Reason or rationalization? Arguments against verifying voting-machine output

Reasoning.jpgWhen my physical therapist asks why I didn’t do the prescribed exercises, I could reply, “Because they are uncomfortable, I am clumsy, and I feel like an idiot when I do them.” Those are the real reasons--not admirable, but honest.

But if I replied, “I don’t have room anywhere in my house;” or “Your instructions confused me,” those would be rationalizations—self-serving half-truths or untruths created for the purpose of either concealing my true motivations or deflecting the conversation.

Because there is no good reason for declaring unaudited voting-machine output to be final election results, anyone who defends the practice must argue based on 1) honest but weak reasons or 2) rationalizations.

Rationalization.jpgThe county clerk where I live rationalizes. Last week, a curious newspaper editor asked me to explain the clerk’s reasons for opposing verification, so I provided her with a long, defensive memo the clerk had written for county board supervisors and explained it line by line—850 words of pure rationalization. Verifying voting-machine output is ‘outside the law’ (No, it’s not.) It would require a full recount. (No, it wouldn’t.) Pre-election testing makes post-election checking unnecessary. (No, it doesn’t.)  I almost felt silly for wasting the editor’s time. I wanted to say, “Can I just tell you that these are all just excuses and red herrings, and offer you some facts instead?”

Other county clerks I’ve encountered give honest reasons for not verifying the accuracy of the voting machines’ output. A clerk in a nearby county once gave me a very heartfelt description of his fear of sparking partisan accusations of ‘tampering’ with the election record if he opened the ballot bags after they were sealed on Election Night.  His honesty gave us an opportunity to talk about the sorts of things supportive citizens could do to shield him from such attacks.

Yesterday, I chatted with another elections official. She earned my respect for her integrity, if not her insight, as she struggled for several minutes to articulate her reasons for opposing post-election audits: “Once we start to treat election results as something that can be open to question, where does it stop? We will audit and then someone will say “Yeah, well, the audit was rigged.” Then we’ll need to audit the audit and where does it end?”

The slippery-slope argument is always suspect, but deserves respect when it is someone's genuine concern.  And in part, she is right: A small proportion of sore losers will always find fault with the process, which will always have flaws. But they’re complaining now, so we have nothing to lose with them. And if we reject every improvement that won't please them, we can never move forward.

The vast majority of voters, however, will be more confident in election results if officials make at least one transparent, credible pass at verifying the accuracy of the computer output. Other public officials who audit their computer output don't have an unmanageable  problem with demands that they audit their audits. Finally, the difference between one audit and none at all is likely to make a world of difference to a would-be electronic thief as he considers whether to hack our vote-counting software.

I have a lot of respect for the reasoners, even if we disagree. Their well-motivated effort to articulate what they honestly see as problems and to stay engaged in the conversation is invaluable in moving forward. The rationalizers? I dunno. Constructive conversation with them is impaired if not impossible. After all, that is why people rationalize--to shut down productive conversation. And if they don't engage in problem-solving conversation, we just have to go around them to others. Although I genuinely dislike showing someone up to be foolish or dishonest, I don't yet see any other option.


Dane County, Wisconsin residents: Please visit this county citizen-feedback webpage, and vote for the petition seeking verification of our voting-machine output. (Use a desktop, laptop, or tablet--users say that the site does not yet work well on smartphones.) 

Add your reaction Share

Think of it as a critical administrative task, not a challenge to preliminary results

Verifying voting-machines output before declaring election results final is such a no-brainer, I find myself spending significant brain power trying to figure out why so many people cannot see that.

Take the computer out of the voting machine and into any other office in county government...or city government, or state, federal, private business or even your own home, and no one would dream of using its output to make a decision even half as consequential as who will govern us before they have verified the computer output was correct. Stick it in a voting machine, and everyone (except probably the hackers) sees it as some sort of Greek Oracle--whatever it prints out Must Be The Truth.

FourFatesCartoon.jpgIt's occurred to me that one problem might be that we all get caught up in elections as contests--this side versus that side. When preliminary results are announced on Election Night, those tagged as winners want to celebrate. The head-spinning rapidity with which candidates concede to unaudited computer tape may be a good indicator of how very much they just want it to be over once the voting-machine oracle has spoken. After all, they need to get back to finishing up their campaign-finance reports--those need to be accurate.

