December 20, 2015 -- Before I retired, I worked in quality assurance for a program that delivered health care in clients’ homes. It was a human-services government program, so the provider agencies never had more than a a shoestring budget. Rarely was there only one right way to do anything.
Whether because of or in spite of that, most managers were willing to think and talk about quality improvement.
But there were always a few mangers who reflexively insisted, "Everything is already as good as it can possibly be, and I don't need any new ideas."
Now that I’m working in election integrity, I'm seeing a lot more of that second type of 'manager'.
Verifying computer output shouldn't be a novel idea. Wisconsin statutes require clerks to keep an ‘auditable’ paper record of every ballot, not a ‘decorative’ one, so we can safely infer that legislative intent had something to do with checking accuracy. No sensible person doubts the need to check accuracy, whether the output is our property tax bills or our election results.
Responsible election officials can converse about the practicalities: How many ballots do we have to examine before we can be confident we’ve identified the right winners? How can we do that in the time available? If I innovate, what opposition can I anticipate and who is willing to back me up?
Those managers' conversation focuses on reasonable problem-solving, not excuses for inaction.
But there are many election officials who, when they catch even a gentle breeze of change, batten down the hatches as if expecting a hurricane.
Late last month, I sent a for-your-information letter to each of the 61 municipal clerks in a county where we’re working on raising awareness of the need for verification and its practical solution.
Because many are sensitive to any hint of criticism, the letter made it clear that we were asking for change in only county procedures, not municipal ones. In describing what we would be asking of the county, I chose the most respectful, non-threatening, benign words possible without misleading them about the fact that we are asking for improvement.
The letter ended with an offer to visit the municipal clerk, at his or her convenience, to talk more about the issue.
Two weeks later, I found one response in my email inbox. After a few comments that revealed significant naiveté about the inherent limitations of the local clerks' IT security measures, the municipal clerk wrote:
I tire of these subtle (and sometimes blatant) indictments of a system where it is obvious that no one has taken the time to confer with the clerks first. Instead, they pattern advice on what is assumed to be true. Also, I get the impression someone is prepared to sell us some proprietary software to “fix” a non-problem.
Well, at least he responded. That put him ahead of the other sixty municipal clerks.
The devil on my shoulder wanted to respond by calling the writer's bluff by pointing out that if he was genuinely willing to confer, he could have accepted my offer to meet rather than complain that we’d never met.
But I shushed that suggestion. In my actual response, I explained some of the basics of prudent IT security as briefly as I could.
I did not bother to reiterate my offer to meet with him, and I don’t expect to hear back. When someone has boarded up all his mental doors and windows, my guess is that the best thing is to let him calm down in silence until he realizes there won’t be a hurricane.
The disheartening thing is that the people who are open to the breezes of change are not those who are in a position to implement improvements.
Voters and poll workers, to start with, are very interested when they learn that election results could be made safe from electronic miscounts. They know how much they have invested in elections, and how tragic it would be to lose it all to a computer glitch, when such a loss could easily be prevented.
State and national officials are interested, too. It's the national authorities' recommendations that we're trying to get local elections officials to heed.
Last July, when we gave a public demonstration of an efficient new verification method, attendance at the event included the director of the state Government Accountability Board and his chief elections manager; the director of the state League of Women Voters; and a nationally-renowned, federal-government-advising expert on election technology and computer-science professor from a neighboring state.
From within a 30-mile radius, we had also invited 3 county elections officials, 37 county board supervisors, and 61 municipal clerks. Not one of them showed up. Not one.
Among the I-have-a banana-in-my-ear responses I've received from local officials over the past few years:
- Every professional version of “I’m planning on washing my hair that night.” If an election is coming up within two months, they are too busy preparing to talk. If an election is more than two months away, they will be willing to talk about election administration issues when they are more timely. The City of Madison municipal clerk begged off attendance at one public meeting by saying she’d be too busy registering voters—at 8:00 PM. (She has a staff of seven.)
- They’re just so busy with everything else all the time, they cannot even read the invitation. One county board supervisor told me not to expect a response from any other county board supervisor because “We get so many emails we don’t read them.”
- It’s not my job: “You don’t need to talk to me because I’m (not on that committee; not in the majority; from a neighborhood too affected by Voter ID…).”
- And, of course, silence.
This cannot go on forever. We will get their attention somehow. For all our sakes, I hope it's before the next serious electronic miscount gives us cause to shout “I told you so!”
December 12, 2015 at 8:24pm -- Our local election officials do the best they can with voting-machine security--really, they do. They might or might not understand the dangers of illicit installation of wireless communications chips or software tampering, but they all know they need to keep those machines safely locked up between elections in town hall storage rooms, village police garages, and various other secure compartments.
I cannot count the times that local elections officials have earnestly reassured me of their diligence about that, and I sincerely believe every word. It seems rude to remind them that no matter how hard they try, they cannot count on having complete control, so I try to be gentle when I tell them that they still need to check the output for accuracy, just in case.
But one Connecticut town clerk got the message loud and clear when she went to retrieve the voting machine for an upcoming election and, to her great dismay, found it festooned with crepe paper and cardboard skeletons. One of the town board members had accommodated a local high school club's request to use the town hall for a Halloween haunted house evening and had borrowed the janitor's key ring for the event. The dusty, dark storage room made a perfect place for the skeletons.
That Connecticut elections clerk retired to Wisconsin, and I ran into her at a party tonight. Her story was the most humorous I've heard, but it's unusual only in its colorful details. A Wisconsin county clerk once told me of returning from vacation to find the door to the room where the county election-management computer room hanging wide open. The county executive told her the cleaning crew had decided to take her vacation as an opportunity to clean that room. He apologized that they'd neglected to close the door when they left, but neither he nor the county clerk had realized the cleaning crew's master key worked on that door, too.
Towns, villages, and cities are run by normally competent and well-meaning people who generally do the very best we can expect of them. But management tasks are frequently handled by part-time employees or even volunteers, and executive oversight is provided by local elected officials who often have even less training and experience.
We cannot imagine we can protect our voting machines from tampering simply by demanding local elections officials maintain fool-proof security programs. It's just not within their power.
Transparent, rigorous post-election verification of voting machine output remains the only way local elections clerks, candidates, and voters can be sure that the machines performed accurately on Election Day--or discover if they did not in time to correct the output.
October 15, 2015 at 1:24pm -- If some genie were to happen by and offer me three wishes, I fear that before world peace, I'd ask to understand our election officials' lack of interest in verification, when I'm sure they all have the sense to know why banks audit to make sure their computers credited deposits to the correct accounts. It puzzles me deeply.
Yesterday. The chairman of Wisconsin's elections authority, the Government Accountability Board, was testifying before a legislative hearing to defend the agency's continued existence. One of his Republican executioners confronted him with the fact that the GAB had, for many years, neglected to perform statutorily required post-election audits. How could the Board, the questioner badgered, assure Wisconsin residents that their voting machines had counted correctly if they never did post-election audits?*
GAB Board Chairman Judge Gerald Nichol responded--right out in public, on the record, and apparently without embarrassment, "It is true we did not do the audits, but I don't find that too worrisome because our staff thoroughly tested the systems before they were approved for use in Wisconsin."
And--I'm not making this up--that answer appeared to satisfy his questioner.
