(Updated after publication; see note at end.) When Jon Stewart signed off last night, his parting gift was a bit of sound advice. “Bullshit is everywhere,” he said. “So if you smell something, say something.”
Political bullshit, Stewart explained, comes in three flavors. First, it's used to make bad things sound like good things, like when politicians call it "The Patriot Act" instead of the "We're Going To Read All Your Email Act." Second, politicians use bullshit to hide bad things under piles of complexity, like using reams of complex regulations to make it look as if Congress is trying to control the bankers. Third is the 'bullshit of infinite complexity,' when they try to pretend action is impossible until we get more information, like when climate-change deniers pretend more research is needed.
Okay, Jon, this is for you: I smell something, and I'm saying something.
Take a look at this recent public-information memo from Dane County Clerk Scott McDonell and tell me what you smell. I’m pretty sure anyone with basic knowledge of elections administration or computers will, as I do, detect a distinct odor of...complexity. Technical and procedural details are being used to avoid acknowledging a simple fact: No one routinely checks the accuracy of our voting machines' output before the county board of canvass declares election results final.
McDonell knows what we're worried about. If an electronic miscount changes the outcome of any election--in any other than a blatantly obvious way, like the Stoughton miscount--he and the Board of Canvass won't notice before they hand a certificate of election to the 'winner.' People who want to commit election fraud have known this for a long time, and the electorate is wising up to both the possibility of electronic fraud and the probability of errors and malfunctions.
So, we want McDonell to do what national... elections ...authorities... unanimously ...recommend: Adopt management practices at least as prudent as, say, the owner of the corner store who every night reconciles his receipts with the cash-register tape. McDonell's pre-election security practices are, as he says, about as good as a county clerk can get them, but no amount of pre-election security can answer the day-after question, "Did it work?"
If McDonell were willing to consider federally endorsed sampling methods and the possibilities of using the digital ballot images, he would soon find out there are highly efficient and transparent methods that could be completed during the county canvass period without disturbing the paper ballots.
But obeying the Democratic Party line that talking about the need to protect our election results from electronic miscounts makes people less likely to vote, McDonell doesn’t even acknowledge the risk. Instead of participating in a serious discussion of the risks and possible solutions, he gives us a pile of complexities.
The linked memo contains a list of good but basic pre-election security and testing measures (not even close to bullet-proof against all hacks, particularly by insiders; demonstrably unreliable at detecting errors; and useless against Election-Day malfunctions), plus a few weak post-election measures (promising to check for obvious miscounts). For good measure, he attaches three pages of what appears to be sections from the voting machines’ operator’s manual. McDonell probably knows that most readers won’t realize these techy details describe security only after the machines have already read our ballots and tabulated our votes, making them irrelevant to the question of whether that tabulation was correct. It sure looks impressive but oh, that odor...
Scrape away the complexity and the straight-talk message is: “Before each election, I take the basic security precautions I’m required to take. During the canvass period, I will promise to notice obvious miscounts. And if we do notice an obvious miscount, the Board of Canvass will consider whether to look into it. Now tell everyone to trust the election results.”
I don't know what it's going to take to wake our elected officials up to the facts of the world we live in. I hope the crisis that enlightens them isn't a bad as it might be. It can't be that McDonell actually believes hackers who can defeat the security systems of Anthem, Sony, and the federal Office of Personnel Management can be stymied by little ES&S of Omaha, Nebraska. Nor can he believe no one wants to hack our elections, or that no insiders are corruptible.
Is it that he is relying more on the voting-machine vendor than on independent, national experts on elections security for his understanding of the risks? Barely nine months ago, he presided over an election marred by human error piled on human error and by unexpected machine malfunction; he can't possibly be naïve about those risks.
I'm not among those eager to allege fraud whenever they see inexplicably secretive behavior but--damn!--he's not making it easy for me to defend him against those who are.
