risk limiting audits

Tag Archive

National: RSA Cryptographer Ronald Rivest Seeks Secure Elections the Low-Tech Way | Susan D’Agostino/Quanta Magazine

onald Rivest sports a white beard, smiles with his eyes and bestows his tech gifts on the people of the world. The Massachusetts Institute of Technology professor is the “R” in RSA, which means that he, along with Adi Shamir (the “S”) and Leonard Adleman (the “A”), gave us one of the first public key cryptosystems. It’s still common today: Nearly all internet-based commercial transactions rely on this algorithm, for which the trio was awarded the 2002 A.M. Turing Award, essentially the Nobel Prize of computing. In recent decades, Rivest has continued to work on making it computationally hard for adversaries to break a system, though he now focuses on ensuring that votes in democratic elections are cast as intended, collected as cast and tallied as collected. Elections, he has discovered, have stricter requirements than nearly any other security application, including internet-based commerce. Unlike online bank accounts and the customer names with which they are affiliated, ballots in an election must be stripped of voters’ names because of voting’s secrecy requirement. But the ballot box’s anonymity sets conditions for real or perceived tampering, which makes proving the accuracy of tallies important to voters, election officials and candidates. Another requirement is that voters can’t receive receipts verifying their candidate selections, lest the practice encourage vote selling or coercion. But without a receipt, voters might wonder if their votes were faithfully and accurately counted. It’s a tough problem to crack, and Rivest thinks the solution lies not with fancier computers, but with pen, paper and mathematics. “I mainly argue for some process by which we have confidence in our election results,” he said. “No one should say, ‘It’s right because the computer said so.’”

Full Article: RSA Cryptographer Ronald Rivest Seeks Secure Elections | Quanta Magazine.

Voting Blogs: Ballot-level comparison audits: precinct-count | Andrew Appel/Freedom to Tinker

In my last post I described a particularly efficient kind of risk-limiting audit (RLA) of election results: ballot-level comparison audits, which rely on a unique serial number on every ballot. The serial number should not be preprinted on the ballot where the voter can learn it, otherwise the voter could sell their vote, or be coerced to vote a certain way, and the buyer or coercer could learn the vote from the file of cast-vote records (CVRs). The solution, when central-count optical scan (CCOS) is used, is that the central-count optical-scan voting machine can print the serial number onto the ballot, as it scans and counts the ballot. But many jurisdictions use precinct-count optical scan (PCOS): the voter marks a ballot, and feeds it directly into the PCOS voting machine, where it is scanned, counted, and preserved in a ballot box. This has three advantages over CCOS: PCOS machines can alert the voter about overvotes, undervotes, or blank ballots, which gives the voter a chance to correct their ballot. PCOS tabulations are ready immediately at the close of the polls, which gives faster election-night reporting. PCOS tabulations give an additional safeguard against low-tech paper-ballot tampering: if the hand-to-eye recount of this batch does not match the results claimed by the optical-scanner, then one of them is wrong. The paper ballots themselves are the presumed ballot of record; State statutes should say that in case of disagreement we trust the paper by default, not the (possibly hacked or buggy) computers; but even so, a disagreement is important evidence of possible tampering that could be worth a forensic investigation. We don’t get this safeguard with central-count scanning of precinct-marked ballots. But PCOS machines are not equipped with serial-number printers. Why is that? It would be straightforward to add one to a standard PCOS design, and it wouldn’t much affect the price of the product (so I’ve been told by the vice president of a major voting-machine company). The reason is not that the vendors can’t or won’t make the product; it’s that PCOS-ballot serial numbers are not so straightforward to use in RLAs.

Full Article: Ballot-level comparison audits: precinct-count.

Verified Voting Blog: Letter to Georgia Secretary of State regarding Verified Voting’s position and involvement with risk-limiting audit pilots

The following letter was sent to Georgia Secretary of State Brad Raffensperger on December 16, 2019. The letter addresses Verified Voting’s concerns following the November 2019 election in Georgia and provides clarity on Verified Voting’s position and involvement with risk-limiting audit pilots in the state.