Imagine what Judge Nichol or the legislator would have said if a banker testified, "We never audit, but I don't find that too worrisome because when we bought those computers, we tested one to make sure it was capable of counting correctly."
The over-the-top ridiculousness of that statement would be immediately evident to either of them in relation to a bank's computers, but neither seemed to think it in any way remarkable when the output in question was our election results.
Today. I went to a large-group training where about two dozen municipal clerks were in attendance. I had several opportunities for one-on-one chats, and I used them to feel a few officials out about their level of awareness of voting machine accuracy. I've learned to start such conversations with praise for their efforts in double-checking that the machines counted the right number of ballots--which they do quite well.
"I'm conducting sort of an informal survey about clerks' thoughts on voting machine accuracy," I would start. "I know you know for a fact that the machines always count the correct number of ballots--you've got that nailed down. But what's your level of trust that the machines counted the right number of votes?"
Most conversations go one of three ways from there. The worst conversations don't even get started (two tonight, but I've gotten this reaction on other occasions). The question explodes some landmine: "Our voting machines are accurate! We test and double test and maintain the very best security. Our election results are always accurate, I'd bet my life on it." Any follow-up question (e.g., Can you tell me what gives you that confidence?) will be met with only more anger, and the clerk or poll worker will walk away. The Topic Must Not Be Raised.
The second typical response is less emotional, but no more productive: Some election officials will be unable to understand the question no matter how you phrase and rephrase it. It's as if you are asking "What do you do when the sun comes up in the west?" They mentally rephrase the question into something that makes sense to them and start talking about that. The elections official will describe the process for checking that the machines counted the right number of ballots, and I'll politely wait until she is done, and then ask the question again more specifically: "Yes, but how often do you think the number of votes--that is, the number of votes for Jones, and the number for Smith--are correct or incorrect?" The elections official will repeat the explanation about verifying the number of ballots, or tell you how the machines reject over-votes, or how they check their addition during the municipal canvass, or some other thing. I'm usually the one that ends these conversation, because I start to feel I'm being mean.
The third most typical response is that they 'correct' the question rather than answering it. In a you-should-know-this tone, they will say something like: "The machines cannot miscount," or "Accuracy is the county canvass job." I had two of these conversations tonight. They don't go anywhere, either. Once this type of election official has decided you are just naive, they switch to an all-talk-no-listen mode.
Of seven or eight conversations I started tonight, only one unfolded into a genuine exchange of information. The clerk responded to my question with, "I would say I'm pretty close to 100% confident, but it does bother me we don't know for sure. I've never discovered any miscount in the pre-election test--that's what gives me confidence--but I know that doesn't guarantee they'll count right on Election Day." Wow. Town of York voters, you're in sensible hands.
For the life of me, I cannot understand this mental block. It would be easy to say "People are naive about computers," but this level of blindness affects their thinking about only voting machines--no other computers.
Some sort of reflexive emotional-defense denial is a possibility--the thought of incorrect election results is just so horrifying that they cannot permit its presence. Maybe, but most of an elections official's work is dedicated to preventing various mistakes and frauds. It's simply not believable to me that they could not already have accepted the idea that something could go wrong.
Different officials probably have different reasons. For example, it seems that those who react immediately with anger, taking offense that you would even ask about electronic miscounts, are at some level aware that they might be certifying inaccurate totals--otherwise, why would they be so defensive?
But the others--I genuinely cannot guess.
* Just for the record, with the audit procedures the Board uses, final Wisconsin election results are unprotected against electronic miscounts whether the Board does the audits or not. Even if they had done them, their procedures are not designed to detect and correct incorrect election outcomes. Among other problems, they use a too-small sample size and have no provision for expansion of the audit beyond a single precinct if a miscount was discovered. The audits are performed after election results are certified as final, so unaudited voting-machine output determines the 'winners' regardless.
June 07, 2015 at 10:55pm -- This weekend, the Wisconsin Grassroots Network allowed Wisconsin Election Integrity to use part of its booth at the annual state Democratic Convention. With a colorful pamphlet titled “How to Steal Wisconsin Elections” on one side, and “How to Protect Wisconsin Elections” on the other, I was able to start good conversations with more than 100 people, a large number of them involved in local elections administration in some capacity—mostly as poll workers or board of canvass members.
In general, the Democrats were skeptical whenever I offered the pamphlet with the “How to Steal” side up asking, “Want to know how to hack voting machines? The Republicans know, so you should, too.”
But when I turned the pamphlet over to reveal the “How to Protect” side, they were receptive, confirming my sense that people are tired of being told about problems they cannot solve, while they are ready to welcome constructive information about solutions.
Their reactions, after I’d given them the election-integrity elevator speech, confirmed that politically active people, like everyone else, typically assume our election results are routinely checked for accuracy and are shocked to learn they are not. Like all other sensible digital-age people, they immediately grasp the carelessness of that practice.
During the entire two days I staffed the booth, all but one of the conversations went very well, often ending with the person asking for more literature and promising to talk to their county clerk when they got home.
I ran into only one person who vigorously argued with me, and I hope you’re as disturbed as I was by who it was—or might have been.
After taking the pamphlet with a frown, one man listened to my short speech and flatly told me I was wrong. Voting machines are reliably accurate, he said, and he should know: Before he retired, he tested voting machines for the Wisconsin Government Accountability Board and for the State Elections Board before that.
I realize he could have been misrepresenting himself, but he might not have been. I recognized the GAB staff attitude toward citizen input and the talking points.
As he argued, he revealed either that he was painfully ill-informed about voting machines and IT security, or that he thought I was and could be distracted with misinformation. It was hard to tell.
For example, when I explained that the hacking information in the pamphlet was based on the findings of a national panel of voting-machine security experts, he said something along the lines of “The national experts’ findings are not applicable to Wisconsin. Wisconsin’s voting machines are programmed individually for each county—no hacker could get to all of them.”
I gently laid out the obvious logic for him: “A hack wouldn't need to affect all the machines everywhere. Mathematically, you could change a statewide outcome merely by making one big county already likely to go for your candidate go even more decisively. Pundits will simply say, "Oh, wow. That party did a great get-out-the-vote effort in that county!"
"And besides, the national experts says that the most likely, most dangerous hack would affect the source code, not the set-up for each election. It's the set-up that is done separately for each county--mostly by a few vendors. And the source code is programmed exclusively by the vendors.”
But he doubled down and insisted the source code is programmed individually into each voting machine by the counties.
We had drawn a few witnesses by now, so even though I suspected he knew it, I gave the basic explanation of the difference between programming the voting machine and setting it up for each election. (“When you get a new cell phone, it comes with lots of programming deep inside that neither you nor the salesperson touch as you set the phone up with your phone number and contacts.”)
I reminded him that the source code must be tested by independent laboratories and approved by the federal government and that once it is approved, no one is allowed to make changes. If the voting machines’ source code is being “programmed individually,” as he claimed, someone is breaking the law. The speed with which he gave up that line of argument indicated to me he knew that all along.
He then tried the recount defense—claiming that if anyone suspects election results are wrong, they can demand a recount. Again, not knowing whether he was genuinely naïve or was hoping I was, I explained Wisconsin recount law to him. He finally conceded, “Well, yes, they would have to pay for the recount.”
When I asked, “Would you trust a bank that refused to audit until someone suspected a problem, and even then, demanded that the person who suspected a problem paid for the audit?”, he moved on to his next point. We then danced through a set of well-worn arguments.