Instead of standing back, unemotionally, from the task and treating voting-machine output like we would any that supporting any other big decision, we perceive post-election verification as a continuation of the winners-and-losers drama. Instead of acting like sober grown-ups, we act like spectators at a ball game, condemning anyone who questions the ref. In the past two weeks, I've read a lot of online discussion of the odd results in Kentucky and Ohio. Nearly every discussion gets derailed into a discussion of people's motives for questioning the output or into evidence-free speculation on other reasons for the outcomes. I cannot think of any other circumstance in which people don't demand an answer to the first question, "Are we sure that's correct?" before, or at least while, speculating on other possibilities.

Yesterday, I introduced the topic of verifying voting-machine output to a sharp young democracy activist from Milwaukee. She is already deeply immersed in the fights for redistricting reform, getting the money out of politics, and even proportional representation. She seemed to catch on quickly, but after nodding and asking a few good questions, she asked, "So what makes you think there's a problem?"

She fully understood and accepted the fact that we routinely swear people into office on the basis of unverified computer output--but she didn't perceive that as a 'problem' unless I could present her with evidence that some competitor had been unfairly denied a victory. (I'm polite when I get this response, but one of these days: "I just informed you that no one would know if our elections were being stolen, and you respond by asking whether any elections have been stolen. Let me start again at the beginning...")

Election integrity activists need to point out that verification isn't necessary for the purpose of changing preliminary results; it's necessary to make sure they are, in fact, the results.

We need to speak relentlessly of post-election verification as a routine, basic administrative procedure, rather than as a challenge to this outcome or that. We need to point out the three-legged stool of a) ongoing security, b) pre-operation testing, and c) post-operation verification that every other computer-dependent manager relies upon, and point out that elections administrators are the only managers who pull off and discard that third leg.

A business manager doesn't wait for the owner to contest the bank deposit before he will agree to reconcile the receipts with the cash-register print-out. The city treasurer doesn't need citizens storming his office complaining of inaccurate property tax bills before he makes sure they are being calculated correctly. We don't need to demand a recount from our bank before they audit their books to confirm that all deposits were credited to the correct accounts.

Routine verification of computer output is standard administrative practice, not a continuation of a contentious political campaign.  

Add your reaction Share

Bike helmets and post-election verification

When I was a kid, bike helmets were unknown. I didn't get hurt and none of my friends got hurt in any way that didn't heal in a few weeks. We know better now, but whenever I put on a bike helmet, I still hear that little devil on my shoulder: "It's inconvenient." "It looks dorky." "I can't feel the wind in my hair." "I can't see as well." "I know how to be careful on a bike.” “I survived childhood without a helmet--what are the odds?"


But the world has changed since I was a kid. Experience and reason won out and nowadays, most of us not only have our kids wear helmets, but we wear them ourselves.

A conversation with a very reasonable municipal clerk yesterday reminded me of bike helmets.  The conversation ended well (usually does) but started the same way that 99.9% of these conversations do: with the otherwise sensible elections official reflexively running through a predictable list of objections:

  • "We do pre-election tests" (they quickly realize those tests cannot catch Election-Day miscounts, when you point it out);
  • "The county clerk programs our machines, not the voting-machine company" (they quickly realize setting the machine up for each election is different than programming it to count votes, when you point it out);
  • "We check and double check that the machines counted the right number of ballots" (they quickly acknowledge they don't check the accuracy of the VOTE count, when you point it out.)
  • "The machines are approved by the feds and by the GAB" and "We've done several recounts and always got the same result." (they quickly realize that says nothing about whether THIS machine worked right on THIS day in THIS contest, when you point it out).

When we realize we’ve been doing something stupidly dangerous, we seem hard wired to come up with reasons why we’re immune from danger or in control of events that we know are not truly controllable. I don't know any way around this human reflex.

One place where the analogy between bike helmets and verification of voting-machine output breaks down is that miscounted elections don’t leave blood on the street. Quite the opposite: even the most surprising voting-machine output fails to arouse alarm—heck, it doesn't even arouse curiosity. For example, Eric Cantor’s legislative career can get smashed to smithereens and no one thinks even to ask whether there was an accident or crime. (To this day, no one knows. But Virginia’s voting machines were investigated and decertified the following year when an obvious problem revealed itself: The machines stopped working when people tried to download music on cell phones in the polling place.) Kids would probably still be helmetless if we had a similar blind spot and lack of interest about childhood injuries.

It’s going to take patience, lots of talking, and unfortunately a few more obvious disasters. We have to continue to spread the word about accidents that revealed themselves (like Stoughton and Medford) and explain that all accidents likely aren’t as obvious; that thieves are always trying to steal, particularly from those they know won’t notice a theft; and that we need to start to take the responsible precautions we can--soon.

