Misplaced Pages

#816183

55-645: David L. Dill's research involves "circuit verification and synthesis and in verification methods for hard real-time systems". Part of this work has required him to testify on "electronic voting before the U.S. Senate and the Commission on Federal Election Reform ". These interests ultimately led him to establishing the Verified Voting Foundation in 2003. Verified Voting partners with an array of organizations and coalitions to help coordinate post-election audits, tabletop exercises, and election protection work on

110-468: A "risk limit", such as 9% in Colorado, meaning that if there are any erroneous winners in the initial results, the audit will catch at least 91% of them and let up to 9% stay undetected and take office. Another initial step is to decide whether to audit: all contests; a random sample of contests, allowing a known risk that erroneous winners will take office; or a non-random sample, so no statistical confidence

165-518: A ballot raise the chances that these small margins and large samples will occur in a jurisdiction, which is why no place does risk-limiting audits on all contests, leaving most local government races unaudited, though millions of dollars are at stake in local spending and land use decisions. Colorado picks contests with wider margins to avoid large samples. California's rules for 2019–2021 require any RLA to audit all contests, and no election offices have chosen to use RLAs under these rules. The power of

220-561: A convoy of the public. No US state has adequate laws on physical security of the ballots. Security recommendations for elections include: starting audits as soon as possible after the election, regulating access to ballots and equipment, having risks identified by people other than those who design or manage the storage, using background checks and tamper-evident seals. However seals on plastic surfaces can typically be removed and reapplied without damage. Experienced testers can usually bypass all physical security systems. Security equipment

275-430: A different kind of machine provides an independent check on official election machines. While all methods require physical security on the paper ballots, method 1 also requires enough security on the cast vote records so no one can change them. This can be accomplished by computer-calculating, storing and comparing a hash code for each file of cast vote records: (a) right after the election, (b) when independent tabulation

330-495: A large enough sample to identify winners directly. Colorado uses method 1 in most counties, and method 2 in a few counties which use election machines which do not record and store "cast vote records". Colorado uses no audit method in two counties which hand-count ballots in the first place. Risk-limiting audits are a results audit to determine if votes were tabulated accurately, not a process audit , to determine if good procedures were followed. The process starts by selecting

385-400: A large fraction of all ballots to minimize the chance of missing mistakes, if any contest is close; and it is hard to check computer totals publicly, except by releasing computer records to the public. If examining sampled ballots shows flaws in ballot storage, the usual approach cannot recover correct results, and researchers recommend a re-vote if the number of ballots held in flawed storage

440-499: A less safe alternate approach. Maryland's election machines create and store ballot images during the election, separate from the cast vote records. Most election machines do so. Maryland compares cast vote records to these ballot images from the same election machines. Unlike Florida, this approach is not an independent backup or check. A hack or bug in the election machine can alter, skip, or double-count both image and cast vote record simultaneously. Maryland's semi-independent checking

495-467: A mobile app, lacks the capacity to generate a voter-verified paper record and cannot protect a voter's privacy or the integrity of their ballot. Verified Voting notes that unlike other online services, election manipulation is difficult to catch because ballot secrecy prevents voters from seeing their ballots after they have submitted them, which also prevents voters from determining if their votes have been digitally altered or not. A 2016 report co-authored by

550-419: A peaceful transfer of power. Verified Voting also coordinates with its partners to advocate both federal and state governments for election security. The Foundation conducts this lobbying work as part of its 501(c)4 arm. At the federal level, the organization meets with lawmakers, sends letters, and issues statements to support "federal election security provisions that provide states and local jurisdictions with

605-537: A pilot, independent totals were calculated by a student on a university computer. Cost depends on pay levels and staff time needed, recognizing that staff generally work in teams of two or three (one to read and one or two to record votes). Teams of four, with two to read and two to record are more secure and would increase costs. Each minute per vote checked means 25 cents per vote at $ 15/hour, or $ 250 per thousand votes. Checking random ballots can take more time: pulling individual ballots from boxes and returning them to

