May 31, 2018 -- Ask any Wisconsin official whether our elections are secure and you'll get this answer: "Our voting machines are never connected to the Internet; elections administration is decentralized; and the machines' designs were approved by the federal and state governments."
Go ahead—call your county clerk and ask. That is the answer you'll get. He or she sincerely believes those three safeguards protect Wisconsin elections.
Today, a consortium of national election-integrity groups released a new report: Securing the Nation’s Voting Machines: A Toolkit for Advocates and Election Officials.
Here's how many of the Wisconsin election officials' three favorite safeguards made the list recommended by the national authorities: None.
Here's why not:
- Voting machines are and always will be programmed by fallible, corruptible humans. Anyone who develops or loads the software can manipulate the vote totals without the Internet.
- You could hack into only one or two big counties' voting machines and swing a statewide election. In fact, county control of the voting machines might make hacking easier by increasing the number of vulnerable entry points. Besides, it's not really the local clerks who manage the machines anyway. It's three companies: Command Central, Dominion, and the biggest one, ES&S, which supplies the software that counts about 2 of every 3 Wisconsin votes.
- Federal and state approval of the voting machines' original design cannot secure the machine that counts your votes. The software was copied and updated dozens of times before it reached the machine in your polling place. No one ever inspects or approves the software that actually counts your votes.
What does protect elections: Paper ballots and audits.
Wisconsin has paper ballots, but not a single county clerk—not one—looks at those ballots before declaring election results final.
As long as our ballots are packed up on Election Night and kept under seal until they are destroyed 22 months later, Wisconsin elections are no safer than if we were using paperless touchscreen machines.
That's where Wisconsin's decentralized elections can help to protect our elections. State law gives every county clerk two weeks after a general elections—and more if they request it—to review the Election-Night results to make sure they are correct. The county clerks and their boards of canvass are free to adopt any review method they choose—it's up to them.
Any county or municipal clerk could, at any time he or she chooses, open the ballot bags and conduct a legitimate audit. It would be harder for municipal clerks, because they have only a week for review, and they certify only local races anyway. But county clerks have plenty of time to audit, and they certify the state and federal races—the ones most likely to be hacked.
Call your county clerk today and educate them. Tell them that the three safeguards they rely on are not really safeguards at all. Tell them to start—NOW—planning how they will verify the voting machines' Election-Day accuracy after future elections. If your county clerk doesn't know how, refer them to Securing the Nation’s Voting Machines: A Toolkit for Advocates and Election Officials, which has a good list of pointers and resources. Write to your local newspaper to make sure they cover this story.
Then, keep calling your county clerk until you get the answer Wisconsin voters deserve: "Yes, we will make sure your votes were counted correctly before we declare election results final."
May 18, 2018 -- Forget about whether Russians hacked election computers in 2016. We've got a bigger problem, and not much time to fix it. The November elections are less than six months away.
When the US Department of Homeland Security (DHS) and the Wisconsin Elections Commission (WEC) talk about "election security", they talk only about the voter-registration system. WEC operates that system, and DHS can monitor it.
But the vote-counting system is separate. It resides on no computer that either of them can control, monitor, or inspect. It was outside their range of vision in 2016, and it’s outside their vision now. They don’t talk about voting-machine security because they don't know.
Wisconsin’s vote-counting computers are controlled, protected, and monitored by our local election clerks and by three companies—ES&S, Dominion, and Command Central.
That's all. No one else.
Local election clerks have exactly the level of IT sophistication you think they do. County clerks send our vote-counting software off to Nebraska or Colorado or Minnesota to be reprogrammed for each new election, with no way to notice if it comes back carrying malicious code. A few counties use an application supplied by those companies to reprogram the software themselves. They put a plastic seal on it when they’re done.
Wisconsin’s local election clerks will happily leave a service technician alone with a voting machine or the county’s election-management computer, with no way to notice if he installs malicious code or a wireless communications card. They put a plastic seal on the voting machines for Election Day.
Go ahead—ask them. They seal the software. They seal the machines. They seal the paper ballots that they could use—but don’t—to check the machines’ Election-Day accuracy.
And what about where the real danger lies—within the voting-machine companies? How well does their security guard against external hackers and corrupt insiders?
The companies themselves might not understand IT security. Professor Aviel Rubin of the Johns Hopkins University Information Security Institute checked with the major American voting-machine companies before the 2016 elections and discovered none employed “even one full-time trained expert in computer security.”
Congress, too, has been frustrated in its attempts to get straight answers about the companies’ security practices. When Congressman Ron Wyden tried to get answers from ES&S, he didn't get a response from anyone with 'security' in their job title. Instead, a Senior Vice President for Governmental Relations replied, saying “At ES&S, security is the responsibility of not just one, but all who elect to work for our company.”
This governmental-relations expert reassured Rep. Wyden that ES&S had asked DHS "if they had knowledge of any such security issues involving ES&S to which they responded that they did not." Well, whew.
ES&S—this company where every employee handles IT security and yet the vice president has to ask DHS to find out whether they've had a security breach—is the largest supplier of voting machines to Wisconsin. Just one of their machines—the DS200—counts more than 60% of Wisconsin's votes, including votes from Milwaukee, Dane, Waukesha, and La Crosse Counties.
We cannot make the voting machine companies hire IT security staff before we elect a governor and a US senator in November.
And we cannot make our local election officials into IT sophisticates, ever.
But we can put an end to the honor system. That is, we can force our local election officials to use the paper ballots to detect and correct any miscounts before they declare election results final.
Our local election officials are the legal custodians of the paper ballots. They can unseal them anytime to count votes and make sure the voting machines counted right. At any time before the 2018 midterms, our local election officials could learn about results-audit practices already in use in other states and bring them to Wisconsin.
Do these three things today:
- Contact WEC. Tell them to exercise leadership in getting county clerks to audit election results during the canvass. Tell them to use some of the federal HAVA funds; they’ll know what that is.