He: Local election officials store their machines securely.
Me: Local election officials have no control over the security of the software while it is with ES&S, Dominion, and Command Central, where it is most at risk.
He: But those companies have wonderful, effective security.
Me: Wisconsin election officials have no way to know what sorts of security those companies maintain. We do know they would be in the IT-security consulting business if they could do IT security better than Anthem, eBay, Target, and Sony.
He: There are no miscounts.
He: Well, those should have been caught in pre-election voting machine tests.
Me: Correct, but they were not. That’s why every human language has a word for ‘mistake,’ and why we need routinely to check Election-Day output for accuracy.
He: But it makes no sense to assume the computers are miscounting.
Me: Correct, in the same way that it makes no sense to assume they are counting accurately. And if we decide it's not a good idea to assume, we need to verify. Your municipal treasurer does not assume she’ll find errors when she routinely spot checks the computer-generated property-tax bills before putting them in the mail. But she does it anyway because that’s what prudent managers do.
He: There’s not enough time or money for full recounts.
Me: No one is talking about full recounts. If you’ll stop arguing for a moment, I can tell you about sampling and risk-limiting auditing.
He: But you cannot assume any sample is representative.
Me: Correct. That's why you calculate probability.
Of course, the conversation ended before he accepted the common-sense national consensus on routine verification of voting-machine output—but that was what I expected. You can tell when someone is engaging in sincere let’s-share-what-we-know conversation and when they are simply staking out a defensive position and reflexively contradicting everything you say. He was clearly doing the latter, so I let him leave when he ran out of breath. Who knows—maybe he went to his hotel room that night, gave the matter some sober thought, and moved slightly toward acceptance.
After he left, the handful of people who had been entertained by the exchange asked a few sincere questions and stayed for more information, so it turned out to be a useful exchange even if my antagonist never finds his way to common sense.
He might have been lying about having formerly tested voting machines for GAB, but I’m not lying when I say this sort of reaction is common (though far from universal) among Wisconsin elections officials from the state level on down. I had a very similar encounter with a municipal clerk just about a week before.
There’ s no need to condemn elections officials for this intellectual obstinacy, because psychological denial is a universal human foible. These men and women have likely certified dozens of elections without verifying accuracy, so it must be a real kick in the gut when they first realize how dangerous that is. When you introduce the notion they might have inadvertently certified hacked voting-machine output, I’m sure it feels to them as if you just suggested their spouse might be unfaithful.
In all but extraordinary human beings, that sort of unwelcome news creates an intolerable amount of cognitive dissonance and pretty much shuts down logical processing, at least for a while. None of us can process new information when our brain is fully occupied generating any possible excuse why the information might not be true.
So we need to be patient, to a point. I suggest that point will arrive sometime before November 2016, when we will need to insist on the resolution of our own cognitive dissonance, which comes from being forced to trust our sacred right to self-government to unaudited computer output.
May 26, 2015 at 11:47pm -- The Facebook group Wisconsin Election Integrity has lately been dominated by two people: me and an advocate for hand-counted paper ballots. That school of election-integrity activists advocates for junking voting machines entirely. They believe verification would be as thoroughly fraudulent as they believe electronically counted elections to be and would therefore serve only to create even more voter complacency.
Advocating exclusive reliance on hand-counted paper ballots (HCPB), they demand that public, transparent hand counts be conducted in every polling place immediately after polls close. That speed is necessary to provide as little window of opportunity for tampering as possible. Electronic tabulators must not be used, they argue, because they count the votes inside a black box—that is, by one computer programmer acting alone in secret.
I usually try not to argue with HCPB-only advocates for two reasons. First, they are correct that their vision could produce accurate election results every time, and second, we all need to keep our eyes on the prize. We share the same goal—verified accurate election results—so this is an argument over means, not ends. As Bill Moyer explained in “Doing Democracy,” in every successful social reform movement, you can see people playing at least four different roles ('citizen,' 'rebel', 'change agent', and 'reformer'), and “dissension among them…reduces the movement’s power and effectiveness. Activists need to become allies with those playing other roles, since cooperation and mutual support will enhance the likelihood of success.”
Avoiding fights with people who are (or should be) big-picture allies is one thing. Refusing to explain yourself is another, and I think it’s past time that someone clearly laid out the rational case for demanding post-election verification of voting-machine output instead of demanding HCPB alone. So here goes.
1) Verification of voting-machine output is hand-counting ballots, at least in those jurisdictions that use opscan machines, which is most of the big counties in Wisconsin. So this debate is actually a squabble over whether the hand count or the machine count should be accepted as definitive when they disagree, and to a lesser extent, how many of the votes we need to hand count to make sure the results are certified for the correct winner.
In Wisconsin at least, the HCPB advocates have already won the (non-existent) battle over which method produces more credible results, even if they don’t realize it. It’s not even up for debate. Statutes governing recounts already establish (and nearly every election official you can pin down agrees) that when an official hand count (not a citizens' audit) and machine count disagree, it’s the hand-counted result that prevails.
Once you’ve established that transparent human-counted results are more credible than black-box machine-counted results, it becomes apparent that doing both is more secure than doing either one alone. Even if ballots are fully hand-counted before dawn on Wednesday, obvious security advantages are created by having voters insert their ballots on Tuesday into a machine that automatically preserves a digital image of that ballot. And knowing that humans cannot ever be trusted implicitly, it is also obvious that you might as well get a preliminary electronic count when they cast their ballots, so that an election thief must jump over two hurdles (that is, to rig both an electronic system and a human one) instead of just one.
2) Verification would catch unintended miscounts, because nobody would be trying to hide them. It’s possible that the majority of electronic miscounts are accidental rather than deliberate—due to human programming or set-up error or to randomly occurring mechanical or electrical issues. (I would say it's likely most are inadvertent, but cannot prove it because no one checks for the sorts of miscounts that hacking would create, so every miscount except the obvious inadvertent ones goes undetected.)
Since no one expects the accidental miscounts, no one would sabotage a verification to cover them up, and they would be detected readily, in much the same way that recounts discover errors more often than not. Those who reject routine verification because they believe clerks often want to cover up fraud are, in practice, proposing we allow all the accidental miscounts to remain undetected because we shouldn't trust the clerks to reveal the fraudulent ones. I am not willing to do that; I'll take what I can get when it comes to detecting and correcting miscounts.
3) Verification would deter or detect fraud that the local officials were not in on. National experts believe the most likely and most dangerous form of electronic election fraud is one in which a single programmer makes illegitimate changes to the vote-tabulating software at some time while it is not in the control of local elections officials. John Washburn has also convinced me that it would be easy for someone to insert wireless communications capability into Wisconsin’s voting machines—again, before the hardware comes into the possession of any local elections official. This capability would go undetected by our election officials because they never look for it.
Wise criminals never involve anyone in fraud who does not need to be involved, and neither of these frauds needs to involve any local elections officials. So when elections are hacked, it's entirely possible the local elections clerks aren’t in on the scheme. Therefore, they have no reason to sabotage verification.
The only time a local elections clerk would want to sabotage a post-election verification would be when he or she is in on the fraud, and that clerk's resistance would then call attention to a problem, if the rest of the world knew what a decent post-election verification looked like. No one does now, because we don't do them.
