The Real “Safeguards” on Voting Machines – and the Real Threat


My goodness, the doom and gloom about paperless voting machines seems palpable recently. Amidst concerns about election “rigging”, I hear worries that the lack of a “paper backup” for some DRE voting machines might create fundamental issues for election verification. Goodness knows I am not a fan paperless voting of any kind, nor of the current generation of DREs generally. But the current media blitz of fear, uncertainty, and doubt (FUD) is getting disconnected from the facts. If this post of “back to the facts” sounds like venting, well, maybe it is just a bit.

Here’s one bit of flotsam in the news stream that floated by recently, and struck me as odd – dinging paperless DREs as lacking a basic “safeguard” of a paper backup. Well, not exactly. It’s not that paperless DREs lack a safeguard; there are plenty of those, too many. What they lack is fundamental feature – an actual ballot from each voter. By now, finally, most people realize it was a Really Bad Idea to have voting machines that threw away the ballot that recorded each voter’s intent. We tossed out the ballot baby with the hanging chads bathwater.

It’s kind of like saying that a “brakeless racing bike” is missing the safeguard of a way to stop, when in fact a pair of brakes is a fundamental requirement for a racing bike. You could still ride it, but “safeguards” is what you’d need to compensate for this basic omission: limiting riding to only over flat ground, with riders wearing shoes that work as brake pads, and so on.

Paperless DREs are like that. They need extra safeguards to compensate for the fundamental shortcoming of no ballot. And it is election officials and poll workers that work hard to make that bike level and smooth.

The Real Safeguards

The safeguards are “too many” in that

  • they require a lot of extra work for hardworking election officials and poll-workers to do, and
  • they are all absolutely needed to compensate for the major shortcomings of DREs, especially paperless.

I’ve seen this firsthand, as a poll worker before CA decertified its voting machines, developed safeguards sufficient for the deficiencies found in the “Top to Bottom Review”, and re-certified with the proviso that each county needed to demonstrate adequate staff and poll worker training to operate the systems with all the required safeguards. The re-training was intense, and the additional work on election night was easily an hour or more per precinct on election day, and night, alone.

We had new tamper-evident seals (TES) on every part of the DREs, check sheets for every step in set-up and tear-down, bags for each of several kinds of evidence, a TES-sealed bag of TESs to apply the bags at the end of the day, double-sign-off sheets, new rules for ballot reconciliation, new procedures for physical chain of custody of pretty much everything.

And that was the tip of the iceberg, considering what the election officials and their temp staff had to do to set all this up, plus the back-office safeguards that the public doesn’t see. For the ultra-geeks, I’ll provide a specific couple examples later, explaining why each bit of extra work is necessary — but I hope you get the idea here.

The Five P’s for an Election Outcome

Another way of putting this is that with today’s DREs the technology platform has deficiencies that require a complex set of safeguards by people and process. Those two “P’s” are always required, but can get hairy when the 3rd “P”, the platform, wasn’t designed with self-protections that create a reasonable amount of activity from people and process.

Sure, there is a risk to the platform being compromised (or malfunction unnoticed) if the people don’t do the process adequately. We had that risk for years, with election tech that’s worse that we have now, and we still had election verification – just with a really vexing amount of work, both for the protection, and the oversight that it was done properly. And that’s part of the 4th “P”, policies, including the policy that the public must be able to verify the first 3 “P”s as part of the election outcome.

The procedures, and documentation of their performance, are both essential. It’s not enough to do the extra work to implement the safeguards required by the platform. Election officials must also prove that they did so, by following policies on documentation and record keeping. The election outcome is an important concept here.

Election outcome is not just the election results, the vote counts, who won, who lost. It is that plus all the evidence that the election was performed well enough to have confidence in the result. That’s the ultimate purpose of elections – a result that’s believable and does not create an impediment to the ordinary transfer of power.

The Federal election of 2000 is the example of what happens when the election outcome is not sufficient, and the transfer was power was in doubt for days. And that was in a calmer time, pre-Ferguson, pre-Occupy-Wall-St., before the computer in your pocket that can spread real or feigned outrage to millions in moment.s

The Real Threat

What we can see in this campaign of 2016 is the greater threat to election integrity – the 5th “P” of politics. This election is politically unique with the campaigns’ messaging on “rigging”, on cyber-risk to elections, on cyber-operations against campaigns and parties, and even foreign government influence.

It’s hard to be sure amidst all the rhetoric, but it sure looks like there is a higher risk of a situation where Federal election results aren’t enough, and the “prove that you ran the election right” demand might be placed on election officials in an unprecedented way that is far more public and adversarial than the usual and relatively gentlemanly activity of election law, litigation, recounts, and so on. The Minnesota Senate Al Franken Norm Coleman fracas could look positively quaint by comparison.

As a result, there’s the possibility of far higher stakes for the people and process to generate the evidence that proves that the election results are legitimate. The preparation for, and, heaven forbid, the execution of that proof, will be even more work than usual. Preparation could be huge, both literally in terms of work, and figuratively in terms of importance.

Preparation Is Huge

When you possibly have an election where the second place candidate says, “prove that these are the exactly correct vote totals”, you can never do that regardless of the election technology, including ancient Greek marbles and jars. That’s why “rigging” rhetoric will always be attractive.

But you can prove that all the required protective measures were done, and that there is no reasonable doubt about the result as supported by the technology. In jurisdictions with op-scanned paper ballots and documented chain of custody, the proof is relatively simple: here’s why we know that these are the legitimate paper ballots; we did a manual ballot audit and found no significant discrepancy with the machine counts. Done.

But here’s the bummer for election officials in all the paperless jurisdictions: there is more work to do. They need to prove that there is no reasonable doubt that the DREs accurately recorded each voter’s intent; and recorded the votes properly as tally datasets on removable media; and the that media used in tabulation were those same media; and the data on the media was not modified en route from polling place to election result. The proof, in other words, is complicated.

Collecting that proof is more work, and yields much more complex records, but it is not mysterious. Election officials have been doing this for years. But the complexity is an inherent vulnerability. The complexity makes it easy to have political rhetoric that points fingers at the many places it could have gone wrong, casts doubt on the proof. And it could be very effective FUD, if the proof is more complex than the public at large is willing or able to digest.

Where’s the Risk?

The risk is essentially equal for all the paperless jurisdictions, not jut the ones that the campaigns are currently pointing to, and the media scrutinizing. They all have tech with the same shortcomings and vulnerabilities, and the same extra work to implement safeguards to compensate. With this voting technology, you have to work even harder prepare to respond to claims of rigging, and even if you do a great job, it could still get ugly because of the complexity.

I don’t worry so much about the jurisdictions currently in the limelight (or hotseat) because the very limelight itself provides a great incentive to properly prepare and execute. In the so-called battleground states, the state election leadership understands the issues, and the local election officials on the ground have the experience.

Where I really worry is around the edges Perhaps if FL turns out to be the narrowest-margin state, and we see a repeat of a county’s previous breakdown in physical chain of custody. Or perhaps if GA turns out to be closer than anybody would every have expected a year ago, and election officials did not prepare as carefully to defend against claims of “rigging”.

That’s what we face in this election, and I say “never again”. We can replace all the aging-out voting systems, paperless and otherwise, with far better platform that requires reasonable efforts from people to implement processes that create comprehensible proof, enabling meaningful policies of public oversight that much less vulnerable to the politics of fear, uncertainty and doubt.

— John Sebes

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.