- Contact your county clerk. Say you want the county canvass to make sure the voting machines identified the right winners before they certify the election results. If they don't know how, tell them to contact the Election Verification Network or the Verified Voting Foundation.
- Contact your local newspaper editor. Tell him or her that you want to see local journalism take a sober look at voting-machine security right here in Wisconsin—and that doesn't mean writing about plastic seals.
March 31, 2018 -- Being a normally flawed human, I cannot resist starting this blog post with "As we have been saying for six years...", Wisconsin's "failure to carry out post-election audits that test the accuracy of election outcomes leaves the state open to undetected hacking and other Election Day problems."
In speaking about Wisconsin, the report concludes: "To protect its elections against potential attack by sophisticated nation-states seeking to interfere in U.S. elections, Wisconsin should adopt robust post-election audits that have binding effect on election results."
CAP researchers picked up on a feature of Wisconsin elections that in-state commentators have missed:
Problems with Wisconsin's election security, along with possible solutions, are not visible unless you look beyond the state level and into the counties and municipalities.
Our state-level agency, the Wisconsin Elections Commission does not control the voting machines. They control only the systems that manage voter registration (WisVote) and that compile already-tabulated election results (the Canvass Reporting System, or CRS).
But the technology that counts Wisconsin's votes is owned and operated by counties and municipalities--not the State.
It is the local clerks, not the WEC, who are responsible for pre-election protective security and for the managerial measures that would detect and correct any Election-Day miscounts.
Not only is pre-election security managed by non-IT professionals, Wisconsin's entire vote-counting system lacks the ability even to detect miscounts, never mind correct them.
Wisconsin's local election officials--bless their hearts--are not IT sophisticates. Asked about the threat of hacking, most will say something like what Sheboygan County Clerk Jon Dobson recently wrote to me: "The equipment is never connected to the Internet, (so) unless someone has figured out a way to hack through the unit's power cord, our equipment is basically unhack-able."
Clerks like Mr. Dobson are not being disingenuous. They genuinely believe that if they cannot see a way to hack the vote-tabulating technology, no one else can, either. Their trust in the voting-machine companies is complete and sincere.
For their education in IT security, Mr. Dobson and his colleagues rely almost entirely on the commercial reassurances of the voting-machine companies. They don't seek the counsel of independent IT-security authorities who could explain the myriad number of ways an elections system can be compromised without Internet connection, particularly by insiders.
Wisconsin's county clerks genuinely do not understand that elections software could be compromised by security lapses outside their vision or control--by the vendors, service companies, municipal clerks, and poll workers.
And as for Internet access, news hasn't yet reached them from their counterparts in Pennsylvania, who found that a voting machine company had installed unauthorized remote access capability on their election computers without their knowledge--something that computer-security professionals had been warning of for years. Like the Wisconsin clerks, the Pennsylvania clerks had been blithely assuring reporters that voting machines were never connected to the Internet--without having checked. When I publicly asked him whether he ever checked Dane County's machines for such unauthorized alterations, Clerk Scott McDonell said that the vendors had told him that would void the machines' warranty so no, he doesn't check. He is not fooling when he says he truly believes the machines to be so very secure that he can doesn't have to check their accuracy before he declares election results final.
And that, fellow voters, is the level of IT naïvete that stands between motivated international hackers and our voting rights.
But we have to be realistic about what we can expect from local election officials. As Prof. Dan Wallach of the Rice University Computer Science Department explained, "You would not expect your local police department to be able to repel a foreign military power."
What we can expect of our local election officials--particularly our county clerks--is that they use the authority and resources already provided by Wisconsin law to manually check accuracy of the computer-tabulated vote totals before they certify election results final.
The only protection can come from using our paper ballots to check the machines' Election-Day accuracy.
That's the solution that 26 states already have in place, with varying degrees of rigor.
It's the solution that we've been advocating for the past six years.
It's the solution that the 2014 Presidential Commission on Elections Administration recommended.
It's the solution that Rep. Mark Pocan wisely wrote into his proposed federal legislation.
And it's the solution that the CAP report recommended for Wisconsin.
Wisconsin reporters and editors need to pick up on it now, too. They need to start asking county clerks the same hard questions about their security practices that they have been asking the WEC about theirs: How do you detect whether the technology worked as intended on Election Day? Do your security and recovery procedures meet national standards? What plans do you have in place for recovery if they fail?
Voters can ask, too. Pick up the phone. Call your county clerk. Get the facts right from him or her. Ask: "At the moment when you sign that certificate declaring the election results to be correct and true, what specifically have you done to verify that the voting machines counted correctly on Election Day?"
Among the 72 county election authorities in this state, not a one will answer: "I follow federal recommendations and conduct a valid post-election audit."
Friday, March 30, 2018 - In defense of our right to self-government, please contact the Wisconsin Elections Commission in the next few days to tell them: Include routine election auditing in Wisconsin's application for federal election-security funding.
Chances like this don't come along very often. Congress sits on its hands for years, ignores problems, messes around, and then--when an issue is hot--throws some money at the states and says "Spend it quick!"
When that happens, states need to be able to grab the money and spend it on something worthwhile.
That is just what has happened with election security. Voters have been warning, shouting, complaining, and worrying for years about the dangers of poorly managed election technology, and then all of a sudden Congress awoke and leapt out of bed. (Thank you, Vladimir!) Last Friday, Congress passed a federal budget bill that includes $380 million for grants to the states for improving election security.*
Just short of $7 million of that is earmarked for Wisconsin--pending the Wisconsin Elections Commission's submission of a plan for spending it.
Thirteen states should definitely spend their money to replace unauditable voting machines--the kind that don't use or create a paper record of each ballot. But that's not Wisconsin's problem. Paperless vote-counting computers have always been illegal here.
Wisconsin's big election-security hole--where we lag most other states--is not that our elections are unauditable. Wisconsin elections are simply unaudited.
