Too scared even to talk?

Before I retired, I worked in quality assurance for a program that delivered health care and daily living support in clients’ homes. It was a non-military government program, so the provider agencies never had more than a skeleton staff on a shoestring budget. There was rarely only one right way to do anything. Whether because of or in spite of that, most managers were willing to think and talk about quality improvement.

But there were always a few who could be counted on to insist everything was already as good as they could make it, and would resist even learning about any new ideas.  

I’m seeing the more of these folk now that I’m working in volunteer election-integrity work.

Verifying computer output is not a novel idea; no sensible person doubts the need to check accuracy whether the output is our property tax bills or our election results. Wisconsin statutes require clerks to keep an ‘auditable’ paper record of every ballot, not a ‘decorative’ one, so we can safely infer that legislative intent had something to do with checking accuracy.

BreezeofChange.jpgElections officials who are willing to acknowledge those facts can converse fairly readily about the practical questions: How many ballots do we have to examine before we can be confident we’ve identified the right winners? How can we do that in the time available? If I innovate, what opposition can I anticipate and who is willing to back me up? No local official in Wisconsin that I know of has yet decided to make any improvement but with some, the conversation continues and focuses more on reasonable problem-solving than on rationalizing denial.

But there are many election officials who, when they catch even a whiff of change wafting in on a gentle breeze, batten down the hatches as if expecting a hurricane.

Late last month, I sent a for-your-information letter to each of the 61 municipal clerks in a county where we’re working on raising awareness of the need for verification and its practical solution. Because many are sensitive to any hint of criticism, the letter made it clear that we were asking for change in only county procedures, not municipal ones. In describing what we would be asking of the county, I chose the most respectful, non-threatening, benign words possible without misleading them about the fact that we are asking for improvement. The letter ended with an offer to visit the municipal clerk, at his or her convenience, to talk more about the issue.

Two weeks later, I found one response in my email inbox. After a few comments that revealed significant naiveté about the inherent limitations of the clerks' IT security measures, the municipal clerk wrote:

I tire of these subtle (and sometimes blatant) indictments of a system where it is obvious that no one has taken the time to confer with the clerks first. Instead, they pattern advice on what is assumed to be true.  Also, I get the impression someone is prepared to sell us some proprietary software to “fix” a non-problem.

Well, at least he responded. That put him ahead of all the others.

I shushed the devil on my shoulder that wanted to point out that if the writer had genuinely wanted to confer, he could have accepted my offer to meet rather than complaining that we’d never met.  In my actual response, I explained some of the basics of prudent IT security as briefly as I could, taking care to work in reference to having spoken with many clerks.

ConfidentHouse.jpgBut I did not bother to reiterate my offer to meet with him, and I don’t expect to hear back. When someone has boarded up all his mental doors and windows, my guess is that the best thing is to let him calm down in silence until he realizes there won’t be a hurricane.

The disheartening thing is that the people who are open to the breezes of change are not those who are in a position to implement improvements.

Voters and poll workers, to start with, are very interested when they learn that election results could be made safe from electronic miscounts. They know how much they have invested in elections, and how tragic it would be to lose it all to a computer glitch, when such a loss could easily be prevented.

State and national officials are interested, too. It's the national authorities' recommendations that we're trying to get local elections officials to heed. And last July, when we gave a public demonstration of an efficient new verification method, attendance at the event included the director of the state Government Accountability Board and his chief elections manager; the director of the state League of Women Voters; and a nationally-renowned, federal-government-advising expert on election technology and computer-science professor from a neighboring state.

From within a 30-mile radius, we had also invited 3 county elections officials, 37 county board supervisors, and 61 municipal clerks. Not one of them showed up. Not one.

Among the fingers-in-my-ears-I-can’t-hear-you responses received from local officials over the past few years:

  • Every excuse short of “I’m planning on washing my hair that night.” If an election is coming up within two months, they are too busy preparing to talk. If an election is more than two months away, they will be willing to talk about election administration issues when they are more timely.  One municipal clerk begged off attendance at a public meeting by saying she’d be too busy registering voters—at 8:00 PM. (She has a staff of seven.)
  • They’re just so busy with everything else all the time, they cannot even read the invitation. One county board supervisor told me not to expect a response from any other county board supervisor because “We get so many emails we don’t read them.”
  • It’s not my job: “You don’t need to talk to me because I’m (not on that committee; not in the majority; from a neighborhood too affected by Voter ID…).”
  • And, of course, silence.

