Report on the Development of Procedures for Verifying with Digital Ballot Images

ISlideShow.jpgt's time to start gearing up for the citizens' audits that will verify the electronically tabulated results of the 2016 elections, in Dane County and any other Wisconsin counties where people want to join the effort to improve management of Wisconsin's elections technology.

Almost all large Wisconsin counties now use voting machines that automatically, immediately preserve a digital image of every ballot.

In any of these counties the county clerk or involved  citizens could choose to use the images in astoundingly efficient, transparent manual counts to verify the accuracy of the voting-machine output.

The Wisconsin Election Action Team demonstrated the method after the February and April elections in Dane County last year, and will be conducting similar public demonstrations after the 2016 elections.

We have released a report that describes the procedures, benefits and risks of Using Automatically Created Digital Ballot Images to Verify Voting-Machine Output in Wisconsin. (Catchy title, that!)  In this report, you will find: 

  • A technical description of the digital ballot images created by the ES&S DS200 and a picture of one of the images;
  • A layperson's description of 'risk-limiting auditing,' the technique that allows audits to count just a sample of the ballots while still achieving statistical certainty that the correct winners were identified (or not);
  • A step-by-step description of an efficient, transparent process for conducting a citizens' audit; and
  • A frank discussion of the limitations and risks of using digital ballot images for this purpose.

Please pass this along to your friends who live in Dane County and encourage them to mark their calendars for Saturday, March 12, to attend a public, transparent post-election audit that will verify Dane County's results in the February 16 Supreme Count primary and perhaps a few other races. The location wil be announced later--follow Wisconsin Election Integrity on Facebook.

Residents of other Wisconsin counties, please read this report and consider whether you could help to organize a similar citizens' audit in your own county, particularly if you live in one of Wisconsin's larger counties that use optical-scan voting systems. If you can, please contact us at, and we can provide you with the necessary software, instructions, and pointers.

Add your reaction Share

How do good people go so wrong? What can we do about it? Lessons from the Volkswagen fraud

Dozens if not hundreds of Volkswagen employees must have known of the recently detected emissions software fraud  that continued for six years and affected 11 million cars around the world.

And yet the fraud was not revealed by a whistle-blower; it was discovered by outsiders.  How could Volkswagen management have coerced so many otherwise reasonable, ethical people into silent cooperation over so long a time?  Or did they deliberately hire only crooks?

I’m writing about the Volkswagen fraud in this blog because it raises two big questions relevant to elections: First, is it plausible that voting machine companies could perpetrate a similar sort of fraud?  Second, is it plausible that their customers, local election officials, wouldn’t notice?

ComputerFraudCircuitBoard.jpgNow, I don’t run around claiming fraud I cannot prove. I have a natural-born skeptic’s aversion to making accusations without conclusive evidence. Years working at Wisconsin’s Legislative Audit Bureau—an investigative and oversight agency--only sharpened that instinct.  At the same time, my hard-wired respect for hard facts also makes me dubious about election officials’ claims that they can ensure 100% correct results every time without routine verification. No other computer-dependent manager makes such an extraordinary demand on my trust.  I am acutely aware that when it comes to electronic elections fraud, the only elections we are sure were not miscounted (arguably) are the very few that were recounted. Considering what is at stake, that is a very serious problem.

Back to the questions. First, with regard to the voting-machine companies, the Volkswagen affair clearly demonstrates the plausibility of systemic fraud by companies that manufacture, sell, or service computerized equipment, whether it’s cars or voting machines. Fraud is particularly feasible when they demand proprietary secrecy for their software, and when they sell their product to consumers who have no particular information technology expertise--like local government election officials.  

For example, a voting-machine company could routinely install clandestine wireless communications capability on each of its voting machines, in case the company ever feels the need to fix a bug (or an election) without the knowledge of local election officials. The vendors know that local officials never inspect the equipment in any way that might discover the chip, because they don’t want to appear to be ‘tampering with the machines.’ (See footnote.)  And IT experts tell us that is only one of several ways voting-machine company insiders could alter election results if they chose to.

With regard to the second question—the local election officials’ willingness to allow possible fraud to go undetected: That’s readily answered. We know they are willing.  They grant vendors proprietary secrecy for their software, so no election official ever inspects the vote-tabulating software loaded into any machine. And yet, knowing they did not and cannot inspect the software, the vast majority of jurisdictions—including all Wisconsin counties—routinely neglect to verify the accuracy of electronically tabulated results. My previous post in this blog described the puzzling refusal of many officials even to learn about their practical options for detecting miscounts.

But why?

