit Court Judge Stephen Elke backed the WEC and turned the voting machine companies down. Likely sensing the main reason why any company would seek such a gag order, the judge wrote:

By way of example, a nutritionist might be given access to the secret formula for Coca-cola, which is undeniably a trade secret. It would not be a disclosure of that trade secret for the nutritionist to say, “After seeing the secret formula, I can tell you that Coca-cola is unhealthy and I would never let my own children drink it.”

This is a breakthrough. To my knowledge, independent experts have never before been able to examine “the software components that were used to record and tally the votes in an election” with the approval and support of the state elections agency. That software is defined as “the vote-counting source code, the table structures, modules, program narratives, and other human-readable instructions used to count votes.”

Whatever the inspectors find, the voting-machine companies will not be able to say “But the software you saw was only for review purposes. We had fixed that problem in the operational software.” If they make that claim, they’re admitting they violated the Wisconsin law that required them to provide the State with the software that was used in the election.

And what will their inspection find? Smart money would lay odds on serious problems. You need to know only the basics about profit-seeking corporations and low-bid procurement to predict flaws and holes in a product that the manufacturers believed was eternally protected from scrutiny.

We’ll have to wait to see how well the inspectors can describe those problems without violating their pledge to maintain secrecy about the details of the coding. However, this is the best opportunity so far.

A final benefit is, I believe, this decision’s effect on efforts in other states to compel independent examination of vote-tabulating software. With this precedent, those efforts will be more likely to go forward and more likely to succeed.  Wisconsin has shown that states can require voting machine companies to allow inspection of the software that will count our votes.

The wall of secrecy surrounding the “black box” voting-machine programs has been breached. But it has not been torn down. The Stein team grabbed the opportunity that presented itself and made the most of it, but the benefits have limitations.

The first limitation is that this is a one-time event. If no other candidate ever demands to inspect the software, it will never again be inspected. We don’t yet have routine quality assurance.

Second, this decision does nothing, in itself, to banish proprietary software from public elections. If we want to get any closer to open-source software and routine quality assurance inspections, we’re going to have to force this review’s eventual findings into the public’s and legislators’ awareness. We’re going to have to do that ourselves. Count on the news media to maintain their willful blindness to any news, however shocking, that lacks a Republican vs. Democrat partisan angle.

Third, while this review will be able to identify any defects or vulnerabilities in the master copy of each systems software, the inspectors won’t be able to tell whether the election was hacked.

  • Computer programs can be manipulated in ways that are undetectable to even expert forensic analysts. In Brave New Ballot, Johns Hopkins University computer-science professor Aviel Rubin recounted how he annually provides his graduate computer-forensics students with programming he has hacked at the level of the binary code (that is, the ones and zeroes that underlie the human-readable source code). Years go by between the times when a grad student detects the hacked code, and grad students have been able to stump him, too.

  • Neither voting-machine companies nor election officials will be able to provide Stein’s inspectors with the software that actually counted votes on Election Day. In a “precinct-count” state like Wisconsin, computer tabulation takes place in thousands of separate computers—at least one at every polling place.  Before each election, those machines’ software is copied, recopied, and modified for the many different sets of races and candidates that appear on the jurisdictions’ different ballots.     
    In counties that use the Dominion ImageCast Evolution system (with the exception of Fond du Lac County), the software has even been transmitted over the internet from the Colorado manufacturer to the county clerk.  
    Therefore, to confirm with certainty that the software in every machine was compliant in even one election, inspectors would have to obtain access to the thousands of copies. No one is in a position to collect all that software in a single place, and Stein’s experts wouldn’t have time to review it even if it could be collected.

  • Voting machines can be made to mis-tabulate without altering the source code that Stein’s experts will review. For example, a corrupt or lazy service technician could have installed unauthorized remote-access capability in the county elections computer (as Pennsylvania clerks discovered, to their dismay, in 2014) or in individual voting machines. Later, someone could have taken control of the machines’ output (that is, our election results) simply bypassing or overriding the authorized software.

The best possible outcome of these reviews would be that the experts will find the weaknesses, report them out, and motivate legislatures nationwide to adopt laws requiring open-source software and routine independent software inspection in every local jurisdiction in every election.