This cannot go on forever. We will get their attention somehow, and for their sake, I hope it's before the next serious electronic miscount gives us cause to shout “I told you so!”

Add your reaction Share

What cardboard skeletons teach us about voting-machine security

Our local election officials do the best they can with voting-machine security--really, they do. They might or might not understand the dangers of illicit installation of wireless communications chips or software tampering, but they all know they need to keep those machines safely locked up between elections in town hall storage rooms, village police garages, and various other secure compartments.

I cannot count the times that local elections officials have earnestly reassured me of their diligence about that, and I sincerely believe every word. It seems rude to remind them that no matter how hard they try, they cannot count on having complete control, so I try to be gentle when I tell them that they still need to check the output for accuracy, just in case.

HalloweenDecor.jpgBut one Connecticut town clerk got the message loud and clear when she went to retrieve the voting machine for an upcoming election and, to her great dismay, found it festooned with crepe paper and cardboard skeletons. One of the town board members had accommodated a local high school club's request to use the town hall for a Halloween haunted house evening and had borrowed the janitor's key ring for the event. The dusty, dark storage room made a perfect place for the skeletons.

That Connecticut elections clerk retired to Wisconsin, and I ran into her at a party tonight. Her story was the most humorous I've heard, but it's unusual only in its colorful details. A Wisconsin county clerk once told me of returning from vacation to find the door to the room where the county election-management computer room hanging wide open. The county executive told her the cleaning crew had decided to take her vacation as an opportunity to clean that room. He apologized that they'd neglected to close the door when they left, but neither he nor the county clerk had realized the cleaning crew's master key worked on that door, too.

Towns, villages, and cities are run by normally competent and well-meaning people who generally do the very best we can expect of them. But management tasks are frequently handled by part-time employees or even volunteers, and executive oversight is provided by local elected officials who often have even less training and experience.

We cannot imagine we can protect our voting machines from tampering simply by demanding local elections officials maintain fool-proof security programs. It's just not within their power.

Transparent, rigorous post-election verification of voting machine output remains the only way local elections clerks, candidates, and voters can be sure that the machines performed accurately on Election Day--or discover if they did not in time to correct the output.

Add your reaction Share

Reason or rationalization? Arguments against verifying voting-machine output

Reasoning.jpgWhen my physical therapist asks why I didn’t do the prescribed exercises, I could reply, “Because they are uncomfortable, I am clumsy, and I feel like an idiot when I do them.” Those are the real reasons--not admirable, but honest.

But if I replied, “I don’t have room anywhere in my house;” or “Your instructions confused me,” those would be rationalizations—self-serving half-truths or untruths created for the purpose of either concealing my true motivations or deflecting the conversation.

Because there is no good reason for declaring unaudited voting-machine output to be final election results, anyone who defends the practice must argue based on 1) honest but weak reasons or 2) rationalizations.

Rationalization.jpgThe county clerk where I live rationalizes. Last week, a curious newspaper editor asked me to explain the clerk’s reasons for opposing verification, so I provided her with a long, defensive memo the clerk had written for county board supervisors and explained it line by line—850 words of pure rationalization. Verifying voting-machine output is ‘outside the law’ (No, it’s not.) It would require a full recount. (No, it wouldn’t.) Pre-election testing makes post-election checking unnecessary. (No, it doesn’t.)  I almost felt silly for wasting the editor’s time. I wanted to say, “Can I just tell you that these are all just excuses and red herrings, and offer you some facts instead?”

Other county clerks I’ve encountered give honest reasons for not verifying the accuracy of the voting machines’ output. A clerk in a nearby county once gave me a very heartfelt description of his fear of sparking partisan accusations of ‘tampering’ with the election record if he opened the ballot bags after they were sealed on Election Night.  His honesty gave us an opportunity to talk about the sorts of things supportive citizens could do to shield him from such attacks.

Yesterday, I chatted with another elections official. She earned my respect for her integrity, if not her insight, as she struggled for several minutes to articulate her reasons for opposing post-election audits: “Once we start to treat election results as something that can be open to question, where does it stop? We will audit and then someone will say “Yeah, well, the audit was rigged.” Then we’ll need to audit the audit and where does it end?”

The slippery-slope argument is always suspect, but deserves respect when it is someone's genuine concern.  And in part, she is right: A small proportion of sore losers will always find fault with the process, which will always have flaws. But they’re complaining now, so we have nothing to lose with them. And if we reject every improvement that won't please them, we can never move forward.