Wisconsin is in relatively good shape on most other aspects of election security. The WEC has done a good job with those systems they control, which are the voter-registration system and the 'canvass reporting system,' the automated system that counties use to report results they have already counted and certified. In addition to having respectable security, both these systems also have effective backup in case of manipulation or failure. With same-day registration at the polls, hackers have to ask themselves how much effort they are going to waste deleting Wisconsin voters' registrations when we will be able immediately to vote anyway, with only about five minutes' re-registration inconvenience. And the canvass reporting system kicks in only after our votes have already been counted in the polling places and municipal clerks' offices. Any hacking of that would be easily detectable and reversible, even without a serious audit effort.
But Wisconsin has no more security for our voting machines than any other state that uses paper ballots, and a paper trail is merely decorative if the ballots are sealed on Election Night and never seen again.
Our elections' biggest unprotected vulnerability is that our county boards of canvass make a habit of declaring election results final without lifting a finger to check to see whether the vote-counting computers counted our votes correctly. That practice is justifiably illegal in 25 states (26 if you count D.C.) and contrary to every national election authority's recommendation.
The practical solution: Wisconsin law provides county election officials with paper ballots and allows them to check accuracy before they certify, but they choose not to. The problem isn't time or money. Wisconsin's county clerks have as much time for the canvass as their counterparts in states that do audit, and modern election-audit methods are so efficient they could almost be funded from petty cash.
So we can only guess why our county officials continue to force us to trust our franchise to unaudited computer output--something they wouldn't tolerate for a millisecond from their banks and ATMs. My best guess is that they've been allowed to ignore that basic managerial responsibility for so long that they fear they will find a host of problems when they start to look. Look at the panic this county official exhibited as she refused an observer's request for verification during the 2016 recount. That level of distress looks to me like she knew the machines' unreliability would be revealed if she allowed verification, so she refused to hand count "even five ballots." And she was right: the machines were, in fact, miscounting and were later decertified by the Wisconsin Elections Commission.
What voters need to do:
Contact the WEC and tell them that you want them to include funding for routine audits during the county canvass in Wisconsin's federal grant application. WEC staff are up to date on national election-administration trends, and I believe they understand the need for, and practicality of, routine election audits. In addition, I sense that WEC Commissioners are favorably disposed to effective election audits and will do the right thing if enough citizens express interest and support.
- Tweet to @WI_Elections to say that you want to see county election audits in the application for federal funding;
- Email Chair Mark Thomsen and Administrator Meagan Wolfe at firstname.lastname@example.org.
- Snail-mail them at Wisconsin Elections Commission, P.O. Box 7984, Madison, Wisconsin 53707-7984, with copies to U.S. Election Assistance Commission, 1335 East West Highway, Suite 4300, Silver Spring, MD 20910, and to Jill Lau, Chair, Wisconsin County Clerks Association, 421 Nebraska St, Sturgeon Bay, Wisconsin 54235.
If you want to do more, you can use these web-contact forms to tell Senator Baldwin, Senator Johnson, and the US Election Assistance Commission that they, too, should encourage the WEC to seek funds for election auditing in Wisconsin.
Also, please, tell other voters about this so that they, too, can weigh in for election audits. The WEC hardly ever gets any citizen input on election security issues, and they will definitely sit up and take notice if they get a lot now. So go for it!
* It would be unfair to accuse every member of Congress of inaction. Wisconsin's very own Mark Pocan introduced an excellent elections-security bill, the Secure America's Future Elections (SAFE) Act a year ago. As other representatives wake up to the issue, it's still collecting new co-sponsors. If you live outside Wisconsin's Second Congressional District, contact your congressperson today and ask them to sign on. If you live in Rep. Pocan's district, tell him "Thank you!"
Main point: Wisconsin's elections officials have been telling themselves a simple story--"The only threat to election results is Internet hacking, so we can keep elections safe just by keeping the voting machines unconnected."
There's an equally simple--but more true--story they could be telling themselves: "We don't have the power to prevent every type of miscount, but we can keep elections safe anyway by using the paper ballots to detect and correct miscounts, regardless of cause."
February 21, 2018 -- In a recent newspaper article, I wrote that election officials should check the accuracy of our computer-tabulated election results as routinely as city treasurers check our computer-tabulated property tax bills.
That proposal is uncontroversial. Every national election expert promotes routine audits. So do other authorities, such as the US Department of Homeland Security. When presented with the idea that election clerks should verify the right winners before they declare election results final, every voter responds with either “Well, duh” or a wide-eyed “You mean they don’t do that now?!?!”
Wisconsin election officials, however, think that all the rest of us are wrong about that. In response to my article, I received the following email from the county clerk in a mid-sized Wisconsin county:
"Good afternoon, Ms. McKim: Please tell me if a piece of Wisconsin certified equipment has ever been hacked, or how one could even attempt to hack said equipment. The equipment used in my county is never connected to the Internet. It's not even connected to our county network. Unless someone has figured out a way to hack through the unit's power cord, our equipment is basically unhackable."
Except for that last word, my correspondent’s few facts are correct. It's the same argument that county clerks have used for years. Let’s review a few additional facts. You won’t need to be an IT security expert or a Russian hacker to see the possibilities...
First, Wisconsin's county clerks need to know that voters don't want their votes miscounted for any reason--not hacking, not human error, and not machine malfunction. Even if we believe you that you've perfected the world's only unhackable computers, that's no reason to fail to check of any other type of miscount.
Hacking might be a risk, but mistakes and malfunctions are a reality. Our voting machines are operated by a lightly trained and lightly supervised temporary workforce. None get more than four days of on-the-job experience every year. Even the election managers—the municipal and county clerks—work only part-time on that task. The 2016 presidential recount—for most election officials, a once-in-a-career opportunity to check their work—revealed that more than 1 in every 170 votes were incorrectly certified in the original canvass—mostly because of human error.
My correspondent and his fellow clerks also know that electronic malfunctions have already miscounted Wisconsin votes. They know voting machines are manufactured to be affordable for local government budgets. Many are old. Among all the businesses and government offices you enter in a year, the polling place is where you are most likely to encounter a 10- or even 20-year-old computer. They know that just last year, the Wisconsin Elections Commission had to decertify one model of voting machine because it was so unreliable it failed to detect up to 30% of the valid votes in individual precincts--in an actual election, not a test.