SECTION 10

#1732869635817

660-755: A previous commission that studied unusual features of the 2000 presidential race. Its mandate was to examine the electoral process in the United States, bringing together leaders from the major political parties, academia, and non-partisan civic groups to explore how to maximize both ballot access and ballot integrity. The commission was set up with twenty-one members, including Lee H. Hamilton , former Congressman and 9/11 Commission vice-chair; Tom Daschle , former Senate minority leader; Bob Michel , former House Minority leader; and Betty Castor , former Florida Superintendent of Public Instruction and 2004 Democratic Senate nominee. It set out to spend six months examining

715-411: A re-vote, or no result should be declared, which usually requires a re-vote, or results can be declared if "the number of questionable or missing audit records is small enough that they cannot alter the outcome of the contest." However, if storage or records are flawed, laws may require initial results to be accepted without audit. To provide an alternative to a re-vote, seven Florida counties back up

770-554: A small city or county, with 4,000 ballots, method 1, ballot comparison, would need 300 ballots (300–600 minutes, as discussed in Cost below) for a contest with a 2% margin of victory. It would need 3,000 ballots (50-100 staff hours in the city or county) for a 0.1% margin of victory. Method 2 or 3, ballot polling or batch comparison, would need a full hand count of the 4,000 ballots (70-130 staff hours). Margins under 0.1% occur in one in sixty to one in 460 contests . Large numbers of contests on

825-676: A state and local level. The organization works closely with the Brennan Center for Justice and Common Cause; in 2020 the organizations advocated together for election best practices, such as paper ballots and adequate election security funding, in key swing states. Verified Voting also co-chaired the Election Protection Election Security Working Group during the 2020 election cycle, helping to monitor and respond to state-specific election security issues. Verified Voting participates in several coalitions, including

880-405: Is a stub . You can help Misplaced Pages by expanding it . Risk-limiting audit A risk-limiting audit (RLA) is a post-election tabulation auditing procedure which can limit the risk that the reported outcome in an election contest is incorrect. It generally involves (1) storing voter-verified paper ballots securely until they can be checked, and (2) manually examining a statistical sample of

935-511: Is a critical aspect of Verified Voting's organizational infrastructure and supports the responsible use of technology in elections. Verified Voting advocates for the use of voter-verified paper ballots that "create tangible and auditable records of votes cast in an election." Paper trails generated by voter-verified paper ballots "provide a reliable way to check that the computers were not compromised (whether through human error or malfeasance)," an important point given that 99% of all ballots cast in

990-414: Is available on the non-audited contests. Based on a formula, a sample size is determined for each contest being audited. The size of the sample depends primarily on the margin of victory in the targeted contest. A random starting point (seed) is chosen by combining information from multiple independent people, to create a series of random numbers identifying specific ballots to pull from storage, such as

1045-403: Is better than no checking, since it has found and resolved discrepancies, such as folded ballots leaving fold lines on the images, which computers interpreted as write-in votes; sensor flaws which left lines on the images, interpreted as overvotes ; and double-feeds where two ballots overlap in the scanner, and one is uncounted. When an audit produces the same result as initial election results,

1100-484: Is done, and (c) when ballot comparison is done. Colorado says it has a system to do the independent count of cast vote records, but it is not yet publicly documented, so the chance of bugs or hacks affecting this independent computer at the Secretary of State's office along with one or more of the election machines is unknown. California's process for risk-limiting audits omits the step of independent totals. When it did

1155-532: Is enough to change winners. An alternative to re-votes is to create and verify backups of the paper ballots soon after they are voted, so there is an alternative to flawed storage of the original ballots. As with other election audits , the goal is to identify not only intentional alterations of ballots and tallies, but also bugs in election machines, such as software errors, scanners with blocked sensors or scanners skipping some ballots. The approach does not assume that all ballots, contests or machines were handled

SECTION 20

#1732869635817

1210-488: Is supposed to handle the comparison to the voting system interpretation, report discrepancies, and tell staff whether to sample further. It is also hard to prepare the list of ballots to sample from (ballot manifest) without using information from the election system. Method 1, ballot comparison, requires a second step, besides checking the sample of ballots: 100% of the computer interpretations of ballots ("cast vote records") need to be re-tabulated by computers independent of