The vast majority of voters, however, will be more confident in election results if officials make at least one transparent, credible pass at verifying the accuracy of the computer output. Other public officials who audit their computer output don't have an unmanageable  problem with demands that they audit their audits. Finally, the difference between one audit and none at all is likely to make a world of difference to a would-be electronic thief as he considers whether to hack our vote-counting software.

I have a lot of respect for the reasoners, even if we disagree. Their well-motivated effort to articulate what they honestly see as problems and to stay engaged in the conversation is invaluable in moving forward. The rationalizers? I dunno. Constructive conversation with them is impaired if not impossible. After all, that is why people rationalize--to shut down productive conversation. And if they don't engage in problem-solving conversation, we just have to go around them to others. Although I genuinely dislike showing someone up to be foolish or dishonest, I don't yet see any other option.


Dane County, Wisconsin residents: Please visit this county citizen-feedback webpage, and vote for the petition seeking verification of our voting-machine output. (Use a desktop, laptop, or tablet--users say that the site does not yet work well on smartphones.) 

Add your reaction Share

Think of it as a critical administrative task, not a challenge to preliminary results

Verifying voting-machines output before declaring election results final is such a no-brainer, I find myself spending significant brain power trying to figure out why so many people cannot see that.

Take the computer out of the voting machine and into any other office in county government...or city government, or state, federal, private business or even your own home, and no one would dream of using its output to make a decision even half as consequential as who will govern us before they have verified the computer output was correct. Stick it in a voting machine, and everyone (except probably the hackers) sees it as some sort of Greek Oracle--whatever it prints out Must Be The Truth.

FourFatesCartoon.jpgIt's occurred to me that one problem might be that we all get caught up in elections as contests--this side versus that side. When preliminary results are announced on Election Night, those tagged as winners want to celebrate. The head-spinning rapidity with which candidates concede to unaudited computer tape may be a good indicator of how very much they just want it to be over once the voting-machine oracle has spoken. After all, they need to get back to finishing up their campaign-finance reports--those need to be accurate.

Instead of standing back, unemotionally, from the task and treating voting-machine output like we would any that supporting any other big decision, we perceive post-election verification as a continuation of the winners-and-losers drama. Instead of acting like sober grown-ups, we act like spectators at a ball game, condemning anyone who questions the ref. In the past two weeks, I've read a lot of online discussion of the odd results in Kentucky and Ohio. Nearly every discussion gets derailed into a discussion of people's motives for questioning the output or into evidence-free speculation on other reasons for the outcomes. I cannot think of any other circumstance in which people don't demand an answer to the first question, "Are we sure that's correct?" before, or at least while, speculating on other possibilities.

Yesterday, I introduced the topic of verifying voting-machine output to a sharp young democracy activist from Milwaukee. She is already deeply immersed in the fights for redistricting reform, getting the money out of politics, and even proportional representation. She seemed to catch on quickly, but after nodding and asking a few good questions, she asked, "So what makes you think there's a problem?"

She fully understood and accepted the fact that we routinely swear people into office on the basis of unverified computer output--but she didn't perceive that as a 'problem' unless I could present her with evidence that some competitor had been unfairly denied a victory. (I'm polite when I get this response, but one of these days: "I just informed you that no one would know if our elections were being stolen, and you respond by asking whether any elections have been stolen. Let me start again at the beginning...")

Election integrity activists need to point out that verification isn't necessary for the purpose of changing preliminary results; it's necessary to make sure they are, in fact, the results.

We need to speak relentlessly of post-election verification as a routine, basic administrative procedure, rather than as a challenge to this outcome or that. We need to point out the three-legged stool of a) ongoing security, b) pre-operation testing, and c) post-operation verification that every other computer-dependent manager relies upon, and point out that elections administrators are the only managers who pull off and discard that third leg.

A business manager doesn't wait for the owner to contest the bank deposit before he will agree to reconcile the receipts with the cash-register print-out. The city treasurer doesn't need citizens storming his office complaining of inaccurate property tax bills before he makes sure they are being calculated correctly. We don't need to demand a recount from our bank before they audit their books to confirm that all deposits were credited to the correct accounts.

Routine verification of computer output is standard administrative practice, not a continuation of a contentious political campaign.  