Download the Letter (PDF)

Dear Secretary Raffensperger,

I am writing to address a few issues that have concerned us since the November election and so that you and your staff have clarity on Verified Voting’s position.

As an initial matter, Verified Voting did not recommend that Georgia purchase all ballot marking devices for all in-person voters. We made our position clear in a letter to the co-chairs of the SAFE Commission dated January 4, 2019 attached for your reference. Verified Voting stands by its position and notes that this continues to be our recommendation for jurisdictions who are deciding what system to purchase among commercially-available voting systems. The fact that Georgia did not follow our recommendation and purchased Dominion BMDs for all in- person voters does not change our position.

Since the summer of 2019, Verified Voting has been working with the staff of the Secretary of State to implement post-election risk-limiting audits. Mark Lindeman, Director of Science & Tech Policy at Verified Voting has been the primary contact for your staff and is a subject-matter expert on RLAs. Our work with you on the implementation phase in no way endorses Georgia’s decision to move forward with BMDs instead of our prior recommendation of both hand-marked paper ballots and ballot marking devices in the polling place.

A risk-limiting audit is a tabulation audit: it uses statistical methods to provide confidence that the paper ballots were correctly tabulated. It checks only the tabulation, namely whether a full hand-count of the cast paper ballots would reveal something different than the reported outcome. It does not check — among other things — that voters actually verified their paper ballots, or that the paper ballots being tabulated are exactly those paper ballots that should be tabulated. Nor does it check whether strong chain of custody procedures, proper ballot accounting or other processes necessary to create a trustworthy record were observed. To express or imply that doing an RLA pilot demonstrates the security of the system is simply not true.

Verified Voting Blog: The Role of Risk-Limiting Audits in Evidence-Based Elections

In the aftermath of the 2016 election cycle, interest in securing American elections from tampering or hacking has intensified. Given that 99% of our votes are counted by computers, and that computers are used in every aspect of the electoral process, election security is a top priority. For over a decade, Verified Voting has advocated for the widespread adoption of post-election risk-limiting audits (RLAs) alongside other best practices to facilitate a trustworthy and auditable record of votes cast.

A post-election risk-limiting audit (RLA) is one of the pillars of cyber security. In this day and age of nation state attacks on our election systems, it is very important for election systems to be resilient and provide a way for jurisdictions to identify problems and to recover from them. Security experts agree that the best method is voter-marked paper ballots (which voters choose to mark by hand or with a ballot marking device), having a deliberate and intentional step for voters to verify their ballot selections, providing a strong chain of custody of the ballots, and checking that the computers counted them correctly (RLAs).

Evidence-Based Election Ecosystem

Risk-limiting audits are one piece of the larger ecosystem of evidence-based elections that depend upon a trustworthy record to give confidence to election outcomes. There are some things that risk-limiting audits do not do. They do not tell us whether the voting system has been hacked. They do not and cannot determine whether voters actually verified their ballots. But they can detect and correct tabulation errors that could alter election outcomes — or provide strong evidence that a full hand count would yield the same outcomes.  

Pennsylvania: Philadelphia tests way to ensure no one hacks 2020 presidential election in Pennsylvania | Jonathan Lai/The Philadelphia Inquirer

Philadelphia voters can rest assured Jim Kenney really was reelected mayor this month, according to a squad of data and voting experts from around the country who ran a rigorous statistical test of the results Thursday. But while it’s no surprise that a Democrat won by 80 percentage points in an overwhelmingly Democratic city, it’s notable that the scientists were able to conduct such an audit in the first place. That’s because on Nov. 5, for the first time, Philadelphia used voting machines that leave a paper record of voters’ choices. As Pennsylvania’s counties roll out similar new machines required to create paper trails in time for the 2020 presidential election, the reported electronic returns can now be checked for accuracy. That’s an important change in a state that Donald Trump carried in 2016 by slightly more than 44,000 votes, or less than 1%. Pennsylvania is expected to be critical again next year. “We know we saw in 2016, everybody wondering, was this real, was this not real?” said Kathy Boockvar, secretary of the commonwealth, whose department oversees Pennsylvania elections. In 2020 and beyond, with what are known as risk-limiting audits, election officials will be able to confirm that the text of paper ballots lines up with what ballot-reading machines say. “The stakes are high, people are very passionate, and we have the paper that will be able to show the actual evidence,” Boockvar said. Officials hope the audits will make it harder for bad actors to tamper with the results. They also hope to increase public confidence in elections generally, following what U.S. intelligence agencies concluded was a systematic campaign by Russia to interfere in the 2016 election to boost Trump. (That campaign involved the dissemination of news and information Americans consumed, not the manipulation of actual votes or voting machines.)