And when it comes to tampering, they know that many insiders have both means and opportunity—even without an Internet connection. Private companies manufacture Wisconsin’s vote-counting computers, and independent service companies maintain them. Those companies do not allow anyone to inspect the software, updates, and patches they install.
And no one has the ability to enforce good security practices. No state or federal official oversees either the local officials' or the companies’ internal security. If the computers used by the private companies to update the voting-counting software had poor security, no one but the companies and hackers would know.
Between elections, the voting machines themselves reside in storage rooms all around the county. They are also off limits to inspection. I once asked another county clerk if he had ever inspected them for unauthorized wireless communications chips—something professionals warn about. That clerk told me that such an inspection would void the machines’ warranty. (Update: See the first comment below. The day after I wrote this blog post, the New York Times reported that county clerks in Pennsylvania--who DID have their elections technology independently inspected--discovered that ES&S technicians had installed unauthorized remote communications capacity.)
My correspondent knows all that. And yet he proclaims, on faith, that the vote-counting software exists in a state of virginal purity as each Election Day dawns.
I don’t believe this county clerk is stupid. I’d bet my mortgage he would know better than to patronize a bank where managers employ only temporary staff; rely on antiquated equipment; refuse to audit unless a customer pays the cost of a full recount; and proclaim the ATMs are always accurate merely because they are not connected directly to the Internet.
And aside from his resistance to rigorous auditing, I see no signs he is corrupt. So what is he thinking?
Like most other normal human beings, he might not be thinking anything.
Walter Fisher, of the Annenberg School for Communication, has studied the question: Why does thinking explain so little of our behavior? He concluded we are guided more by narratives—stories we tell ourselves—than by logical reasoning.
The human brain is a marvelous organ, but continuously encounters more twists and turns than it can process with its reasoning faculties.
So it invents stories. Some are true, some are false. But all are oversimplified because that’s their function—to help our brains make simple sense of complexity, to help us feel we’re in control.
My correspondent’s story fits that description: “Only one thing can produce incorrect vote totals: Internet hacking. So if we just keep voting machines offline on Election Day, our elections will be safe from hackers.”
Human error, malfunction, and insider corruption would complicate this narrative, so they are excluded. Not mentioned. Not seen.
County clerks have reason to embrace that narrative. Election administration is only one of their jobs, and they have only a few staff. The workforce on which they depend consists mainly of people who are hired by and report to someone else: municipal clerks; temps hired by the municipal clerks; and county canvassers sent by the two major political parties.
The county clerks’ own education and experience tends to be clerical or political, not managerial or technological. And because the State Constitution assigns certain duties only to them—no one else—they’re on their own. They are elected officials without a manager who can train and coach them, or share the blame when something goes wrong.
Sensible voters need to help our election managers switch to a new narrative. It needs to be simple. It needs to be clear.
It needs to give them courage to face up to their responsibilities as prudent managers of elections technology. I propose this one:
“As local election officials, we have the paper ballots and we control the canvass procedures.
If we just use those to check that we've identified the right winners, our elections will be safe from every risk.”
September 27, 2017 --
Main point: Public officials must keep the public both safe and calm.
The danger is when election officials' goal is reassurance, not safety.
Yesterday’s Wisconsin Elections Commission (WEC) meeting was packed with more cameras than I’d ever seen there. A few days earlier, the federal Department of Homeland Security announced that Russian-government backed hackers had tested the security of Wisconsin’s online voter registration system. They hadn’t gotten in. The ‘attack’ was, the computer experts say, like jiggling a locked door knob.
What voters get: “As you can see, it's a beautiful day, the beaches are open and people are having a wonderful time." - Mayor Vaughn, to a reporter.
“I don’t get it.” I told a reporter as the meeting got under way. “What's the news here? Hackers are continuously testing every computer system. The Russian government is known for cybercrime. It would be news if they were not testing the security of our elections systems.”
I don’t remember his response, other than it wasn’t convincing. I fear the real answer is that his editors know which stories get the web clicks.
The facts that WEC shared were as I expected. State officials from the WEC and the Wisconsin Division of Enterprise Technology (DET) explained their system of continuous defense against hacking of our voter registration system (which is separate from the tabulation system, also known as the voting machines). Millions of efforts to get into the registration system are detected every week, from anonymous Internet addresses all over the world. Unrecognized addresses are locked out and if that fails, any unauthorized changes will be promptly noticed and reversed. If that fails, daily backups are made so that if some malicious code ever causes the system suddenly to garble or erase our voter registrations on election morning, a correct version can be quickly brought up. If that fails, paper backups are printed immediately before each Election Day.
State officials were convincingly competent and straightforward. The story that later appeared in the paper made the federal officials, not the state ones, look like the Keystone Cops.
WEC and DET took the opportunity to explain the security of our voter registration system to the press—while the press was willing to listen. When officials are keeping us safe, reassuring the public is usually as easy and effective as just telling the truth.
The officials’ explanation about our voter registration system confirmed my trusting assumptions about its security.
But the security of our vote-counting software is a completely different story.
Our election officials' silence about security for that system should be a dead giveaway there's a shark in the water.
Like ‘baby’ in a pop song, election officials’ yesterday continuously repeated “We’re talking about the voter-registration system, not the vote-counting systems.” The reporters’ keyboards clicked along to the beat. Yeah, yeah, yeah. None seemed to notice the story within that silence on the vote-counting software.
Here's why we don't get convincing, impressive descriptions of the security system for our voting machines: Because it doesn't exist. At least when sharks are eating tourists, someone notices. But if anyone is hacking our voting machines, their crimes would go undetected as we swear their chosen victors into office.