Add your reaction Share

Bike helmets and post-election verification

When I was a kid, bike helmets were unknown. I didn't get hurt and none of my friends got hurt in any way that didn't heal in a few weeks. We know better now, but whenever I put on a bike helmet, I still hear that little devil on my shoulder: "It's inconvenient." "It looks dorky." "I can't feel the wind in my hair." "I can't see as well." "I know how to be careful on a bike.” “I survived childhood without a helmet--what are the odds?"


But the world has changed since I was a kid. Experience and reason won out and nowadays, most of us not only have our kids wear helmets, but we wear them ourselves.

A conversation with a very reasonable municipal clerk yesterday reminded me of bike helmets.  The conversation ended well (usually does) but started the same way that 99.9% of these conversations do: with the otherwise sensible elections official reflexively running through a predictable list of objections:

  • "We do pre-election tests" (they quickly realize those tests cannot catch Election-Day miscounts, when you point it out);
  • "The county clerk programs our machines, not the voting-machine company" (they quickly realize setting the machine up for each election is different than programming it to count votes, when you point it out);
  • "We check and double check that the machines counted the right number of ballots" (they quickly acknowledge they don't check the accuracy of the VOTE count, when you point it out.)
  • "The machines are approved by the feds and by the GAB" and "We've done several recounts and always got the same result." (they quickly realize that says nothing about whether THIS machine worked right on THIS day in THIS contest, when you point it out).

When we realize we’ve been doing something stupidly dangerous, we seem hard wired to come up with reasons why we’re immune from danger or in control of events that we know are not truly controllable. I don't know any way around this human reflex.

One place where the analogy between bike helmets and verification of voting-machine output breaks down is that miscounted elections don’t leave blood on the street. Quite the opposite: even the most surprising voting-machine output fails to arouse alarm—heck, it doesn't even arouse curiosity. For example, Eric Cantor’s legislative career can get smashed to smithereens and no one thinks even to ask whether there was an accident or crime. (To this day, no one knows. But Virginia’s voting machines were investigated and decertified the following year when an obvious problem revealed itself: The machines stopped working when people tried to download music on cell phones in the polling place.) Kids would probably still be helmetless if we had a similar blind spot and lack of interest about childhood injuries.

It’s going to take patience, lots of talking, and unfortunately a few more obvious disasters. We have to continue to spread the word about accidents that revealed themselves (like Stoughton and Medford) and explain that all accidents likely aren’t as obvious; that thieves are always trying to steal, particularly from those they know won’t notice a theft; and that we need to start to take the responsible precautions we can--soon.

Add your reaction Share

Reality Bites: Election Officials' Remarks on Voting Machine Reliability

If some genie were to happen by and offer me three wishes, I fear that before world peace, I'd ask to understand our election officials' lack of interest in verification, when I'm sure they all have the sense to know why banks audit to make sure their computers credited deposits to the correct accounts. It puzzles me deeply.

clerksBlinders1.jpgYesterday. The chairman of Wisconsin's elections authority, the Government Accountability Board, was testifying before a legislative hearing to defend the agency's continued existence. One of his Republican executioners confronted him with the fact that the GAB had, for many years, neglected to perform statutorily required post-election audits. How could the Board, the questioner badgered, assure Wisconsin residents that their voting machines had counted correctly if they never did post-election audits?*

GAB Board Chairman Judge Gerald Nichol responded--right out in public, on the record, and apparently without embarrassment, "It is true we did not do the audits, but I don't find that too worrisome because our staff thoroughly tested the systems before they were approved for use in Wisconsin."

And--I'm not making this up--that answer appeared to satisfy his questioner.

Imagine what Judge Nichol or the legislator would have said if a banker testified, "We never audit, but I don't find that too worrisome because when we bought those computers, we tested one to make sure it was capable of counting correctly."

The over-the-top ridiculousness of that statement would be immediately evident to either of them in relation to a bank's computers, but neither seemed to think it in any way remarkable when the output in question was our election results.

ClerkBlinders2.jpgToday. I went to a large-group training where about two dozen municipal clerks were in attendance. I had several opportunities for one-on-one chats, and I used them to feel a few officials out about their level of awareness of voting machine accuracy. I've learned to start such conversations with praise for their efforts in double-checking that the machines counted the right number of ballots--which they do quite well.

"I'm conducting sort of an informal survey about clerks' thoughts on voting machine accuracy," I would start. "I know you know for a fact that the machines always count the correct number of ballots--you've got that nailed down. But what's your level of trust that the machines counted the right number of votes?"

Most conversations go one of three ways from there. The worst conversations don't even get started (two tonight, but I've gotten this reaction on other occasions). The question explodes some landmine: "Our voting machines are accurate! We test and double test and maintain the very best security. Our election results are always accurate, I'd bet my life on it." Any follow-up question (e.g., Can you tell me what gives you that confidence?) will be met with only more anger, and the clerk or poll worker will walk away. The Topic Must Not Be Raised.

The second typical response is less emotional, but no more productive: Some election officials will be unable to understand the question no matter how you phrase and rephrase it. It's as if you are asking "What do you do when the sun comes up in the west?" They mentally rephrase the question into something that makes sense to them and start talking about that. The elections official will describe the process for checking that the machines counted the right number of ballots, and I'll politely wait until she is done, and then ask the question again more specifically: "Yes, but how often do you think the number of votes--that is, the number of votes for Jones, and the number for Smith--are correct or incorrect?" The elections official will repeat the explanation about verifying the number of ballots, or tell you how the machines reject over-votes, or how they check their addition during the municipal canvass, or some other thing. I'm usually the one that ends these conversation, because I start to feel I'm being mean.

The third most typical response is that they 'correct' the question rather than answering it. In a you-should-know-this tone, they will say something like: "The machines cannot miscount," or "Accuracy is the county canvass job."  I had two of these conversations tonight. They don't go anywhere, either. Once this type of election official has decided you are just naive, they switch to an all-talk-no-listen mode.

Of seven or eight conversations I started tonight, only one unfolded into a genuine exchange of information. The clerk responded to my question with, "I would say I'm pretty close to 100% confident, but it does bother me we don't know for sure. I've never discovered any miscount in the pre-election test--that's what gives me confidence--but I know that doesn't guarantee they'll count right on Election Day."  Wow. Town of York voters, you're in sensible hands.

For the life of me, I cannot understand this mental block. It would be easy to say "People are naive about computers," but this level of blindness affects their thinking about only voting machines--no other computers.

Some sort of reflexive emotional-defense denial is a possibility--the thought of incorrect election results is just so horrifying that they cannot permit its presence. Maybe, but most of an elections official's work is dedicated to preventing various mistakes and frauds. It's simply not believable to me that they could not already have accepted the idea that something could go wrong.

Different officials probably have different reasons. For example, it seems that those who react immediately with anger, taking offense that you would even ask about electronic miscounts, are at some level aware that they might be certifying inaccurate totals--otherwise, why would they be so defensive?

But the others--I genuinely cannot guess.


* Just for the record, with the audit procedures the Board uses, final Wisconsin election results are unprotected against electronic miscounts whether the Board does the audits or not. Even if they had done them, their procedures are not designed to detect and correct incorrect election outcomes. Among other problems, they use a too-small sample size and have no provision for expansion of the audit beyond a single precinct if a miscount was discovered. The audits are performed after election results are certified as final, so unaudited voting-machine output determines the 'winners' regardless.

Read more
1 reaction Share

Quick FAQ about verification using digital images


What are the digital images?
Two types of voting machines approved for use in Wisconsin--the ES&S DS200 and the Dominion Imagecast system--preserve a digital image of each ballot at the moment it is cast. The votes, in fact, are read and counted as the machine 'looks at' the digital image, not the ballot. 
The machines can be set up to discard the digital images or preserve them. GAB has wisely required Wisconsin election officials to preserve them.

How are they stored?
We haven't yet worked with the Dominion images, but the DS200 images are stored on flashdrives--the same flashdrive that contains the set-up coding for the ballot. After polls close, the flashdrives should be transported securely to the county clerk. In Dane County, they are downloaded into a central computer, and copies can be made for any individual or group filing an open-records request. Dane County charges about $18, mostly to cover the cost of the new flashdrive they use for the copy.

Are the images clear?
The DS200 images are .pbm files with an impressive resolution: 3,856,896 pixels per each side of the ballot. The pixels are either black or white; there's no gray, so some of the gray-shaded areas can show up as funny patterns, but the votes themselves and things like the poll workers' initials show up clearly and precisely. 