4) Hand counts have their own problems. In the real world, it’s questionable whether relying entirely on hand counts would give us much more confidence in election results than relying entirely on machine counts. (To repeat: I think we need to do both full machine counts AND sufficient hand-counts to verify the outcomes.) Sloppy chain-of-custody practices come to light with every recount, and—I’ll be frank—I’ve never fully understood why people expect hand counts to be transparent enough. I’ve observed about six, and there wasn’t one of them where I could come close to seeing what the hand-counters saw except intermittently. The observers at Scotland’s referendum hand count were mightily frustrated by their inability to observe effectively, and what they did observe wasn’t reassuring.
And then there’s the question of who, really, would come out to count or observe a hand count during the wee hours on Wednesday morning following Election Day? I have been greeted with “You’re the first citizen ever to show up to observe our public test!” at literally every single one of the dozen or so pre-election voting machine tests I’ve observed, so I can vouch for the fact that no one attends those--and they take only about two hours during the daytime! I’m all for making election work something like jury duty, but it would take years of work to get that legislation passed. That doesn't mean we shouldn't start now, but that brings me to…
5) We could get verification in place by November 2016; we don’t have a prayer of HCPB by then. I won't stand in the way of those who want to work on getting the voting machines thrown in the junk yard. But there is no way on god’s green earth that we’re going to get state law changed to require HCPB between now and the critical 2016 elections.
How many more elections are we going to let be decided by unverified black-box output, when the most basic common sense tells us how incredibly careless that is? I cannot speak for other states, but if enough Wisconsin citizens pressured their county clerks and county boards of canvass hard enough between now and, say, January of next year--especially if even one county clerk is willing to show leadership and vision by adopting such practices--we could have fairly decent post-election verification policies in place in the critical counties in time to protect the 2016 elections from electronic miscounts. Truly, there is nothing in state law or GAB written policy that forbids it—it’s all a matter of the county clerks’ discretion and voters’ interest.
I could go on, but those are my best arguments.
Someday soon, I’ll get around to laying out the case for verification to its other sometimes-hostile allies: Those who argue that our energy should be directed at improving the technology rather than wasting time with a low-tech, unsexy chore like verifying output.
May 20, 2015 at 9:56pm -- Pay an hour’s attention to the vote-counting debate and you’ll probably hear several myths. From defenders of the status quo, you'll hear that our municipal clerks' management of our voting machines is able to stump hackers.
From critics, you'll hear that widespread snafus indicate widespread fraud.
Those myths are easily debunked with a moment’s serious thought. All you have to do is say " Sony, Anthem, and Target" and a county board supervisor will realize our votes are not safer with a municipal clerk than our credit-card information is with a multi-million dollar corporate IT security program.
Point out that our elections are run by lightly trained temporary workers who get no more than four days' on-the-job experience every years, and any worried voter will realize we cannot expect perfection from an elderly, 32-hours-a-year poll worker--particularly if the worried voter is an elderly, 32-hours-a-year poll worker.
However, there are other myths that more insistently keep otherwise intelligent people from thinking sensibly about vote-counting. I’m sure others can suggest more, but these are my top three.
* * *
Myth: Election results are announced on Election Night.
Fact: The numbers announced on Election Night are preliminary. Elections officials have two weeks—more if they ask—before they have to sign the statement that will transform those numbers into final, official election results. Statutes allow several weeks for the canvass process so the results can be reviewed to make sure they are correct. That’s what ‘canvass’ means.
An example of how this belief affects citizens: Within a week following one election, I received a copy of a complaint filed with the state elections authority. The complainant was demanding the State investigate an anomaly in the Election-Night results. I had to explain that the state elections agency didn't even officially have the election results yet. County boards of canvass were still working with them. I suggested the complainant contact the counties—particularly the county where the anomaly was most obvious—to make sure the county officials noticed the problem, checked it out, and fixed it. That’s their job, and there was still time for them to do it right. But no. He wanted to file a formal complaint with the State.
How this belief limits elections officials: We praise other managers who notice and correct computer errors, but not election managers. For example, you likely notice reversed entries on your monthly bank statement from time to time. You never pointed the error out to the bank; they found it and corrected it themselves. This likely makes you more, not less, trusting of the bank’s integrity and competence.
But talk to any elections official and you are likely to find an intense fear that the opposite is true for them--that they would be crucified for admitting an error. They could be right. For exercising the same sort of quality management for which other managers are praised, elections officials likely face criticism. And this affects their behavior: you won't catch many election officials reminding people that Election-Night reports are subject to change if any miscounts are detected.
Myth: Voting machines can and should be expected to produce the correct results the first time and every time.
Fact: Computers are manufactured, programmed, maintained, and operated by always-fallible, sometimes-dishonest humans and their output must routinely be checked for accuracy, no matter how much confidence we have in the people who run them.
Here's one federal judge speaking for all who hold a childlike faith in computers: “The machine…relies on an objective tabulating machine that admits of no discretion to count votes. If a voter casts a vote according to the instructions, the machine will count it.” (U.S. Court of Appeals, 11th Circuit, Touchstone and Shepperd vs. McDermott, Dec. 6, 2000)
It’s easy to ridicule that sort of digital-age naiveté, but I see the same blind faith in the perfectibility of computers among some election-integrity activists—specifically those who argue that open-source code is the solution to our woes. What they don't seem to realize is that on that wonderful day when our voting machines are loaded with open-source software, nothing new will be preventing human errors as the same old humans program the machines for each new election. Nothing new will be in place to prevent ink transfer and dust bunnies from voting. Nothing new will be in place to make sure someone has the time and skill to examine the open-source software in each voting machine, or to do anything about it if they see a problem. Open-source programming is merely decorative if people don't routinely check the output for accuracy, and if people routinely check the output for accuracy, it won't matter whether the programming is open-source or proprietary.
The voting-machine regulators have also been seduced by this myth. In 2013, I sat through a two-hour debate during which state elections board, their staff, county representatives, and voting-machine vendors argued about whether to require Brown County to purchase a separate computer to support its new voting machines, or to allow the clerk to rely in part on a shared county computer. Given a chance to comment, I suggested that Brown County be allowed to use the system it wanted as long as it checked to make sure its results were accurate. Such an effort would catch not just any miscounts created by the shared-computer arrangement but by dozens of other possible causes. I was ignored, and Brown County was ordered to increase its election-administration costs by several thousand dollars, in the naive expectation that this would make the system so secure it wouldn't need to be audited.
With this new system, I'm sure that Brown County officials won’t notice any miscounts. Just like their teenage sons never notice any dirty underwear or dried-out pizza crusts under their beds--and likely for the same reason.
And the winner is:
Myth: It’s somebody else’s job to make sure our votes are counted correctly.
Fact: In Wisconsin and other states that do not audit preliminary election results, no one is standing between any electronic miscounts and our certified-final election results. Clerks, citizens, candidates—everyone—needs to do what he or she can to help detect and correct miscounts.
When I was a little girl, I remember my dad coming home from work complaining, “The whole world can fall apart and those people don’t care as long as none of the pieces land on their desk.” That attitude is still around. My personal collection:
- A municipal clerk: “We don't check the vote totals in the pre-election tests. We don’t need to. The State wouldn’t have approved the equipment if it didn’t count right.”
- State elections staff: “Every municipality conducts a pre-election test of its voting equipment, which ensures the accuracy of every piece of voting equipment in the state.”
