In yesterday’s “Fraction Farce”, I addressed a video that purported to show some form of election fraud but that convinced me of nothing and failed to prove its claims to me. (The author of the video claims to have evidence confirming the fraud; I wish that author great success pursuing any instance where that fraud may actually have taken place. I argue that the video itself asked the wrong questions and did not answer the questions it did ask.)
Today, I put forward suggested security and controls as we look at the two fundamental aspects of the electoral process that we as a society must protect for ourselves: Chain of custody of every device and every artifact of the electoral process, and transparency and auditability of every automation step in the electoral process.
In other words, as a society, we face the fundamental challenge of protecting the sanctity of each and every ballot, protecting the validity and accuracy of each and every counting and reporting device, and protecting the clarity and timing of the communication of results throughout the system and to the public. And many people in our society—myself included—do not trust that our elections officials have control or honesty sufficient to prevent fraud.
Here is the key: Unless and until everybody can inspect the computer programs that count our votes, we stand zero chance of having true transparency in our electoral system. First and foremost, all contracts between the States and any vote-tabulation software companies must require that all tabulating programs be released as open-source code, allowing everyone to look at the raw code and understand how an ink blot on a paper ballot becomes a tally on a website. Ensuring that everybody can see the counting code is the single biggest change we need to make to our elections before we can take any other step to fight electoral fraud.
And it doesn’t take a video for an average voter to recognize that anybody with access to a counting computer—either in person or by dastardly and nefarious program code—could impact the outcome of an election.
Start with open-source software. Let the public verify the counting program. And publish the source with a checksum, a kind of digital fingerprint, that proves consistency between the code the public validated and the code the elections staff installs on the equipment. Add to that major change more people who represent more than just the two big parties and who are trained and educated on software fundamentals and who can attest to the sanctity of the processes that follow. It is this group of analysts that provide the human element to secure an honest election.
Before election day, these analysts need to confirm the processing code and the functionality of every device that will be deployed to the precincts and every component of the master counting system. In addition to reviewing the open-source code, these analysts must be present when the elections department verifies the checksum and compiles that code (compiling program code converts it from the human-readable source code to a machine-runnable program file). This ensures that the code running on the equipment is the same code the public has reviewed.
This also directly addresses the core concern of yesterday’s video: that a correctly-filled bubble on a paper ballot must count for no more or no less than one vote, precisely and invariably. As long as the ballot software undergoes review, code that could under- or over-count a ballot cannot rig an election.
Of course, the machines need protection against tampering between the date of setup and certification and the date of the election. Traditional physical controls such as closed-circuit monitoring, storage behind locks that require multiple different keys to open, and tamper-evident seals are important here. Also, the analysts must review audit logs built into the operating systems of each computer to verify that the machine has neither been turned or nor logged onto during the intervening time.
However, there should be one test permitted: Each of the designated analysts should have the ability to process an arbitrary number of test ballots through several randomly-selected precinct collection devices of their choice and pass all of their results through the master counting system. With agreement on the results of these tests, the source code should be verified, recompiled, and reinstalled in a clean room environment, and then all of the equipment should be secured until election day.
Custody of all un-voted ballots ahead of election day, and custody of all voted ballots on election day, must be perfect and incorruptible. Analysts must be able to validate ballots before printing, randomly during printing, during packaging for the precincts, and between delivery to the precincts and voting. This ensures that a mark at a location the machinery will count for candidate A could never appear beside the name of candidate B.
And then comes the election.
During the day and until polls close, the master counting system must remain offline so that it cannot begin to aggregate results early in the day. Votes from any precinct should never be reported until the polls close. This avoids disenfranchising later voters by casting the election of a given candidate as a mathematical impossibility. Only once the polls close should the master come online or any counting device reveal its tallies. To ensure that those counting devices cannot broadcast counts during the day, code review can prove that no code will emit a vote count through anything but a securely-encrypted channel to the master counting system. As long as that system remains offline until polls close, the count itself cannot be used to influence voters.
There are numerous other controls and considerations to put into place, not dissimilar to handling cash:
• On election night, election officials and analysts must all be present and observing during the opening of any precinct collection devices and during the reprocessing of any ballots.
• At all times, ballots must receive protection against damage or destruction by a failed mechanism. Scanned images of batched ballots can serve as a backup for this purpose.
• Multiple analysts representing multiple different interests must be present throughout every counting process.
• Multiple compulsory spot checks must occur throughout the count.
But here’s the kicker: Because the counting program code is open-sourced, analysts, party representatives, individual voters, and election officials alike would be able to edit or write their own custom versions of the code or build their own counting devices. After the official first count, and within reason, the analysts must have access to recount every ballot for themselves. Custody and protection of the physical ballots at this point is important. An impartial third-party security company—think armored car courier companies—should take over custody of the ballots after the first count for the duration of any subsequent counts on election night, and it may be appropriate for that third-party to feed ballots to these independent counting devices. Checks and balances cannot work among the three branches of the Federal Government if we cannot enforce checks and balances in the processes that install people into that government.
Now, many vote-counting controls already exist in one form or another, but the controls in-place today simply do not go far enough. And there are likely to be many more controls necessary than what I’ve proposed here. But without opening the programming of every ballot-counting device to public scrutiny, every other control is moot. As soon as it was revealed that George Soros controls the company that makes one of the predominant vote-counting systems, the entire electorate should have demanded more security in the vote. Until qualified analysts representing the interests of the voter and not the parties can peer into every step of the electoral process—especially the source code—our elections will remain fodder for claims of fraud and complaints about the process.
And we risk missing opportunities to address the issues that matter to the average voter.