Can the digital images be hacked?
Yes, of course. Data created or processed by a computer can be altered by a computer. The computer professionals we work with--John Washburn of Washburn Research, Prof. Douglas Jones of the University of Iowa, and Paul Lindquist, a Microsoft programmer who works with our group--all agree, however, that altering digital images would present multiple significant  challenges that traditional electronic vote-flipping does not. Washburn likened hacking only vote totals to climbing over a three-foot garden retaining wall, and hacking digital images to climbing over a castle wall. 
These difficulties include:

  1. Preparing ballot images before the election to substitute them for images of actual ballots would be highly detectable. You'd have to be able to duplicate the poll workers' initials; predict the turnout; and invent outcomes in every race, not just the one you want to hack.
  2. If an insider--say at the voting machine company--wanted to write a hack that would simply move a few pixels around (that is, moving the image of the voter's mark from one candidate to another), he or she would need to know the ballot layout before writing the hack. Because ballot layouts differ by jurisdiction and are not finalized until 6-8 weeks before each election, this both complicates the hack and reduces the window of opportunity for writing and distributing it.
  3. The processing power of voting machines is not great. They are usually designed to be as cheap as possible, and so are built with only enough processing power to do the relatively simple tasks they are designed to do. Altering digital images may (we don't know for sure until a truly independent professional assesses it) take more processing power than the machines possess. If someone did insert programming that made the machines alter the images before detecting votes and storing the image, that programming could noticeably slow the machine down or cause it to freeze up.
  4. The digital images could easily be altered, one by one, after the election. Based only on my own pretty-darn-good Photoshop skills, I'm guessing I could change the votes at a rate of 3-4 seconds per ballot, once I loaded them and the digital-image-editing software into my computer. Personally, I wouldn't know how to prevent evidence of the edit from being saved with the file, but I'm sure someone does. If someone was going to alter the outcome of an election using this method, however, he or she would need to have the access and skills to both hack the machines before Election Day to manipulate the vote totals, and then have access to the digital image files after Election Day to manipulate the images to match the totals he or she hacked into the machine. The best way to make sure a records custodian with hacking skills doesn't do this is to quickly make and distribute copies of the digital-image files after the polls close.

If the digital images can be hacked, what's the point in using them in verification? 
Neither human error nor unintentional malfunction would move pixels on a digital image from Candidate A to Candidate B, so any miscounts caused by unintentional error or malfunction will be detectable in a digital-image audit. In addition, no one will be trying to cover them up.

And we lose the deterrence value of the digital images if we don't use them in routine verification. If hackers know no one is ever going to look at the digital images, they won't need to bother with altering them; they will be able to use the easier vote-total-altering  hacks. 

 How can digital images be used in verification?
The Wisconsin Election Integrity Action Team has written read-only software (open source, provided for free to any clerk or citizen's group that wants to use it) that allows the digital images to be projected as a slide show. The images can be projected at a rate of 1, 1.5, or 2 seconds per ballot, and the projected image can zoom in on any section of the ballot. The slide show pauses after each 25 images to allow counters to verify subtotals. If you want to see what a vote-counting slide show looks like, check out this video, and skip to 19:40.

Without the need to sort, stack, straighten out, and flip over paper ballots, counting votes from a slide show is breathtakingly fast. A precinct with 1,200 ballots can easily be counted in under 45 minutes. The process is also fully transparent: Every observer can see exactly what the official counters see, and can count right along with them.

Can the digital images be checked against the paper ballots to make sure they are true copies?

They can and they should, but getting that done is going to take a lot of work--logistical work and psychological work. We'll have to get back to this after we get a few counties up and running with digital-image verification.

Logistical issue: The DS200 images don't contain any marks (that we know of) that would allow them to be matched to individual paper ballots. However, every ballot is unique in the placement and style of poll workers' initials, irregularities of stamps, and the voters' marks themselves. With careful, time-consuming work, I'm thinking you could match enough of the ballots from one precinct to that precinct's digital images to achieve confidence that they are the same or gather enough evidence to indicate a need to discard the digital images as flawed and verify the outcomes with the paper ballots instead. 

Psychological issue: Wisconsin's election officials, providing comfort and joy to potential election thieves everywhere, are terrified of unsealing ballot bags once they've been sealed on Election Night. They would much, much, much rather risk certifying the wrong winner than risk opening a sealed ballot bag for verification purposes. There's no question that they have the legal authority to open ballot bags for verification purposes if they choose to; it's only folklore that they don't. But they are convinced--down to their bone marrow--that irrational angry partisans will charge them with tampering with the ballots if they unseal the ballot bags, even if they do so in the presence of witnesses while religiously following instructions for maintaining a clear chain of custody. 