In a well-researched and well-written article in the most recent Atlantic Magazine, What Was Volkswagen Thinking?, business journalist Jerry Useem provides insight into both the corporations and their customers.

Using examples of actual corporate conduct both good and bad, the article explains how otherwise ethical employees of a company, such as a voting-machine company, could go for years without saying anything about their machines’ hack-ability, and why otherwise responsible election officials could choose to trust the machines’ Election-Day accuracy based on nothing more than a determined will to believe.

People within an organization, Useem explains, fall prey to “a cultural drift in which circumstances classified as not okay are slowly reclassified as okay.” In response to pressures and expectations in their workplace, otherwise competent people come to see careless conduct as admirable flexibility. They begin to tolerate excessive risk-taking as if it was creative experimentation. Withholding damaging information starts to feel like prudent discretion. Actual fraud is mentally redefined to be practical adaptation to circumstances.

The derailment usually starts at the top. Useen notes the obvious: in many cases, management is simply dishonest, as seems to have been the case with Volkswagen, and as many election-integrity activists fear when they point to voting machine companies owned by active partisans.

But management might be honest and just as genuinely self-deluded as their employees. Upper-level management might have made ‘fantastic commitments’ without being aware that the company’s employees could not fulfill them without cheating. From my own experience with contracting and procurement, I also suspect impetus to cheat can arise from customers’ demands.

For example, one Wisconsin county clerk has written he does not allow updates or patches to that county’s voting-machine software. If this is true, it’s easy to see how the vendor would be tempted to install wireless communications capability in that county’s voting machines. And why not? The company needs occasionally to update and patch the software, and the county clerk will never discover the communications chip. It would be the only way the company could keep the machines up to date without upsetting the clerk. And once that chip is there, every employee who knows about it is on nothing stronger than an honor system not to alter the election results, because output isn't routinely verified in Wisconsin.

Once expectations are clear, employees will try to conform their behavior. And that behavior is comfortable only when they also bring their perceptions and beliefs into compliance.

For example, an in-depth study following the Challenger space-shuttle explosion found that engineers had observed O-ring failure--the cause of the disaster--in many previous tests; had reported it; and had repeatedly been pressured to endorse more risk as acceptable. Compliantly, they had rewritten their reports to approve looser and looser standards. Then, just before the fatal flight, freezing temperatures convinced the engineers to issue a “No Launch” recommendation. However:

“The data they faxed to NASA to buttress (their no-launch recommendation) were the same data they had earlier used to argue that the space shuttle was safe to fly. NASA pounced on the inconsistency. (Faced with the) script they themselves had built in the preceding years, (the engineers) buckled. The “no-launch” recommendation was reversed to “launch.”

Useem explains that the engineers and managers “were not merely acting as if nothing was wrong. They believed it, bringing to mind Orwell’s concept of doublethink, the method by which a bureaucracy conceals evil not only from the public but from itself.”

That could explain why so many otherwise responsible election officials seem to shut down when you try to talk to them about examining voting-machine output for accuracy. We look at them and think, “You’ve got so very much invested in the elections—all those security measures, all those pre-election tests--how could you not want to check to make sure everything came out right on Election Day?”

But they look at all their hard work and think, “I promised everyone it would work. My career will be over if it doesn’t work. It’s got to work. I’m sure it worked.” Useem explains what happens next:

Even without stress, people tend to underestimate the probability of future bad events. Put them under emotional stress ... and this tendency gets amplified. People will favor decisions that preempt short-term social discomfort even at the cost of heightened long-term risk.

So how do we help election officials break out of this mindset? How do we increase their fear of a ‘future bad event’ that could cause them ‘short-term social discomfort’?

Oddly enough, it is not the risk of a miscounted election occurring that causes their fear; it is the risk of a miscount being detected. Most computer-dependent managers--not election officials--realistically expect that if they do not catch a computer error, someone else will. For them, routine audits reduce fear. But miscounting voting machines don’t blow up like space shuttles, and candidates cannot take voting machines out for test drives between elections. Therefore, in the absence of post-election verification, election officials have no realistic fear of anyone discovering a miscount. The idea of an audit has the opposite effect on them: their fear goes from nothing to, well, something.

That’s why transparent, high-quality citizens’ audits are critical. Even if they cannot be completed before the identified winners are sworn into office, they will still serve a useful purpose of increasing election officials’ realistic expectation (okay, fear) that any miscounts will be detected—if not by them, by someone else.  That will create for them the same discomfort felt by bankers, city treasurers, grocery store owners, and all the other computer-dependent managers who fear embarrassment or worse if they don’t notice the computer error and correct it before someone else does.


