I regularly write to county officials about the need for routine, transparent, timely verification of the output of Dane County's voting machines. I rarely get any response--occasionally a polite but negative RSVP if I invite them to a presentation. I don't really expect more, because the decision is entirely up to County Clerk Scott McDonell. Others--particularly pesky 'outsiders' (you might know them as 'voters')--don't have a say.
But today I got a polite and reasoned reply from Dane County Executive Joe Parisi, a former county clerk himself. He expressed his own "strong interest in assuring the accuracy and integrity of our elections," and commended the Wisconsin Election Action Team's "passion for this issue and for your commitment to ensuring that every vote counts," calling it "a noble and worthwhile cause."
So he shares our goals--that much is reassuring. I also appreciated the absence of the all-too-common reflexive defensiveness I've encountered from other officials.
Parisi was county clerk before risk-limiting audits and digital ballot images entered the national discussion, so it's not surprising he is not well-versed on the current and best thinking about management of electronic elections technology. He seems simply to accept what current County Clerk McDonell tells him about today's options. Parisi sent along to me a 'fact sheet' that McDonell prepared about a year ago, and Parisi's comments indicated that he considered it a useful, informative document.
McDonell has slightly updated the document since he first wrote it, but it remains a classic list of rationalizations given by those who defend the use of unaudited computer output as our final election results.
I've uploaded McDonell's arguments, verbatim, along with a point-by-point explanation of their shortcomings. Here are the highlights:
Naivete - Perhaps the most troubling feature is McDonell's apparent naivete about voting-machine vulnerabilities and recommended countermeasures. I think it's genuine, because judging from accounts of battles in other states over the appropriate management of elections technology, shallow understanding of IT issues is common among elections officials.
Like McDonell, many are professional politicians. The currency of their chosen profession is beliefs and appearances, not tough-minded facts and practical options. They seem almost blind to the possibility that they could--should--be exercising solid, independent administration of their voting-machine systems, such as by getting advice from IT professionals to assess the vendors' reassurances rather than passing them on, wholesale, to their constituents.
For example, McDonell seems to lift a line directly from the sales brochure when he writes, “The entire software package was tested in a federal laboratory before being certified by the state and federal government.” My guess is that McDonell is genuinely unaware of the well-known limitations of the private (not federal) testing laboratories and the federal certifications; the fact that there is never any independent verification that the software loaded into our voting machines is an unadulterated copy of the approved software; that voting-machine companies are allowed to make changes to the approved software without any review simply by stating it's a minor change; and that even if none of what I just wrote was true, it still wouldn't reduce the need to verify Election-Day output because so many other things can go wrong.
As Aviel Rubin, Johns Hopkins University expert on elections systems software and computer security wrote, "Computer scientists can make important contributions to the process (of protecting our elections) by learning about how elections run, but there's no realistic way for election officials to develop a technical understanding of their own computer systems. Despite their total lack of familiarity with cryptography, program verification, and formal risk analysis, elections officials don't hesitate to give their opinions on the security and reliability of their voting systems, and the press take their pronouncements as seriously as anything the computer experts say."
McDonell's 'fact sheet' displayed technological naivete in other ways, too--by confusing vendor-provided programming with pre-election ballot set-up when he argued that our voting machines are somehow protected against manipulation because he does the ballot set-up in-house; and by completely overlooking the possibilities of human error and machine malfunction--both of which Dane County experienced on his watch!--to concentrate exclusively on the risk of deliberate election fraud, among other garbled notions.
Blowing Smoke - A professional politician's talent for blowing smoke was also evident in the document. He wrote that:
- Dane County already has the best practices in the state--without reference to the fact that 20 other states have better practices;
- the Board of Canvass could audit if they choose to--without saying that they have ever actually done any such thing, or that the whole memo is, in fact, an argument against doing just that; and
- he compares the digital ballot images to the electronic tabulations to verify the equipment worked properly--without mentioning that he's tried to do that only twice in his tenure and is 2-for-0 in getting the results to match. (Not to worry--it was human error in the audits, not voting machine miscount.) But McDonell spot checks only two machines anyway--not enough to verify the correct outcomes--and does these comparisons only after he has signed the paperwork that forecloses any opportunity to challenge or correct the election results even if an error was detected.
And even on a topic a politician should know something about--appearances--McDonell's memo shows a lack of understanding (or worse, if you don't trust him). How is everyone in Dane County to know that the software is secure? Because McDonell has exclusive pre-election access: "The servers used to code the elections are only accessible by County Clerk staff." How do we know that the software was set up honestly for each new election? Because McDonell's staff "sets up our own ballots instead of using the vendor to do this task." And, from the report on his most recent spot-check: How are we to know no one tampered with the digital ballot images? Because the auditor sealed them in a security bag after working with them alone at home for 13 hours, after they'd been in McDonell's sole possession for eight weeks. The unspoken message is: "I trust me, so you should, too," with no hint of a professional manager's awareness of accepted standards for records security.
McDonell closes his memo by framing the issue as one of political PR: "As you can see we ensure that every vote is counted. Let’s work to get the word out that our elections are secure."
A professional manager would have written, "Let's work to verify that our elections are secure."
The difference between those two last sentences lies in what type of work one is willing and able to do--a politician's or an elections administrator's.