In one email McDonell wrote to the county board, he expressed fear that treating the Election-Night output as something that could be subject to change would lead the more contentious losers to be disruptive and cause "mischief and chaos." I can understand that fear, given the experience most county clerks have had with recounts and coming from the partisan perspective McDonell has. However, verification is not a recount, and if it's transparently handled by the clerk as the prudent managerial responsibility it is, candidates would promptly learn to appreciate the certainty that the voting machines' accuracy has been verified. Of all the clerks in other states who have adopted routine verification, I have never heard of one who stopped doing it, and have heard others report that their candidates and voters are very appreciative of the proven reliability.
And a note to anyone worried about "mischief and chaos:" Think of what will happen when a miscount is detected while it can still be corrected, and what will happen when it's discovered only after you've declared the election results final. I know which level of mischief and chaos I'd prefer to deal with.
McDonell's memo is vague enough on some points that a judge and jury would be wise to ask for more information before convicting him of imprudent management or worse. But the fact that he's not offering those details isn't comforting.
And it's worse than not offering information: McDonell has for the past several months consistently either ignored or declined our many emails requesting and suggesting times for a meeting. He has turned down every invitation to one of our public events for over a year now. Maybe he will respond if I tag him when I post this to Facebook. I wish it hadn't come to that.
The rest of this post is the details, for those interested in a point-by-point analysis of McDonell’s memo. And Scott, if you're reading, these are the questions I will ask when and if we meet.
McDonell's words are in the text boxes.
Whether naively or deliberately, this explanation glosses over the difference between source coding (which is installed and maintained by the vendor and which local elections officials are prohibited from viewing or altering) and set-up coding, which can be done either by the vendor or the local elections officials. IT security experts believe that hacks are more likely to affect the source code, so secure set-up coding is only a weak safeguard, at best.
- Counties that do the opposite and have the impartial vendor set their machines up for each election believe that arrangement to be more secure; there are arguments in favor of both views. Verifying the output is advisable regardless.
- The claim that the vendor does not touch, update, or patch the software is a curious one. Scott, if you're reading this, be prepared to explain what you do if a machine needs repair, adjustment, or maintenance, or if ES&S notifies you that a patch is necessary. Also be prepared to explain where the flashdrives go between elections--are you really saying that they never leave your possession, that they are never returned to ES&S?
Even if the vendor never updates or patches our software, however, malicious code can be transferred into machines through several other pathways. Here's the report of the 2007 blue-ribbon task force on electronic elections security convened by the Brennan Center--start reading on page 20. Here is another that is less technical but more readable.
- Voting-machine software can be compromised even if never connected to the Internet--the two documents I just linked can tell you more; the biggest risk is probably insiders, who have been responsible for most of the election fraud in human history, no matter how votes are counted.
Another question for Scott: Do you or Dane County IT staff check the voting machines to make sure no one has installed wireless communications capability without your knowledge? Voting machines are manufactured for a national market, so even though you ordered machines without wireless capability, it’s possible that it could have been installed without your knowledge. Unless the inner workings of the voting machines have been inspected by Dane County officials who know what to look for, we are operating on nothing more than trust in the vendor and the machine custodians when we say the machines cannot be accessed wirelessly.
In this section, McDonell is talking only about pre-election testing, not checking Election-Night output for accuracy. The municipal testing is required; the county testing is a good addition. When pre-testing is done well, it is effective in catching set-up errors only. It can never be effective in preventing Election-Day malfunction or in detecting deliberate hacks, which would never operate other than on Election Day, so pre-testing does not eliminate the need for checking Election-Day accuracy. Go back to the analogy of the store owner. I'm sure he tests the bar-code scanner when he sets it up, but he also wouldn't think that testing somehow eliminates the need to reconcile his receipts at the end of the day.
And of course, the pre-testing itself can be affected by errors, as we saw with the November 2014 referendum miscount.