Reassuring spin: "We've seen no evidence of tampering with the vote-counting system." The furor about Russian testing of our voter-registration system’s security was made possible by federal officials’ looking for it. No one--local, state, or federal--reviews Wisconsin's election results to make sure they are accurate. None of them make any efforts to detect any doorknob jiggling of our vote-counting software, which is proprietary and controlled by the voting-machine companies.
Reassuring spin: "Our decentralized vote-counting system makes hacking unlikely." After the vote-counting software is produced at the companies, it's downloaded to the dozens of computers that will be used to design the ballots for each election and to tell the voting machines how to read those ballots. These are the 'election management systems' that reside at the vendor's regional offices, the voting-machine service companies like Command Central, and in the offices of county election officials.
When election officials talk about the security of the vote-counting systems, they often refer to this decentralization. They say it makes the system harder to hack.
But they cannot possible imagine that, to tip a statewide race, a hacker would need to design a hack specifically for every type of voting machine used in Wisconsin and alter the results in every county. You can see the silliness of that--What's Russian for "Darn it, we missed Forest County. Well, maybe next year."? There are enough votes in Milwaukee County alone, or a few other counties, to control the outcome of most statewide races.
Not only does the decentralization provide little protection, it multiplies the possible entry points and places them in the physical control of an army of people with no particular IT security expertise, and often no access to any.
After the software is downloaded to the local election-management computers, it's revised for each new election and then copied onto removable drives--typically, the same sort of USB drive you can buy at the drugstore. The drives are then handed off to the municipal clerks, who load the software onto each voting machine.
On Election Day, it's in the physical control of the poll workers. At this point, we should probably be hoping that the possessors of the software have no IT expertise, rather than wishing that they did.
Between elections, the vote-counting computers are stored in very town, village, and city in the state, under conditions that the election officials themselves don't always control.
No one exercises any oversight of this disjointed system. Computer security expert Bruce Schneier told NPR's Science Friday that federal voting-system security standards were outdated long ago, and no one is now exercising any oversight even if the standards were current. Vendors can coach county clerks on how to maintain security, but they have no way of knowing whether the clerks follow their instructions. To my knowledge (and I asked when I can), no state or local official ever attempts to oversee or even ask about voting-machine company security. They wouldn't know how to evaluate it if they did, or any authority to force corrections.
Johns Hopkins University Computer Security Professor Aviel Rubin made a point of contacting the major voting-machine companies who count America's votes. He reported "I have yet to meet an American voting system manufacturer that employs even one full-time trained expert in computer security."
Reassuring spin: "Our voting machines are never connected to the Internet." This used to be true, but there's no machine on the market anymore without the capability of electronically transmitting results after the polls close. That, however, is not and never was the big risk. Connecting a voting machine to the Internet or to a cell phone tower after the polls close doesn't give a hacker any opportunity to alter a hard-copy poll tape you've already printed. Having observed more poll-closings than I can count and several canvass meetings, I can vouch for the fact that is the one hack our election officials would likely detect and could easily correct.
The vulnerability comes before the votes are counted, not after. The big risk of manipulation--in fact the one that forensic IT security experts deem the greatest--doesn't come from the Internet at all, but from insiders with authorized access to the software. Because no state or local election officials have the authority or ability to inspect the vote-tabulating software for integrity, even lightly sophisticated individuals--at the voting machine company, the service company, the local official's office, or anywhere along the chain of custody--could alter the software and not be noticed. Thousands of people have authorized access to our vote-counting software or hardware between every election. Many of them, in the testing laboratories, voting-machine companies and service companies, understand the code. Many of the others likely can be bought--they are humans.
But hackers without authorized access can get in. The vote-counting software is created, updated, and maintained not on each individual voting machine, but on computers that are almost certainly, at some time, connected to the Internet.
And local election officials have no way to tell whether and when the individual voting machines are communicating with other machines. Wireless communications capability can be installed inside any computer or voting machine--antenna and all--without their knowledge and controlled by anyone within transmission range. Local election officials never inspect the insides of the voting machines for surreptitiously installed wireless cards, and few would know what to look for if they did.
Reassuring spin: "No election has ever been hacked." The truth is, our election officials wouldn't know if one had. They don't use the one practical opportunity--checking the results against the paper ballots--to check the system's integrity. If any election ever has been hacked, it's likely no one noticed.
What voters need: “Smile, you son of a bitch.” – Martin Brody, to the shark.
Yet despite the widespread concern about the security of last year’s presidential election, not a single state had routine procedures in place to verify an accurate statewide vote count. Michigan, Pennsylvania, and Florida proved unable to document accuracy even when directly challenged, unable to get a recount even started.
Wisconsin did best. Every county at least double-checked things like the handling of absentee ballots, but only half of the vote totals were checked for accuracy. The other half were just run back through the same computers, so any electronic miscounts would have just been repeated. We know that some were miscounted twice.
State officials in Wisconsin recently scored a first, when in January they detected a few miscounting computers—after the winners from the previous November were already sworn into office. To their credit, they decertified the machines. They are still are not sure what caused the miscounts—they know ink color on the ballots contributed, and that from their size and randomness, the miscounts seem unlikely to be even a trial-run hack.
What to do?
Face it: State and local election officials will never have the authority, skill, or money to maintain strong IT security for our vote-counting software. It's just not going to happen. Elections are too intermittent, the workforce too temporary, the property taxpayers too stingy to make good security possible.
Our only hope for protecting our election results from hackers--and from malfunctions, glitches, and human operator error--is to notice and correct any miscounts before results are certified.
If the polls opened and voter registrations were garbled, we would notice. Perhaps that's why those responsible for the software are so vigilant--they know any laxity will get found out.
But we cannot sit by the television on Election Night and say “Hey! That’s not how we voted!” Voters have no way to tell honest election results from false ones. And maybe that's why checking accuracy is such a low priority for our election officials. If they don't detect the miscounts, they can keep saying--honestly--"We've never known an election to be hacked."
Most states now have paper ballots, or at least paper audit trails, that could be used to check the accuracy of the computer output. National election authorities have developed, and national officials endorsed, efficient methods that don't require a full hand count.
