In brief: Jill Stein’s post-recount organization, Voting Justice, won a victory over voting machines companies ES&S and Dominion in Wisconsin. Stein will be allowed to bring in experts to examine the software for several models of voting machines, and those experts will be able to report their findings publicly. These machines are used not just in Wisconsin, but around the nation. That is all very good.
But this victory is only a breach in the wall of secrecy, not a demolition. Several factors will limit the benefits that will flow from this victory. If we're going to secure future elections, we will need to thank Jill Stein and the Wisconsin Elections Commission--and keep on fighting.
An otherwise well-informed voter could be forgiven for not realizing that the 2016 Presidential recount effort, led by the Green Party’s Jill Stein, is still producing valuable results.
Corporate news media see elections as horse races. Once a winner is declared and the bets paid out, journalistic curiosity dies. Editors see no story in the poor overall quality of American election administration.
So the 2016 Presidential Recount—completed in Wisconsin, aborted in Michigan and Pennsylvania, not even attempted elsewhere—got a big media yawn when it did not change in the outcome.
Here’s some news you may have missed as a result:
Since 2016, the products of the recounts have supported organizers’ efforts to improve elections administration—with impressive success. In Pennsylvania, Stein’s organizers used a recount-related lawsuit to force that state to prohibit paperless voting machines and require routine election audits after future elections.
In Wisconsin, the recount produced a mountain of before-and-after data, from every polling place, for every candidate. Academics from MIT, Harvard, and the University of Wisconsin analyzed it. Although the recount increased neither Trump’s nor Clinton’s ultimate total by more than a few hundred votes, the researchers discovered that more than 17,600 votes had originally been miscounted—or 1 in every 170.
Those stunning findings were universally ignored by Wisconsin media, but the Wisconsin Elections Commission (WEC) took note. I believe that study contributed to their 2018 decision to encourage county clerks to improve embarrassingly weak canvass practices. (The ‘canvass’ is the weeks-long process after Election Day, during which local election officials should review the results to make sure they are correct.)
Wisconsin organizers also used the recount results successfully to encourage the WEC to prohibit further use of one particularly unreliable model of voting machine, after the recount caught it ignoring votes marked on as many as one-third of the ballots.
And now, Stein’s organization, Voting Justice, has achieved victory in a recount-related lawsuit that will throw some much-needed light on voting-machine software.
A unique Wisconsin law requires voting machine companies to place a copy of the actual vote-tabulating software in escrow after every election. Separate from the process of approving voting machines for sale, this requirement was originally intended to protect local governments’ voting-equipment investment. In case a company went out of business, the State would have a working copy of the most recently updated software as backup to keep the machines counting.
The law also requires the State to allow candidates to inspect the escrowed software if the candidates agree “to exercise the highest degree of reasonable care to maintain the confidentiality of all proprietary information.” The software in Wisconsin voting machines is the same as that used in other states, and any inspection could have national implications.
So the Stein campaign asked to inspect the software. They and WEC reached agreement on how Stein’s experts can examine the software without having the opportunity to steal the voting machine companies’ trade secrets. (I can hear the computer-security academics scoffing: “As if anyone would want to!”)
But when the voting-machine companies saw the agreement, ES&S and Dominion didn’t want to play by those rules. The two major players in Wisconsin's voting-machine market wanted WEC to impose a gag order on Stein's inspectors.
WEC said "No gag order." The companies sued.
Their demand of the court was basically: “If you’re going to let Jill Stein’s experts examine our software, prohibit them from ever telling anyone their conclusions.” In other words, the voting machine companies wanted the judge to declare that the experts’ opinions were the companies’ proprietary trade secrets.
Dane County Circuit Court Judge Stephen Elke backed the WEC and turned the voting machine companies down. Likely sensing the main reason why any company would seek such a gag order, the judge wrote:
By way of example, a nutritionist might be given access to the secret formula for Coca-cola, which is undeniably a trade secret. It would not be a disclosure of that trade secret for the nutritionist to say, “After seeing the secret formula, I can tell you that Coca-cola is unhealthy and I would never let my own children drink it.”
This is a breakthrough. To my knowledge, independent experts have never before been able to examine “the software components that were used to record and tally the votes in an election” with the approval and support of the state elections agency. That software is defined as "the vote-counting source code, the table structures, modules, program narratives, and other human-readable instructions used to count votes."
Whatever the inspectors find, the voting-machine companies will not be able to say “But the software you saw was only for review purposes. We had fixed that problem in the operational software.” If they make that claim, they’re admitting they violated the Wisconsin law that required them to provide the State with the software that was used in the election.
And what will their inspection find? Smart money would lay odds on serious problems. You need to know only the basics about profit-seeking corporations and low-bid procurement to predict flaws and holes in a product that the manufacturers believed was eternally protected from scrutiny.
We’ll have to wait to see how well the inspectors can describe those problems without violating their pledge to maintain secrecy about the details of the coding. However, this is the best opportunity so far.
A final benefit is, I believe, this decision’s effect on efforts in other states to compel independent examination of vote-tabulating software. With this precedent, those efforts will be more likely to go forward and more likely to succeed. Wisconsin has shown that states can require voting machine companies to allow inspection of the software that will count our votes.
The wall of secrecy surrounding the “black box” voting-machine programs has been breached. But it has not been torn down. The Stein team grabbed the opportunity that presented itself and made the most of it, but the benefits have limitations.
The first limitation is that this is a one-time event. If no other candidate ever demands to inspect the software, it will never again be inspected. We don’t yet have routine quality assurance.
Second, this decision does nothing, in itself, to banish proprietary software from public elections. If we want to get any closer to open-source software and routine quality assurance inspections, we’re going to have to force this review’s eventual findings into the public’s and legislators’ awareness. We’re going to have to do that ourselves. Count on the news media to maintain their willful blindness to any news, however shocking, that lacks a Republican vs. Democrat partisan angle.
Third, while this review will be able to identify any defects or vulnerabilities in the master copy of each systems software, the inspectors won’t be able to tell whether the election was hacked.
- Computer programs can be manipulated in ways that are undetectable to even expert forensic analysts. In Brave New Ballot, Johns Hopkins University computer-science professor Aviel Rubin recounted how he annually provides his graduate computer-forensics students with programming he has hacked at the level of the binary code (that is, the ones and zeroes that underlie the human-readable source code). Years go by between the times when a grad student detects the hacked code, and grad students have been able to stump him, too.
- Neither voting-machine companies nor election officials will be able to provide Stein’s inspectors with the software that actually counted votes on Election Day. In a “precinct-count” state like Wisconsin, computer tabulation takes place in thousands of separate computers—at least one at every polling place. Before each election, those machines’ software is copied, recopied, and modified for the many different sets of races and candidates that appear on the jurisdictions’ different ballots.
In counties that use the Dominion ImageCast Evolution system (with the exception of Fond du Lac County), the software has even been transmitted over the internet from the Colorado manufacturer to the county clerk.
Therefore, to confirm with certainty that the software in every machine was compliant in even one election, inspectors would have to obtain access to the thousands of copies. No one is in a position to collect all that software in a single place, and Stein’s experts wouldn’t have time to review it even if it could be collected.
- Voting machines can be made to mis-tabulate without altering the source code that Stein’s experts will review. For example, a corrupt or lazy service technician could have installed unauthorized remote-access capability in the county elections computer (as Pennsylvania clerks discovered, to their dismay, in 2014) or in individual voting machines. Later, someone could have taken control of the machines’ output (that is, our election results) simply bypassing or overriding the authorized software.
The best possible outcome of these reviews would be that the experts will find the weaknesses, report them out, and motivate legislatures nationwide to adopt laws requiring open-source software and routine independent software inspection in every local jurisdiction in every election.
But even if that happens, it will not close and lock the door against outcome-altering mis-tabulation of our votes.
The only effective protection against hacked elections remains what it has always been: Routine, manual verification of the correct winners, using paper ballots, completed before the results are declared final.
Routine detection-and-correction is the only security measure strong enough to deter hacking while also protecting final election results against undetected error and malfunction.
It is the only way surely to protect the true voice of the people.
"As the secret ballot transformed elections in the last century," said Joseph Hall, Chief Technologist for the Center for Democracy and Technology, "risk-limiting audits are going to transform elections in this century."
In a few years, Americans will look back, aghast, at our current election management. We will be amazed that we ever trusted vote-tabulating computers so much that we routinely declared winners without checking results for evidence of fraud, glitches, or human error. We will consider routine verification to be an indispensable part of managing elections, just as cash-register reconciliation is now for managing the corner convenience store.
In preparation for that day, it's time to understand: What is a "risk-limiting audit"?Read more
Most local government officials don’t resist taking responsibility for the accuracy of their own department’s work product.
No city treasurer would refuse to check accuracy of property-tax bills.
No county executive would release a report on annual expenditures without double-checking accuracy.
These managers don't need state laws specifically requiring accuracy. It’s just part of being a responsible manager.
But the Wisconsin County Clerks Association is officially on record: They don’t want to check accuracy of their work product. Their work product is our election results.
The WCCA statement came in response to the Wisconsin Elections Commission’s September announcement that they were considering two measures to improve election security.
The first measure involved once-every-two-years voting-machine audits. Municipal clerks perform these audits of individual voting machines. They are the only accuracy checks that the Commission has authority to order, but they have limited value. Not only are these audits limited to November elections in even-numbered years, they check only a few random voting machines, without confirming the right winners in any race.
But municipal voting-machine audits are better than nothing. The Commission said it was considering ordering the municipal clerks to audit more machines than in previous years and would require the audits to be completed before election results are declared final.
The second measure would move Wisconsin slightly toward compliance with national standards for election security. The Commission said it was considering encouraging county clerks to perform election audits of the type recommended by election-security authorities.
Response from the WCCA was swift, naïve, and irresponsible. The county clerks let the Commission know they were okay with ordering the municipal clerks to do more voting-machine audits, but they didn’t want the Commission requiring, or even encouraging, the county clerks to perform genuine election audits.
Perhaps sensing they are on the losing end of a national trend (they are), the WCCA also described how it wants audits restricted:
- These managers don't wanna check accuracy until after they have certified the election results.
- These managers don't wanna check accuracy for any but the top race on the ballot.
- And they want the State to pay extra if it even suggests they check accuracy.
I’m not making that up. The organization’s memo to the Wisconsin Elections Commission is reproduced, verbatim, below.
In their rush to deny normal managerial responsibility, the WCCA got confused about the purpose of “evidence.” They wrote that our paper ballots “should be treated like evidence and remain undisturbed” until after the clerks have reached their verdict and know whether anyone demands a recount. Let’s hope the Trial Judges Association doesn’t follow suit and claim that they don’t need to look at the evidence until after they’ve reached their verdict and know whether anyone demands an appeal.
The WCCA’s message that only the top race on the ballot should be verified could be restated: “If you want us to protect the US Senate election, forget about protecting the Governor’s election.” And hackers are delighted to know ahead of time which race is off limits to manipulation, and which races are still on an honor system.
Because they do not consider checking accuracy a routine managerial responsibility, the county clerks demand the state pay them to verify election results. Again, putting this demand in the mouth of any other local government manager is revealing. Imagine a parks manager telling the county budget manager: “I signed off on this accounting of the user fees we collected this quarter. If you want me to ensure accuracy, you'll need to pay extra.”
For their final, Trumpian flourish, the clerks denied their ability to conduct accurate hand counts and blatantly misrepresented the findings of a study conducted by researchers from MIT, Harvard, and the UW Madison (Learning from Recounts, 2017).
The WCCA memo claimed the researchers had declared that “hand counts of election results are inherently inaccurate.” Now read the researchers’ actual words:
“...careful hand counting in a recount is the gold standard for assessing the true vote totals — in large part because of the greater focus on a single contest, more deliberate processing of ballots, and careful observation by campaign officials and other interested parties....”
The researchers ultimately expressed no preference for either method of counting, concluding: "ballots originally counted by computer ... appear to be at least as accurate as ballots originally counted by hand."
* * *
Wisconsin statutes give county clerks the buck-stops-here responsibility for election results’ accuracy. Municipal clerks cannot verify results in federal, state, and county races; they have access to the ballots from only their own city, village, or town. And the WEC is the legal custodian of no ballots at all; has only a few days after county certification before they must certify; and has no statutory authority to question results the county has certified.
We must insist the county clerks fulfill their responsibility. They have the paper ballots. They have the time. Modern election-audit practices would allow them to verify a few races on the ballot in just two or three days, at most, out of the two weeks that statutes allow them before they must certify the election. The only cost would be the hand-counters’ time at $10 or $12 an hour—a tiny fraction of the county’s elections-administration budget. They could randomly select just a few races for verification—just enough to deter election thieves in the races most liable to attract their interest.
And yet, collectively, they refuse.
Now, the bright notes: As the WCCA memo states, a few county clerks have begun voluntarily to incorporate hand-counted audits into their routine canvass procedures. Better yet, the Commission ignored the WCCA's whining and voted unanimously to encourage county clerks to start auditing during their canvass.
As a result, every county clerk in Wisconsin received a memo on October 4 explaining the current nationwide move to election auditing and providing the clerks with instructions on how to get started.
Only voters, though, can make it happen. Voters who care about election security should contact their county clerk to find out whether their votes in future elections will be protected with hand-counted audits during the county canvass.
If not, the next election on February 19 will provide an excellent opportunity for your clerk to begin developing routine election-audit practices, since it will likely be a low-turnout election. Your county clerk has plenty of time before February to learn about the various methods of checking accuracy and work out his or her local procedures.
Insist on it.
We need to talk about how we can defend election officials from partisan allegations of corruption, when they are guilty only of poor, careless, and ineffective elections management.
I hope you perceived that sentence to be as goofy as I intended it. What I really want to know is when we voters are going to demand high-quality election administration. When poorly operated polling places make voting difficult, when ballots are mishandled or when votes are miscounted, I don’t care which party it hurts or whether it was fraud or incompetence.
I want it fixed.
Following every election, my Facebook news feed fills with reports of sloppy election-management practices. If partisans can find a way to use an incident to their advantage (and they always can), that’s all they want to talk about.
I spent last Saturday morning in New Berlin at a meeting of grassroots conservative voters who are loudly disgusted with Milwaukee’s election administration. They freely alleged corruption and fraud, which I think unlikely, but I appreciate their anger and distrust.
Their candidate for governor lost by 30,849 votes on a night when the City of Milwaukee took hours longer than expected to process 47,000 absentee ballots. City officials explained that they needed to copy more than 2,000 of those ballots by hand because the original ballots were too damaged for the machines to read.
How can anyone expect emotionally invested partisans to refrain from yelling "Corruption!" when something like that happens?
So election officials promptly apologized. They admitted they knew ahead of time exactly how many absentee ballots they would need to process. They accepted full responsibility and started an immediate investigation. They made a public commitment that in future elections, absentee ballots will be processed as smoothly in Milwaukee as elsewhere.
I’m being goofy again. They did no such thing. That’s the kind of response we’d expect from a city treasurer who had sluggishly processed 47,000 property tax payments because 2,000 had been mangled.
In reality, the first response from election officials was that the incident was “routine,” hardly a confidence-building defense. Then, Milwaukee Elections Director Neil Albrecht reframed concerns about management as insults to the workers, and blamed Republicans for not passing legislation that would allow municipal clerks to run the voting machines continuously for weeks before each election. (He did not, however, offer a solution to the as-yet-unresolved details of how security and accuracy safeguards can be maintained when voting machines are in active operation for a six-week period instead of just one day.)
No sensible observer of politics will be surprised when I report that the Republicans in the meeting I attended spoke of using this incident to restrict all early and absentee voting around the entire state. They further mused about reviewing all Milwaukee absentee ballots to make sure the envelope signatures match those on file. They spoke of demanding a randomly selected ballot be thrown out for every ballot disqualified by a non-matching signature. (That’s called a ‘drawdown’ and is legal under current Wisconsin law.) Going after mismatched signatures has been used in other states to get votes thrown out or to make voters jump through hoops to preserve their votes.
Of course, such a process, if done only in Milwaukee County, would throw out many more Democratic votes than Republican votes. That’s why throwing out the ballots of randomly selected innocent voters while creating no consequences for the responsible managers looks like a ‘solution’ through their eyes.
So we’ve got a situation in which the Democrats are using this incident to push for running the voting machines continuously for six weeks, damn the security issues. The Republicans are using it to push for measures that would suppress legitimate Milwaukee votes.
Who is talking about better election administration? Who is asking why Milwaukee officials were prepared to count fewer ballots than they knew they had on hand? Did they not hire enough workers? Did they not assign enough equipment? Were their procedures less efficient than they could have been? Who is demanding to know why Milwaukee had, proportionately, more spoiled ballots than other counties, or what can be done to fix that?
No one. We don't hold our election managers to the same standards we hold other local government managers. Can you imagine what would happen to a city treasurer who defended comparable news about processing property-tax payments by calling it ‘routine’? When transactions are conducted in votes rather than dollars, our expectations of the managers plummet.
When we tolerate--even excuse—elections mismanagement, partisans will always take advantage. To use this case as an example, it is easy to see that people who want to expand early voting should aggressively work to make it as well-managed as possible, not to defend its mismanagement as unavoidable or routine.
Partisanship will never go away; tribalism is what humans do. But our election officials could stop insisting that voters accept poor planning and accidents as routine. If we want to hush the partisan complaints, we must hold our election managers to higher standards of care and competence.
Have any Wisconsin elections been hacked? A few elections were recounted, but no one knows about the others. Until this year, Wisconsin's election officials merely added up the machines' vote totals and declared the results final. Audits were something that they did later, if ever.
But Wisconsin's clerks are waking up to the fact that if they choose to, they can detect miscounts in time to correct them.
So this month, for the first time in Wisconsin's history, voters can be present as clerks hand-count paper ballots. These audits will verify at least some computer-tabulated results before they declare election results final.
At least one audit will be conducted in every county. The day after the election, Wisconsin Elections Commission staff randomly selected 5% of the voting machines and ordered those municipal clerks to conduct hand counts. Those audits are now underway, and will be completed before November 28. Click here to see if a municipality near you is conducting one.
Do not expect the audits to detect problems.
Finding problems in this election is not the audits' main value.
Routine audits are valuable for the fraud they deter.
Our election officials need public support and recognition for starting down the road to secure, audited elections. Here's what you can do:
- At a minimum, call your local municipal clerk and your county clerk to thank them for this year's audits and encourage them to do more in future elections. The WEC can order only municipalities (not counties) to check accuracy, and can do that for only one election every two years. Voters need to pressure our local officials to do more, voluntarily.
- Better yet, ask the municipal clerk when the audit will be conducted in your municipality. Attend and observe, if only for an hour or two. As administrative procedures, audits are more relaxed than recounts. The municipal clerk should allow you to observe closely enough to see the ballots yourself, and your presence will show the clerks their work is appreciated.
- More detailed instructions for observing the audits are here.
Call your municipal clerk today, and support the efforts to secure Wisconsin's elections with routine audits.
Paper ballots can be manually counted in different ways--sort by candidate and then count the ballots; stack the ballots into groups of 20 and 100 and then have counters mark tally sheets as they go through the stack one-by-one; and more.
Affordable technology--a simple digital camera hooked up to a projector--can beat all these methods on each of the four attributes of a good manual-counting method.
1. Ballot security.
Ballots must not be altered by the manual count. Sorting and stacking methods require the ballots to be handled several times, by several people, and moved around tables. When ballots are projected, only one person needs to handle the ballots, only once, and can keep them on one table, in full view.
In a manual count, accuracy is established with redundant counts—two or more people must agree on each vote, reconciling any disagreement. When counters make errors in sort-and-stack or tally-sheet methods, finding and reviewing the problem ballot can take a lot of time and ballot-handling. With projected ballots, everyone sees the same vote at the same time, so ambiguous votes can be reconciled when they are first encountered.
Faster methods of manual counting help to restrain costs, because labor is the biggest cost. Quicker counting also makes the task more pleasant for both counters and observers. Projected-ballot manual counts have accurately counted votes in one race at a rate of 100 ballots every four minutes, including time to stop to compare paired counters' totals and resolve any differences. Depending on ballot design, two races could go just as fast.
The value of a manual count depends upon how much trust it produces in candidates and voters. In traditional manual-count methods, observers cannot see ballots well enough to verify for themselves that the votes are being counted accurately and honestly.
When the ballots are projected, observers see exactly what the official counters see. In addition, because projected-ballot counts require no ballot-handling by the counters, observers can be drafted on the spot as official counters--powerfully counteracting any distrust.
A tally sheet completed in full view of all counters and observers serves as a record of the manual count.
A pdf document containing step-by-step instructions is here.
Reporter: "Does it bother you that what you're showing is humbug?"
PT Barnum: "Do these smiles seem humbug? It doesn't matter where they come from if the joy is real."
I recalled this dialogue from The Greatest Showman as I was observing a pre-election voting machine test in the City of Elroy, Wisconsin on Monday, August 6.
Conducted in every municipality before every election, these tests serve some necessary functions.
But as a safeguard against hacking, they are humbug—as authentic as a bearded lady whose facial hair is hanging from strings looped around her ears.
I've observed more than two dozen of these tests over the years. The ones I observed this week were typical. Even if you're not an IT professional, I'll bet you can pick out why these tests don't protect Election-Day results from hacking—whether the hacker is an Internet cyber-crook or a corrupt voting-machine company insider.
Here, try it. Start by predicting what the hacker might try to do. First, do you think the hacker would make the malicious code miscount every single vote or only some votes?
You guessed 'only some,' and experts agree. When a blue-ribbon election-security task force convened by the Brennan Center for Justice worked out how a hacker would steal a statewide race in the imaginary State of Pennasota, they calculated that no hacker would likely alter more than 7.5% of the votes, or a little more than 1 in every 13. So if you want to detect hacking, your set of fake ballots—your 'test deck'—should contain enough ballots to give each candidate at least 13 valid votes.
But Wisconsin municipal clerks typically create test decks with only one vote for each candidate—enough to catch only hacks that affect every single vote.
Second, do you suppose the hacker might instead allow the machines to count votes accurately all day, and then simply flip the candidates' vote totals at the end of the day to give his guy the biggest total? You probably guessed yes, he might. So you would need to create a test deck that has a winner in each race, a different number of votes for each candidate.
Wisconsin municipal clerks' pre-election test results typically contain a lot of ties--the same number of votes for each candidate in each race. Those test decks would not detect any vote-flipping hacks.
Finally, would the hacker's malicious code kick in whenever the machine was turned on, or only on Election Day? This one is easy. Hacks would never trigger on any day other than Election Day.
This is the fatal flaw of pre-election testing as a safeguard against hacking. Hackers can program their code to trigger only when the calendar says it's Election Day...or only when ballots are inserted at a rate typical of Election Day...or only when the machine has been operating continuously for more than eight hours...or only on some other telltale sign that real votes, not test votes, are being counted. As the Brennan Center Task Force report put it, trying to use tests like these to detect hacking would create a constantly escalating arms race between election officials trying to make the test look like a normal Election Day and hackers finding new ways to detect a test situation.
As a result, the Task Force didn't bother even to mention pre-election testing as a safeguard in its list of six security recommendations.
Many of Wisconsin's pre-election tests do not hide the fact that the machines are running in test mode, not Election-Day mode. The photo at right is a close-up of the voter-verifiable paper trail from an AVC Edge voting machine, programmed by Command Central, being tested in Juneau County before the August 14, 2018 primary. Notice that the voting machine printed "PRE-LAT PAPER RECORD" at the top of the ballot. 'LAT' is the computer professionals' term for "logic and accuracy testing," a basic routine whenever software has been updated. (I don't know why Command Central calls it "PRE-LAT".)
This machine clearly knows it is counting test ballots, not real ones. Operating in test mode doesn't render the test useless for things like catching innocent programming errors. But:
It is humbug for election clerks
to fool themselves, or to fool the public,
into thinking these pre-election tests
provide any protection against hacking.
If we want to stop being fed humbug, we have to stop falling for it. If your local election officials tell you:
- "Election results are protected by pre-election voting machine tests", tell them that you know Wisconsin's pre-election voting machine tests could not detect hacking any less obvious than that which in 2010 elected a cartoon robot to the Washington, DC school board.
- "Election results are protected by keeping the machines unconnected from the Internet," tell them that you know that they have no idea about what happens to the software before it comes into their control.
- "Election results are protected by federal and state certification," tell them you know that the software has been copied and updated many times since it was certified, and that no one has ever or will ever inspect the software that will count your votes on Election Day.
- "Election results are protected by the audits we already do," tell them that audits completed only after the canvass cannot possibly protect results they have already declared final ('certified').
The solution: Contact your county election office. In Milwaukee County, that's the Elections Commission; in other counties, it's the county clerk. Tell them:
"This voter is done with humbug. I know that one and only one safeguard can protect our final election results.
Use our paper ballots to detect and correct any electronic miscounts before you declare election results final. Start this November."
Don't expect your county official to be stubborn; several are already planning to check accuracy before they certify the November results as final. Find out if yours is one.
But if your county officials are not now planning to begin auditing, don't accept excuses. They got a memo on August 1, 2018 from the Wisconsin Elections Commission that made it clear: "A post-election audit is a tool that could be implemented to confirm that results have been tabulated accurately," and "post-election audits of the results may be conducted prior to certification of the canvass." The Commission even gave them basic instructions they can follow.
No more humbug
about election security.
Tell your county officials
today: "Time's up.
You can also help by donating to help Wisconsin Election Integrity get the no-humbug word out to voters, officials, and media through our 2018 publicity campaign.
And you can email the Wisconsin Elections Commission at email@example.com to encourage them to mandate pre-certification audits in every county, at their September 25 meeting.
Just a few tweaks to WECs' audit policy could make Wisconsin’s November 2018 elections the most secure since we started counting our votes with computers.
There's still time before the November 2018 elections for the Wisconsin Elections Commission (WEC) to put a patch on the state’s biggest, most dangerous election-security hole. Up to now, local election clerks haven't been checking the voting machines' Election-Day accuracy before the certify election results. They could be doing that easily, quickly, and cheaply.
To audit voting machines' November 6 output, neither WEC nor the local clerks need to spend an extra penny over what they already have budgeted for that election. The WEC has to change only one policy at their September 25 meeting.
But voters have to speak up--now. We must tell the WEC to revise their policy regarding the voting-machine audits for 2018, and order those audits to be completed in every county before election results are declared final. The WEC can be reached at (608) 266-8005 or by e-mail at firstname.lastname@example.org.
We have paper ballots. And local officials have up to two weeks after each election to review (‘canvass’) them to make sure the results are correct before they declare the official winners (‘certify’).
But Wisconsin election clerks seal them in bags on Election Night. During their review, they look at the poll tapes, but leave the ballots sealed. Then they certify. They swear the winners into office. Twenty-two months later, they destroy the ballots.
Perpetually sealed paper ballots do not deter hackers; they protect them.
About half the states require officials to do at least a little auditing of computer-calculated Election-Day results before they certify. But in Wisconsin, state law merely allows, but does not require, accuracy checks.
When I ask county clerks why they don't check Election-Day accuracy, I get answers like, "If we had to count votes manually, that would defeat the purpose of using the machines," and "If these machines were capable of miscounting, the State wouldn't let us use them." And "We did a recount before and didn't find that election had been hacked." Basically, the people who manage our voting machines don't believe they can be hacked. Or that they can malfunction. Or that humans sometimes make programming errors.
We can't have kind of naiveté among our voting-machine managers.
Since 2006, Wisconsin statutes have required the state elections agency to order voting-machine audits following November elections. That law, section 7.08(6) of the statutes, also orders local governments to do any audits the WEC tells them to do.
As is typical for laws like this, the statute leaves the details to the bureaucrats. How many voting machines to audit? When to audit? How to select the sample? Those decisions are left to the state elections agency.
But state elections officials have, before this year, denied the risk of an Election-Day hack. They were so confident, they didn't think anyone needed to look for it. So they have never ordered the type of audits that would protect final election results from hackers.
But times have changed, and awareness of the complex risks--not limited to Russian hackers--has grown. WEC will be tweaking their voting-machine audit instructions soon, as they always do shortly before November general elections, and we voters have got to make sure they do it right this time.
We must demand two things.
First, the 2018 audit instructions need to tell local officials “Finish the audits during the county canvass so that you can correct any hacks or errors you might find.”
From 2006 through 2012, the State told local officials to wait to check accuracy until after they had certified the results. In 2014, state elections board members ordered their staff to stop prohibiting on-time audits. But they have never ordered timely audits—they merely stopped prohibiting them.
Second, we must demand that the WEC order audits of at least one voting machine in each county. More would be better, of course, but they’ve budgeted for only 100 voting-machine audits, and Wisconsin has 72 counties. So they can do this.
The sample selection method used in previous years is too odd to explain here. It has to do with making sure the sample contains five of each make and model of voting machine. The critical fact is that it has always left some counties out.
Wisconsin’s voting machines are, in all but a few counties, programmed at the county level. For the federal, state, and county races, the same vote-counting code is copied onto all the voting machines in a county. So there’s a good chance you could deter hackers by randomly selecting one machine in each county.
The best audit would, of course, include enough ballots to produce a statistically valid answer to “Are these the right winners?” But we're down to the wire in 2018, and valid, respectable audits will probably need to wait until 2020. Until then, we need quick, better-than-nothing audits.
About cost: Funding for around 100 voting machine audits has already been budgeted--or should have been. Unless they increase the sample size, the WEC can order protective audits for the same price they are planning to pay for useless ones.
Just those two tweaks to WECs' audit policy, and Wisconsin’s November 2018 elections will be the most secure in our state’s history since we started counting our votes with computers. They will be the first in which would-be hackers were put on notice: Any voting machine anywhere in the state might be randomly selected for an audit while there is still time to detect your mess and clean it up.
So: We must tell the WEC to order voting-machine audits in every county, and that they be completed before November 2018 election results are declared final.
This topic will be on their September 2018 meeting agenda, and they have asked for voters' input.
The WEC can be reached at (608) 266-8005 or by e-mail at email@example.com.
The job description for the Wisconsin Election Commission’s public information officer does not say “Secure Wisconsin’s elections.” So Reid Magney's annual performance review won't suffer if, next November, hackers compromise ES&S headquarters in Nebraska, manipulate Milwaukee County's voting system, and pick Wisconsin's US Senator.
Magney’s job description probably says something like “Build voter confidence.” So don't expect him to draw attention to this or that national report, or whichever new report has once again given Wisconsin poor marks for election security.
Last Wednesday, Carrie Kaufman of WPR’s Morning Show told Magney, “Assure me that our voting system is secure.”
Magney obliged, and recited all the great things about security for the voter-registration system (my emphasis, not his). He talked about firewalls, multifactor authentication, hiring new Internet security staff, and installing software that will monitor for suspicious activity.
Magney avoided saying much about Wisconsin's vote-tabulation system. That’s a different security story.
WEC has very little responsibility for the vote-tabulation system. It was developed by private out-of-state companies, and is owned, operated, updated, and maintained by those companies and Wisconsin's counties, cities, villages, and towns. Not by WEC.
Magney left the impression that the wonderful safeguards protecting WEC's voter-registration system also protect the vote-tabulation system.
I know enough election technology to notice Magney's feints and finesses. As I listened, I found myself imagining a different interview. I imagined that Kaufman had asked specifically about the tabulation system, and that she was speaking with a WEC representative whose job description said “Make sure voters understand the real risks and necessary safeguards.”
Here’s that interview:
Interviewer: Welcome to our show. Every day seems to bring more alarming news about Russia’s intent to tamper with American elections. Is Wisconsin's computerized vote-tabulation system secure? I will discuss that today with my guest, Earnest Veracity of the Wisconsin Elections Commission. Welcome, Earnest.
Veracity: Thank you for having me.
Interviewer: I’m assuming you’re familiar with the five basic functions of a cybersecurity program, spelled out by the National Institute of Standards and Technology—identify the risks; protect the system; detect any problems; respond to any problems; and recover. Would that be a good framework for discussing Wisconsin's election security?
Veracity: Yes, that framework is useful. But I must make one thing clear before we start. I’ll answer your questions as best I can, but tabulation-system security isn't something that WEC has much say about. That's the job of the voting-machine companies and the local election officials. Wisconsin has decentralized elections administration, and voting-machine security is no exception.
Interviewer: I understand that. Let’s start with simply describing the system. Are the computers that count our votes inside those machines at our polling place, or somewhere else? Whose system is it? Who manages it?
Veracity: The vote-tabulating system consists of three parts: whatever computers the voting-machine companies use to develop and update the software; an 'elections management' computer in each county clerk's office; and the voting machines in each polling place. Each new election has its own set of races and candidates, so the county computers and the voting machines have to be reprogrammed for every new election. Typically, the software is developed out of state at one of the voting-machine companies' offices, and then transferred to the county either over the Internet or with portable digital media. The county clerk then prepares the software for each voting machine, and the municipal clerks install it in the voting machines. That software really travels.
Ownership and management get a little tangled. The companies own the software and some of the equipment. Counties typically own and manage the county computers, while the voting machines are owned or leased by the cities, villages, and towns.
Interviewer: So where are our votes counted?
Veracity: The software that counts your votes is typically inside the machine in your polling place. But it got there through the county's computer and the vendor's computers.
Interviewer: Got it. Let's move to security, and start with the first function, risk identification. Have the voting machine companies and the local election officials identified the risks?
Veracity: We don’t know whether the voting-machine companies have identified the risks. It’s possible they haven’t, because to the best of our knowledge, none employ any IT security professionals. Your network carries a great show, Science Friday, which aired a very good segment on this topic right before the 2016 elections. Aviel Rubin, director of the Johns Hopkins University Information Security Institute, described what he learned when he visited all the major voting-machine companies.
As for the local election officials, few understand the risks. Most, for example, will tell you the voting machine cannot be hacked if it isn’t connected to the Internet, overlooking the other computers involved in the process. They also believe that pre-election tests can detect hacked software. No one should expect local election officials to be IT security professionals. They just are not.
Interviewer: I suppose that’s fair. How about the second function of a good cybersecurity program. Do the managers of the vote-tabulation system protect it from the risks?
Veracity: Again, we know almost nothing about the voting-machine companies’ security practices. A few incidents indicate they might be lax. For example, in 2016, recount observers noticed manufacturers’ seals missing from voting machines in St. Croix County. When we investigated those citizens’ reports, we discovered a vendor’s service technician had left machines unsealed through several elections. We checked only St. Croix County’s machines. There may have been others that the technician left unsealed.
The local election officials, well, they do the best they can. They keep the voting machines and county election computers in locked rooms, and only occasionally find someone got unauthorized access. They are very reliable about keeping track of the software as it passes back and forth between the county and the municipalities. But keep in mind the nature of the workforce. Elections are run mostly by people who work on those tasks only a few days each year. We cannot expect security protocols to be reliably followed.
Interviewer: Well, that’s sobering. Who oversees the local governments’ election-security efforts? Do you?
Veracity: No, they’re pretty much on their own. County clerks are independently elected. Making sure they do their job right is up to the voters. Municipal clerks generally answer to the city council, village board, or town board, not to any professional election overseers. WEC does not, cannot, monitor their security practices.
Interviewer: Yikes. So as far as we know, no one is making sure we have much risk-identification or strong protection going on. What about detection? Do the local officials at least have ways to detect Election-Day computer miscounts? I understand that hacking isn’t the only threat—that they also need to be on the lookout for human error and random malfunction.
Veracity: Yes, those are the three main categories of electronic threats to our election results. But again, I'm sorry I cannot answer that question with regard to the voting-machine companies’ security practices. We have no idea what they do, if anything, that would, for example, detect malicious code if one of their programmers goes rogue and starts working for Russia.
And local election officials have no way to notice any malicious code if it’s already there when they receive software or updates from the vendor and install them in the voting machines. They are good about doing pre-election voting-machine tests, which can catch human programming errors. But those tests wouldn’t detect hacking. Remember the Volkswagen scandal? That should have taught everyone that hacks are designed to operate only during actual use, not during testing. A hacker would make the malicious code operate only on Election Day.
After each election, local election officials check that the machines counted ballots correctly, but not whether the machines counted votes correctly. That doesn’t protect our election results, because hackers would tamper only with vote totals and leave the ballot totals alone.
When miscounts are really obvious, local election officials sometimes notice, like they did in Stoughton in 2014. But sometimes they don't. In Racine and Marinette Counties in 2016, and in Medford in 2004, the local officials just blew past obvious computer miscounts and certified the wrong vote totals. Hackers could make thousands of votes just disappear, and it probably wouldn't be noticed or corrected in the canvass.
A citizens’ group, Wisconsin Election Integrity, has been pressuring us since 2012 to promote routine post-election audits during the canvass. National authorities recommend, and other states use, those audits because they deter hacking and protect certified election results from all types of miscounts. But we cannot make a decision in only six years. Maybe we’ll give it some thought for 2020. Maybe not.
Interviewer: Do the managers have procedures to respond to an event, so that they can prevent or minimize damage to the final election results?
Veracity: Finally, I can answer "Yes!" If local election officials detect incorrect preliminary vote totals during the canvass, Wisconsin statutes give them everything they need to protect the final, certified election results. They have the paper ballots, the freedom to decide to hand count, enough time for the canvass. The Stoughton voting-machine miscount of 2014 is an excellent illustration. Once they noticed the miscount, the municipal clerk quickly opened the ballot bags, hand-counted, and didn’t even miss the municipal canvass deadline. So if they do routine audits during the canvass, they will always be able to secure the final election results.
If they wait to detect problems until after they certify, though, that would be royal mess—expensive lawsuits and scandal, massive damage to voter confidence. I don’t even want to think about it.
Interviewer: Do the managers have procedures to recover and restore the system to normal functioning after an event?
Veracity: Well, neither we nor the local election officials have the skills or resources for serious forensic investigation. So it’s hard to say what we’d do to determine the causes and fix the flaw if we ever noticed a hack. When in 2017 we could no longer ignore the Optech Eagle’s inability to count votes from many absentee ballots, we decertified that system. But we probably wouldn’t do that if we found problems with a newer system. I cannot imagine, for example, expelling ES&S from the state if we found they’d installed remote-access software here like they admit they’ve done elsewhere. They count more than 70% of Wisconsin’s votes. Banishing them would be terribly disruptive and expensive.
* * *
Russians aren't the only ones who can buy social media. We can do it, too--if you donate. Help us publicize the easy solutions to Wisconsin's frightening election-security situation. Just $25 could help us reach hundreds of people and move Wisconsin that much closer to true election security. Please donate now!
Ask any Wisconsin official whether our elections are secure and you'll get this answer: "Our voting machines are never connected to the Internet; elections administration is decentralized; and the machines' designs were approved by the federal and state governments."
Go ahead—call your county clerk and ask. That is the answer you'll get. He or she sincerely believes those three safeguards protect Wisconsin elections.
Today, a consortium of national election-integrity groups released a new report: Securing the Nation’s Voting Machines: A Toolkit for Advocates and Election Officials.
Here's how many of the Wisconsin election officials' three favorite safeguards made the list recommended by the national authorities: None.
Here's why not:
- Voting machines are and always will be programmed by fallible, corruptible humans. Anyone who develops or loads the software can manipulate the vote totals without the Internet.
- You could hack into only one or two big counties' voting machines and swing a statewide election. In fact, county control of the voting machines might make hacking easier by increasing the number of vulnerable entry points. Besides, it's not really the local clerks who manage the machines anyway. It's three companies: Command Central, Dominion, and the biggest one, ES&S, which supplies the software that counts about 2 of every 3 Wisconsin votes.
- Federal and state approval of the voting machines' original design cannot secure the machine that counts your votes. The software was copied and updated dozens of times before it reached the machine in your polling place. No one ever inspects or approves the software that actually counts your votes.
What does protect elections: Paper ballots and audits.
Wisconsin has paper ballots, but not a single county clerk—not one—looks at those ballots before declaring election results final.
As long as our ballots are packed up on Election Night and kept under seal until they are destroyed 22 months later, Wisconsin elections are no safer than if we were using paperless touchscreen machines.
That's where Wisconsin's decentralized elections can help to protect our elections. State law gives every county clerk two weeks after a general elections—and more if they request it—to review the Election-Night results to make sure they are correct. The county clerks and their boards of canvass are free to adopt any review method they choose—it's up to them.
Any county or municipal clerk could, at any time he or she chooses, open the ballot bags and conduct a legitimate audit. It would be harder for municipal clerks, because they have only a week for review, and they certify only local races anyway. But county clerks have plenty of time to audit, and they certify the state and federal races—the ones most likely to be hacked.
Call your county clerk today and educate them. Tell them that the three safeguards they rely on are not really safeguards at all. Tell them to start—NOW—planning how they will verify the voting machines' Election-Day accuracy after future elections. If your county clerk doesn't know how, refer them to Securing the Nation’s Voting Machines: A Toolkit for Advocates and Election Officials, which has a good list of pointers and resources. Write to your local newspaper to make sure they cover this story.
Then, keep calling your county clerk until you get the answer Wisconsin voters deserve: "Yes, we will make sure your votes were counted correctly before we declare election results final."