But even if that happens, it will not close and lock the door against outcome-altering mis-tabulation of our votes.

The only effective protection against hacked elections remains what it has always been: Routine, manual verification of the correct winners, using paper ballots, completed before the results are declared final.

Routine detection-and-correction is the only security measure strong enough to deter hacking while also protecting final election results against undetected error and malfunction.

It is the only way surely to protect the true voice of the people.

An Illustrated Introduction to Risk-Limiting Audits

Posted by Karen McKim · December 19, 2018 2:21 PM

December 19, 2018 — “As the secret ballot transformed elections in the last century,” said Joseph Hall, Chief Technologist for the Center for Democracy and Technology, “risk-limiting audits are going to transform elections in this century.”

 In a few years, Americans will look back, aghast, at our current election management. We will be amazed that we ever trusted vote-tabulating computers so much that we routinely declared winners without checking results for evidence of fraud, glitches, or human error.  We will consider routine verification to be an indispensable part of managing elections, just as cash-register reconciliation is now for managing the corner convenience store.

In preparation for that day, it’s time to understand: What is a “risk-limiting audit”?

First, a risk-limiting audit is not a specific set of steps or statistical calculations. Like “home-heating system,” the term describes a function, not a method. If a system heats your home, it’s a home-heating system. If it doesn’t, it’s not. A wood-burning stove is a home-heating system. Electrified tile floors are a home-heating system. Triple-pane windows and attic insulation are not.

A risk-limiting audit is any review that imposes a precise limit, such as 10%, on the risk of certifying incorrect results in the event that Election-Night results identified the wrong winner. Any review that accomplishes that is a risk-limiting audit. If it doesn’t, it’s not. For example, pre-election voting-machine tests and hand-counting to verify a few voting machines’ results are good. But even when completed correctly, they do not precisely limit the risk that officials will detect and correct any outcome-altering miscounts.

(Though it’s not part of the official definition of risk-limiting audit, I’ll mention the other side of the coin. In the event that Election-Night results identified the right winner, a risk-limiting audit does not reduce the risk that officials will certify the wrong one. That risk stays at zero.)

You might be surprised that statistical analysis is not a required feature of risk-limiting audits. A full recount uses no statistical methods and if done correctly, limits the risk of declaring the wrong winner to zero. Therefore, it’s a risk-limiting audit. But full recounts require too much effort to be used routinely. So to reduce the time and effort needed to confirm elections, most types of risk-limiting audits use random sampling for selection and statistical processes for analysis.

Another feature of risk-limiting audits is manual inspection of voter-verified paper ballots. Until some as-yet-uninvented technology comes along, we can verify the computers’ verdicts only by comparing them against something that didn’t come from a computer. That is, we need direct human observation of the paper ballots that were marked, or at least verified, by the voters themselves.

Finally, the word ‘audit’ doesn’t mean what you probably think it means. Outside elections, independent auditors perform audits after auditees have completed the work. In contrast, a risk-limiting audit is completed by the responsible officials as part of their work of certifying election results. A post-certification review might provide useful information for the next election, but it cannot limit the risk that the wrong winner was certified in this one. Risk-limiting audits probably should have been called ‘risk-limiting reconciliation’ or ‘risk-limiting verification,’ but it’s too late to change that now.

Try it yourself…

In December 2018, national election-security leaders came together at an Election Audit Summit in Boston, organized by the MIT/Caltech Voting Technology Project. Dr. Philip Stark of the University of California-Berkeley, who originated the concept of risk-limiting audits, led participants through a demonstration. The instructions below are adapted from Dr. Stark’s handout, Audit Simulation for Auditing Summit

In brief, the exercise uses playing cards to represent ballots containing votes for Black or Red. The cards are sorted into piles representing precincts; a sample is randomly drawn from across all participating precincts. Each card either builds or reduces confidence in the Election-Night results, until a pre-determined acceptable level of confidence is achieved—or is not. To do this exercise, you’ll need:

  • two decks of playing cards;
  • scratch paper;
  • a pencil; and
  • a random-number generator.  

Note: the statistics in this exercise are realistic but not precise; they are for illustration purposes only. A real election audit would use a sample size and confidence level calculated for the results being audited.

Example #1: When Election-Night results are correct

The first illustration will show how a risk-limiting audit plays out when Election-Night results identified the correct winner.