Note:   I know of no requirement that anyone inspect Wisconsin's voting machines to verify they have no wireless communications capability. Over the years, I’ve asked several Wisconsin election officials if they inspect the machines anyway and have not had any tell me that they do. If anyone reading this has any first-hand knowledge of any local officials’ inspection practices that include checking for wireless communications capability, please email me at

Add your reaction Share

Too scared even to talk?

Before I retired, I worked in quality assurance for a program that delivered health care and daily living support in clients’ homes. It was a non-military government program, so the provider agencies never had more than a skeleton staff on a shoestring budget. There was rarely only one right way to do anything. Whether because of or in spite of that, most managers were willing to think and talk about quality improvement.

But there were always a few who could be counted on to insist everything was already as good as they could make it, and would resist even learning about any new ideas.  

I’m seeing the more of these folk now that I’m working in volunteer election-integrity work.

Verifying computer output is not a novel idea; no sensible person doubts the need to check accuracy whether the output is our property tax bills or our election results. Wisconsin statutes require clerks to keep an ‘auditable’ paper record of every ballot, not a ‘decorative’ one, so we can safely infer that legislative intent had something to do with checking accuracy.

BreezeofChange.jpgElections officials who are willing to acknowledge those facts can converse fairly readily about the practical questions: How many ballots do we have to examine before we can be confident we’ve identified the right winners? How can we do that in the time available? If I innovate, what opposition can I anticipate and who is willing to back me up? No local official in Wisconsin that I know of has yet decided to make any improvement but with some, the conversation continues and focuses more on reasonable problem-solving than on rationalizing denial.

But there are many election officials who, when they catch even a whiff of change wafting in on a gentle breeze, batten down the hatches as if expecting a hurricane.

Late last month, I sent a for-your-information letter to each of the 61 municipal clerks in a county where we’re working on raising awareness of the need for verification and its practical solution. Because many are sensitive to any hint of criticism, the letter made it clear that we were asking for change in only county procedures, not municipal ones. In describing what we would be asking of the county, I chose the most respectful, non-threatening, benign words possible without misleading them about the fact that we are asking for improvement. The letter ended with an offer to visit the municipal clerk, at his or her convenience, to talk more about the issue.

Two weeks later, I found one response in my email inbox. After a few comments that revealed significant naiveté about the inherent limitations of the clerks' IT security measures, the municipal clerk wrote:

I tire of these subtle (and sometimes blatant) indictments of a system where it is obvious that no one has taken the time to confer with the clerks first. Instead, they pattern advice on what is assumed to be true.  Also, I get the impression someone is prepared to sell us some proprietary software to “fix” a non-problem.

Well, at least he responded. That put him ahead of all the others.

I shushed the devil on my shoulder that wanted to point out that if the writer had genuinely wanted to confer, he could have accepted my offer to meet rather than complaining that we’d never met.  In my actual response, I explained some of the basics of prudent IT security as briefly as I could, taking care to work in reference to having spoken with many clerks.

ConfidentHouse.jpgBut I did not bother to reiterate my offer to meet with him, and I don’t expect to hear back. When someone has boarded up all his mental doors and windows, my guess is that the best thing is to let him calm down in silence until he realizes there won’t be a hurricane.

The disheartening thing is that the people who are open to the breezes of change are not those who are in a position to implement improvements.

Voters and poll workers, to start with, are very interested when they learn that election results could be made safe from electronic miscounts. They know how much they have invested in elections, and how tragic it would be to lose it all to a computer glitch, when such a loss could easily be prevented.

State and national officials are interested, too. It's the national authorities' recommendations that we're trying to get local elections officials to heed. And last July, when we gave a public demonstration of an efficient new verification method, attendance at the event included the director of the state Government Accountability Board and his chief elections manager; the director of the state League of Women Voters; and a nationally-renowned, federal-government-advising expert on election technology and computer-science professor from a neighboring state.

From within a 30-mile radius, we had also invited 3 county elections officials, 37 county board supervisors, and 61 municipal clerks. Not one of them showed up. Not one.

Among the fingers-in-my-ears-I-can’t-hear-you responses received from local officials over the past few years:

  • Every excuse short of “I’m planning on washing my hair that night.” If an election is coming up within two months, they are too busy preparing to talk. If an election is more than two months away, they will be willing to talk about election administration issues when they are more timely.  One municipal clerk begged off attendance at a public meeting by saying she’d be too busy registering voters—at 8:00 PM. (She has a staff of seven.)
  • They’re just so busy with everything else all the time, they cannot even read the invitation. One county board supervisor told me not to expect a response from any other county board supervisor because “We get so many emails we don’t read them.”
  • It’s not my job: “You don’t need to talk to me because I’m (not on that committee; not in the majority; from a neighborhood too affected by Voter ID…).”
  • And, of course, silence.