Add your reaction Share

Reality Bites: Election Officials' Remarks on Voting Machine Reliability

If some genie were to happen by and offer me three wishes, I fear that before world peace, I'd ask to understand our election officials' lack of interest in verification, when I'm sure they all have the sense to know why banks audit to make sure their computers credited deposits to the correct accounts. It puzzles me deeply.

clerksBlinders1.jpgYesterday. The chairman of Wisconsin's elections authority, the Government Accountability Board, was testifying before a legislative hearing to defend the agency's continued existence. One of his Republican executioners confronted him with the fact that the GAB had, for many years, neglected to perform statutorily required post-election audits. How could the Board, the questioner badgered, assure Wisconsin residents that their voting machines had counted correctly if they never did post-election audits?*

GAB Board Chairman Judge Gerald Nichol responded--right out in public, on the record, and apparently without embarrassment, "It is true we did not do the audits, but I don't find that too worrisome because our staff thoroughly tested the systems before they were approved for use in Wisconsin."

And--I'm not making this up--that answer appeared to satisfy his questioner.

Imagine what Judge Nichol or the legislator would have said if a banker testified, "We never audit, but I don't find that too worrisome because when we bought those computers, we tested one to make sure it was capable of counting correctly."

The over-the-top ridiculousness of that statement would be immediately evident to either of them in relation to a bank's computers, but neither seemed to think it in any way remarkable when the output in question was our election results.

ClerkBlinders2.jpgToday. I went to a large-group training where about two dozen municipal clerks were in attendance. I had several opportunities for one-on-one chats, and I used them to feel a few officials out about their level of awareness of voting machine accuracy. I've learned to start such conversations with praise for their efforts in double-checking that the machines counted the right number of ballots--which they do quite well.

"I'm conducting sort of an informal survey about clerks' thoughts on voting machine accuracy," I would start. "I know you know for a fact that the machines always count the correct number of ballots--you've got that nailed down. But what's your level of trust that the machines counted the right number of votes?"

Most conversations go one of three ways from there. The worst conversations don't even get started (two tonight, but I've gotten this reaction on other occasions). The question explodes some landmine: "Our voting machines are accurate! We test and double test and maintain the very best security. Our election results are always accurate, I'd bet my life on it." Any follow-up question (e.g., Can you tell me what gives you that confidence?) will be met with only more anger, and the clerk or poll worker will walk away. The Topic Must Not Be Raised.

The second typical response is less emotional, but no more productive: Some election officials will be unable to understand the question no matter how you phrase and rephrase it. It's as if you are asking "What do you do when the sun comes up in the west?" They mentally rephrase the question into something that makes sense to them and start talking about that. The elections official will describe the process for checking that the machines counted the right number of ballots, and I'll politely wait until she is done, and then ask the question again more specifically: "Yes, but how often do you think the number of votes--that is, the number of votes for Jones, and the number for Smith--are correct or incorrect?" The elections official will repeat the explanation about verifying the number of ballots, or tell you how the machines reject over-votes, or how they check their addition during the municipal canvass, or some other thing. I'm usually the one that ends these conversation, because I start to feel I'm being mean.

The third most typical response is that they 'correct' the question rather than answering it. In a you-should-know-this tone, they will say something like: "The machines cannot miscount," or "Accuracy is the county canvass job."  I had two of these conversations tonight. They don't go anywhere, either. Once this type of election official has decided you are just naive, they switch to an all-talk-no-listen mode.

Of seven or eight conversations I started tonight, only one unfolded into a genuine exchange of information. The clerk responded to my question with, "I would say I'm pretty close to 100% confident, but it does bother me we don't know for sure. I've never discovered any miscount in the pre-election test--that's what gives me confidence--but I know that doesn't guarantee they'll count right on Election Day."  Wow. Town of York voters, you're in sensible hands.

For the life of me, I cannot understand this mental block. It would be easy to say "People are naive about computers," but this level of blindness affects their thinking about only voting machines--no other computers.

Some sort of reflexive emotional-defense denial is a possibility--the thought of incorrect election results is just so horrifying that they cannot permit its presence. Maybe, but most of an elections official's work is dedicated to preventing various mistakes and frauds. It's simply not believable to me that they could not already have accepted the idea that something could go wrong.

Different officials probably have different reasons. For example, it seems that those who react immediately with anger, taking offense that you would even ask about electronic miscounts, are at some level aware that they might be certifying inaccurate totals--otherwise, why would they be so defensive?

But the others--I genuinely cannot guess.