1. Get two decks of playing cards. They don’t need to be the same design, but the same shape and size will make them easier to work with. From one deck, remove the jokers and set the hearts aside. This leaves 39 cards in this deck—26 black ‘votes’ and 13 red.

2.  From the other deck, remove the jokers and set aside both the hearts and diamonds. This leaves 26 cards in this deck, all black.

3. Shuffle all 65 cards together, but not thoroughly. Actual ballots will not be thoroughly shuffled; your cards don’t need to be, either.

4.  Separate the cards into six stacks to represent precincts. You don’t need to make them the same size. In the real world, some precincts have more voters than others. Label the stacks “Precinct A,” “Precinct B,” and so on up to “Precinct F.”

5.  Count the cards in each precinct consecutively and write the numbers on the labels. For example, if Precinct A has 12 cards, you will write “1-12” on that label. Then start Precinct B’s count with 13, so that Precinct B’s label will be something like “13-23.” Precinct C will be something like “24-35,” and so forth. If you’ve counted correctly, the last card in Precinct F will be 65. 
Some vocabulary: A list of precincts indicating the number of ballots in each (e.g., Precinct D has 13 ballots) is a “ballot manifest.” When you assign a unique number to each ballot (e.g., Precinct D contains the 36th through the 48th ballot), it becomes a “ballot look-up table.”

Now, imagine you’re the official who is responsible for certifying this election. You know the possibility of an outcome-altering Election-Night miscount is remote. Nevertheless, you want to: 1) deter fraud in future elections, 2) demonstrate to the voters that local elections are secure against even remote risks; and 3) make sure you don’t miss even a remote possibility of declaring the wrong winner.

So you’ve decided to give yourself at least a 90% chance of detecting any outcome-altering miscount before you declare the official winner. In other words, you have decided to impose a 10% limit on the risk that you will fail to notice and correct any such miscount. (You could choose a different level of risk, if you wish.) If the machines identified the correct winner, there is a 0% chance an audit will reverse that.

Initial Election-Night results indicated that Black got 80% of the vote and Red got 20%. While you haven’t looked at any ballots yet, you know how many were cast.  Using that information, you consult with a statistician or the risk-limiting audit website to find out how big your manually counted sample needs to be to confirm the right winner or to detect the wrong one.

In a real risk-limiting audit, you would be told a specific number of ballots to draw for the first sample—up to a few hundred, depending on the margin of victory and the number of ballots cast in the race. Your statistician or the RLA website could also generate random numbers for you, to determine which ballots to draw for the sample. For this demonstration, let’s imagine you were told to select 10 ballots.

6.  Create a score sheet with columns for the random number, the color of the card, a confidence score for each card, and a running confidence total.

7.  Generate ten random numbers between 1 and 65. Write them in the first column. These are the ballots you need to inspect. 

8. Then find each card. For example, if the first randomly selected ballot was #38, you would check the ballot look-up table and see that card #38 is the third card in precinct D. Look at that card, record its color in the second column, and replace it.

  • If the sampled card was black, it builds confidence that the preliminary results were correct when they identified Black as the winner. Note +5 confidence points for that card in the third column, and add 5 points to the confidence total in the fourth column.
  • If the sampled card was red, it reduces confidence in the preliminary results. Note 10 confidence points in the third column, and subtract 10 points from the confidence total in the fourth column.

9.  When you’ve recorded the color of each card in the sample, look at your total confidence score. If it is 25 or higher, you have statistically confirmed, with 90% confidence or more, that no Election-Day miscount identified the wrong winner. You can end the audit and certify the results.

The photo below shows that this audit could have stopped after the eighth card, because the confidence score reached 25 at that point. On average, an audit like this would need to inspect 14 cards to reach a confidence level of 25—if, that is, the Election Night result was correct.

If your confidence score is less than 25, select another random ballot, and another, until the total confidence level reaches 25. (Or until you realize that you messed up the first two steps of this exercise and are working with a deck in which there are actually more red than black cards.)

#2: When Election-Night results are incorrect

The second part of this exercise shows what happens when Election-Night results were wrong.

1.  Retrieve the red cards you set aside, so that you are using all 104 cards from both decks. Shuffle them together. Again, this does not need to be a thorough shuffle. Some ‘precincts’ can be mostly red and some mostly black.