Full Article: Philadelphia tests way ensure no one hacks 2020 presidential election in Pennsylvania.

National: CISA and VotingWorks release open source post-election auditing tool | Catalin Cimpanu/ZDNet

The US Cybersecurity and Infrastructure Security Agency (CISA) and VotingWorks, a non-partisan, non-profit organization, have open-sourced today a tool for the post-election auditing process. Developed by VotingWorks and named Arlo, the tool is available on GitHub. It’s a web-based app designed specifically for the US election process where votes are tallied electronically using software or special machines. To safeguard the election process against hacked or faulty voting systems, the US government mandates that all counted votes go through a post-election audit to verify the results, in a process called a Risk-Limiting Audit (RLA). Arlo is designed to automate this auditing process by automatically selecting random voter ballots for the RLA process, providing auditors with the information they need to find those ballots in storage, helping officials compare audited votes to tabulated votes, and providing monitoring & reporting capabilities so that election officials and public observers can follow the audit’s progress and outcome. “The tool supports numerous types of post-election audits across various types of voting systems including all major vendors,” CISA said in a press release today. CISA did not develop Arlo — created by VotingWorks on its own — but the agency has adopted the tool and is currently working on convincing state election officials to deploy it before next year’s presidential election.

Full Article: CISA and VotingWorks release open source post-election auditing tool | ZDNet.

Pennsylvania: State starts testing new election auditing procedures | Emily Previti/PA Post

Pennsylvania’s elections overhaul isn’t limited to deploying new voting machines and making sweeping changes to absentee voting and registration deadlines. Officials also are working on new post-election auditing procedures that employ statistical modeling. Test runs occurred earlier this week in Mercer County and are scheduled for Thursday in Philadelphia. Post-election audits already happen in Pennsylvania. State law requires counties to audit 2 percent of ballots cast – or 2,000, whichever is less – in each race. Other auditing criteria – such as sample ballot selection – are largely left up to county election officials. That’s expected to change in 2022. The state agreed to implement a more robust post-election audit system — called risk-limiting audits — as part of the settlement of a lawsuit brought by 2016 Green Party presidential candidate Jill Stein. “The process that’s in place now is practically meaningless,” Stein’s spokesman Dave Schwab wrote in an email Tuesday. “In contrast, risk-limiting audits are designed to use the paper records to ensure that the machine count didn’t produce the wrong winner.”

Full Article: Pa. starts testing new election auditing procedures | PA Post.

Colorado: Secretary of State’s Office begins post-election ballot audit | Michael Karlik/Colorado Politics

Secretary of State Jena Griswold on Friday directed county clerks to begin the audit of a random selection of ballots after this month’s general election. A press release said that this risk-limiting audit, the only statewide one in the country following most elections, provides a “high statistical level of confidence that the outcome of an election is correct and reflects the will of the voters.” Colorado conducted its first statewide audit in 2017, covering all counties that used machines to tally their votes. Two counties, Jackson and San Juan, do not perform an audit because their ballots are hand counted. The secretary of state’s office randomly chose the ballots for each clerk to review using a 20-digit number, generated from multiple rolls of a 10-sided die. “If what the audit board reports matches how the voting system tabulated the ballots, the audit concludes,” Griswold’s website explains. “If there are discrepancies, additional ballots are randomly selected to compare until the outcome has been confirmed. If the wrong outcome was reported eventually all of the ballots will be examined and a new outcome will be determined.”