Questions for Scott: What have you done since the Stoughton miscount to educate municipal clerks about the need to check that the machines are counting votes correctly in their pre-election testing, and about the need to create test decks with no ties? Pre-election tests build confidence only if conducted publicly. Are the county's pre-election tests open to the public? (I'm not saying they need to be, but you cannot use them as evidence of transparent accuracy unless they are.)
Board of Canvass (BOC) Review:
- Checking for obviously suspicious under-vote rates is a GAB-recommended practice useful for detecting what is believed to be the most common type of inadvertent electronic miscount.
- Checking for departures from historic patterns is a good idea and could be useful in detecting signs of a deliberate miscount. Scott, do you have written criteria for what sort of inconsistency will be considered 'reasonable'? If not, how do you ensure the board will consistently and impartially decide which inconsistencies to consider suspicious? I have to point out that routine verification could reduce the need to make this sort of subjective judgment call.
- In a July 13 email to county board supervisors, McDonell argued that unsealing ballot bags during the canvass process is contrary to statutes, but got his fact correct in this memo; the board does have legal authority to unseal ballot bags on its own initiative for verification purposes. Scott, I'm hoping you will be able to clarify that the board will always vote to resolve any anomalies it notices, and will never vote not to.
I don't know about all the counties, but McDonell could very well be correct that he does more review of processes and procedures than any other clerk, and that's good. But McDonell's audits don't yet include verifying the results. In its Report on Election Auditing, the League of Women Voters of the US wrote (page 4): "Generally, audits can be divided into two categories: (1) reviews of processes and procedures that contribute to an orderly and fair election and (2) verification of the vote counts. The former can be conducted periodically (while) verification of vote counts should occur after every election.”
That LWV report and this document from ElectionAudits.org (probably the most-often cited best-practices document) are two of the best sources with regard to the features of a good post-election audit.
It will help voter confidence, Scott, if you can provide more detail about the procedures, timing and method of your audits. To be effective in building confidence among voters and candidates, post-election audits need at least:
- Transparency: Are candidates and voters invited to observe the random selection and the audits? If the selections and the audits are done behind closed doors, they fail to build confidence and may even make distrust worse. (Scott, if your post-election audits are transparent, you'll need to be a better job publicizing them, and please put me on the list of people who want to be notified.)
- Clear criteria and procedures adopted before the election: Without clear criteria and procedures, post-election auditing can create an appearance of favoritism because it allows elections officials to question only those races in which they disliked the outcome. (Scott, how do you select the races or precincts to be audited?)
- Timeliness: Audits conducted after the board of canvass has declared the elections results final are suspect, because local elections officials have allowed themselves time to tamper with the record, and any errors that might be detected could not be corrected without expensive and divisive legal action, if then. (Scott, when do your audits occur? How many auditors do you have working on them?)
- Statistical validity: At least enough randomly selected ballots or precincts need to be counted to provide statistical confidence that the electronic tabulations identified the correct outcomes, if not the exact total number of votes. (Scott, do your audits confirm the outcomes of any contests were accurate?)
Paper Ballot Trail:
The key word is ‘would.’ Fraud WOULD be risky if we routinely checked for miscounts and routinely investigated any miscounts we detect, but we don’t.
Hackers and corrupt insiders really appreciate the way Wisconsin elections officials are so powerfully dedicated to making sure the ballot bags stay sealed from poll-closing until destruction. It helps them sleep easy and get on with their lives.
Research has shown that some voters think that their vote is not secret or that their vote won’t be counted. They then decide that voting is pointless. As you can see we ensure that every vote is counted. Let’s work to get the word out that our elections are secure.
In the 21st Century, when few people are willing to believe that computers can be infallible or immune to misuse, simple reassurances and smelly complexity no longer build confidence--particularly when those reassurances assume a certain level of naiveté about computers and computer security. So let’s work to get the word out that our elections can be made secure with routine post-election verification.
Updated a few hours after publication to add the paragraph about McDonell's point about not wanting to spark 'mischief and chaos' and to tone down a few sentences I thought too harsh upon later reading.