1265-489: Is vulnerable before and after delivery. Insider threats and the difficulty of following all security procedures are usually under-appreciated, and most organizations do not want to learn their vulnerabilities. Method 1 requires the ballots to be kept in strict order so one can compare the computer interpretations of sampled ballots with those exact physical ballots. If the correct ballots are present, but out of order, method 2 can be used. Maryland, like other states, randomizes

1320-501: The 2000 and 2004 elections were marred by partisan, campaign-affiliated officials who held roles in the Bush campaign and Florida and Ohio Secretary of State positions. Because the Secretary of State is responsible for certifying votes, these conflicts of interest were deemed by the panel as damaging to "confidence in elections". The panel made a variety of other recommendations, including: This American elections -related article

1375-508: The 23rd, 189th, 338th, 480th ballots in precinct 1, and other random numbers in other precincts. When storage is opened, records are checked to see if each sampled precinct still has the same number of ballots recorded during the election, if correct numbers appear on seals, if machines or containers have been tampered with in any way, and/or other methods to check if ballots have avoided intrusion. If ballots have not been stored successfully, advocates of risk-limiting audits say there should be

1430-652: The Secure Our Vote Coalition and the National Task Force on Election Crises. Secure Our Vote helped to successfully block legislation permitting internet voting in Puerto Rico (see below for Verified Voting's stance on internet voting). Verified Voting's work with the National Task Force on Election Crises supported the Task Force's mission to develop responses to potential election crises in 2020 and guarantee

1485-444: The United States are counted by a computer. Verified Voting advises state and local jurisdictions to help them "implement best practices for election security." The organization advocates that election officials avoid using electronic voting systems which do not provide a paper trail. Verified Voting plays a leading role in providing states and localities with the information, expertise, and advice needed to make informed decisions about

1540-409: The accuracy of a certain tabulation—not the general results of an election. Risk-limiting audits, meanwhile "provide reason to trust that the final outcome matches the ballots." RLAs accomplish this by checking a "random sample of voter-verifiable paper ballots, seeking evidence that the reported election outcome was correct, if it was." In this context, the 'correct' outcome is what a full hand count of

1595-429: The ballots would reveal. Since RLAs continue checking random samples until there is convincing evidence that the outcome is correct, "contests with wide margins can be audited with very few ballots, freeing up resources for auditing closer contests, which generally require checking more ballots." RLAs can also trigger full hand recounts if the audit results do not support the reported election outcome. In order to facilitate

1650-885: The computer at the elections office on the receiving end of the online ballot." Online technologies that rely on blockchain technology faces a similar challenge: Verified Voting argues that while "blockchain technology is designed to keep information secure once it is received," such technology "cannot defend against the multitude of threats to that information before it is entered in the blockchain." Moreover, blockchain technology prevents voters from anonymously verifying their ballot, and presents risks to "ballot secrecy if encryption keys are not properly protected or software errors allow decryption of individual ballots." Verified Voting advises state and local governments to pilot and implement and post-election audits and risk-limiting audits (RLAs). Post-election tabulation audits routinely check voting system performance. These audits are designed to check

1705-524: The country were hacked and votes were changed. Verified Voting, which advocates for election security measures, indicated that current hand counting of ballots is rare, and is used mostly in situations where there are few ballots to count. Verified Voting works diligently to highlight risks of online voting and recommends that state and local governments avoid adopting these technologies. The organization argues that elections held online would be "easy targets for attackers." Online voting, which includes voting on

Verified Voting Foundation - Misplaced Pages Continue

1760-534: The first state to implement ballot comparison audits, auditing one contest, not randomly chosen, in each of 50 of its 64 counties, several days after the election. Following the 2018 General Election, Colorado will conduct audits in the 62 of its 64 counties that use automated vote counting equipment (the two remaining counties hand count the ballots). Rhode Island passed legislation requiring that state's Board of Elections to implement risk-limiting audits beginning in 2018. Individual jurisdictions elsewhere may be using

1815-763: The funding and assistance they need to implement best practices like paper ballots and RLAs." The organization also advocates in specific states, employing a "targeted approach" that seeks to address the specific election security and voter integrity issues facing a particular state. In 2020, for instance, the organization worked in Virginia to increase safe voting options amidst the pandemic, successfully advocated against internet voting legislation in New Jersey, and provided advice on RLA regulation to officials in California and Oregon. Since 2004, Verified Voting has been collecting data on