I'd rather stay away from bullying our public officials, but any clerk who makes that argument is telling us, loud and clear: "I make my policy decisions only in deference to irrational angry bullying; I don't respond to reason and polite requests." Let's work with them cordially for as long as we can, but if any clerk continues to use this excuse as his or her reason for refusing to ensure election results are accurate, responsible citizens will need to criticize and bully them harder than the irrational partisans do.

1 reaction Share

Why Dane County? Why not?

Dane.jpgRecently, WORT invited me and Dane County Clerk Scott McDonell to be interviewed during the same noon-hour program. I came prepared to talk about the need to verify voting-machine output; McDonell was prepared to talk about voter suppression; and call-in questions took the conversation in even other directions.

Despite the disjointed conversation, McDonell got across the point that while the voting-machine software is in his control, he maintains pre-election security for our voting machines as well as any county clerk. I agreed he could be right about that.

I got across the point that, regardless of ongoing security, routinely checking computer output is a universal, basic IT management practice—one that is not now done for Dane County elections.

Just common sense, but nevertheless, sitting across the desk from host Yuri Rashkin, I got the feeling I wasn’t making much sense to him. Our short conversation after the show confirmed that.

Read more
Add your reaction Share

If you smell something

JonStewart1-small.jpg(Updated after publication; see note at end.) When Jon Stewart signed off last night, his parting gift was a bit of sound advice. “Bullshit is everywhere,” he said. “So if you smell something, say something.”

Political bullshit, Stewart explained, comes in three flavors. First, it's used to make bad things sound like good things, like when politicians call it "The Patriot Act" instead of the "We're Going To Read All Your Email Act." Second, politicians use bullshit to hide bad things under piles of complexity, like using reams of complex regulations to make it look as if Congress is trying to control the bankers. Third is the 'bullshit of infinite complexity,' when they try to pretend action is impossible until we get more information, like when climate-change deniers pretend more research is needed.

Okay, Jon, this is for you: I smell something, and I'm saying something.

Take a look at this recent public-information memo from Dane County Clerk Scott McDonell and tell me what you smell.  I’m pretty sure anyone with basic knowledge of elections administration or computers will, as I do, detect a distinct odor of...complexity. Technical and procedural details are being used to avoid acknowledging a simple fact: No one routinely checks the accuracy of our voting machines' output before the county board of canvass declares election results final.


Add your reaction Share

Abnormal psychology? No, just normal human foibles.

HowToSteal-Patriot.jpgThis weekend, the Wisconsin Grassroots Network allowed the Election Integrity Action Team to use part of its booth at the annual state Democratic Convention. With a colorful pamphlet titled “How to Steal Wisconsin Elections” on one side, and “How to Protect Wisconsin Elections” on the other, I was able to start good conversations with more than 100 people, a large number of them involved in local elections administration in some capacity—mostly as poll workers or board of canvass members.

In general, the Democrats were skeptical whenever I offered the pamphlet with the “How to Steal” side up asking, “Want to know how to hack voting machines? The Republicans know, so you should, too.”

 But when I turned the pamphlet over to reveal the “How to Protect” side, they were  receptive, confirming my sense that people are tired of being educated about problems they cannot solve, while they are ready to welcome constructive information about solutions. 

Their reactions, after I’d given them the election-integrity elevator speech, confirmed that politically active people, like everyone else, typically assume our election results are routinely checked for accuracy and are shocked to learn they are not. Like all other sensible digital-age people, they immediately grasp the carelessness of that practice.

HowToProtect-Patriot.jpgDuring the entire two days I staffed the booth, all but one of the conversations went very well, often ending with the person asking for more literature and promising to talk to their county clerk when they got home.

I ran into only one person who vigorously argued with me, and I hope you’re as disturbed as I was by who it was—or might have been.

After taking the pamphlet with a frown, one man listened to my short speech and flatly told me I was wrong. Voting machines are reliably accurate, he said, and he should know: Before he retired, he tested voting machines for the Wisconsin Government Accountability Board and for the State Elections Board before that.

I realize he could have been misrepresenting himself, but he might not have been. I recognized the GAB staff attitude toward citizen input and their talking points.

As he argued, he revealed either that he was painfully ill-informed about voting machines and IT security, or that he thought I was and could be distracted with misinformation.  It was hard to tell.