Every other public official takes responsibility for the accuracy of their work product. It's long past time for voters to insist their election officials do the same.
September 26, 2017 -- There’s good news and there’s … no-worse-than-usual news.
The good news is that today, the Wisconsin Elections Commission did what no Wisconsin elections agency has done since the introduction of computerized vote tabulation: They decertified a voting machine, the Optech Eagle.
And they did it for the best of reasons: It wasn’t counting our votes reliably. Now that so many ballots are marked in voters' homes, in all sorts of ink, the machine is "no longer meeting voters' and officials' expectations."
This is good. Not perfect, but good. The vote was unanimous. The Commissioners didn't debate whether the machine should be decertified, but how quickly. They didn’t vote to decertify immediately, but they soberly considered that possibility. And they did adopt some immediate safeguards.
As of today, all municipalities using the Optech Eagle must either count mailed-in ballots by hand, or re-make (that is, copy over) them using ink that can be detected by the machines. And they must keep doing that until they replace the machines, no later than December 31, 2018. In addition, if any contest tabulated by an Optech Eagle is recounted, it must be by a hand count.
This decision had several good angles to it.
First, the Commissioners’ comments, specifically mentioning Racine County, indicated that they accepted as true the reports of Liz Whitlock and the other observers during that recount, even though Racine County officials have not yet acknowledged any problems.
Granted, it would have taken chutzpah for the Commissioners actively to deny that Racine miscounted both the election and the recount, given all the hard evidence of similar miscounts from other counties and the weirdly high undervote rates that county's canvass signed off on.
But the culture of election officials, in Wisconsin and elsewhere, is to band together against concerned voters and, if not to deny their truth, at least ignore it. But in the discussion today, I did not pick up one whiff of the get-these-troublesome-citizens-out-of-here attitude to which we’re so accustomed. Good work, Liz and the rest of the Racine team! The State hears you, even if your clerk doesn't (yet).
Second, the instruction that any recount be conducted by hand shows more courage and commitment than I’ve seen from any public official in a while. Here’s why: If some county decides to contest that requirement, it’s likely that a court would decide that the WEC has no statutory authority to order a hand-counted recount. The Commissioners were aware of that when they voted, but went ahead anyway. Set aside the fact that recounts are a thing of the past in Wisconsin; I like the kind of leadership that says, “Let’s do the right thing and see if anyone tries to stop us.”
Third, the decision signifies a distinct break from the old Government Accountability Board’s attitude toward elections technology. The old GAB—both board and staff—seemed resistant to even the idea that voting machines could miscount. I remember talking with them about the Medford miscount, when misprogrammed machines ignored all straight-party ticket votes. About a third of that city’s votes in a presidential election were lost. GAB staff told me, with a pained expression, “You can’t blame that on the machines!”, as if I would hurt the machine’s feelings if it heard me say it needed to be audited. I can so easily imagine the old GAB Director Kevin Kennedy defending the Optech Eagle with such an argument.
But WEC Director Michael Haas and the Commissioners are willing to take a stand: A machine that cannot count a valid vote has got to go.
I know I may be giving WEC credit for understanding the obvious, but it is a change from the way they were talking only two years ago. And that's good.
The no-worse-than-usual news is, well, unsurprising.
- The staff analysis of decertification stressed cost and convenience for clerks above all other considerations—to the point where I sat there seriously trying to think of how we could frame the risk of election fraud as a cost issue.
- No one ever has investigated or resolved the causes of the worst Optech Eagle miscount. The WEC is just guessing it was the wrong ink. In Marinette, three voting machines missed 9.6%, 26.5%, and 30.8% of the votes on the ballots they processed. It's almost certain that ink had something to do with it, but if the voters marked their ballots at home, why did voters in one section of town use unreadable ink at more than three times the rate of another part of town? And to add to the mystery, the municipal clerk told me that most of the absentee ballots in all three precincts were in-person early voters who marked their ballots in her office. Why would she provide the wrong pen at all, never mind provide it at different rates to the voters from the different precincts? Finally, in the one municipality where WEC staff did do a serious investigation of the cause of an Optech Eagle miscount, they couldn't pin it entirely on ink. Something else is going on with those machines, and remaking the ballots might not fix it.
- Director Michael Haas, on at least two occasions today, referred respectfully to our testimony, and clearly understood what we were saying. But when he spoke most directly to the prospect of future routine election audits, he called it a ‘legislative issue.’ To me, that revealed his perception that Wisconsin’s local election clerks will not agree to verify election results unless forced by law. He’s probably correct, but that’s pretty darn sad. Thank goodness few other public officials take the same attitude toward their work product.
- In my oral testimony, I cited several instances in which county boards of canvass certified obviously incorrect vote totals. I also spoke of the hard fact that none ever verify the vote totals before they certify. Sure enough, like a patellar reflex, the municipal clerk who spoke next offered indignant testimony: “We do too care about accuracy,” though she offered no facts to back up that claim.
The truth of her statement depends on what she means by ‘care.’ I don’t doubt that she “feels concern or interest.“
But until she routinely verifies the vote totals before certifying them, she does not “exercise serious attention or effort to avoid damage or risk.”
So, WEC's attitude toward election accuracy is improving. But the local election officials still haven't mastered Step 1: Accept that you have a problem.
Inaccurate preliminary vote totals are not a problem--if miscounts
are detected and fixed before election results are declared final.
The problem is, as these incidents show, that Wisconsin's local election officials
are making no effort to detect and correct even obvious miscounts.
Have the hackers noticed that yet?
* * *
September 21, 2017 -- Following December's presidential recount, when county clerks reported corrected vote totals to the Wisconsin Elections Commission, they changed at least 17,681 votes from the totals they had previously reported.
Ward by ward, candidates sometimes got more votes, sometimes less. We don't know the full number of miscounted votes, because if recounters both subtracted and added votes to one candidate's total in a single ward, only the net change showed up in the revised totals. Election researchers at the UW-Madison, Harvard, and MIT worked with the data and estimated that in the original results, more than 1 in every 170 votes had been miscounted. *
If you can think of a way to miscount a valid vote, it's likely that somewhere a Wisconsin vote was miscounted like that.