This cannot go on forever. We will get their attention somehow, and for their sake, I hope it's before the next serious electronic miscount gives us cause to shout “I told you so!”

Add your reaction Share

What cardboard skeletons teach us about voting-machine security

Our local election officials do the best they can with voting-machine security--really, they do. They might or might not understand the dangers of illicit installation of wireless communications chips or software tampering, but they all know they need to keep those machines safely locked up between elections in town hall storage rooms, village police garages, and various other secure compartments.

I cannot count the times that local elections officials have earnestly reassured me of their diligence about that, and I sincerely believe every word. It seems rude to remind them that no matter how hard they try, they cannot count on having complete control, so I try to be gentle when I tell them that they still need to check the output for accuracy, just in case.

HalloweenDecor.jpgBut one Connecticut town clerk got the message loud and clear when she went to retrieve the voting machine for an upcoming election and, to her great dismay, found it festooned with crepe paper and cardboard skeletons. One of the town board members had accommodated a local high school club's request to use the town hall for a Halloween haunted house evening and had borrowed the janitor's key ring for the event. The dusty, dark storage room made a perfect place for the skeletons.

That Connecticut elections clerk retired to Wisconsin, and I ran into her at a party tonight. Her story was the most humorous I've heard, but it's unusual only in its colorful details.

Towns, villages, and cities are run by normally competent and well-meaning people who generally do the very best we can expect of them. But management tasks are frequently handled by part-time employees or even volunteers, and executive oversight is provided by local elected officials who often have even less training and experience.

We cannot imagine we can protect our voting machines from tampering simply by demanding local elections officials maintain fool-proof security programs. It's just not within their power.

Transparent, rigorous post-election verification of voting machine output remains the only way local elections clerks, candidates, and voters can be sure that the machines performed accurately on Election Day--or discover if they did not in time to correct the output.

2 reactions Share

Reason or rationalization? Arguments against verifying voting-machine output

Reasoning.jpgWhen my physical therapist asks why I didn’t do the prescribed exercises, I could reply, “Because they are uncomfortable, I am clumsy, and I feel like an idiot when I do them.” Those are the real reasons--not admirable, but honest.

But if I replied, “I don’t have room anywhere in my house;” or “Your instructions confused me,” those would be rationalizations—self-serving half-truths or untruths created for the purpose of either concealing my true motivations or deflecting the conversation.

Because there is no good reason for declaring unaudited voting-machine output to be final election results, anyone who defends the practice must argue based on 1) honest but weak reasons or 2) rationalizations.

Rationalization.jpgThe county clerk where I live rationalizes. Last week, a curious newspaper editor asked me to explain the clerk’s reasons for opposing verification, so I provided her with a long, defensive memo the clerk had written for county board supervisors and explained it line by line—850 words of pure rationalization. Verifying voting-machine output is ‘outside the law’ (No, it’s not.) It would require a full recount. (No, it wouldn’t.) Pre-election testing makes post-election checking unnecessary. (No, it doesn’t.)  I almost felt silly for wasting the editor’s time. I wanted to say, “Can I just tell you that these are all just excuses and red herrings, and offer you some facts instead?”

Other county clerks I’ve encountered give honest reasons for not verifying the accuracy of the voting machines’ output. A clerk in a nearby county once gave me a very heartfelt description of his fear of sparking partisan accusations of ‘tampering’ with the election record if he opened the ballot bags after they were sealed on Election Night.  His honesty gave us an opportunity to talk about the sorts of things supportive citizens could do to shield him from such attacks.

Yesterday, I chatted with another elections official. She earned my respect for her integrity, if not her insight, as she struggled for several minutes to articulate her reasons for opposing post-election audits: “Once we start to treat election results as something that can be open to question, where does it stop? We will audit and then someone will say “Yeah, well, the audit was rigged.” Then we’ll need to audit the audit and where does it end?”

The slippery-slope argument is always suspect, but deserves respect when it is someone's genuine concern.  And in part, she is right: A small proportion of sore losers will always find fault with the process, which will always have flaws. But they’re complaining now, so we have nothing to lose with them. And if we reject every improvement that won't please them, we can never move forward.

The vast majority of voters, however, will be more confident in election results if officials make at least one transparent, credible pass at verifying the accuracy of the computer output. Other public officials who audit their computer output don't have an unmanageable  problem with demands that they audit their audits. Finally, the difference between one audit and none at all is likely to make a world of difference to a would-be electronic thief as he considers whether to hack our vote-counting software.