- A municipal clerk: “If we notice an anomaly on Election Night, we note it for the county board of canvass. It’s their job to correct any miscounts.”
- A board of canvass member: “We trust the results sent to us by the municipal canvass and would never unseal the ballot bags for any reason.”
- A county board supervisor: “If any election results seem suspicious, the county clerk would surely check them even if the results are outside the statutory recount margin.”
- A county clerk (in that same county): “I am really not interested in doing a recount for candidates (whose results fall outside) the recount margin.”
- An election-integrity activist: “The political parties should care enough to send observers to the pre-election tests.”
- A political-party activist: “We’re too busy with get-out-the-vote efforts to spend any time observing voting-machine stuff. You election integrity people will need to do that.”
People who are standing around pointing at each other saying, “It’s his job, not mine,” might be glitch-governed people, or error-governed people, or hacker-governed people. But they cannot honestly think of themselves as self-governing people.
Citizens who are serious about their right to self-government and the diligent public officials who serve them need to educate themselves about the risks of electronic elections technology. Local elections officials need to adopt prudent management practices, and citizens need to be willing to show up.
There’s no way around it: we have to do it ourselves.
April 17, 2015 at 7:45pm -- The Wisconsin legislature is set to amend state elections law pertaining to recounts under s.9.01, Wis.Stats, in a way that makes no sense with respect either to partisan interests or to election integrity. The only thing that can be motivating the proposed provisions of Senate Bill 96 is a child-like trust in the reliability of the computers inside our voting machines.
Under both current law and the proposed amendment, any candidate can request a recount, but they are required to pay the cost of the recount unless the margin of victory is small. Under current law, election officials will recount the preliminary results at no cost if the computers tabulated a victory margin less than one-half of one percent, and candidates must pay $5 per ward if the margin is between 0.5% and 2.0%. If the computer output gave the victor a margin of more than 2%, the loser must pay the full cost of any recount.
Under the proposed legislation, election officials will perform recounts at no cost only if the margin is less than 0.25%. Candidates will have to pay the actual cost for all other recounts, although the cost of the recount will be refunded if the recount overturns the preliminary results.
Although this legislation is being sponsored and promoted by Republicans--Senator Devin LeMahieu of Oostburg and Rep. Joan Ballweg of Markesan--Republican candidates are just as likely to be hurt as any other candidates—perhaps more likely, depending upon who you assume is most willing and able to commit electronic election fraud.
And the legislation will hurt every citizen who cherishes our freedom to exercise our right to self-government, regardless of party affiliation. Here’s why:
Computer glitches, human programmer errors, and electronic malfunctions have no partisan loyalties. They will hurt Republican candidates just as readily as any other. As we recently saw in Stoughton, where dust bunnies voted on 1.27% of the ballots cast in one precinct, electronic tabulation can be off by more than 0.25% simply by virtue of random, unpredictable malfunction. The Medford miscount of 2004--believed to have been an inadvertent programming error but never actually investigated, as miscounts never are--disenfranchised every voter who chose the straight party ticket, about a third of the voters in that presidential election! Errors of this type are not scandalous or surprising; they are occasionally unavoidable and should be anticipated whenever we use computers.
In addition, experts in elections technology will tell you that, depending upon ballot design, as many as 0.5% of the voters’ marks will be unreadable by optical scan machines, although voter intent may be obvious to human eyes. The clearest example of this I ever saw was a would-be Republican voter who drew a circle around each Republican candidate’s name, though never straying into the area where he or she should have recorded the votes. The machine saw nothing but white space, but any human eye could easily discern an intended vote for every Republican on the ballot. Without a recount or an audit, those Republican votes were completely lost. Again, non-scandalous, non-partisan, and an entirely predictable event when using computers.
Finally, we come to the issue of hacking. Dollars to doughnuts, the Republican sponsors of this bill believe that Republican candidates are more likely to be targeted by hackers than other parties’ candidates. Look at 4Chan; look at Anonymous. When and if they target Wisconsin elections, who are they going to go after? There must be hundreds, maybe thousands, of left-wing techies with the ability and willingness to hack into the companies that program Wisconsin’s voting machines.
On that inevitable day when they find their way into Wisconsin’s vote-counting software, SB 96 will make it more likely they will escape detection. Under current law, hackers need to flip only 1% of the Republican vote in a toss-up election to create a 2% victory margin that puts the results outside the recount margin. Under the new law, hackers will need to flip only 5 out of every 4,000 Republican votes to prevent anyone from demanding a recount and detecting the theft of a hard-earned, expensive Republican victory.
However, I am not going to put any effort into opposing this legislation. Not because I want to protect Republican candidates or those of any other party, but because I don’t think recounts are very useful for election integrity even under the current law.
Wisconsin’s self-governing citizens shouldn’t have to demand, election by election, that our government check the output of our voting machines' computers for accuracy, and we certainly shouldn’t have to pay extra for it when we suspect a computer error might be larger than 0.25%. Your bank doesn’t wait for you to demand an audit before it audits its computers’ output, and certainly doesn’t limit its audits to instances when only tiny errors are suspected. And then it gives you a statement so that you can check, too.
Your grocery store audits the output of its scanners without its customers paying extra for that safeguard. And then it gives you a receipt, so that you can check, too.
Wisconsin citizens don’t have to demand and pay for verification of the DOC computer output that keeps track of criminals on probation and parole--DOC employees do that as part of their job. Wisconsin school boards don’t have to demand and pay for double-checking of the output of the computers that calculate school aids--DPI employees and legislative employees do that routinely.
Responsible public managers, like responsible business owners, check their computers’ output for errors—both tiny and large—as routine, prudent IT management. When the computers are deciding who will govern us, there is no sensible reason why the burden is on voters and candidates to demand and pay for checks of the computers’ accuracy.
What Wisconsin needs is what 20 other states already have, and what every national elections-administration and information-technology expert has recommended from very inception of electronically counted election results: Routine (that is, after every election) post-election verification of electronically tabulated voting-machine output before those preliminary results are certified as final.
After the polls closed in Stoughton, Wisconsin last November 4, workers in three of the city’s four polling stations were surprised to see their voting machines had counted no votes for a municipal referendum. A different puzzle confronted the poll workers in the fourth polling station. In a precinct where 1,255 voters had cast ballots, the output tape indicated the machine had counted 16 votes (9 no, 7 yes.)
The main problem was rapidly diagnosed as a set-up error that sent all four ES&S DS200 optical scanners looking for referendum votes in a blank section on the back of the ballot, rather than in the ovals that voters had filled in. Had the error simply looked for 'yes' votes in the 'no' spot and vice-versa, the referendum would have failed and no one would ever have noticed the mistake under Wisconsin's current, ineffective post-election audit policies. However, because the error was so dramatic, a prompt hand count revealed the true results, which were certified on schedule.
But the mystery of the 16 votes remained. It was not possible that the optical scanners could have recognized 16 actual votes and ignored the rest. Those were phantom votes, cast by no one. What caused them?
Dane County Clerk Scott McDonell quickly concluded that the 16 votes were voter error--using wet marking pens for races on the front that had bled through to cause readable marks on the back, where the referendum was the only contest.
Inspection of the ballot layout, however, revealed this was not likely to have caused the phantom votes. The ovals that voters fill in are placed along the left edge of each column on the ballot, where the optical scanners are programmed to look for them. Any bleed-through from ovals on the other side would show up along the right edge. A very heavy write-in vote might bleed through to the left edge of a column on the other side but on this particular ballot the opposite side contained another yes-no referendum. No write-ins there.
