For election officials

VotingMachineTest.jpg

Why won't voters trust the voting machines like we do?

As a Wisconsin elections official, you have probably wondered: Why do the same people who happily rely on computers at their banks, their jobs, and their grocery store check-out get suspicious when it comes to voting machine?

Wonder no longer. Just notice this: As customers, we are not asked to trust those other computers. The managers of those other computers don't operate on trust. They audit.

Bank managers don't ask their depositors to trust that the ATM credited their dollars to the right account. They reconcile every ATM daily and perform several other audits that will catch any computer or human errors. Bank managers will reverse any errors they find, even without waiting for anyone to demand or pay for a recount. 

Go ahead--think of any other computer. How about the grocery store scanner? The computer-metered gas pump? The video slot machine? The credit-card company? The computer that the city clerk uses to calculate the property tax bills?

Notice that every one of those managers uses some routine procedure or practice to notice when the computers mess up.

Election officials are alone, among all computer-dependent managers, in asking for our trust--and in trusting computers themselves.

If anyone started talking about Russian hacking of ATMs, bank managers would quickly disprove those rumors by producing the results of their routine audits. Yet debates about possible election hacking go on for literally years without election officials putting an end to them by proving accuracy.  If a voter asks for confirmation of accuracy, he or she is told that only a losing candidate can request such verification, and that if the suspected error was larger than 0.25%, the candidate will have to pay the full cost of the recount in cash before a quick deadline.

If voters don't trust voting machines, it's because they never see from you the same sort of rigorous accuracy-checking that they see from every other computer-dependent manager. 

But we've told them that the voting machines are not connected to the Internet!

Imagine your local fire chief told the newspaper that all the buildings in town are fireproof, so smoke detectors and sprinkler systems are unnecessary. Would that make you trust the fire chief?

No, it would make you worry about his competence and dedication. Well, that's the reaction you get when you tell voters that the voting machines are hack-proof.

Voters know there is no such thing as an unhackable computer system. They know that the voting machines are programmed by someone, somewhere, and that person might make a mistake and might be corrupt. They know that computers that worked right on Monday don't always work right on Tuesday.

Voters hear only naivete when they hear local officials say:

  • that voting machines' accuracy is guaranteed by pre-election testing and federal certification. Voters have all experienced a computer that worked right yesterday, but didn't today;
  • that a recount confirmed accuracy in a past election. Voters know that a correct August credit card statement doesn't guarantee an accurate September statement;
  • that counties use different kinds of machines, and so a computer hacker would need to hack them all. Voters know that one big county can swing the results in a statewide race, and even if it couldn't, they don't like to hear you talk as if you're comfortable with only one or two counties being hacked;
  • That local election officials can maintain more effective IT security than Target, Anthem, eBay, and Volkswagen--all of which have better, bigger IT departments than their county clerk and all of which, despite their superior IT resources, have either been hacked or engaged in tampering themselves.

On top of having fewer IT resources than the big corporations, local election officials face challenges that make security even harder for them:

  • Local election officials don't have full control of the voting-machine security. Large companies have start-to-finish control of their IT security. In contrast, you have control over only a small part of the security program for the voting machines. Voting-machine security is first the responsibility of the manufacturer; then the vendor; the service technician; the county clerk; the municipal clerk; and finally the poll workers.  Anyone along that chain can perform his or her own security responsibilities perfectly, but have no way of knowing whether the others were as careful.
  • Local election officials are forced to use proprietary software they cannot inspect. Elections systems approved for use in Wisconsin have been amply demonstrated to be capable of accurate counts. However, you are able to control only the coded setup instructions for each election (like loading your new cell phone with your preferences and your phone book), but you are prohibited from even inspecting the continuing integrity of the vote-counting software that comes loaded in the machines, the deep programming that makes them operate. If the software is flawed or compromised when it comes into your possession, you have no way of knowing.
  • Local election officials are forced to tolerate at least a few opportunities for software alteration. Even though you avoid connecting the voting machines or the central elections computer to the Internet on Election Day, you cannot be sure someone else hasn't connected them. You have no way of knowing whether remote-access capability has been installed on the election computers without your authorization (as happened with your Pennsylvania counterparts). And the need to set up the system for each new election creates a regular opportunity for the insertion of malicious or flawed code or unintended programming errors. Flawed code could be carried with the installation of requisite patches or updates, or could be transmitted through the PROM packs, flash drives, or other media that you must rely on to set the machines up for each election.

What will work for local elections officials is the same thing that works for the banks and grocery stores: Adopt routine procedures to ensure that when the rare but inevitable error does occur, it will be promptly detected and corrected.

Are routine election audits possible now in Wisconsin?

Yes. Under current state law, Wisconsin's county clerks and boards of canvass have the necessary paper records, the authority to access them, the ability to correct errors during the canvass, and more time for the canvass than their counterparts in many states that require pre-certification audits. WEC has confirmed that county and municipal clerks both have the authority to perform audits during their canvass.

Efficient audits that use modern methods of sampling and ballot display can be completed in just hours, at a low cost that might well fit in your current elections budget.

Full recounts are not necessary to verify that the voting machines identified the right winners--which is all that is necessary to build voter confidence.  

The first, most basic step is what's called ballot reconciliation, or reasonability checking. You do this step in part already, when you check to make sure the number of voters marked off in the poll book matches the number of ballots counted. A second step is less common among Wisconsin election clerks, but is recommended by the Wisconsin Elections Commission and by all professional elections authorities: Check to make sure the total number of votes in the top-of-the-ballot race is consistent with the number of ballots. During the municipal or county canvass, it should take no more than an hour at most to make sure that you are not certifying more votes than ballots, and that you notice any weirdly high undervote rates, which indicate possible machine malfunction. A rule of thumb is that the undervote rate in the top-of-the-ballot race should be no more than 0.5% (that is, no more than 1 in every 20 ballots contain no vote of any kind--regular, registered write-in, or scattering--for the top race.)

But checking for--and correcting--obvious tabulation errors does not prove that you're certifying the right winner. For that, you need to do a manual count of at least a valid sample of the ballots. This can be efficiently done by using modern methods of ballot sampling. The method most quickly gaining popularity among your counterparts in other states is called risk-limiting auditing. It was developed by the American Statistical Society has been widely accepted as effective and legitimate and was endorsed by the President's Commission on Elections Administration in 2014.

RLA allows verification of the outcome of a race (Who won?) without verifying the exact number of votes each candidate received, as is done in a recount. This enables verification of the important question--Are we swearing the right person into office?--by counting votes from only a small, randomly selected sample of ballots.  A full recount is not necessary for verification purposes.

Finally, very speedy and highly transparent manual counting of votes is possible with modern tools, specifically a document projector. By laying the ballots in a stack on the table, face up, underneath a document projector, only one person needs to touch the ballots while many people can view each ballot simultaneously. Assigning two counters to each candidate provides the redundancy necessary for accuracy. Using this method (or a similar method involving projection of the digital ballots images saved by modern op-scan machines), Wisconsin election auditors have demonstrated that votes in a single race can be accurately counted at a rate of 100 ballots every four minutes.


WEC staff has been studying election-audit practices used in other states and can provide more information and guidance to local election officials who want to introduce auditing into the local canvass process. In addition, national elections administration authorities have developed guidance for election officials who want to produce verified accurate election results: