When a group of Rhode Island’s top officials gathered in a chilly warehouse in Providence in mid-January to fight foreign interference in U.S. elections, the mood was festive.
After Secretary of State Nellie Gorbea’s name was pulled out of a knit Patriots hat, the crowd applauded and cheered uproariously. And when she leaned over a plastic table to roll a 10-sided die typically used for Dungeons and Dragons, people watched intensely.
Then the work began. The number generated from 20 rolls of the dice was used to pick the ballots that would be pulled and tested to see if November’s vote counting had been done correctly, a final fail-safe against a hacked election, all done in plain view of the public.
“Democracy and elections are only as good as whether people trust them or not,” Gorbea said. “Confidence in our democracy is critical to every other public policy issue.”
Voting experts say this kind of election audit is critical to thwarting attempts to meddle with American democracy. It not only detects problems with ballot counting, but the open nature of the audit itself also helps restore voters’ confidence in the system.
The U.S. election system is under more threats than it has been in decades. Intelligence officials have concluded that Russian agents spread disinformation through social media and tested the vulnerabilities of voting systems, penetrating election websites and voter registration databases in several states.
America is also failing on its own. Voting equipment across the country is outdated and experts warn that election systems are insecure. Five states still exclusively used voting machines with no paper trails in last November’s midterm elections, and nine more have no paper trails in at least some jurisdictions. A bipartisan bill that would have addressed many of these issues stalled out in the last Congress.
All of this has left experts, officials, and many Americans with significant questions about whether the country’s election system is as secure as it needs to be for 2020.
Amid this uncertainty, Rhode Island is pioneering a means of protecting its election results through a procedure called a “risk-limiting audit.” This method, which election experts consider the gold-standard of post-election checks, is essentially an efficient review of ballots that provides strong statistical evidence that the reported vote tallies in an election are correct.
Because a risk-limiting audit takes place after an election, it cannot prevent hackers from gaining access to votes. But that is not the biggest risk facing U.S. elections. Despite all the fears raised in 2016, the prospect of a national election being hacked is highly unlikely, election officials and security experts say. The U.S. election system is extremely decentralized, making it difficult to cause a uniform problem, and the paper records that exist for the majority of votes mean that cyber intruders would need a very complex strategy targeting just the right unsecured ballots to affect any outcome.
The much more immediate threat is that of people losing confidence in elections. “One of the terrifying things about a real threat — from Russians or anyone — is that they don’t have to change a lot of votes, or maybe any votes, to create a lot of fear,” says Mark Lindeman, an election auditing expert at election security advocacy group Verified Voting, who helped design Rhode Island’s pilot audit. “That doubt persists.”
This erosion of trust has been building for years. From the 2000 presidential election recount to Donald Trump’s repeated claims the election would be rigged in 2016, voters on both the left and right have become more skeptical about elections.
In a Pew Research Center survey published the week before the 2018 midterm elections, just 45% said they were at least somewhat confident that U.S. election systems were secure from hacking. Democrats and Republicans who live in states controlled by the opposite party were significantly less likely to think their state was making serious efforts to protect against hacking, and majorities of both Democrats (64%) and Republicans (56%) said the opposing party had little or no commitment to fair and accurate elections.
That plays right into the hands of Russia and others hoping to hurt the U.S. As the U.S. intelligence community’s January 2017 report on Russian election interference noted, Russia’s first goal was to “undermine public faith in the US democratic process.”
The group that gathered in Rhode Island this month was well aware that the 2018 midterm elections were over. They know that even when talking about 2020, “Little Rhody” as they affectionately call their home, is not a swing state and will not likely change the outcome of a presidential election. But election officials and cyber security advocates there want to create a fail-safe to restore confidence among voters that their choices are being counted correctly.
“We are the protectors of democracy,” Robert Rapoza, executive director of the Rhode Island Board of Elections, told the assembled crowd at the pilot audit on Jan. 16.
In addition to public officials and election staffers, the “protectors of democracy” in Providence included a substantial number of volunteers offering their time and expertise for free, simply because they were passionate about securing their fellow citizens’ votes. Teams from Worcester Polytechnic Institute and MIT developed the software that selected votes for the pilot, which will be open source so other states can use it in the future. The leader of a Connecticut citizens’ group provided input on one ballot-counting method, and a woman who independently advocates for audits organized observers to gather timing data throughout the event. Many in the group greeted each other like summer camp friends after a winter away, eager to catch up on issues they’d seen in other elections and share tips on the newest democracy-defending tactics.
Rhode Island, which passed legislation in 2017 to require risk-limiting audits by 2020, is technically not the first state to implement this security measure. That was Colorado, which conducted the first statewide risk-limiting audit in 2017. But Colorado votes entirely by mail, making it quite different from most other states. So that puts Rhode Island in the spotlight, and when it conducts its real audit in 2020, it will be the first state to do so using ballots cast in local precincts around the state.
States often move slowly to pass legislation or change requirements around elections, but for now many local officials are forging ahead. Jurisdictions in California, Virginia, Indiana, Ohio, Michigan and New Jersey have conducted test risk-limiting audits, and more states are looking into setting up pilots this year. Experts hope that as more localities experiment, their successes will convince states that risk-limiting audits are necessary and doable.