For example, when I explained that the hacking information in the pamphlet was based on the findings of a national panel of voting-machine security experts, he said something along the lines of “The national experts’ findings are not applicable to Wisconsin. Wisconsin’s voting machines are programmed individually for each county—no hacker could get to all of them.”

I gently redirected him: “A hack wouldn't need to affect all the machines everywhere. Mathematically, you could change a statewide outcome merely by making one big county already likely to go for your candidate go even more decisively. Pundits will simply say, "Oh, wow. That party did a great get-out-the-vote effort in that county!"

"And besides, the national experts says that the most likely, most dangerous hack would affect the source code, not the set-up for each election. It's the set-up that is done separately for each county. The source code is programmed by just a few vendors.”

But he doubled down and insisted the source code is programmed individually into each voting machine by the counties.

We had drawn a few witnesses by now, so even though I suspected he knew it, I gave the basic explanation of the difference between programming the voting machine and setting it up for each election. (“When you get a new cell phone, it comes with lots of programming deep inside that neither you nor the salesperson touch as you set the phone up with your phone number and contacts.”)   I reminded him that the source code must be tested by independent laboratories and approved by the federal government and that once approved, no one is allowed to make changes.  If the voting machines’ source code is being “programmed individually,” as he claimed, someone is breaking the law. The speed with which he gave up that line of argument indicated to me he knew that all along.

He then tried the recount defense—claiming that if anyone suspects election results are wrong, they can demand a recount. Again, not knowing whether he was genuinely naïve or was hoping I was, I explained Wisconsin recount law. He finally conceded, “Well, yes, they would have to pay for the recount.” 

When I asked, “Would you trust a bank that refused to verify your check had been deposited to the right account unless you paid for the audit?”, he moved on to his next point. We then danced through a set of well-worn arguments.

He: Local election officials store their machines securely.

Me: Local election officials have no control over the security of the software while it is with ES&S, Dominion, and Command Central.

He: But those companies have wonderful, effective security.

Me: They would be in the IT-security consulting business if they could do IT security better than Anthem, eBay, Target, and Sony.

He: There are no miscounts.

Me: (Stoughton, Medford.)

He: Well, those should have been caught in pre-election voting machine tests.

Me: Right, but they were not. That’s why every human language has a word for ‘mistake,’ and why we need routinely to check Election-Day output for accuracy.

He: But you cannot just assume the computers are miscounting.

Me: Right. Just like you cannot assume they are counting accurately. Just like your municipal treasurer does not assume she’ll find errors as she spot checks the computer-generated property-tax bills before putting them in the mail. But she does it anyway because that’s what prudent managers do.

He: There’s not enough time or money for full recounts.

Me: No one is talking about full recounts. If you’ll stop arguing for a moment, I can tell you about sampling and risk-limiting auditing.

He: But you cannot assume any sample is representative.

Me: Right; that's why you calculate probability.

Of course, the conversation ended before he accepted the common-sense national consensus on routine verification of voting-machine output—but that was what I expected. You can tell when someone is engaging in sincere let’s-share-what-we-know conversation and when they are simply staking out a defensive position and reflexively contradicting everything you say. He was clearly doing the latter, so I let him leave when he ran out of breath. Who knows—maybe he went to his hotel room that night, gave the matter some sober thought, and moved slightly toward acceptance.

After he left, the handful of people who had been entertained by the exchange asked a few sincere questions and stayed for more information, so it turned out to be a useful exchange even if my antagonist never finds his way to common sense.

He might have been lying about having formerly tested voting machines for GAB, but I’m not lying when I say this sort of reaction is common (though far from universal) among Wisconsin elections officials from the state level on down. I had a very similar encounter with a municipal clerk just about a week before.

There’ s no need to condemn elections officials for this intellectual obstinacy, because psychological denial is a universal human foible. These men and women have likely certified dozens of elections without verifying accuracy, so it must be a real kick in the gut when they first realize how dangerous that is. When you introduce the notion they might have inadvertently certified hacked voting-machine output, I’m sure it feels to them as if you just suggested their spouse might be unfaithful.

In all but extraordinary human beings, that sort of unwelcome news creates an intolerable amount of cognitive dissonance and pretty much shuts down logical processing, at least for a while. None of us can process new information when our brain is fully occupied generating any possible excuse why the information might not be true.

So we need to be patient, to a point. I suggest that point will arrive sometime before November 2016, when we will need to insist on the resolution of our own cognitive dissonance, which comes from being forced to trust our sacred right to self-government to unaudited computer output.

Add your reaction Share