Full Article: Secretary of State’s Office begins post-election ballot audit | News | coloradopolitics.com.

Pennsylvania: Mercer County conducts first risk limiting election audit | Glenn Stevens/WFMJ

Mercer County is conducting a risk-limiting post-election audit for the first time in Pennsylvania. A working group assembled at the Mercer county courthouse on Monday to perform the post-election audit.   It’s described as a scientifically designed procedure that utilizes math and statistical data to confirm election outcomes. “They’ve found out a way to use the math to provide a statistical certainty that the results that we are reporting accurately reflect that’s what the voters did,” said Mercer County Elections Director Jeff Greenburg. “The math is maybe a little complicated for the average person until you get kind of hands-on experience, and that’s really what we’re doing here today,” according to Jonathan Marks, Deputy Secretary of Elections for Pennsylvania.  Pennsylvania has returned to a paper ballot, and the risk-limiting audit is viewed as another step forward for voter confidence and election integrity.

Full Article: Mercer County conducts first risk limiting election audit - WFMJ.com.

Georgia: Paper ballots recounted to check election results in Georgia | Mark Niesse/The Atlanta Journal-Constitution

A recount of ballots printed out by Georgia’s new voting system confirmed the accuracy of electronically counted election results, state election officials said Wednesday. But critics say the state’s audit proved nothing, and they believe ballots created by computers remain vulnerable to tampering and inaccuracies. Election workers on Tuesday reviewed a sample of paper ballots printed by touchscreens during last week’s election in Bartow County, one of six counties that tested the state’s $107 million voting system. Voters in the rest of the state will switch to the new system starting with the March 24 presidential primary. “An important part of the new voting system is the ability to audit with the use of paper ballots. This feature provides the confidence voters deserve,” Secretary of State Brad Raffensperger said. During the audit, four teams of two election workers each pulled a random sample of 80 ballots out of 1,550 cast in Cartersville. The teams read the printed-out text on the ballots and tallied the results in the race for mayor and a referendum on Sunday morning alcohol sales.

Full Article: Test run of new Georgia paper ballots audited.

Missouri: Greene County experiments with process for verifying elections | KOLR

Greene County Clerk Shane Schoeller says election security is a top priority, which is why his team is double-checking the accuracy of its vote-counting machines. His office does this after every local election. This time though, they’re doing things differently. People from around Greene County witnessed and participated in the debut of a new election-auditing process: the risk-limiting audit. It’s a new election accuracy test using 20 multi-sided dice and real ballots from the most recent Greene County election. Schoeller says this method is much better than the state’s current post-audit process. He says when Greene County post-audits, no less than five percent of the polling locations of the casted ballots that day are evaluated. His new risk-limiting audit, however, looks at a much wider range of polling locations. He says this ensures the accuracy and election security he’s looking for.

Full Article: Greene County experiments with process for verifying elections | KOLR - OzarksFirst.com.

Indiana: State to start seeing voting equipment changes | John Lynch/Ball State Daily

While some Hoosier voters will start seeing changes in electronic voting systems this election, Muncie will have to wait. In late July, the Indiana Election Commission approved the first voter verifiable paper audit trail (VVPAT) for electronic voting systems — a security measure that allows voters to independently verify their vote was correctly recorded, according to a press release from the Office of the Indiana Secretary of State. Almost half of the counties in Indiana use direct record electronic (DRE) machines, the press release stated. These machines have a paper trail in the back of the machines, but not visible to the voter. As a security measure, paper trails that are visible to the voter are being added to VVPAT electronic voting equipment, it stated. “Adding VVPATs to election equipment will help boost voter confidence and allow us to implement risk limiting audits,” said Secretary of State Connie Lawson in the press release. “Together, these practices will show voters at the polls their vote is safe and secure and following up with a post-election audit will confirm their vote was counted. As we prepare for the upcoming presidential election, we will be working to protect 2020 and beyond.”