The ES&S manufacturer’s representative had a different explanation. He told Stoughton City Clerk Lana Kropf that the 16 votes were likely the result of ballots being sent through the voting machine while the ink was still wet. This, he said, could have caused the wheels that feed the ballot through the optical scanner to transfer ink from a real vote to another area on the ballot.
Working with that hardly-reassuring suggestion, Kropf and I, working with Sue Trace and Julie Crego from the WGN Election Integrity Action Team, investigated. We examined every ballot cast in that precinct, looking for evidence for either explanation. Could we find 16 ballots on which front-side votes had bled through to the area where the misprogrammed machines were looking for votes? Or could we find 16 ballots with evidence of wet ink from a real vote being picked up and redeposited into that area?
No, we could not. We saw about four or five ballots on which bleed-through seemed to be dark enough to be read as votes on the other side of the ballot, but the bleed-through was, as we’d expected, not in any target area where the voting machine would have been looking for votes.
We also saw three or four ballots with stray marks that looked like they could have been created by ink on a rotating wheel. However, the very darkest of these marks was in our opinion too faint to have registered as a vote and there were too few to account for all 16 phantom votes anyway.
Other types of stray marks appeared on perhaps a dozen or so more ballots—finger smudges, printers ink transfer from one part of the ballot to another when the ballot was folded, a mark made by a dropped pen, and an imprint left when a voter wrote on another document while the ballot lay underneath it on a desk. None of these were both dark enough to have registered as a vote and in the correct spot on the ballot to have been counted as a phantom vote.
What then? Is Dane County in possession of a voting machine with a will of its own, capable of generating votes on its own initiative?
I contacted Douglas Jones, a computer-science professor at the University of Iowa. Professor Jones has done academic work and research on electronic elections technology and has advised several states, the US Congress, Civil Rights Commission, and Federal Election Commission, and several foreign nations on elections technology issues, in addition to consulting with organizations such as the ACLU and the Brennan Center for Justice.
Jones’ research has been surprisingly thorough. He wrote, “I always test voting machines with a random handful of pens and pencils as well as testing them with the official recommended marking device. Glitter pen turns out to work well (if you let it dry properly before scanning!) but I would never recommend that voters vote with such pens.”
More seriously, he confirmed that he has “seen both bleed-through and ‘tractor trails’ that end up being counted as votes.” Both, however, can be prevented.
Bleed-through. The right paper stock and marking pen can prevent bleed-through on ballots marked at the polling place, but Jones pointed out “No matter what kind of ballot-marking pen or pencil the polling place provides, some voter will pull a random pen or pencil out of their pocket and use it. This is particularly true in a crowded polling place when the official ballot marking pen or pencil goes bad (out of ink, needs sharpening) and also true for absentee voting.”
Next to heavy paper stock and special pens, ballot design is the most effective preventive measure: “When two-sided ballots are necessary, Jones recommends that clerks “hold a ballot up to a bright light (tape it to a window with the sun shining through it) and see how the voting ovals on one side line up with the ovals on the other. No oval on one side should be within 1/4 inch of an oval on the other side to be really safe, although 1/8 inch between ovals ought to be sufficient.”
Tractor trails. Jones wrote that he has never seen marks caused by rollers transferring wet ink from one part of a marked ballot to another, although “with many common ballpoints, sometimes a glob of ink gets loose and will dry extremely slowly. I can imagine a paper feed roller transferring such a glob down the ballot as extra marks.”
Nevertheless, he has seen such marks created by the wheels alone—without ink. When he used one stack of ballots to test several different machines, he noticed that “After 8 passes, the tread marks from the feed rollers began to be visible, after 16 passes, the tread marks were quite visible.” This obviously isn’t a problem in real elections, when ballots “are scanned just once, except when there is a machine recount, and then they may get scanned twice.”
Again, the best preventive measure is ballot design. Jones wrote: “Find out where the paper feed rollers are in your scanners. They are extremely unlikely to be full-width rollers. Rather, the rollers are most likely 1/2 inch wide (or so) with from 3 to 5 rollers working across the width of the ballot. A well-designed ballot will never have a column of voting targets aligned with the feed rollers. The voting targets should fall between rollers. Following this design rule, even if the rollers leave black skid marks on the ballot, they won't interfere with the vote counting.”
My main question to Jones, however, was not about what we could see with our own eyes (bleed-through and tractor trails), but what we could not see: Any reason for the 16 phantom votes. I asked whether he knew of any malfunction that might cause an optical-scan voting machine to generate votes on its own accord--that is, for some reason other than readable marks appearing on a ballot.
Jones replied: “I can think of two things, one that remains a possibility and one that your hand search probably ruled out.”
Flaws in the ballot paper. “If you look at any commercial source of paper,” Jones wrote, “you will find occasional flecks of bark or other dark material embedded in it. Some art papers deliberately have many flecks. Most office paper has very few, and the ballot stock you get from (voting machine vendors) has even fewer, but every once in a blue moon, there will be a fleck.”
One precaution against this, Jones wrote, was used by the people who helped launch American Information Systems (the company that eventually became ES&S, which manufactured the Stoughton machines), who “in the early days…made a point of scanning all the blank ballots before election day, rejecting all the ballots that scanned as nonblank” as a result of printing defects or flecks in the paper.
Jones guessed that our visual inspection ought to have ruled this out, and he is correct—it did.
Dust bunnies and paper lint. “The possibility that remains,” Jones concluded, “is dirt. Just plain dust, really. In any scanner, there is the possibility that a hair or a piece of lint or something similar will lodge briefly in the scanner, being detected as a black spot. It might hang there for a while, scanning as a black streak from the top to the bottom edge of several ballots until the leading edge of some ballot wipes the dust away, or it might just show up for part of one ballot.”
The dust might come from outside the machine or from the paper ballots themselves. “All paper sheds lint, although the ballot paper I've worked with sheds less lint than most paper,” Jones explained. “A single fiber of paper lint would be too small to cause a problem, but if the fibers accumulate into a little ball of felt, this could be a problem.”
“The trouble with the lint hypothesis is that we'll never know,” he added. “If lint interfered with the counting of 16 ballots, it is long gone by now.”
Judicious use of compressed air can prevent dust bunnies and lint from voting in future elections, according to Jones. “If you look at a large absentee vote-counting center when there are…technicians on hand, you'll see them stop the count on each scanner after every few hundred votes and go in with a can of compressed air to blow out any dust.”
Jones helpfully provided a price check: “Canned air is pretty cheap. I just checked eBay, 12 cans for $55. I'd trust poll workers to blow dust with such a can, and the normal pre-election setup routine for each scanner ought to include a dusting by a trained technician.”
* * * * *
It’s unlikely we’ll ever know for sure what caused those 16 votes or—more importantly—how to prevent phantom votes in future elections. And unless we begin routinely to verify the output of our voting machines, we won’t know how many votes were cast by bleed-through ink, tractor trails, ink transfer, spotty paper, or dust bunnies the next time they decide to vote.
We knew this time only because the set-up error removed all the real votes and left only the phantom votes to be counted. It's worth noting that when happenstance gave us the chance to see phantom votes on four voting machines, one of them had dust problems. Do 25% of all the other voting machines carry voting dust bunnies? Your guess is as good as mine.