* Just for the record, with the audit procedures the Board uses, final Wisconsin election results are unprotected against electronic miscounts whether the Board does the audits or not. Even if they had done them, their procedures are not designed to detect and correct incorrect election outcomes. Among other problems, they use a too-small sample size and have no provision for expansion of the audit beyond a single precinct if a miscount was discovered. The audits are performed after election results are certified as final, so unaudited voting-machine output determines the 'winners' regardless.

Read more
1 reaction Share

Quick FAQ about verification using digital images


What are the digital images?
Two types of voting machines approved for use in Wisconsin--the ES&S DS200 and the Dominion Imagecast system--preserve a digital image of each ballot at the moment it is cast. The votes, in fact, are read and counted as the machine 'looks at' the digital image, not the ballot. 
The machines can be set up to discard the digital images or preserve them. GAB has wisely required Wisconsin election officials to preserve them.

How are they stored?
We haven't yet worked with the Dominion images, but the DS200 images are stored on flashdrives--the same flashdrive that contains the set-up coding for the ballot. After polls close, the flashdrives should be transported securely to the county clerk. In Dane County, they are downloaded into a central computer, and copies can be made for any individual or group filing an open-records request. Dane County charges about $18, mostly to cover the cost of the new flashdrive they use for the copy.

Are the images clear?
The DS200 images are .pbm files with an impressive resolution: 3,856,896 pixels per each side of the ballot. The pixels are either black or white; there's no gray, so some of the gray-shaded areas can show up as funny patterns, but the votes themselves and things like the poll workers' initials show up clearly and precisely. 

Can the digital images be hacked?
Yes, of course. Data created or processed by a computer can be altered by a computer. The computer professionals we work with--John Washburn of Washburn Research, Prof. Douglas Jones of the University of Iowa, and Paul Lindquist, a Microsoft programmer who works with our group--all agree, however, that altering digital images would present multiple significant  challenges that traditional electronic vote-flipping does not. Washburn likened hacking only vote totals to climbing over a three-foot garden retaining wall, and hacking digital images to climbing over a castle wall. 
These difficulties include:

  1. Preparing ballot images before the election to substitute them for images of actual ballots would be highly detectable. You'd have to be able to duplicate the poll workers' initials; predict the turnout; and invent outcomes in every race, not just the one you want to hack.
  2. If an insider--say at the voting machine company--wanted to write a hack that would simply move a few pixels around (that is, moving the image of the voter's mark from one candidate to another), he or she would need to know the ballot layout before writing the hack. Because ballot layouts differ by jurisdiction and are not finalized until 6-8 weeks before each election, this both complicates the hack and reduces the window of opportunity for writing and distributing it.
  3. The processing power of voting machines is not great. They are usually designed to be as cheap as possible, and so are built with only enough processing power to do the relatively simple tasks they are designed to do. Altering digital images may (we don't know for sure until a truly independent professional assesses it) take more processing power than the machines possess. If someone did insert programming that made the machines alter the images before detecting votes and storing the image, that programming could noticeably slow the machine down or cause it to freeze up.
  4. The digital images could easily be altered, one by one, after the election. Based only on my own pretty-darn-good Photoshop skills, I'm guessing I could change the votes at a rate of 3-4 seconds per ballot, once I loaded them and the digital-image-editing software into my computer. Personally, I wouldn't know how to prevent evidence of the edit from being saved with the file, but I'm sure someone does. If someone was going to alter the outcome of an election using this method, however, he or she would need to have the access and skills to both hack the machines before Election Day to manipulate the vote totals, and then have access to the digital image files after Election Day to manipulate the images to match the totals he or she hacked into the machine. The best way to make sure a records custodian with hacking skills doesn't do this is to quickly make and distribute copies of the digital-image files after the polls close.

If the digital images can be hacked, what's the point in using them in verification? 
Neither human error nor unintentional malfunction would move pixels on a digital image from Candidate A to Candidate B, so any miscounts caused by unintentional error or malfunction will be detectable in a digital-image audit. In addition, no one will be trying to cover them up.

And we lose the deterrence value of the digital images if we don't use them in routine verification. If hackers know no one is ever going to look at the digital images, they won't need to bother with altering them; they will be able to use the easier vote-total-altering  hacks. 

 How can digital images be used in verification?
The Wisconsin Election Integrity Action Team has written read-only software (open source, provided for free to any clerk or citizen's group that wants to use it) that allows the digital images to be projected as a slide show. The images can be projected at a rate of 1, 1.5, or 2 seconds per ballot, and the projected image can zoom in on any section of the ballot. The slide show pauses after each 25 images to allow counters to verify subtotals. If you want to see what a vote-counting slide show looks like, check out this video, and skip to 19:40.