1870-646: The implementation of RLAs, Verified Voting designs pilot audits and post-election audits in conjunction with specific state and local governments, and has conducted studies in Rhode Island, Orange County (California), and Fairfax (Virginia). These studies have helped lead to the implementation of RLAs and audit legislation in several states. The organization advocates for robust, post-election audits and also maintains an online, publicly-accessible database of all state election audit laws. Commission on Federal Election Reform The Commission on Federal Election Reform

1925-695: The latter is more expensive. There are three general types of risk-limiting audits. Depending on the circumstances of the election and the auditing method, different numbers of ballots need to be hand-checked. For example, in a jurisdiction with 64,000 ballots tabulated in batches of 500 ballots each, an 8% margin of victory, and allowing no more than 10% of any mistaken outcomes to go undetected, method 1, ballot comparison, on average, needs 80 ballots, method 2, ballot polling, needs 700 ballots, and method 3, batch comparison, needs 13,000 ballots (in 26 batches). The methods are usually used to check computer counts, but methods 2 and 3 can also be used to check accuracy when

1980-420: The law does not require any of the audit work to be done in public. All methods are designed to be independent of the election software, to ensure that an undetected error in the election software can be found by the audit. The audit in practice is dependent on its own software, separate from the election system. Election staff examine ballots and enter staff interpretations into an online software tool, which

2035-434: The local certification deadline." An alternative to large samples is to audit an affordable sample size, and let the risk limit vary instead of the sample size. For a fixed sample, closer margins of victory would have more risk of letting erroneous winners take office, but any substantial sample would still have a known substantial chance of catching errors. Election managers would announce the level of confidence provided by

2090-634: The method on the local election clerks' initiative. In 2018 the American Statistical Association , Brennan Center for Justice , Common Cause , Public Citizen and several election integrity groups endorsed all three methods of risk-limited audits. Their first five criteria are: In 2014, the Presidential Commission on Election Administration recommended the methods in broad terms: By selecting samples of varying sizes dictated by statistical risk, risk-limiting audits eliminate

2145-494: The nation's voting machines and making it available through a web-based interactive tool called "the Verifier." The Verifier is the most comprehensive publicly available set of data related to voting equipment usage in the United States. For each federal election cycle, the Verifier documents the specific voting equipment in use in every jurisdiction across the country. The Verifier is used by election officials, academics, organizations,

2200-479: The need to count all the ballots to obtain a rapid test of the outcome (that, is, who won?), while providing some level of statistical confidence. In 2011, the federal Election Assistance Commission initiated grants for pilot projects to test and demonstrate the method in actual elections. Professor Phillip Stark of the University of California at Berkeley has posted tools for the conduct of risk-limiting audits on

2255-446: The news-media, and general public as a source of information about voting technology. Since its inception, the Verifier has supported a number of initiatives including national election protection operations, state advocacy, policy making, reporting, and congressional research inquiries. To maintain the database, Verified Voting liaises with election officials, monitors local news stories, and researches certification documents. The Verifier

Verified Voting Foundation - Misplaced Pages Continue

2310-436: The order of paper ballots and cast vote records to protect ballot secrecy, so method 1 cannot be done there, since paper ballots and cast vote records cannot be compared. All the methods, when done for a state-wide election, involve manual work throughout the state, wherever ballots are stored, so the public and candidates need observers at every location to be sure procedures are followed. However, in Colorado and most states

2365-550: The organization concluded that "as states permit the marking and transmitting of marked ballots over the Internet, the right to a secret ballot is eroded and the integrity of our elections is put at risk." The organization notes that with mobile voting, there is no way to determine the security of "the actual device that voters cast their votes on...The voter’s device may already be corrupted with malware or viruses that could interfere with ballot transmission or even spread that malware to

2420-402: The original election computers. This re-tabulation checks whether election computers tallied the cast vote records correctly. Like any computer step this independent tally is subject to hacks and bugs, especially when voting rules are complex, such as variations in the number of candidates from different districts to vote for. The reason for the re-tabulation step is that independently programming