2.  Separate the cards into 9 stacks of differing sizes to represent precincts. As in step 5 above, count the cards in each stack to create a ballot look-up table.

3.  In this exercise, we know the election was a tie. But in a real election, we would not know that, because the computers told us that Black won, and we have not yet inspected any ballots. So we would give the same information to the statistician or RLA website that we did in the previous example—that is, an 80% victory for Black. Given that situation, the instructions we receive would be the same: Select a random sample of 10 ballots by generating 10 random numbers—this time, between 1 and 104, because we have more ‘ballots.’

4.  As in the first exercise, use the ballot look-up table to find each card selected for the sample. Note the color of each and confidence points on the tally sheet. Check to see whether the total confidence score reached 25. In this case, it did not.
It is possible that your first sample reached a confidence score of 25 or more. If so, your audit incorrectly confirmed a miscounted election. This can happen—statistical confidence is not the same as rock-solid certainty. A 90% confidence target means that 10% of the time it will be wrong. To calm your nerves, think of this from the point of view of election thieves who see a 90% chance that their handiwork will be noticed and corrected.

5.  If the total confidence score is less than 25, you have not yet confirmed the Election-Night results, so you will need to expand the sample by inspecting more random ballots.


When the Election Night results are wrong, the more ballots you sample, the lower your confidence level will sink. As shown in the photo, as more and more ballots are inspected, it becomes more and more apparent that the preliminary results are just not right.

Election officials who conduct risk-limiting audits of real elections adopt written policies that address this possibility. A sensible policy, for example, might dictate that the audit will stop if it fails to confirm the outcome with two additional samples, and the effort will instead be put into a manual count of 100% of the ballots.

About sample size, statistical confidence, and emotional confidence

One concept should now be clear: A random sample of ballots is a miniature version of the entire election.  The same winner will emerge from both–if both are accurately counted.

In the first exercise above, Black had more votes in the whole set of ballots from which the sample was drawn. As a result, more of the randomly selected ballots contained votes for Black than for Red. In the second exercise, Black did NOT have more votes than Red, and so we could not confirm a Black victory no matter how many ballots we randomly drew.

In other words, when preliminary election results have identified the correct winner, inspection of a relatively small number of randomly selected ballots provides strong evidence of accuracy. Conversely, if preliminary election results identified the wrong winner, inspecting a random sample of ballots will reveal the problem before officials certify the election.

Once we see that random samples reflect the true results, the next question is what size sample works best. Smaller samples reduce work, but increase uncertainty. Larger samples provide more confidence, but are more work.

This demonstration started with samples of 10 cards, which in the 65-card ‘election’ was a little more than 15% of the ballots. In a real election audit, the initial sample size would not need to be anything close to 15% of total ballots, particularly if the preliminary results indicated an outcome as decisive as this one. 

To work through a real-life example, let’s look at the 2018 race for US Congress in Wisconsin’s First Congressional District. This reasonably close and hotly contested race filled the seat being vacated by former Speaker Paul Ryan. The actual results were: 325,003 total ballots; 177,490 votes for Steil; 137,507 for Bryce; and 10,006 for Yorgan.

When you plug these results along with a 10% risk limit into the online tools for ballot-polling RLAs, statistical operations built into that tool predict that you will likely be able to confirm Steil’s victory, if Steil actually won, with an initial sample of only 301 ballots. That’s only one-tenth of one percent of the 325,003 total ballots. If Steil did not truly win, auditing 301 ballots would produce results more like the second example above–forcing officials to keep expanding the sample until it was obvious that the Election-Night results were incorrect. (Instead of using +5, -10, and 25 total points as indicators of confidence, officials would have counted the votes in the sample and could have used the online tools to assess the results. See the section titled “Should more ballots be audited?” at the bottom of this page.)

If election officials did not believe that 301 ballots would provide voters with enough subjective confidence in the result (as opposed to statistical confidence), they could have selected a smaller risk limit. In this congressional election, a 5% risk limit would have needed an initial random sample of 389 ballots; a 1% risk limit, a random sample of 594 ballots. Or, election officials could adopt an audit policy that every initial sample will contain either enough ballots to support a 5% risk limit, or 1,000 ballots, whichever is greater.