Without the need to sort, stack, straighten out, and flip over paper ballots, counting votes from a slide show is breathtakingly fast. A precinct with 1,200 ballots can easily be counted in under 45 minutes. The process is also fully transparent: Every observer can see exactly what the official counters see, and can count right along with them.

Can the digital images be checked against the paper ballots to make sure they are true copies?

They can and they should, but getting that done is going to take a lot of work--logistical work and psychological work. We'll have to get back to this after we get a few counties up and running with digital-image verification.

Logistical issue: The DS200 images don't contain any marks (that we know of) that would allow them to be matched to individual paper ballots. However, every ballot is unique in the placement and style of poll workers' initials, irregularities of stamps, and the voters' marks themselves. With careful, time-consuming work, I'm thinking you could match enough of the ballots from one precinct to that precinct's digital images to achieve confidence that they are the same or gather enough evidence to indicate a need to discard the digital images as flawed and verify the outcomes with the paper ballots instead. 

Psychological issue: Wisconsin's election officials, providing comfort and joy to potential election thieves everywhere, are terrified of unsealing ballot bags once they've been sealed on Election Night. They would much, much, much rather risk certifying the wrong winner than risk opening a sealed ballot bag for verification purposes. There's no question that they have the legal authority to open ballot bags for verification purposes if they choose to; it's only folklore that they don't. But they are convinced--down to their bone marrow--that irrational angry partisans will charge them with tampering with the ballots if they unseal the ballot bags, even if they do so in the presence of witnesses while religiously following instructions for maintaining a clear chain of custody. 

I'd rather stay away from bullying our public officials, but any clerk who makes that argument is telling us, loud and clear: "I make my policy decisions only in deference to irrational angry bullying; I don't respond to reason and polite requests." Let's work with them cordially for as long as we can, but if any clerk continues to use this excuse as his or her reason for refusing to ensure election results are accurate, responsible citizens will need to criticize and bully them harder than the irrational partisans do.

1 reaction Share

Why Dane County? Why not?

Dane.jpgRecently, WORT invited me and Dane County Clerk Scott McDonell to be interviewed during the same noon-hour program. I came prepared to talk about the need to verify voting-machine output; McDonell was prepared to talk about voter suppression; and call-in questions took the conversation in even other directions.

Despite the disjointed conversation, McDonell got across the point that while the voting-machine software is in his control, he maintains pre-election security for our voting machines as well as any county clerk. I agreed he could be right about that.

I got across the point that, regardless of ongoing security, routinely checking computer output is a universal, basic IT management practice—one that is not now done for Dane County elections.

Just common sense, but nevertheless, sitting across the desk from host Yuri Rashkin, I got the feeling I wasn’t making much sense to him. Our short conversation after the show confirmed that.

Read more
Add your reaction Share

If you smell something

JonStewart1-small.jpg(Updated after publication; see note at end.) When Jon Stewart signed off last night, his parting gift was a bit of sound advice. “Bullshit is everywhere,” he said. “So if you smell something, say something.”

Political bullshit, Stewart explained, comes in three flavors. First, it's used to make bad things sound like good things, like when politicians call it "The Patriot Act" instead of the "We're Going To Read All Your Email Act." Second, politicians use bullshit to hide bad things under piles of complexity, like using reams of complex regulations to make it look as if Congress is trying to control the bankers. Third is the 'bullshit of infinite complexity,' when they try to pretend action is impossible until we get more information, like when climate-change deniers pretend more research is needed.

Okay, Jon, this is for you: I smell something, and I'm saying something.

Take a look at this recent public-information memo from Dane County Clerk Scott McDonell and tell me what you smell.  I’m pretty sure anyone with basic knowledge of elections administration or computers will, as I do, detect a distinct odor of...complexity. Technical and procedural details are being used to avoid acknowledging a simple fact: No one routinely checks the accuracy of our voting machines' output before the county board of canvass declares election results final.


Add your reaction Share

Abnormal psychology? No, just normal human foibles.

HowToSteal-Patriot.jpgThis weekend, the Wisconsin Grassroots Network allowed the Election Integrity Action Team to use part of its booth at the annual state Democratic Convention. With a colorful pamphlet titled “How to Steal Wisconsin Elections” on one side, and “How to Protect Wisconsin Elections” on the other, I was able to start good conversations with more than 100 people, a large number of them involved in local elections administration in some capacity—mostly as poll workers or board of canvass members.