The recount discovered hundreds of absentee ballots still in their envelopes, uncounted on Election Day.
Write-in votes had been treated with extraordinary carelessness. The recount discovered that 1 in every 7 of Evan McMullin's voters had been disenfranchised in the original count. Typos had erased nearly half the votes in precincts in Oneida and Milwaukee Counties. Votes had been double-counted in Eau Claire County.
The miscounts in Marinette, Outagamie, and Racine Counties are of particular interest to those who wonder whether Wisconsin's local election officials are attentive, prudent IT managers.
Those counties and others used a voting machine called the "Optech Eagle." This was once the workhorse of Wisconsin elections, but it never could read votes unless they were marked in an ink that contained carbon.
It didn't read non-carbon ink in 2016, either, when tens of thousands of voters submitted absentee ballots they had marked someplace other than a polling booth equipped with an approved marking device.
So on Election Night, results indicated that Racine County voters were weirdly uninterested in the presidential race. Across the rest of the state, only about 1 in every 130 voters (0.77%) left their ballots blank for president. But in Racine County, almost 1.8% of the ballots were counted as if they were blank. In the City of Racine, the rate was even higher--2.6%. In individual Racine County precincts, up to 1 in every 12 ballots was counted as blank.
In Outagamie County, too, Optech Eagles were telling election officials that dozens of voters had cast no vote for president. In one municipality there, the machine saw no vote for president on more than 1.4% of the ballots.
The machines in the City of Marinette took the prize. The machine that counted ballots cast by absentee voters in the City of Marinette's 7th and 8th Wards printed out results indicating no presidential vote on 9.6% of the ballots. The machine counting Wards 1, 3, and 5 saw no votes on 26.5% of the ballots.
And the machine counting Wards 2, 4, and 6 saw no presidential vote on 30.8% of the ballots it attempted to count.
To their discredit, local election officials either did not notice these obvious errors, or noticed them but chose not to correct them. Officials in these counties signed legal documents attesting that they had reviewed the election results and found them to be "correct and true." But in fact, they hadn't done that at all. At least not until the recount forced them to.
Marinette officials, who conducted their recount by hand, corrected their miscount in the recount. Outagamie officials recounted using the same machines and therefore did not detect their miscount until ordered to do a biennial voting-machine audit in January. By then, it was too late to correct the official vote totals.
Racine County officials still haven't resolved their weird vote totals. They recounted by machine and so certified the bizarre vote totals twice--once after the election and once after the recount--without ever checking to see why they were so weird. In fact, county election officials were so determined to trust unexamined computer output that they refused to check accuracy even after the machines could be seen to be visibly miscounting during the recount.
To their credit, staff of the Wisconsin Elections Commission took steps to figure out what was going on. In January, they asked Outagamie County to send their election materials, including the ballots, to Madison so that staff could examine them and make sure the miscounts were what everyone suspected: an inability to read the ink that many voters used to mark their ballots.
They concluded that ink almost certainly contributed to the miscounts, but that didn't explain all the missed votes. WEC staff concluded “This exercise did not produce a result that allowed staff with confidence to understand how the Optech Eagle treated these ballots.”
Something else, in addition to ink color, was going on, and they couldn't tell what it was.
In June, staff wrote a memo to Commission members, telling them "“The analysis of the performance of the Optech Eagle identified a significant limitation of the equipment.”
The Commission itself then did the right thing, too. They instructed staff to prepare a plan for decertifying the machine, to be decided next Tuesday at their September 26 meeting.
When the Optech Eagle is decertified, it will be illegal to use in Wisconsin. Municipalities will be forced to upgrade to newer machines with enhanced ability to count votes marked in any ink. And that will make our elections a little safer from miscounts. Professor Douglas W. Jones, of the University of Iowa Computer Sciences Department told me: "I've tested the newer machines with everything that I can imagine a voter using. Even glitter pens work, though I still wouldn't recommend them."
We cannot overlook the fact that two failures produced these miscounted election results.
First, the machines miscounted.
Second, local election officials certified those miscounts as "correct and true" anyway.
Replacing the unreliable voting machines with new ones will solve one limited problem. But no sensible person believes that no voting machine will ever again miscount Wisconsin votes. No computer system can do that, particularly when the computers are scattered among every Wisconsin city, village, and town; managed by an army of IT-naive temporary staff; and for which security is a responsibility split among vendors, service technicians, and local election officials.
How many elections did those old machines miscount before the recount revealed the problem to the general public?
And why didn't Wisconsin's election officials notice and correct this problem sooner?
Here's why: Statutes provide Wisconsin's local election officials with a review period following every election, called the 'canvass' during which they can review accuracy before they declare the election results final.
But the election officials don't actually review accuracy. Most clerks are more polite than you see on that Racine County video, but they all place the same blind faith in computer-calculated vote totals. Wisconsin's local election officials just point to the computer print-out and say "Oh, look who won."
On Election Night, when the City of Marinette machines produced such weird numbers, poll workers noted tabulation problems in their Election-Night written reports. Yet neither the city nor county clerks took corrective action. They knowingly certified results that were obviously missing hundreds of votes.
You won't find a county canvass anywhere in Wisconsin that does better. The Dane County clerk will tell you he's the only clerk in the state who checks machines' accuracy after every election (2 machines). But if you press, he will admit he doesn't do that during the canvass. He waits until after he has already legally sworn that the results are accurate and has declared them final.
If the WEC decides to decertify next Tuesday, we commend them for taking action to solve the Optech Eagle part of the problem. We are also asking that they take steps to solve the other half: we are asking the WEC to provide the county canvasses with more specific instructions and stronger encouragement to verify accuracy before certifying election results.
