Voting machines are subject to the same normal vulnerabilities as any other computer: human error in set-up or operation; unexpected mechanical or electronic malfunction; and malicious manipulation by either insiders or hackers. Reasonable people consider these simple facts of life to be nothing scandalous, surprising, or newsworthy.
What many citizens find newsworthy, however, is that Wisconsin's local elections officials do not check the computers' output for accuracy before they declare it to be our final election results, a practice prohibited in at least 20 other states. Verification is allowed (not required) under current Wisconsin law. Verification does not need to be a full recount; with reasonable procedures, verification can be efficient and practical.
Do voting machines really miscount? Why?
This booklet tells the story of three actual, well-documented miscounts: one caused by human error; one by machine malfunction; and one by hackers.
Wisconsin journalists in particular should familiarize themselves with first story, the Stoughton referendum miscount of November 2014, which provides a recent, local, and illustrative example of several different problems that unexpectedly affect voting-machine output.
How might electronic election fraud be accomplished?
Short answer: The thing about hacking is that if we always knew in advance how they will do it, there wouldn't be any hacking. If hackers can get into Anthem, Sony, and the US Office of Personnel Management, they can hack into little ES&S of Omaha, Nebraska or our county clerk's office. And corrupt insiders (the historic bane of election integrity in the US and elsewhere) don't even need to hack in--they can alter the software whenever they want.
Longer answer: If you're among those who need to know how hackers or corrupt insiders could compromise our voting systems before you believe it's possible, start reading on page 20 of this document, The Machinery of Democracy: Voting System Security, Accessibility, Usability, and Cost, the 2006 report of the Brennan Center's Voting Technology Assessment Project.
In short, the most likely of multiple possible schemes is that a current or former employee of a voting-machine company, voting-machine service company, or testing laboratory will use his or her insider's knowledge to write and distribute malicious programming that would: 1) operate only once to flip vote totals on Election Day rather than flipping individual votes throughout the day or during pre-election testing; 2) allow the machine to report the correct number of ballots while changing only the number of votes for each candidate; and 3) flip only the smallest number of votes necessary to put the results outside the recount margin while not arousing suspicion.
State and local elections officials don't have the expertise, time, or authority to examine voting-machine software for evidence of insider hacking, and nothing Wisconsin elections official now do would have detected such a hack, if any has ever been successful.
But routine verification could provide reliable detection--or better yet, effective deterrence--of any future unauthorized programming.
National election authorities' views on routine verification
"Post-election audits are a best practice of elections administration in general, and especially so when it comes to the performance of voting technology. The Commission recommends that jurisdictions audit the election machinery following each election to ensure both that the vote totals match the votes cast and that any problems related to machinery are reported and resolved." Page 66, The American Voting Experience: Report and Recommendations of the Presidential Commission on Election Administration, January 2014
"Generally, audits can be divided into two categories: (1) reviews of processes and procedures that contribute to an orderly and fair election and (2) verification of the vote counts. The former can be conducted periodically … Verification of vote counts should occur after every election.” Page 4, Report on Election Auditing, Election Audits Task Force of the League of Women Voters of the US, January 2009.
"A solid automatic routine audit can go a long way toward making the least difficult attacks much more difficult. Specifically, (routine verification of output) would force an attacker to involve hundreds more participants in the attack." Page 29, The Machinery of Democracy: Voting System Security, Accessibility, Usability, and Cost, the 2006 report of the Brennan Center's Voting Technology Assessment Project.
"Well-designed and properly performed post-election audits can significantly mitigate the threat of error, and should be considered integral to any vote counting system. (C)ounting votes on paper records (to) check on the accuracy of election results and resolving discrepancies (is) arguably the most economical component of a quality voting system, adding a very small cost for a large set of benefits." Page 3, Principles and Best Practices for Post-Election Audits, Multiple organizations, working with ElectionAudits.org, 2008
Current law, current practice, and GAB's role
Wisconsin's elections officials currently practice multiple pre-election security measures and a few post-election procedures intended to promote accurate election results. None of these are harmful; most are prudent and necessary. However, none fulfill the critical function of reliably detecting electronic miscounts while they can still be corrected. This document contains a brief discussion of the current responsibilities and practices of Wisconsin's various election officials, and what they could be doing under current law.
What are we recommending?
The Wisconsin Election Integrity Action Team is recommending that Wisconsin county clerks (individually or as a group) develop and adopt procedures for routine, transparent, statistically valid verification of electronically tabulated outcomes to be completed before county certification of election results.
These procedures should meet nationally recognized standards for verification, including use of the efficient sampling method developed by the American Statistical Association, known as risk-limiting audits.
In addition, we have no objection to verification performed with the digital ballot images created by the ES&S DS200 system and by Dominion Voting's ImageCast system, rather than with our voter-marked paper ballots, if the verification is performed promptly enough to reduce opportunity for tampering with the images. We recognize the possibility that malicious programming could cause the machines to create digital images that are not true copies of the voter-marked ballots, but digital images have dramatic, decisive advantages for transparency and efficiency, and county clerks could adopt procedures to spot-check the integrity of the digital images.
For more information:
Contact Karen McKim, Coordinator