Other lessons from this exercise

This exercise highlighted risk-limiting audits’ tightly focused purpose—to detect and correct any outcome-altering miscounts. This purpose is critical for election security and for voter confidence, but does not solve all problems. Election officials must perform other types of reviews to determine the cause of any miscounts and to monitor other important issues, including:

  • The presence of any miscounts that may have disenfranchised some voters without affecting the outcome;
  • The accuracy of any single precinct’s or voting machine’s tabulation;
  • The quality of any of the processes that determine which ballots were cast and accepted, such as issues with voter registration or ID, or whether all and only valid absentee ballots were accepted and counted.

In addition, this exercise simulated only one type of risk-limiting audit, known as a “ballot-polling audit.” Depending upon the size of the election, the type of records created by the voting-equipment, and other factors, election officials might decide to use a different type of RLA, such as a “comparison risk-limiting audit” or a Bayesian audit. Election officials do not need to read and digest the scholarly articles. Federal officials, staff in jurisdictions that have experience with auditing, and other experts are willing to help local election clerks understand the options well enough to make the right choices and get started with election auditing. A local election official can likely find useful help as close as the nearest local government official who has expertise related to auditing or quality assurance. 

This exercise also probably raised some implementation questions: How can election officials draw a random sample in a election for which ballots are stored in sealed bags across hundreds of municipalities? How do you know how big your sample needs to be if you want to verify the outcomes in two or more races? Election officials who have started with risk-limiting audits have tackled these questions, and more solutions are being worked out with each new election. The solutions are not always easy or obvious, but local election officials who want to try their hand at risk-limiting audits need only to ask those with experience.

Finally, this exercise demonstrated that even risk-limiting audits might, on occasion, fail to detect miscounted election results. A 90% chance that serious fraud will be detected and corrected is the same thing as a 10% chance it will not be.

That highlights the need to keep two other facts in mind. First, a 90% chance of detecting fraud is better than the 0% chance that non-auditing election officials and their voters now tolerate. Second, the audits’ greatest value is, arguably, deterrence. When would-be election thieves contemplate a 90% risk of getting caught, there’s a good chance that election officials will have no electronic election fraud to detect.electionscounting votesWisconsinrisk-limiting auditsdemonstratio

Wisconsin County Clerks Association doesn’t wanna.

Posted by Karen McKim · November 25, 2018 10:31 PM

No city treasurer would refuse to check the accuracy of property-tax bills. 
No county executive would release a report on annual expenditures without double-checking its accuracy.

Most local officials don’t need anyone to pass a law telling them to check their work.  They accept that as a basic managerial responsibility.

But the Wisconsin County Clerks Association is officially on record: They don’t want to.

And their work product is our election results.

The WCCA statement came in response to the Wisconsin Elections Commission’s September announcement that they were considering two election-security measures.

The Commission’s first proposal involved the only accuracy-checks the Commission has authority to order: audits of individual voting machines by municipal (not county) clerks. These audits are better than nothing, but they are limited to November elections in even-numbered years and check only a few random voting machines without confirming the winners in any race.

The Commission was considering ordering more machines audited than in previous years and requiring the audits to be completed before election results are declared final.

The Commission’s second proposal would move Wisconsin slightly in the direction of national election-security standards. The Commission was considering encouraging county clerks to perform audits of the type that if done widely, might confirm that Election-Night results had identified the right winner and enable clerks to correct the results if they had not. 

WCCA’s response was swift, naïve, and irresponsible.  The county clerks didn’t want the Commission to require, or even encourage, the county clerks to perform genuine election audits.

Perhaps sensing they are defending the losing side in a national trend (they are), the county clerks also described how they want to restrict this election safeguard:

  • They don’t wanna check accuracy until after they have certified final election results.
  • They don’t wanna check accuracy for any but the top race on the ballot.
  • And they want the State to pay extra if it even suggests they check accuracy.

I’m not making that up. The organization’s memo to the Wisconsin Elections Commission is reproduced, verbatim, below.

About delaying audits until after certification: The WCCA wrote that our paper ballots “should be treated like evidence and remain undisturbed” until after the clerks have certified the results. Join me in a prayer that the Trial Judges Association doesn’t have the same idea about the proper use of evidence. Imagine our courts refusing to look at evidence until after they’ve reached their verdict. 

About auditing only the top race on the ballot: The WCCA wants to audit only the top race on the ballot, ever. This could be restated: “If you force us to protect the US Senate election, we will refuse to protect the Governor’s race.” Hackers are delighted to know ahead of time which races will be protected, and which will be on an honor system.

About making the state pay extra for accuracy: The WCCA clearly rejected the idea that accuracy is a normal managerial responsibility by demanding they be paid extra for it. Imagine a parks manager telling the county budget manager: “Here’s a statement of the user fees we collected. If you want me to make sure it’s right, you’ll need to pay extra.”

Straight-out lie: In a final Trumpian flourish, the memo’s author blatantly misrepresented the findings of a study by MIT, Harvard, and the UW Madison researchers (Learning from Recounts, 2017). The WCCA memo claimed the researchers had declared that “hand counts of election results are inherently inaccurate.” Compare that to the researchers’ actual words:

“…careful hand counting in a recount is the gold standard for assessing the true vote totals — in large part because of the greater focus on a single contest, more deliberate processing of ballots, and careful observation by campaign officials and other interested parties….”

 *  *  *

Wisconsin statutes give the buck-stops-here responsibility for election results’ accuracy to the county clerks, and to no one else. Municipal clerks cannot verify results in federal, state, and county races; they have access to the ballots from only their own city, village, or town. The state elections agency is the legal custodian of no ballots at all; has only a few days after county certification before they must certify; and has no statutory authority to question results a county has certified.

We must insist the county clerks fulfill their responsibility. They have the paper ballots. They have the time. Modern election-audit practices would allow them to verify a few races on the ballot in just two or three days, while statutes allow them at least two weeks before they must certify the election.  The only cost would be the hand-counters’ time at $10 or $12 an hour—a tiny fraction of the county’s elections-administration budget.  They could randomly select just a few races for verification—just enough to deter election thieves in the races most liable to attract their interest.

And yet, collectively, they refuse.

Update: The Commission wisely ignored the WCCA’s whining and voted unanimously to encourage county clerks to start auditing during their canvass. And as the WCCA memo states, a few county clerks have begun voluntarily to incorporate hand-counted audits into their routine canvass procedures.

Every county clerk in Wisconsin received a memo on October 4, 2018 explaining the current nationwide move to election auditing and providing the clerks with instructions on how to get started.  

Only voters, though, can make it happen. Voters who care about election security should contact their county clerk to find out whether their votes in future elections will be protected with hand-counted audits during the county canvass.  

If not, the next election on February 19 will provide an excellent opportunity for your clerk to begin developing routine election-audit practices, since it will likely be a low-turnout election. Your county clerk has plenty of time before February to learn about the various methods of checking accuracy and work out his or her local procedures.

Insist on it.  

PT Barnum-style election security

Reporter: “Does it bother you that what you’re showing is humbug?” 
PT Barnum: “Do these smiles seem humbug? It doesn’t matter where they come from if the joy is real.” 

I recalled this dialogue from The Greatest Showman as I was observing a pre-election voting machine test in the City of Elroy, Wisconsin on Monday, August 6.

Conducted in every municipality before every election, these tests serve some necessary functions.

But as a safeguard against hackingthey are humbug—as authentic as a bearded lady whose facial hair is hanging from strings looped around her ears. 

Nevertheless, because the tests make some voters and reporters feel confident, they are touted as a security measure.

I’ve observed more than two dozen of these tests over the years. The ones I observed this week were typical. Even if you’re not an IT professional, I’ll bet you can pick out why these tests don’t protect Election-Day results from hacking—whether the hacker is an Internet cyber-crook or a corrupt voting-machine company insider.  

Here, try it. Start by predicting what the hacker might try to do. First, do you think the hacker would make the malicious code miscount every single vote or only some votes?

You guessed ‘only some,’ and experts agree. When a blue-ribbon election-security task force convened by the Brennan Center for Justice worked out how a hacker would steal a statewide race in the imaginary State of Pennasota, they calculated that no hacker would likely alter more than 7.5% of the votes, or a little more than 1 in every 13. So if you want to detect hacking, your set of fake ballots—your ‘test deck’—should contain enough ballots to give each candidate at least 13 valid votes.