It’s time we stop pretending that voting machines are any more reliable or secure than other computers or any better than the fallible humans who program, test, and maintain them. They are not. They are prone to the same mundane malfunctions and vulnerabilities as any other machine, and are at least as vulnerable to hacking as the computers operated by the likes of Anthem, Home Depot, and Target. We can never be sure we have anticipated and prevented every type of miscount that could affect our election outcomes, so we are imprudent fools if we do not routinely check to make sure they counted correctly after each election.
Four months ago, on July 7, citizens in Stoughton, Wisconsin presented their city clerk's office with petitions bearing enough signatures to get a Move to Amend referendum on the November ballot. City voters would be asked if they wanted a constitutional amendment overturning Citizens United--that is, putting an end to corporate personhood rights and the notion that money is constitutionally protected speech. This same referendum has been racking up 75-80 percent of the vote in other communities around Wisconsin.
Last Tuesday, nearly 5,350 good citizens of Stoughton went to the polls. If you believe the city's voting machines, exactly 16 of them had an opinion they cared to express on the matter. The rest thought "Whatevs" and left the referendum blank.
Fortunately, no one believes the city's voting machines. The municipal canvass board wisely declined to certify those results and will instead hold a public hand count on Monday, November 10.
What happened--the technical explanation
The Dane County clerk's office sets up ES&S DS200 opscan voting machines for each municipality before every election. To do that, they program ballot-reading instructions onto 'memory sticks,' (also called flash drives or thumb drives.) DS200 ballots are marked along the edges with black index marks. Each of the bubbles where votes are marked is close to one of these index marks. Translated to English from computer-ese, the instructions say, "If the bubble closest to the top index mark on the right edge of the front of the ballot is filled in, count a vote for Candidate Smith. If the bubble closest to the second-from-the-top index mark is filled in, count a vote for Candidate Jones.
When Stoughton's ballots came back from the printers, the referendum was perfectly placed on the ballot right where it was intended to be. However, the person who programmed the sticks wrote instructions that told the machine to look at the areas two index marks below the referendum, in white space. That explains the thousands of apparently blank ballots.
But what explains the 16 votes? Did 16 of Stoughton's voters know they could get their vote counted by making a black mark an inch below the bubbles that everyone else was filling in? Nope. Truth is, they were voting so enthusiastically for someone on the front of the ballot that their votes were bleeding through the paper into the white space below the referendum on the back. (Update: This initial theory didn't hold up to further investigation. Real answer here.)
Bleed-through usually isn't a problem, Dane County Clerk Scott McDonell told me today, because when two-sided ballots are designed, the bubbles are placed so that any bleed-through from particularly heavily marked votes will fall into white space on the other side--as these marks did. Usually, the machines are not looking for votes in the white spaces. Not usually, but they did on Tuesday in Stoughton.
What happened--the procedural explanation
When my daughter did a grade-school report on the sinking of the Titanic, I remember her conclusion: It wasn't just one thing that sank the Titanic. The designers could have put lids on the 'watertight' compartments. The captain could have steered around the iceberg field. The lookouts could have had binoculars. Lots of people had to mess up, and if any one of them had not messed up, the Titanic would have made it to New York.
The harm done by the Stoughton miscount cannot be compared to the Titanic, of course, but the moral of the story is the same: It takes several mistakes to sink the boat. Among the factors that probably contributed to the miscount (and there are certainly more than these):
- Stoughton's veteran city clerk had resigned around the same time the referendum petitions were handed in, and the office remained vacant for months. Preparations for the November elections were handled by city officials who normally had other jobs, such as the city finance director and deputy clerks. The current city clerk had been on the job only a few weeks at the time of the November election.
- Although the citizens had submitted the petitions for the referendum to the Stoughton city clerk's office in plenty of time, the turnover and inexperience caused the city clerk's office to fail to provide the necessary information to the county clerk's office until the very last minute--in fact, just a little late. Because there was still time to rush the ballot-printing and programming through, the county clerk decided not to make the citizens wait until next year to see their referendum on the ballot, and he decided to rush the job of getting the referendum on the ballot for which the citizens had petitioned.
- Normally, the county clerk's office voluntarily checks its own work before sending the programmed sticks to the municipalities for the legally required public voting-machine tests, which occur in the 10 days before each election. But they did not do that for the rushed Stoughton machines' sticks this year. McDonell didn't say this, but I was wondering whether all the back-and-forth on voter ID cut into the work they normally do in preparation for elections. I lost track of how many times they had to issue and retract Voter ID procedures and instructions.
- It's still unclear what happened with the required public pre-election voting machine tests in Stoughton. A city official has publicly stated that the tests found no error, but the city clerk will need to make the records available for this to be believed. (See update at the bottom of this post.) McDonell told me he used the sticks from the Stoughton machines yesterday to run the test he had intended to run before the election and figure out what went wrong, and his test precisely replicated the miscount.
- No citizens were present at the public pre-election voting machine test to ensure that it was done properly and that the machines could, in fact, produce an error-free count.
On the positive side, several things went right, considering. No one for a moment believed the voting-machine output and by all accounts I've heard, no one panicked. The city and county clerks both swung quickly into a let's-get-this-fixed mode. A representative from the citizens' group backing the referendum told me today that they have received nothing but respectful cooperation from the city clerk, and I've been pleased with the openness and honesty of County Clerk Scott McDonell.
If the hand count goes well on Monday, the municipal referendum results will be final and certified--and more guaranteed-accurate than anything else on the ballot--within the time normally allowed even when they don't have to correct an electronic miscount. Things could have gone a lot worse.
The county clerk's office shouldn't make any more programming mistakes. And having gone through this experience, probably won't--at least until current staff retire and are replaced by others who haven't been burned like this.
I'll go out on an limb and say without having seen the evidence that Stoughton's pre-election machine test was botched, that the city clerk's office needs to learn how to do those tests effectively. I don't see any way that test could have been conducted properly and not discovered the faulty programming. As I write this, it bothers me that the pre-election test is the one mistake that has not yet been admitted. I hope the city clerk will correct that next week. You cannot fix problems you won't admit. (See update at the end of this post.) Judging by what the WGN observers saw at pre-election voting-machine tests we observed in other municipalities this year, many of them--not just Stoughton-- could use remedial work. During 2015, we will be advocating with GAB and the clerks for serious additional training and better instructions.
And citizens have got to do our bit. We cannot relentlessly demand transparency in government while we relentlessly fail to show up for things like public demonstrations of the voting machines' ability to produce--or in this case, not produce--an error-free count.
But the biggest thing:
Humans will always make mistakes, and procedures followed well one year can be expected to deteriorate the next. That's just the way it is until the day when we can hand our elections over to some impartial, infallible authority (Benevolent space aliens? The Election Fairy Godmother?) Self-government means we do it ourselves, and we're going to have to figure out how to conduct elections using only the regular flawed humans we have on hand.
Which brings me back--always brings me back--to the need for routine post-election verification of voting-machine output.
Had this programming error been a simple flip--telling the machine to count 'yes' votes from 'no' bubbles and vice-versa--and not the blatantly obvious error it was, the municipal canvass would almost certainly have certified the results without examining even one actual ballot; the Stoughton newspaper would be coming up with perfectly believable reasons why theirs was the first city ever to vote 75% no instead of 75% yes, and a few referendum backers and election-integrity activists would be saying "That's got to be a miscount" to anyone who would listen--which would not be many.
