Intelligence experts warn that hostile nation-states, criminals and political partisans are preparing attacks on our election systems in 2020. We’ve set ourselves up for this: In the course of modernizing our voting systems, our country has introduced computers into many layers of our election process, including the recording and tallying of our votes. In fact, 99 percent of votes cast in 2020 will be counted either by the computerized voting machines on which the voters cast their ballots or – in the case of voter-marked paper ballots – by scanners, which also are computers.
As former secretaries of state from both parties, we know that it’s possible to devise tangible solutions needed to validate our elections. In fact, we can tell you how to do it.
That’s not to say that it’s easy, particularly given the decentralized nature of our election administration system. Most states administer elections locally and only a few states have uniform equipment in each locality. For many years, election administration has been woefully underfunded, leading to wide variability in capacity and resources. But, as long as the equipment incorporates a voter-marked paper ballot, officials can adjust existing processes to instill confidence in elections, regardless of the equipment in place.
First, we need to dispel one misconception. Many people (including many election officials) believe that if a voting system or scanner is never connected to the internet, it will always be safe. Alas, that’s not the case. For each new election a file is prepared that contains the candidate and issue names and their placements on the ballot. This file is created by another computer that may be connected either directly or indirectly to the internet. If that computer is infected with malware, it can pass on that infection when the file containing the election information is fed into the voting machine or scanner.
What this means is that while we must make our election infrastructure as secure as possible, we need to accept that it is essentially impossible to make those systems completely secure. As we’ve seen from multiple successful attacks on corporations and government entities, computers throughout our country continue to be vulnerable to attack. Fortunately, we don’t need complete security, so long as we can recover from software bugs and attacks on our elections. The good news is that we know how to do that.
There are three things that every election jurisdiction needs to secure their systems: voter-verifiable paper ballots, a strong chain of custody of those ballots and rigorous postelection ballot audits.
The three parts work together. Voter-verifiable paper ballots are required as a check on the computers that tabulate the ballots. The strong chain of custody prevents ballot box stuffing, as well as the theft or alteration of voted ballots. And ballot audits, known as Risk-Limiting Audits (RLAs), make it possible to recover from an attack, or even from malware or unintended mistakes, by randomly selecting ballots and using them to check the accuracy and correctness of the scanner.
It’s not enough to just have paper ballots – it’s also important that they be checked by voters. If a voter makes a mistake while marking her ballot or if a machine that marks a paper ballot for the voter misrecords the voter’s selections, then the voter’s choices will not be correctly counted. This is an important step to raise confidence in the validity of any system. A strong chain of custody also increases confidence.
Perhaps the part of the system least understood by election officials and the public alike is the importance of auditing the results. The most robust tabulation audits, the RLAs, provide a large, statistically guaranteed minimum chance of correcting outcomes that are wrong due to tabulation errors.
RLA protocols require that after the vote counting has been completed, officials randomly select a certain number of paper ballots and check the results against the results reported by the software. Unlike fixed-percentage audits, RLAs automatically adjust to the particulars of each contest. An RLA could halt after examining just 35 ballots if the margin (i.e. the difference between the winner and the runner-up) is at least 20 percent and the sample doesn't uncover any errors. A small sample is sufficient, because if anybody other than the reported winner really won, there would be a lot of errors, and even a small random sample would likely uncover some.
At the other extreme, an RLA would need to examine at least 7,000 ballots if the margin is 0.1 percent (below the threshold for an automatic recount in some states). The sample needs to be larger because a small error rate could have caused the wrong candidate to appear to win, and the audit can't stop until it has strong evidence that errors didn't change the result. Notably, these numbers — 35 ballots for a 20 percent margin and 7,000 ballots for a 0.1 percent margin — don't depend on how many ballots were cast in the contest. That might be surprising, but the same principle is involved when you check whether soup is too salty: Stirring the pot and tasting a tablespoon is enough, whether the pot holds one quart or 10 gallons.
Random sampling continues until enough evidence exists to confirm the computer-tabulated outcome. An audit that does not produce such evidence will trigger a complete manual tally. This is most likely to happen when the reported outcome is wrong, which is exactly when a manual tally is needed. One of the benefits of risk-limiting audits is that, in many cases, the audit can confirm the result without the need for hand counting every ballot. Importantly, RLAs can detect discrepancies in the reported results early on and demonstrate the need for a full recount.
By routinely conducting postelection tabulation audits, we can make verification of the results an automatic part of certifying elections. As the operational aspects of audits are refined, the relative burden on election administration will be lessened. The greatest challenge now is demystifying RLAs and helping election officials understand the value of the tool in demonstrating the correctness of software-reported results.
There have been several pilot studies of RLAs in places such as the city of Fairfax, Va., Orange County, Calif., Michigan, Indiana, New Jersey and Pennsylvania. In 2018, Colorado – which is an all paper-ballot state – conducted the first statewide RLA. While there were a number of challenges, the audit was a resounding success. Rhode Island is following Colorado’s lead, and we urge other states to do likewise.
We no longer need to trust the results of computers that may or may not be deserving of that trust. We have the tools and the know-how to convince the losers and their supporters that they truly lost. (As it happens, winners tend not to need convincing.)
The discussion around election security is not going away anytime soon. Given the cynicism that some Americans feel about elections today, validating our elections is a critical step that will strengthen our democracy.
Kevin Shelley, a Democrat, is the former California secretary of state and serves on the board of directors for Verified Voting, a nonpartisan, nonprofit organization that promotes verifiable voting practices. Wayne Williams, a Republican, is the former secretary of state for Colorado and also serves on the board of advisers for Verified Voting.