Full Article: Indiana to start seeing voting equipment changes | Ball State Daily.

Editorials: A simple step every state could take to safeguard elections | The Washington Post

Election security is a complex challenge. One essential step, however, is so simple it can be carried out with a pen and paper. Pennsylvania officials have announced that Philadelphia and Mercer County will conduct a post-election pilot next month of what’s called a risk-limiting audit. The procedure is new to most of the country, but 12 states are experimenting with it — because it’s that much of a no-brainer. Currently, 17 states are not required by law to verify the accuracy of their vote tallies at all. Those that are mostly do so the “traditional” way, which in this case means the wrong way. The process auditors typically use — manually recounting votes in a predetermined percentage of precincts — tells officials whether a particular machine or group of machines is working, but it doesn’t actually answer the essential question: Did the declared winner actually win? Risk-limiting audits instead do what any mathematician . They hand-count a statistically meaningful sample of all votes to determine whether the original tally was correct. The required sample increases as the margin of victory narrows. It’s easy, and it’s time-consuming only in the tightest elections, or when something actually has been tampered with. Of course, that’s when it’s most worth investing the time. So why isn’t everyone doing it?

Full Article: Election security that Mitch McConnell should get behind - The Washington Post.

National: Cybersecurity and Democracy Collide: Locking Down Elections | Andrew Westrope/Governing

When asked at a congressional hearing if Russia would attack U.S. election systems again in 2020, Special Counsel Robert Mueller was unequivocal: “It wasn’t a single attempt,” he said. “They’re doing it as we sit here, and they expect to do it during the next campaign.” Presidential campaigns are now underway, and election systems are still vulnerable. From voter registration databases to result-reporting websites to the voting machines themselves, researchers have identified soft spots across the system for hackers to exploit, meaning cybersecurity is now a front line of defense for American democracy. There are many parties working on this problem — secretaries of state, the Department of Homeland Security (DHS), EI-ISAC (Elections Infrastructure Information Sharing and Analysis Center), various nonprofits and private companies — and a few common refrains between them. They’re all pushing for paper ballots, vulnerability screenings, staff training, contingency plans, audits and, above all, more consistent funding. And they all have the same basic message for state and local officials: The security of our elections is riding on you.

Full Article: Cybersecurity and Democracy Collide: Locking Down Elections.

Rhode Island: Report examines ways to adopt election audit system in Rhode Island | Jennifer McDermott/Associated Press

A new report recommends how to adopt a system for auditing election results required in Rhode Island. Common Cause, Verified Voting and The Brennan Center for Justice at NYU School of Law released the report Tuesday. They helped the state design and test the risk-limiting audit system this year. Rhode Island will first use risk-limiting audits for the 2020 presidential primaries. There are three ways to do the postelection audit. The report recommends a ballot-level comparison because of its efficiency, transparency and relatively predictable cost. That type of audit would compare the vote on an individual ballot to the machine’s recording of the vote on that ballot, which requires the fewest number of ballots to be examined. The other methods, ballot polling and batch comparison, compare more ballots to totals produced by the machines and require the examination of far more ballots, John Marion, executive director of Common Cause Rhode Island, said Tuesday.

Full Article: Report examines ways to adopt election audit system in Rhode Island - News - providencejournal.com - Providence, RI.

Michigan: Lansing city clerk pilots new post-election audit | Elissa Kedziorek/WILX

The Lansing community was invited to observe a new post-election audit Monday morning. Lansing City Clerk Chris Swope partnered with the Secretary of State’s Bureau of Elections, other local election officials and national election security experts to conduct a risk-limiting audit of the May 7, 2019 Lansing School District Special Election. After checking 337 randomly selected ballots as part of a new election audit pilot, Swope declared the Lansing School Millage Election results are confirmed accurate. “It was great to work with election officials at the national, state, county and local level to develop best practices to confirm election results,” Lansing City Clerk Chris Swope. “Each election we learn more, and the City of Lansing will be very experienced by the Presidential Election in November 2020. Nationally, risk-limiting audits are considered to be the gold-standard method for confirming results. This type of audit uses statistical methods that can detect possible discrepancies in areas that may need further attention due to factors such as human error, possible manipulation, cyber attacks,or a variety of other things.

