igor - Fotolia

Electronic voting systems in the U.S. need post-election audits

Colorado will implement a new system for auditing electronic voting systems. Post-election audits have been proven to help, but are they enough to boost public trust in the systems?

The state of Colorado has taken a step toward rebuilding public trust in the election system in the United States.

Beginning in November 2017, Colorado will require risk-limiting audits, or RLAs, in elections statewide. The state has always required traditional post-election audits, but in 2009, a law passed requiring RLAs throughout Colorado.

According to the statute, an RLA is "an audit protocol that makes use of statistical methods and is designed to limit acceptable levels of risk of certifying a preliminary election outcome that constitutes an incorrect outcome." This means that all post-election audits in the state of Colorado compare a random sample of paper ballots to their digital counterparts.

Colorado's law is, in large part, a reaction to recent events in the U.S. and across the globe that have called the security of electronic voting systems into question and emphasized the importance of election audits for all levels of elections.

For instance, in the 2008 Senate race in Minnesota, the incumbent Republican senator, Norm Coleman, was reported as the winner based on the electronic tally. However, after hand counting the paper ballots, Democratic challenger Al Franken was declared the actual winner by a slender margin of 312 votes, in a race where almost 3 million votes were cast.

In the U.S., some states -- such as Minnesota -- still rely on the use of paper ballots to cast votes, while others have moved entirely onto electronic systems, such as direct recording electronic (DRE) systems or optical scan systems. This means that some states have a paper trail after elections and some states do not.

Some of the states that use paper ballots now have laws that require traditional post-election audits. This entails a hand count of a fixed percentage of the paper ballots with a comparison to the electronic records that are kept in tandem with the paper trail. The laws vary by state, but finding a significant discrepancy between the verified paper records and the electronic tally could potentially result in a recount.

Post-election audit requirements by state
How strong are your state's post-election audit requirements?

Organizations such as Verified Voting document instances in U.S. elections in which an audit on Election Day provides a different winner than what the electronic voting systems record.

The 2008 Senate race in Minnesota provides a great example of the importance of post-election audits. However, in DRE states that inherently have no paper trail, there is no way to audit election results.

Forensic audits, which are at least theoretically possible, are never performed. There is currently no generally accepted technology available to perform a basic audit on electronic voting systems to ensure their accuracy, so any potential challenge to the outcome of an election would likely fall flat.

Colorado takes action

With no way to verify the results when they are disputed, some states have taken action. This is where Colorado's move to mandate the use of RLAs in elections starting in November 2017 comes into play.

Colorado has been testing this method and technology in individual counties since the law passed nearly a decade ago. For the statewide implementation this fall, a startup called Free & Fair has developed open source software that implements RLAs.

The idea, says Stephanie Singer, project lead at Free & Fair, is that these RLAs can provide a smart, efficient, statistical check on the electronic voting systems that tabulate the paper ballots in an election.

This system allows you to really focus on the bottom line of elections, which is that you don't want to get the outcome wrong.
Stephanie Singerproject lead, Free & Fair

"This system allows you to really focus on the bottom line of elections, which is that you don't want to get the outcome wrong," Singer said.

Free & Fair's system is an electronic audit of electronic results, but if a mismatch is discovered, the Colorado Secretary of State is notified. The Secretary will use the data and analysis provided to decide whether a hand count of the paper ballots is necessary. This is intended to take place on Election Day before the final results of a vote are posted.

"If you test a statistical sample of ballots and you find that they all have votes for the person who presumably lost instead of votes for the person who presumably won, well then you are going to start to think 'gee, maybe the outcome isn't correct,'" Singer said, also noting that, despite the challenges with the 2016 presidential election, not a single electronic voting machine in the country underwent a forensic audit.

"There is so much statistical evidence of things that ought to have been investigated, but were not," she said, adding that this applies to U.S. elections even before 2016. "There's no single case where I am 100% sure that an untoward outcome happened."

However, Singer said, right now, there's no way to know one way or another.

The hope Singer and Free & Fair have is that, since the RLA software Colorado will implement is open source, it will eventually spread to the whole country.

Is election auditing truly possible?

One expert argued that electronic voting systems are inherently not auditable.

Jonathan Bennun, product manager at OneLogin and a former project leader for the Wombat Voting System, said that there is a need for greater transparency when it comes to election auditing, but that there doesn't yet exist a way to get it without compromising the privacy of voters.

"We can't escape electronic voting," Bennun said. However, he did question whether it's possible to have transparency in audits without infringing on confidentiality.

Despite the lofty task of finding this balance, he suggested that there are smaller scale steps to take to improve the security and reliability of elections, such as developing and implementing a specific kind of "firmware to lockdown these [voting] machines" or finding a better way to secure optical scanning systems.

Something both Bennun and Singer agree on is that paper ballots are the best of a bad situation.

"We must go back to paper ballots if we want to trust the outcomes of our elections," Singer said.

Bennun agreed, but noted that paper ballots come with their own security struggles; most notably, the human factor in the chain of custody.

"But at least there is a paper trail," he said, adding that manipulating an electronic voting machine "can be a lot easier than making an entire ballot box disappear. With electronic voting, we just don't know what's happening."

Next Steps

Learn more about how Defcon hackers tackled electronic voting machines

Read about the challenges surrounding online voting security

Find out why voting machine hacking is both good and bad

This was last published in August 2017

Dig Deeper on Compliance