And you can bet that even the most dedicated county clerk would not be working overtime during his own county canvass to investigate an unexpected result in a municipal advisory referendum.
And had this miscount occurred in a high-stakes partisan contest rather than a wildly popular advisory referendum, there would be hell to pay. The voting machines' 9-7 verdict (56%-44%) is well outside the recount margin provided by Wisconsin statutes section 9.01. Had this been a battle between two PAC-funded, party-backed candidates, does anyone imagine the 'loser' would not be in court demanding a recount despite the statutory requirement than anyone losing by that big a margin pay the full cost, and the 'winner' arguing--as GAB staff were doing as recently as two weeks ago when testifying to their board on a related topic (wisely, the Board itself rejected their argument)--that there is no specific statutory provision for handling electronically counted ballots for any reason other than a recount under s.9.01?
And under those circumstances, which of our municipal or county clerks would be willing to do what Dane County and Stoughton clerks are doing this week and say, "I'm using my own statutory authority to correct those flawed results, even without a demand for a recount."
Finally, where would circumstances like that leave the voters and the taxpayers? "Oh, don't worry about us. We'll just keep paying the bills while you guys fight it out about who will govern us based on the verdict of some black box while the truth of the election outcome lies, undetected, on our marked ballots gathering dust in the courthouse store room."
On the other hand, imagine this miscount had occurred in a jurisdiction that had a routine practice of verifying voting-machine output before certifying final election results. If people commented on it at all they'd be calmly saying, "Those preliminary results sure do look funny. I wonder what they'll find out in the verification step."
State laws requiring routine post-election verification of voting-machine output would certainly help, but we cannot hold back on making any possible improvements until that day. Right now, under current law, we need our local elections officials to adopt policies and practices that routinely verify voting-machine output after every election. They're the ones who sign their names to statements attesting to the fact that the election results are "true and accurate."
With the backing and support of regular citizens, they can--as they are doing now with the Stoughton referendum--use their common sense, courage, and what authority current statutes give them to make sure they certify only accurate election results. Ever.
Update, Dec. 19, 2014:
The hand count was conducted without problem on Monday, November 10. The results reversed the electronic result and Yes prevailed with 4,440 (81.7%) to No's 992 (18.3%).
Stoughton City Clerk Lana Kropf admitted error in the pre-testing procedure shortly after the blog post above was written, without excuse or trying to shift the blame. Like many municipal clerks, she was alone when she conducted the voting-machine tests--no other city staff, no citizens, no newspaper reporters, no one. She knew she was to conduct a pre-election test, but her predecessor had instructed her only to test for many other things--that the machine could read different color inks, that the date and time was set correctly; that the machine was reading ballots inserted in all different orientations--but not that the machine was counting the votes correctly. Kropf was diligent in testing the things she'd been trained to test for, and a few other things she thought of on her own. Our observations have found that about half of Wisconsin's municipal clerks are similarly unaware of the need to verify accurate vote totals.
Kropf said the Stoughton staff have revised their procedures, and will ensure that witnesses are present at every future voting-machine test. She readily agreed to meet with us in January to examine the ballots and determine what happened to create the 16 phantom votes. The findings from our January review of ballots is here.
(Don't miss the update at the end of this post)
Coverage of Eric Cantor’s defeat in Virginia’s 7th Congressional District primary provides one of the most dramatic displays of psychological denial you are ever likely to witness.
After declaring the 56%-44% results to be “astonishing”, “a shocker”, “stunning”, and “historically unprecedented” the pundits go on to make dozens of guesses about how unknown Tea Party challenger Dave Brat knocked off the sitting House Majority Leader.
The pundits grasp at every straw--except one. Maybe Cantor's support for immigration reform doomed him. Well, no, most of the 7th District voters support reform. Okay, maybe a crossover Democratic vote? Over-confident Cantor voters staying home? No evidence of those, either. It certainly wasn’t that Brat spent more money. The Tea Party itself didn’t invest in that race. Pundits offer dozens more guesses; you can peruse some of them here, here, and here.
What is never discussed--not even mentioned--is a possible electronic miscount—something that has already happened in many elections elsewhere and that IT professionals consider a routine occurrence, given the inadequate IT management practices of America’s election officials.
Is any pundit so naïve and trusting to think that not even one Tea Party sympathizer (it would take only one) has the ability to hack rural Virginia’s electronic elections technology?
Virginia (like most other states, including Wisconsin) treats the vote-tabulators as if they were Greek Oracles, providing raw output too sacred to be questioned or reviewed by mere humans before it is acted upon. Brad Friedman, a national commentator who concentrates on voting machine integrity, reports that 60 percent of the votes in Cantor’s primary were cast on touch-screen voting machines designed to leave no auditable record of the votes cast on those machines. (That type of machine is illegal in Wisconsin.)
Got that? If a hacker succeeded in tampering with the vote-recording or vote-tabulating software in those machines, the truth cannot now be discovered. Would-be hackers know this, even if the pundits, journalists, and voters willfully refuse to look under that particular rock.
If any other IT system had produced such dramatically unexpected output, there is ZERO chance that the possibility of electronic miscount would be ignored.
In fact, the possibility of computer error would routinely be investigated before any other explanation was even considered.
Why this willful blindness when it comes to vote-counting computers?
Your guess is as good as mine. My most charitable guess is that political journalists and pundits are not inclined to lead the national discussion into areas they know little about, which include elections administration and prudent management of information technology.
But it’s hard to be charitable when the pundits know enough about IT management that they’d immediately recognize a scandal if a grocery store chain had no way to verify the accuracy of its checkout scanners. Can you imagine the headlines if a bank set its ATMs up to be completely unauditable? It's so irresponsible and careless as to be unthinkable--for banks. For elections, it's accepted as normal.
This surprising result in Virginia provides a perfect opening to educate our fellow citizens. Chances are, in the next couple weeks, each of us will find ourselves in discussions about Eric Cantor’s defeat. Use the opportunity to point out the common sense about prudent management of elections technology:
- Point out how ridiculous it is that elections are the one and only application of computer technology in business or government where major, consequential decisions are made on the basis of unaudited--often unauditable--computer output.
- Point out that our voting machines are programmed in secret by private vendors, who are accountable to no one for their IT security procedures.
- Point out that the voting machines are managed by local elected officials, none of whom is required to have any specialized expertise in IT security.
- And above all, point out that the output of those poorly managed computers is nearly universally certified as our final election results before being checked for accuracy, and rarely verified even after that.
Make sure they understand that with our current lack of post-election audits, we can never know whether anyone hacked Virginia’s 7th District primary.
And that's actually than knowing it had been stolen. At least if we knew that the election had been rigged, we could fix it. But if we have no way even to notice fraud when it occurs, we will keep pouring effort into ineffective pre-election security measures while those who have figured out how to steal our elections will be the only ones who know the truth.
Update, June 2015: Less than a year after Cantor lost his seat, poll workers in one Virginia polling place noticed that voting machines would crash whenever someone tried to download music using an iPhone. The investigation was wisely taken away from the election officials and given to the state's IT office. It resulted in emergency decertification and replacement of the machines. Investigators determined, too late for Eric Cantor, that Virginians had been voting on "the worst voting machine in the US."