Full Article: Lansing city clerk pilots new post-election audit.

Editorials: Knowing It’s Right: Limiting the Risk of Certifying Elections | Tammy Patrick/Democracy Fund

Every election we ask ourselves, what motivates voters to participate? Could it be the love of a charismatic candidate? The dislike of a less-than-desirable one? Passion for a specific ballot initiative? Do voters show up to the polls out of habit? The answer is as varied as the voting population, as is the reason voters do not participate. Research shows that while voters’ confidence in their own vote being counted accurately remains relatively constant, their belief that results at the national level are correct is in decline. As we work through reestablishing trust in our elections following Special Counsel Robert Mueller’s 22-month long investigation, the threat of interference in our elections by another nation-state remains. The American public wants to believe that when they vote it means something—we are teaching elections officials about a new way to audit our elections and check for the accuracy every voter deserves. As with most election administration processes, implementation success lies in preparation—and Risk Limiting Audits (RLAs), which some proponents often refer to as the “cheap and easy” method to check the accuracy of the results, are no exception.

Full Article: Knowing It's Right: Limiting the Risk of Certifying Elections: Democracy Fund.

Michigan: Three communities auditing May election results as part of election security pilot program | Lauren Gibbons/mlive.com

Michigan elections officials are continuing pilot tests of an auditing system to check election results, with the ultimate goal of perfecting a process for verifying outcomes of both local and statewide races. The pilot audit kicked off in Lansing Monday, where local and state elections officials joined national experts and observers from around the country in overseeing a “risk-limiting audit” of the results in a May ballot question regarding a millage for the Lansing School District. The risk-limiting audit process relies on a mathematical formula to randomly select ballots for auditors to review, and is intended to detect any potential irregularities that could have influenced the outcome of the election. Colorado currently uses risk-limiting audits to test election results.

Full Article: Three Michigan communities auditing May election results as part of election security pilot program - mlive.com.

Oregon: On Election Day, Oregon Senate passes bill requiring future election audits | Associated Press

County clerks in Oregon would be required to audit results after each election under a bill that overwhelmingly passed the Senate on Election Day. The bill approved Tuesday requires county clerks to conduct hand-count or risk-limiting audits after every primary, general and special election. Risk-limiting audits are based on counts of statistical samples of paper ballots. Sen. Lew Frederick, a Portland Democrat, said the bill ensures more audits happen to make sure election results are correct. The bill requires audits after every election, instead of just general elections. It goes next to the House. Heading into the 2020 cycle, a new report out Tuesday provides a stark warning about the cyber-insecurity of the highest-profile U.S. political organizations even after years of concerted efforts to improve digital safeguards and an intense focus in Washington on the need to secure campaigns and elections.

Full Article: On Election Day, Oregon Senate passes bill requiring future election audits;.

Media Release: Verified Voting Applauds Oregon’s Senate for Passing Bill Requiring Robust Post-Election Audits to Verify Elections

Marian K. Schneider: “Oregon is leading the way towards better integrity and security with the passage of SB 944.”

The following is a statement from Marian K. Schneider, president of Verified Voting, on Oregon’s Senate passage of SB 944, offering counties the option to audit elections using a process known as risk-limiting audits, which are designed to bolster public confidence in elections. For additional media inquiries, please contact aurora@newheightscommunications.com  

“Oregon is leading the way towards better election integrity and security with the Senate’s passage of SB 944. This bill requires county clerks across the state to conduct audits after every election — not just general elections — and lets them choose between a partial hand count and risk-limiting audits (RLAs). An RLA examines a sample of the paper ballots to check if the election outcome is correct.  RLAs provide strong evidence when election outcomes are correct, and have a guaranteed large chance of correcting wrong outcomes or, outcomes that are wrong because of counting errors.