“In a very competitive election like we’re likely to see in 2020, where there is going to be stress on polling places and the voting system itself, we would really like to see all states do a very rigorous post-election auditing of all the ballots that were cast in the election. That way we can really confirm that the election results that are being reported are consistent with what voters intended in their ballots,” says R. Michael Alvarez, co-director of the Caltech/MIT Voting Technology Project.
The rigor Alvarez and other experts want is one of the primary benefits of risk-limiting audits. But 31 states plus Washington, D.C., currently use some form of traditional audits, which typically require a set number or percentage of ballots to be counted regardless of the election’s margin of victory. Risk-limiting audits are generally more accurate and efficient because they use the margin of victory and statistical principles to determine how many ballots need to be sampled — so a close margin of victory would require more ballots to be counted while a higher margin means fewer ballots are needed.
This was on display back at the Board of Elections warehouse in Providence, where 22 election staffers overseen by Deputy Director of Elections Miguel Nunez and Warehouse and Logistics Manager Steve Taylor retrieved and manually counted ballots for three different kinds of risk-limiting audits to see which method worked best for their state. Due to the relatively high margins of victory in each jurisdiction tested (Bristol, Cranston and Portsmouth), the pilot audit only needed a few hundred ballots in each case.
Still, the pilot involved a complex process. Before it could begin, ballots from the three towns were taken from their secure rooms and signed over to the Board of Elections in Providence. Then on the morning of Jan. 16, 20 participants were randomly selected to roll 20 dice, generating the random seed that would help a computer program choose which ballots to include in the audit. This random selection is what allows the audit to rely on such a small sample to verify the outcome of an entire election.
After the ballots were retrieved from a secure area known as “the cage,” they were counted and compared with Election Night results. These comparisons looked different for each method of auditing: In the batch-level comparison method, workers manually recounted all ballots from randomly selected batches (in this case precincts) and made sure the final tallies matched those initially reported. The ballot-polling audit involved sampling individual ballots randomly chosen by the die-roll-fed software and seeing whether the winner from the sampled ballots was the same as the reported election outcome. And for the ballot-level comparison, staffers also retrieved randomly selected individual ballots, but this time they compared each ballot’s votes to the cast vote record of how tabulating machines interpreted that ballot on Election Day, doing a spot-check to make sure each randomly sampled vote was counted correctly.
This last method used a sample of just 100 ballots in Rhode Island, making it potentially the most efficient method of all. However, most voting machines in the U.S. do not currently have the ability to prepare ballots for this kind of audit, so jurisdictions hoping to use the audit style would likely need to take extra steps or use a combination of methods.
Throughout the process, 135 observers from six states and several of Rhode Island’s towns sat in the Providence warehouse watching staffers count and interpret ballots. Many were officials hoping to learn about risk-limiting audits for their own communities, some were representatives from advocacy groups, others worked for voting equipment manufacturers and still others were simply interested citizens, getting their fix of participatory democracy.
“I love being here to see how Rhode Island is trying things,” said Brenda Cabrera, the registrar from the city of Fairfax, Virginia, who held her own pilot risk-limiting audit last summer. Transparency is a core tenet of risk-limiting audits, and Cabrera says that has been critical to her enthusiasm for them. “There isn’t much I like more than being able to say to a voter who walks in and has questions … Well this is our pre-election testing process and what we do, and now this is our post-election process,” she explains.
At the end of Rhode Island’s pilot, the batch-level comparison and ballot-level comparison audits were both successful, meaning they provided strong statistical evidence confirming the reported election results. The ballot-polling audit fell very slightly outside the accepted risk, which in a real audit would trigger another round using a slightly larger sample. But in this pilot, the goal was simply to test the methods, not to meet a particular level of evidence.
“There has to be a cost-benefit analysis of which type of audit fits better with the way elections are run in Rhode Island,” says Miguel Nunez, who worked with outside experts and election security groups like Common Cause and Verified Voting to organize Rhode Island’s pilot audit. “Our focus was to learn each step of conducting this audit from the beginning to the end … and in that respect we succeeded.”
All of these methods can be adapted to different states’ specifications, but the one fundamental requirement for risk-limiting audits is a voting system with a paper trail. Rhode Island uses paper ballots in optical scan machines, which puts the state on good footing.
But after the 2018 midterms, 14 states still had at least some jurisdictions that vote without any paper trail. This is the most dangerous vulnerability of all, experts say, because without a paper trail, there is no way to audit or verify election results. As election officials around the country prepare for 2020, security advocates hope they will look to Rhode Island and take tangible steps to fortify their votes against any shadow of doubt.
“I’m optimistic that if Rhode Island is successful in proving that a precinct-based voting system can be efficiently audited, that other states with similar systems will take the leap,” says John Marion, executive director of Common Cause Rhode Island, who served as the initial force behind the state’s audit requirement. “I wasn’t sure that we’d be able to execute on that and have it go as smooth as it did,” he told the group at the conclusion of the pilot in January.
“But,” he added, “I’ve walked away with the confidence that we can.”