But Wisconsin municipal clerks typically create test decks with only one vote for each candidate—enough to catch only hacks that affect every single vote.

Second, do you suppose the hacker might instead allow the machines to count votes accurately all day, and then simply flip the candidates’ vote totals at the end of the day to give his guy the biggest total? You probably guessed yes, he might. So you would need to create a test deck that has a winner in each race, a different number of votes for each candidate.

Wisconsin municipal clerks’ pre-election test results typically contain a lot of ties–the same number of votes for each candidate in each race. Those test decks would not detect any vote-flipping hacks.

Finally, would the hacker’s malicious code kick in whenever the machine was turned on, or only on Election Day? This one is easy. Hacks would never trigger on any day other than Election Day.

This is the fatal flaw of pre-election testing as a safeguard against hacking. Hackers can program their code to trigger only when the calendar says it’s Election Day…or only when ballots are inserted at a rate typical of Election Day…or only when the machine has been operating continuously for more than eight hours…or only on some other telltale sign that real votes, not test votes, are being counted. As the Brennan Center Task Force report put it, trying to use tests like these to detect hacking would create a constantly escalating arms race between election officials trying to make the test look like a normal Election Day and hackers finding new ways to detect a test situation.

As a result, the Task Force didn’t bother even to mention pre-election testing as a safeguard in its list of six security recommendations.

Many of Wisconsin’s pre-election tests do not hide the fact that the machines are running in test mode, not Election-Day mode. The photo at right is a close-up of the voter-verifiable paper trail from an AVC Edge voting machine, programmed by Command Central, being tested in Juneau County before the August 14, 2018 primary. Notice that the voting machine printed “PRE-LAT PAPER RECORD” at the top of the ballot. ‘LAT’ is the computer professionals’ term for “logic and accuracy testing,” a basic routine whenever software has been updated. (I don’t know why Command Central calls it “PRE-LAT”.)

This machine clearly knows it is counting test ballots, not real ones. Operating in test mode doesn’t render the test useless for things like catching innocent programming errors.  But:

It is humbug for election clerks 
to fool themselves, or to fool the public, 
into thinking these pre-election tests 
provide any protection against hacking.
 

If we want to stop being fed humbug, we have to stop falling for it. If your local election officials tell you:

  • Election results are protected by pre-election voting machine tests“, tell them that you know Wisconsin’s pre-election voting machine tests could not detect hacking any less obvious than that which in 2010 elected a cartoon robot to the Washington, DC school board.
  • Election results are protected by keeping the machines unconnected from the Internet,” tell them that you know that they have no idea about what happens to the software before it comes into their control.
  • Election results are protected by federal and state certification,” tell them you know that the software has been copied and updated many times since it was certified, and that no one has ever or will ever inspect the software that will count your votes on Election Day.
  • Election results are protected by the audits we already do,” tell them that audits completed only after the canvass cannot possibly protect results they have already declared final (‘certified’).

The solution: Contact your county election office. In Milwaukee County, that’s the Elections Commission; in other counties, it’s the county clerk. Tell them: 
“This voter is done with humbug. I know that one and only one safeguard can protect our final election results. 
Use our paper ballots to detect and correct any electronic miscounts before you declare election results final. Start this November.”

Don’t expect your county official to be stubborn; several are already planning to check accuracy before they certify the November results as final. Find out if yours is one.

But if your county officials are not now planning to begin auditing, don’t accept excuses. They got a memo on August 1, 2018 from the Wisconsin Elections Commission that made it clear: “A post-election audit is a tool that could be implemented to confirm that results have been tabulated accurately,” and “post-election audits of the results may be conducted prior to certification of the canvass.” The Commission even gave them basic instructions they can follow.

No more humbug 
about election security. 
Tell your county officials 
today: “Time’s up. 
Pre-certification audits. 
This fall.”


You can also help by donating to help Wisconsin Election Integrity get the no-humbug word out to voters, officials, and media through our 2018 publicity campaign.

And you can email the Wisconsin Elections Commission at elections@wi.gov to encourage them to mandate pre-certification audits in every county, at their September 25 meeting.electionshackingWisconsinauditssecurityvoting machineselection technology