I have a lot of respect for the reasoners, even if we disagree. Their well-motivated effort to articulate what they honestly see as problems and to stay engaged in the conversation is invaluable in moving forward. The rationalizers? I dunno. Constructive conversation with them is impaired if not impossible. After all, that is why people rationalize--to shut down productive conversation. And if they don't engage in problem-solving conversation, we just have to go around them to others. Although I genuinely dislike showing someone up to be foolish or dishonest, I don't yet see any other option.


Dane County, Wisconsin residents: Please visit this county citizen-feedback webpage, and vote for the petition seeking verification of our voting-machine output. (Use a desktop, laptop, or tablet--users say that the site does not yet work well on smartphones.) 

Add your reaction Share

Think of it as a critical administrative task, not a challenge to preliminary results

Verifying voting-machines output before declaring election results final is such a no-brainer, I find myself spending significant brain power trying to figure out why so many people cannot see that.

Take the computer out of the voting machine and into any other office in county government...or city government, or state, federal, private business or even your own home, and no one would dream of using its output to make a decision even half as consequential as who will govern us before they have verified the computer output was correct. Stick it in a voting machine, and everyone (except probably the hackers) sees it as some sort of Greek Oracle--whatever it prints out Must Be The Truth.

FourFatesCartoon.jpgIt's occurred to me that one problem might be that we all get caught up in elections as contests--this side versus that side. When preliminary results are announced on Election Night, those tagged as winners want to celebrate. The head-spinning rapidity with which candidates concede to unaudited computer tape may be a good indicator of how very much they just want it to be over once the voting-machine oracle has spoken. After all, they need to get back to finishing up their campaign-finance reports--those need to be accurate.

Instead of standing back, unemotionally, from the task and treating voting-machine output like we would any that supporting any other big decision, we perceive post-election verification as a continuation of the winners-and-losers drama. Instead of acting like sober grown-ups, we act like spectators at a ball game, condemning anyone who questions the ref. In the past two weeks, I've read a lot of online discussion of the odd results in Kentucky and Ohio. Nearly every discussion gets derailed into a discussion of people's motives for questioning the output or into evidence-free speculation on other reasons for the outcomes. I cannot think of any other circumstance in which people don't demand an answer to the first question, "Are we sure that's correct?" before, or at least while, speculating on other possibilities.

Yesterday, I introduced the topic of verifying voting-machine output to a sharp young democracy activist from Milwaukee. She is already deeply immersed in the fights for redistricting reform, getting the money out of politics, and even proportional representation. She seemed to catch on quickly, but after nodding and asking a few good questions, she asked, "So what makes you think there's a problem?"

She fully understood and accepted the fact that we routinely swear people into office on the basis of unverified computer output--but she didn't perceive that as a 'problem' unless I could present her with evidence that some competitor had been unfairly denied a victory. (I'm polite when I get this response, but one of these days: "I just informed you that no one would know if our elections were being stolen, and you respond by asking whether any elections have been stolen. Let me start again at the beginning...")

Election integrity activists need to point out that verification isn't necessary for the purpose of changing preliminary results; it's necessary to make sure they are, in fact, the results.

We need to speak relentlessly of post-election verification as a routine, basic administrative procedure, rather than as a challenge to this outcome or that. We need to point out the three-legged stool of a) ongoing security, b) pre-operation testing, and c) post-operation verification that every other computer-dependent manager relies upon, and point out that elections administrators are the only managers who pull off and discard that third leg.

A business manager doesn't wait for the owner to contest the bank deposit before he will agree to reconcile the receipts with the cash-register print-out. The city treasurer doesn't need citizens storming his office complaining of inaccurate property tax bills before he makes sure they are being calculated correctly. We don't need to demand a recount from our bank before they audit their books to confirm that all deposits were credited to the correct accounts.

Routine verification of computer output is standard administrative practice, not a continuation of a contentious political campaign.  

Add your reaction Share

Bike helmets and post-election verification

When I was a kid, bike helmets were unknown. I didn't get hurt and none of my friends got hurt in any way that didn't heal in a few weeks. We know better now, but whenever I put on a bike helmet, I still hear that little devil on my shoulder: "It's inconvenient." "It looks dorky." "I can't feel the wind in my hair." "I can't see as well." "I know how to be careful on a bike.” “I survived childhood without a helmet--what are the odds?"


But the world has changed since I was a kid. Experience and reason won out and nowadays, most of us not only have our kids wear helmets, but we wear them ourselves.