More than 20 other states have already built some kind of verification into their canvass procedures, and they do not declare election results final until they have confirmed accuracy. Wisconsin is no better off than states with paperless touchscreens if all we do is seal our paper ballots in bags and never use them to verify the vote totals.
At the very least, Wisconsin's county clerks need to begin to use simple, routine 'reasonability tests,' which are simple calculations they can do at their desks to look for vote totals that don't make any sense--and then resolve any anomalies they see.
If we have any dedicated county clerks who want to take the lead to bring Wisconsin's canvass procedures into the 21st Century, (ask yours!) our statutes already allow that clerk to adopt whatever canvass procedures he or she wants. National authorities stand ready to help with the implementation of modern methods of election auditing.
There is no reason for Wisconsin voters to continue to trust our right to self-government to anonymous computer programmers or whoever hacked in behind them, or to hope that some IT Fairy Godmother will from now on protect our voting machines from any more glitches.
Our election clerks could be checking accuracy if they chose to--and we need to insist that they do.
* Stephen Ansolabehere, Harvard University; Barry C. Burden and Kenneth R. Mayer, UW-Madison; Charles Stewart III, Massachusetts Institute of Technology - Learning from Recounts, Massachusetts Institute of Technology Political Science Department Research Paper No. 2017-12. July 2017.
July 11, 2017 -- The investigation of the 2014 Stoughton referendum miscount that I, Julie Crego, and Sue Trace did in 2015, in collaboration with Stoughton Municipal Clerk Lana Kropf, was recognized as "helpful" by the Civic Design Project, a joint effort of the User Experience Professionals Association and the Center for Civic Design.
They recommended a post from this blog to civic design professionals working in elections as "useful" because it "discusses the causes of incorrectly counted votes by paper ballot scanner and provides suggestions for proper ballot design and election day procedures to help prevent miscount errors."
June 20, 2017 -- When the legislature voted to abolish the old Government Accountability Board in December 2015, it’s hard to describe how very low my expectations were for its replacement, the Wisconsin Elections Commission. Against unified opposition from citizens and media, Republican legislators destroyed our nationally admired nonpartisan panel of retired judges and replaced them with a panel of appointees selected in an openly partisan process. Independents like me have no representatives on the new Commission, nor do any third-party voters. I thanked my lucky stars that Wisconsin law still gives most direct responsibility for election accuracy to the counties. For the new WEC, I allowed myself to do no more than hope their designed-to-deadlock structure would keep them from making very many bad decisions.
Today I sat through a full-day meeting of the WEC. They made decisions regarding maintenance of the voter registration lists and certification of a redesigned voting-machine system. They discussed how to move ahead with electronic poll books. They reviewed the results of the latest round of voting-machine audits.
I saw no harm done. I saw no deadlocked decisions. I saw a few differences of opinion, but no naïve observer could have picked out the Republican appointees from the Democratic. And, Lord help me, as I observed them holding a voting-machine vendor’s feet to the fire about some less-than-user-friendly features of new voting-machine software, I found myself thinking, “I don’t remember the old GAB being this willing and able to stick up for the voters.”
Before anyone thinks I’ve gone soft, there are things I think they could be doing better. For example, while their desire to stand up for voters’ ability to cast valid votes was evident, an equal desire for evidence that those votes are counted accurately—in every election, recount or no—is not yet visible. But the members of the old GAB were only a little farther ahead in their interest in bringing routinely verified accuracy to Wisconsin election results, so we’re no worse off.
But back to the good news. The presence of two bona fide former election clerks on the new Commission—Beverly Gill, former Burlington municipal clerk, and Julie Glancy, former Sheboygan County Clerk—seems to be keeping it real when discussion turns to questions of how things will play out in the polling place.
For example, it was the former election clerks who really put the ES&S representatives through their paces in the demonstration of a new electronic ballot-marking device. Knowing how often voters are unclear about Wisconsin’s open partisan primary ballot, they made sure the ES&S representatives demonstrated that the machine worked for naïve voters without causing confusion or irritating delay. It didn’t. I won’t describe the problems, because I don’t need to. The Commissioners voted to certify the system only on the condition that the problems were fixed. In their discussion, I saw nothing but concern for the voters’ ability easily to cast a valid ballot. Zero partisanship. (To be fair, the Commissioner who looks to be most partisan based on his resume full of party offices wasn’t there today.)
In other actions, the Commission discussed the current effort to update the voter-registration lists by sending postcards to people who had not voted for four years and ‘deactivating’ those who did not respond. Their questions of staff revealed sincere concern about the possibility of purging legitimate voters as a result of the statutorily-required maintenance effort. They asked detailed questions about how many registrations would likely be deactivated, why, and for whom, and gave staff instructions about information they want to see in the report when the project is complete.
And when staff gave them the news that one older-model voting machine, the Optech Eagle, was discovered in both the recount (Marinette County) and in the voting-machine audits (Outagamie County) to have missed a significant number of votes in November's election, the Commissioners did not miss a beat before discussing decertification. Decertification would force the 140 municipalities that still use the machine immediately to replace it, and staff had not raised that possibility. Instead, staff described their efforts to get local election officials to use a work-around for the ballots most at risk of being miscounted, and to coax the municipalities into replacing the machines. That wasn’t enough for the Commissioners, who instructed staff to prepare a memo on a possible decertification plan for their next meeting, in September.
I'll soon get back to poking and prodding about bringing 21st-century elections verification practices to Wisconsin, and I won't go too much longer (right now, in fact) before I point out that I shuddered a little when the Commissioners accepted a flat "No" from the ES&S vice president in response to "Have any of your machines ever been hacked?"
In my happy dreams, the Commissioners would have responded to that evidence-free boast by asking "How do you know?" To which the honest answer would be, "We don't, really, because most states, like Wisconsin, don't check." And then the Commission would get Colorado or the Election Verification Network on the phone and get to work on promoting routine county canvass procedures that verify accuracy instead of just trusting in it.
Well, enough of that. Tonight, I'm pretty happy that this looks like a Commission that can probably give it some good thought when they get around to it.