2475-755: The original results were hand-counted. The steps in each type of risk-limiting audit are: All methods require: The last three items are hard in one-party states, where all participants may be swayed by the ruling party. Hand-checking ballots (method 1) identifies bugs and hacks in how election computers interpret each ballot, so computer processing can be improved for future elections. Hand-counting ballots (methods 2 and 3) bypasses bugs and hacks in computer counts, so it does not identify exactly what mistakes were made. Independently totaling cast vote records (method 1) or batch totals (method 3) identifies bugs and hacks in how election computers calculate totals. Method 2 does not need this independent totaling step, since it has

2530-422: The outcome is confirmed, subject to the risk limit, and the audit is complete. If the audit sample shows enough discrepancies to call the outcome into question, a larger sample is selected and counted. This process can continue until the sample confirms the original winner, or a different winner is determined by hand-counting all ballots. Sample sizes rise rapidly for narrow margins of victory, with all methods. In

2585-533: The paper ballots by copying them the day after they are voted, with machines independent of election machines. While any copy can have flaws, comparing cast vote records to these independent backup copies would give an alternative to re-voting or skipping the audit when storage is not trustworthy. Florida does not hand-check this backup, which would be required by a risk-limiting audit. Instead Florida machine-audits 100% of votes and contests. They have found discrepancies of 1-2 ballots from official machines. Maryland has

2640-412: The paper ballots until enough evidence is gathered to meet the risk limit. Advantages of an RLA include: samples can be small and inexpensive if the margin of victory is large; there are options for the public to watch and verify each step; and errors found in any step lead to corrective actions, including larger samples, up to a 100% hand count if needed. Disadvantages include: the sample needs to be

2695-430: The same spot. It is relevant to methods 1 and 2. As of early 2017, about half the states require some form of results audit. Typically, these states prescribe audits that check only a small flat percentage, such as 1%, of voting machines. As a result, few jurisdictions have samples large or timely enough to detect and correct tabulation errors before election results are declared final. In 2017, Colorado became

2750-406: The same way, in which case spot checks could suffice. The sample sizes are designed to have a high chance of catching even a brief period when a scratch or fleck of paper blocks one sensor of one scanner, or a bug or hack switches votes in one precinct or one contest, if these problems affect enough ballots to change the result. Comparisons can be done ballot-by-ballot or precinct-by-precinct, though

2805-505: The sample also depends on staff expanding the audit after any discrepancy, rather than dismissing it as a clerical error, or re-scanning problematic ballots to fix just them. When Maryland evaluated audit methods, it noted that local boards of elections could not budget, or plan staffing, for risk-limiting audits, since the sample "is highly dependent on the margin of victory in any given audited contest... A very close margin of victory could... require days of staff work, possibly compromising

SECTION 50

#1732869635817

2860-529: The sample, and would have procedures to follow up if the sample finds one or more errors. The sample sizes presented will be enough to confirm a result, subject to the risk limit, when the apparent winner is the actual winner. If the sample does not confirm the win, more ballots are sampled, up to a 100% hand count to confirm a different winner. Ballots are at risk when being transported from drop boxes and polling places to central locations, and may be protected by GPS tracking, guards, security systems, and/or

2915-404: The state of elections and to offer recommendations on improving it. The panel made 87 recommendations in all in its 91-page report. Implementation of all suggestions would require congressional action for some measures, as well as a total expected cost of $ 1.35 billion. A major point was the commission's call for nonpartisan professional and state oversight over elections. The panel noted that both

2970-503: The voting equipment they use and purchase. In 2019 and 2020, the organization offered feedback on the adoption of new voting machines in California, New York, Florida, North Carolina, Pennsylvania, as well as other states, advocating in all instances for the use of voter-verified paper ballots. In 2022, legislators in at least six states and local jurisdictions have proposed to prohibit the use of ballot tabulating machines. The proposals stem from unproven theories that election machines around

3025-529: Was a private, bipartisan organization founded in 2004 by former US President Jimmy Carter and James A. Baker, III , a top official under presidents Ronald Reagan and George H. W. Bush , to overcome the flaws brought to light by the electoral uncertainty in Florida in the 2000 United States presidential election and in Ohio in the 2004 election . The commission continued work begun by Carter and former President Ford in

#816183