A conversation with a very reasonable municipal clerk yesterday reminded me of bike helmets.  The conversation ended well (usually does) but started the same way that 99.9% of these conversations do: with the otherwise sensible elections official reflexively running through a predictable list of objections:

  • "We do pre-election tests" (they quickly realize those tests cannot catch Election-Day miscounts, when you point it out);
  • "The county clerk programs our machines, not the voting-machine company" (they quickly realize setting the machine up for each election is different than programming it to count votes, when you point it out);
  • "We check and double check that the machines counted the right number of ballots" (they quickly acknowledge they don't check the accuracy of the VOTE count, when you point it out.)
  • "The machines are approved by the feds and by the GAB" and "We've done several recounts and always got the same result." (they quickly realize that says nothing about whether THIS machine worked right on THIS day in THIS contest, when you point it out).

When we realize we’ve been doing something stupidly dangerous, we seem hard wired to come up with reasons why we’re immune from danger or in control of events that we know are not truly controllable. I don't know any way around this human reflex.

One place where the analogy between bike helmets and verification of voting-machine output breaks down is that miscounted elections don’t leave blood on the street. Quite the opposite: even the most surprising voting-machine output fails to arouse alarm—heck, it doesn't even arouse curiosity. For example, Eric Cantor’s legislative career can get smashed to smithereens and no one thinks even to ask whether there was an accident or crime. (To this day, no one knows. But Virginia’s voting machines were investigated and decertified the following year when an obvious problem revealed itself: The machines stopped working when people tried to download music on cell phones in the polling place.) Kids would probably still be helmetless if we had a similar blind spot and lack of interest about childhood injuries.

It’s going to take patience, lots of talking, and unfortunately a few more obvious disasters. We have to continue to spread the word about accidents that revealed themselves (like Stoughton and Medford) and explain that all accidents likely aren’t as obvious; that thieves are always trying to steal, particularly from those they know won’t notice a theft; and that we need to start to take the responsible precautions we can--soon.

Add your reaction Share

Reality Bites: Election Officials' Remarks on Voting Machine Reliability

If some genie were to happen by and offer me three wishes, I fear that before world peace, I'd ask to understand our election officials' lack of interest in verification, when I'm sure they all have the sense to know why banks audit to make sure their computers credited deposits to the correct accounts. It puzzles me deeply.

clerksBlinders1.jpgYesterday. The chairman of Wisconsin's elections authority, the Government Accountability Board, was testifying before a legislative hearing to defend the agency's continued existence. One of his Republican executioners confronted him with the fact that the GAB had, for many years, neglected to perform statutorily required post-election audits. How could the Board, the questioner badgered, assure Wisconsin residents that their voting machines had counted correctly if they never did post-election audits?*

GAB Board Chairman Judge Gerald Nichol responded--right out in public, on the record, and apparently without embarrassment, "It is true we did not do the audits, but I don't find that too worrisome because our staff thoroughly tested the systems before they were approved for use in Wisconsin."

And--I'm not making this up--that answer appeared to satisfy his questioner.

Imagine what Judge Nichol or the legislator would have said if a banker testified, "We never audit, but I don't find that too worrisome because when we bought those computers, we tested one to make sure it was capable of counting correctly."

The over-the-top ridiculousness of that statement would be immediately evident to either of them in relation to a bank's computers, but neither seemed to think it in any way remarkable when the output in question was our election results.

ClerkBlinders2.jpgToday. I went to a large-group training where about two dozen municipal clerks were in attendance. I had several opportunities for one-on-one chats, and I used them to feel a few officials out about their level of awareness of voting machine accuracy. I've learned to start such conversations with praise for their efforts in double-checking that the machines counted the right number of ballots--which they do quite well.

"I'm conducting sort of an informal survey about clerks' thoughts on voting machine accuracy," I would start. "I know you know for a fact that the machines always count the correct number of ballots--you've got that nailed down. But what's your level of trust that the machines counted the right number of votes?"

Most conversations go one of three ways from there. The worst conversations don't even get started (two tonight, but I've gotten this reaction on other occasions). The question explodes some landmine: "Our voting machines are accurate! We test and double test and maintain the very best security. Our election results are always accurate, I'd bet my life on it." Any follow-up question (e.g., Can you tell me what gives you that confidence?) will be met with only more anger, and the clerk or poll worker will walk away. The Topic Must Not Be Raised.