In general, the Democrats were skeptical whenever I offered the pamphlet with the “How to Steal” side up asking, “Want to know how to hack voting machines? The Republicans know, so you should, too.”

 But when I turned the pamphlet over to reveal the “How to Protect” side, they were  receptive, confirming my sense that people are tired of being educated about problems they cannot solve, while they are ready to welcome constructive information about solutions. 

Their reactions, after I’d given them the election-integrity elevator speech, confirmed that politically active people, like everyone else, typically assume our election results are routinely checked for accuracy and are shocked to learn they are not. Like all other sensible digital-age people, they immediately grasp the carelessness of that practice.

HowToProtect-Patriot.jpgDuring the entire two days I staffed the booth, all but one of the conversations went very well, often ending with the person asking for more literature and promising to talk to their county clerk when they got home.

I ran into only one person who vigorously argued with me, and I hope you’re as disturbed as I was by who it was—or might have been.

After taking the pamphlet with a frown, one man listened to my short speech and flatly told me I was wrong. Voting machines are reliably accurate, he said, and he should know: Before he retired, he tested voting machines for the Wisconsin Government Accountability Board and for the State Elections Board before that.

I realize he could have been misrepresenting himself, but he might not have been. I recognized the GAB staff attitude toward citizen input and their talking points.

As he argued, he revealed either that he was painfully ill-informed about voting machines and IT security, or that he thought I was and could be distracted with misinformation.  It was hard to tell.

For example, when I explained that the hacking information in the pamphlet was based on the findings of a national panel of voting-machine security experts, he said something along the lines of “The national experts’ findings are not applicable to Wisconsin. Wisconsin’s voting machines are programmed individually for each county—no hacker could get to all of them.”

I gently redirected him: “A hack wouldn't need to affect all the machines everywhere. Mathematically, you could change a statewide outcome merely by making one big county already likely to go for your candidate go even more decisively. Pundits will simply say, "Oh, wow. That party did a great get-out-the-vote effort in that county!"

"And besides, the national experts says that the most likely, most dangerous hack would affect the source code, not the set-up for each election. It's the set-up that is done separately for each county. The source code is programmed by just a few vendors.”

But he doubled down and insisted the source code is programmed individually into each voting machine by the counties.

We had drawn a few witnesses by now, so even though I suspected he knew it, I gave the basic explanation of the difference between programming the voting machine and setting it up for each election. (“When you get a new cell phone, it comes with lots of programming deep inside that neither you nor the salesperson touch as you set the phone up with your phone number and contacts.”)   I reminded him that the source code must be tested by independent laboratories and approved by the federal government and that once approved, no one is allowed to make changes.  If the voting machines’ source code is being “programmed individually,” as he claimed, someone is breaking the law. The speed with which he gave up that line of argument indicated to me he knew that all along.

He then tried the recount defense—claiming that if anyone suspects election results are wrong, they can demand a recount. Again, not knowing whether he was genuinely naïve or was hoping I was, I explained Wisconsin recount law. He finally conceded, “Well, yes, they would have to pay for the recount.” 

When I asked, “Would you trust a bank that refused to verify your check had been deposited to the right account unless you paid for the audit?”, he moved on to his next point. We then danced through a set of well-worn arguments.

He: Local election officials store their machines securely.

Me: Local election officials have no control over the security of the software while it is with ES&S, Dominion, and Command Central.

He: But those companies have wonderful, effective security.

Me: They would be in the IT-security consulting business if they could do IT security better than Anthem, eBay, Target, and Sony.

He: There are no miscounts.

Me: (Stoughton, Medford.)

He: Well, those should have been caught in pre-election voting machine tests.

Me: Right, but they were not. That’s why every human language has a word for ‘mistake,’ and why we need routinely to check Election-Day output for accuracy.

He: But you cannot just assume the computers are miscounting.

Me: Right. Just like you cannot assume they are counting accurately. Just like your municipal treasurer does not assume she’ll find errors as she spot checks the computer-generated property-tax bills before putting them in the mail. But she does it anyway because that’s what prudent managers do.

He: There’s not enough time or money for full recounts.

Me: No one is talking about full recounts. If you’ll stop arguing for a moment, I can tell you about sampling and risk-limiting auditing.

He: But you cannot assume any sample is representative.

Me: Right; that's why you calculate probability.

Of course, the conversation ended before he accepted the common-sense national consensus on routine verification of voting-machine output—but that was what I expected. You can tell when someone is engaging in sincere let’s-share-what-we-know conversation and when they are simply staking out a defensive position and reflexively contradicting everything you say. He was clearly doing the latter, so I let him leave when he ran out of breath. Who knows—maybe he went to his hotel room that night, gave the matter some sober thought, and moved slightly toward acceptance.

After he left, the handful of people who had been entertained by the exchange asked a few sincere questions and stayed for more information, so it turned out to be a useful exchange even if my antagonist never finds his way to common sense.

He might have been lying about having formerly tested voting machines for GAB, but I’m not lying when I say this sort of reaction is common (though far from universal) among Wisconsin elections officials from the state level on down. I had a very similar encounter with a municipal clerk just about a week before.

There’ s no need to condemn elections officials for this intellectual obstinacy, because psychological denial is a universal human foible. These men and women have likely certified dozens of elections without verifying accuracy, so it must be a real kick in the gut when they first realize how dangerous that is. When you introduce the notion they might have inadvertently certified hacked voting-machine output, I’m sure it feels to them as if you just suggested their spouse might be unfaithful.

In all but extraordinary human beings, that sort of unwelcome news creates an intolerable amount of cognitive dissonance and pretty much shuts down logical processing, at least for a while. None of us can process new information when our brain is fully occupied generating any possible excuse why the information might not be true.

So we need to be patient, to a point. I suggest that point will arrive sometime before November 2016, when we will need to insist on the resolution of our own cognitive dissonance, which comes from being forced to trust our sacred right to self-government to unaudited computer output.

Add your reaction Share

Why we need to work for verification rather than throwing out the machines

The Facebook group Wisconsin Election Integrity has lately been dominated by two people: me and an advocate for hand-counted paper ballots. That school of election-integrity activists advocates for junking voting machines entirely. They believe verification would be as thoroughly fraudulent as they believe electronically counted elections to be and would therefore serve only to create even more voter complacency.

Advocating exclusive reliance onjunkedVotingMachines.jpg hand-counted paper ballots (HCPB), they demand that public, transparent hand counts be conducted in every polling place immediately after polls close. That speed is necessary to provide as little window of opportunity for tampering as possible. Electronic tabulators must not be used, they argue, because they count the votes inside a black box—that is, by one computer programmer acting alone in secret.

I usually try not to argue with HCPB-only advocates for two reasons. First, they are correct that their vision could produce accurate election results every time, and second, we all need to keep our eyes on the prize. We share the same goal—verified accurate election results—so this is an argument over means, not ends. As Bill Moyer explained in “Doing Democracy,” in every successful social reform movement, you can see people playing at least four different roles ('citizen,' 'rebel', 'change agent', and 'reformer'), and “dissension among them…reduces the movement’s power and effectiveness. Activists need to become allies with those playing other roles, since cooperation and mutual support will enhance the likelihood of success.”

Avoiding fights with people who are (or should be) big-picture allies is one thing. Refusing to explain yourself is another, and I think it’s past time that someone clearly laid out the rational case for demanding post-election verification of voting-machine output instead of demanding HCPB alone. So here goes.

1)      Verification of voting-machine output is hand-counting ballots, at least in those jurisdictions that use opscan machines, which is most of the big counties in Wisconsin. So this debate is actually a squabble over whether the hand count or the machine count should be accepted as definitive when they disagree, and to a lesser extent, how many of the votes we need to hand count to make sure the results are certified for the correct winner.

In Wisconsin at least, the HCPB advocates have already won the (non-existent) battle over which method produces more credible results, even if they don’t realize it. It’s not even up for debate. Statutes governing recounts already establish (and nearly every election official you can pin down agrees) that when an official hand count (not a citizens' audit) and machine count disagree, it’s the hand-counted result that prevails

Once you’ve established that transparent human-counted results are more credible than black-box machine-counted results, it becomes apparent that doing both is more secure than doing either one alone. Even if ballots are fully hand-counted before dawn on Wednesday, obvious security advantages are created by having voters insert their ballots on Tuesday into a machine that automatically preserves a digital image of that ballot.  And knowing that humans cannot ever be trusted implicitly, it is also obvious that you might as well get a preliminary electronic count when they cast their ballots, so that an election thief must jump over two hurdles (that is, to rig both an electronic system and a human one) instead of just one.

2)      Verification would catch unintended miscounts, because nobody would be trying to hide them. It’s possible that the majority of electronic miscounts are accidental rather than deliberate—due to human programming or set-up error or to randomly occurring mechanical or electrical issues. (I would say it's likely most are inadvertent, but cannot prove it because no one checks for the sorts of miscounts that hacking would create, so every miscount except the obvious inadvertent ones goes undetected.)

Since no one expects the accidental miscounts, no one would sabotage a verification to cover them up, and they would be detected readily, in much the same way that recounts discover errors more often than not. Those who reject routine verification because they believe clerks often want to cover up fraud are, in practice, proposing we allow all the accidental miscounts to remain undetected because we shouldn't trust the clerks to reveal the fraudulent ones. I am not willing to do that; I'll take what I can get when it comes to detecting and correcting miscounts.

3)      Verification would deter or detect fraud that the local officials were not in on.  National experts believe the most likely and most dangerous form of electronic election fraud is one in which a single programmer makes illegitimate changes to the vote-tabulating software at some time while it is not in the control of local elections officials.  John Washburn has also convinced me that it would be easy for someone to insert wireless communications capability into Wisconsin’s voting machines—again, before the hardware comes into the possession of any local elections official. This capability would go undetected by our election officials because they never look for it.

Wise criminals never involve anyone in fraud who does not need to be involved, and neither of these frauds needs to involve any local elections officials. So when elections are hacked, it's entirely possible the local elections clerks aren’t in on the scheme. Therefore, they have no reason to sabotage verification.

The only time a local elections clerk would want to sabotage a post-election verification would be when he or she is in on the fraud, and that clerk's resistance would then call attention to a problem, if the rest of the world knew what a decent post-election verification looked like. No one does now, because we don't do them. 

4)      Hand counts have their own problems. In the real world, it’s questionable whether relying entirely on hand counts would give us much more confidence in election results than relying entirely on machine counts. (To repeat: I think we need to do both full machine counts AND sufficient hand-counts to verify the outcomes.) Sloppy chain-of-custody practices come to light with every recount, and—I’ll be frank—I’ve never fully understood why people expect hand counts to be transparent enough. I’ve observed about six, and there wasn’t one of them where I could come close to seeing what the hand-counters saw except intermittently. The observers at Scotland’s referendum hand count were mightily frustrated by their inability to observe effectively, and what they did observe wasn’t reassuring.  

And then there’s the question of who, really, would come out to count or observe a hand count during the wee hours on Wednesday morning following Election Day? I have been greeted with “You’re the first citizen ever to show up to observe our public test!” at literally every single one of the dozen or so pre-election voting machine tests I’ve observed, so I can vouch for the fact that no one attends those--and they take only about two hours during the daytime! I’m all for making election work something like jury duty, but it would take years of work to get that legislation passed. That doesn't mean we shouldn't start now, but that brings me to…

5)      We could get verification in place by November 2016; we don’t have a prayer of HCPB by then. I won't stand in the way of those who want to work on getting the voting machines thrown in the junk yard. But there is no way on god’s green earth that we’re going to get state law changed to require HCPB between now and the critical 2016 elections.

How many more elections are we going to let be decided by unverified black-box output, when the most basic common sense tells us how incredibly careless that is? I cannot speak for other states, but if enough Wisconsin citizens pressured their county clerks and county boards of canvass hard enough between now and, say, January of next year--especially if even one county clerk is willing to show leadership and vision by adopting such practices--we could have fairly decent post-election verification policies in place in the critical counties in time to protect the 2016 elections from electronic miscounts. Truly, there is nothing in state law or GAB written policy that forbids it—it’s all a matter of the county clerks’ discretion and voters’ interest.

I could go on, but those are my best arguments.

Someday soon, I’ll get around to laying out the case for verification to its other sometimes-hostile allies: Those who argue that our energy should be directed at improving the technology rather than wasting time with a low-tech, unsexy chore like verifying output.

Add your reaction Share

Three Most Dangerous Vote-counting Myths

Pay an hour’s attention to the vote-counting debate and you’ll probably hear several myths.  From defenders of the status quo, you'll hear that our municipal clerks' management of our voting machines is able to stump hackers.

From critics, you'll hear that widespread snafus indicate widespread fraud.

Those myths are easily debunked with a moment’s serious thought. All you have to do is say " SonyAnthem, and Target" and a county board supervisor will realize our votes are not safer with a municipal clerk than our credit-card information is with a multi-million dollar corporate IT security program.  Point out that our elections are run by lightly trained temporary workers who get no more than four days' on-the-job experience every years, and any worried voter will realize we cannot expect perfection from an elderly, 32-hours-a-year poll worker--particularly if the worried voter is an elderly, 32-hours-a-year poll worker.

However, there are other myths that more insistently keep otherwise intelligent people from thinking sensibly about vote-counting. I’m sure others can suggest more, but these are my top three.

Read more
Add your reaction Share