The second typical response is less emotional, but no more productive: Some election officials will be unable to understand the question no matter how you phrase and rephrase it. It's as if you are asking "What do you do when the sun comes up in the west?" They mentally rephrase the question into something that makes sense to them and start talking about that. The elections official will describe the process for checking that the machines counted the right number of ballots, and I'll politely wait until she is done, and then ask the question again more specifically: "Yes, but how often do you think the number of votes--that is, the number of votes for Jones, and the number for Smith--are correct or incorrect?" The elections official will repeat the explanation about verifying the number of ballots, or tell you how the machines reject over-votes, or how they check their addition during the municipal canvass, or some other thing. I'm usually the one that ends these conversation, because I start to feel I'm being mean.

The third most typical response is that they 'correct' the question rather than answering it. In a you-should-know-this tone, they will say something like: "The machines cannot miscount," or "Accuracy is the county canvass job."  I had two of these conversations tonight. They don't go anywhere, either. Once this type of election official has decided you are just naive, they switch to an all-talk-no-listen mode.

Of seven or eight conversations I started tonight, only one unfolded into a genuine exchange of information. The clerk responded to my question with, "I would say I'm pretty close to 100% confident, but it does bother me we don't know for sure. I've never discovered any miscount in the pre-election test--that's what gives me confidence--but I know that doesn't guarantee they'll count right on Election Day."  Wow. Town of York voters, you're in sensible hands.

For the life of me, I cannot understand this mental block. It would be easy to say "People are naive about computers," but this level of blindness affects their thinking about only voting machines--no other computers.

Some sort of reflexive emotional-defense denial is a possibility--the thought of incorrect election results is just so horrifying that they cannot permit its presence. Maybe, but most of an elections official's work is dedicated to preventing various mistakes and frauds. It's simply not believable to me that they could not already have accepted the idea that something could go wrong.

Different officials probably have different reasons. For example, it seems that those who react immediately with anger, taking offense that you would even ask about electronic miscounts, are at some level aware that they might be certifying inaccurate totals--otherwise, why would they be so defensive?

But the others--I genuinely cannot guess.


* Just for the record, with the audit procedures the Board uses, final Wisconsin election results are unprotected against electronic miscounts whether the Board does the audits or not. Even if they had done them, their procedures are not designed to detect and correct incorrect election outcomes. Among other problems, they use a too-small sample size and have no provision for expansion of the audit beyond a single precinct if a miscount was discovered. The audits are performed after election results are certified as final, so unaudited voting-machine output determines the 'winners' regardless.

Read more
1 reaction Share

Quick FAQ about verification using digital images


What are the digital images?
Two types of voting machines approved for use in Wisconsin--the ES&S DS200 and the Dominion Imagecast system--preserve a digital image of each ballot at the moment it is cast. The votes, in fact, are read and counted as the machine 'looks at' the digital image, not the ballot. 
The machines can be set up to discard the digital images or preserve them. GAB has wisely required Wisconsin election officials to preserve them.

How are they stored?
We haven't yet worked with the Dominion images, but the DS200 images are stored on flashdrives--the same flashdrive that contains the set-up coding for the ballot. After polls close, the flashdrives should be transported securely to the county clerk. In Dane County, they are downloaded into a central computer, and copies can be made for any individual or group filing an open-records request. Dane County charges about $18, mostly to cover the cost of the new flashdrive they use for the copy.

Are the images clear?
The DS200 images are .pbm files with an impressive resolution: 3,856,896 pixels per each side of the ballot. The pixels are either black or white; there's no gray, so some of the gray-shaded areas can show up as funny patterns, but the votes themselves and things like the poll workers' initials show up clearly and precisely. 

Can the digital images be hacked?
Yes, of course. Data created or processed by a computer can be altered by a computer. The computer professionals we work with--John Washburn of Washburn Research, Prof. Douglas Jones of the University of Iowa, and Paul Lindquist, a Microsoft programmer who works with our group--all agree, however, that altering digital images would present multiple significant  challenges that traditional electronic vote-flipping does not. Washburn likened hacking only vote totals to climbing over a three-foot garden retaining wall, and hacking digital images to climbing over a castle wall. 
These difficulties include:

  1. Preparing ballot images before the election to substitute them for images of actual ballots would be highly detectable. You'd have to be able to duplicate the poll workers' initials; predict the turnout; and invent outcomes in every race, not just the one you want to hack.
  2. If an insider--say at the voting machine company--wanted to write a hack that would simply move a few pixels around (that is, moving the image of the voter's mark from one candidate to another), he or she would need to know the ballot layout before writing the hack. Because ballot layouts differ by jurisdiction and are not finalized until 6-8 weeks before each election, this both complicates the hack and reduces the window of opportunity for writing and distributing it.
  3. The processing power of voting machines is not great. They are usually designed to be as cheap as possible, and so are built with only enough processing power to do the relatively simple tasks they are designed to do. Altering digital images may (we don't know for sure until a truly independent professional assesses it) take more processing power than the machines possess. If someone did insert programming that made the machines alter the images before detecting votes and storing the image, that programming could noticeably slow the machine down or cause it to freeze up.
  4. The digital images could easily be altered, one by one, after the election. Based only on my own pretty-darn-good Photoshop skills, I'm guessing I could change the votes at a rate of 3-4 seconds per ballot, once I loaded them and the digital-image-editing software into my computer. Personally, I wouldn't know how to prevent evidence of the edit from being saved with the file, but I'm sure someone does. If someone was going to alter the outcome of an election using this method, however, he or she would need to have the access and skills to both hack the machines before Election Day to manipulate the vote totals, and then have access to the digital image files after Election Day to manipulate the images to match the totals he or she hacked into the machine. The best way to make sure a records custodian with hacking skills doesn't do this is to quickly make and distribute copies of the digital-image files after the polls close.

If the digital images can be hacked, what's the point in using them in verification? 
Neither human error nor unintentional malfunction would move pixels on a digital image from Candidate A to Candidate B, so any miscounts caused by unintentional error or malfunction will be detectable in a digital-image audit. In addition, no one will be trying to cover them up.

And we lose the deterrence value of the digital images if we don't use them in routine verification. If hackers know no one is ever going to look at the digital images, they won't need to bother with altering them; they will be able to use the easier vote-total-altering  hacks. 

 How can digital images be used in verification?
The Wisconsin Election Integrity Action Team has written read-only software (open source, provided for free to any clerk or citizen's group that wants to use it) that allows the digital images to be projected as a slide show. The images can be projected at a rate of 1, 1.5, or 2 seconds per ballot, and the projected image can zoom in on any section of the ballot. The slide show pauses after each 25 images to allow counters to verify subtotals. If you want to see what a vote-counting slide show looks like, check out this video, and skip to 19:40.

Without the need to sort, stack, straighten out, and flip over paper ballots, counting votes from a slide show is breathtakingly fast. A precinct with 1,200 ballots can easily be counted in under 45 minutes. The process is also fully transparent: Every observer can see exactly what the official counters see, and can count right along with them.

Can the digital images be checked against the paper ballots to make sure they are true copies?

They can and they should, but getting that done is going to take a lot of work--logistical work and psychological work. We'll have to get back to this after we get a few counties up and running with digital-image verification.

Logistical issue: The DS200 images don't contain any marks (that we know of) that would allow them to be matched to individual paper ballots. However, every ballot is unique in the placement and style of poll workers' initials, irregularities of stamps, and the voters' marks themselves. With careful, time-consuming work, I'm thinking you could match enough of the ballots from one precinct to that precinct's digital images to achieve confidence that they are the same or gather enough evidence to indicate a need to discard the digital images as flawed and verify the outcomes with the paper ballots instead. 

Psychological issue: Wisconsin's election officials, providing comfort and joy to potential election thieves everywhere, are terrified of unsealing ballot bags once they've been sealed on Election Night. They would much, much, much rather risk certifying the wrong winner than risk opening a sealed ballot bag for verification purposes. There's no question that they have the legal authority to open ballot bags for verification purposes if they choose to; it's only folklore that they don't. But they are convinced--down to their bone marrow--that irrational angry partisans will charge them with tampering with the ballots if they unseal the ballot bags, even if they do so in the presence of witnesses while religiously following instructions for maintaining a clear chain of custody. 

I'd rather stay away from bullying our public officials, but any clerk who makes that argument is telling us, loud and clear: "I make my policy decisions only in deference to irrational angry bullying; I don't respond to reason and polite requests." Let's work with them cordially for as long as we can, but if any clerk continues to use this excuse as his or her reason for refusing to ensure election results are accurate, responsible citizens will need to criticize and bully them harder than the irrational partisans do.

1 reaction Share

Why Dane County? Why not?

Dane.jpgRecently, WORT invited me and Dane County Clerk Scott McDonell to be interviewed during the same noon-hour program. I came prepared to talk about the need to verify voting-machine output; McDonell was prepared to talk about voter suppression; and call-in questions took the conversation in even other directions.

Despite the disjointed conversation, McDonell got across the point that while the voting-machine software is in his control, he maintains pre-election security for our voting machines as well as any county clerk. I agreed he could be right about that.

I got across the point that, regardless of ongoing security, routinely checking computer output is a universal, basic IT management practice—one that is not now done for Dane County elections.

Just common sense, but nevertheless, sitting across the desk from host Yuri Rashkin, I got the feeling I wasn’t making much sense to him. Our short conversation after the show confirmed that.

Read more
Add your reaction Share