Security

Risk-Limiting Audits Can Support an Election’s Legitimacy

Counting votes after they’ve been cast on paper is the best way to ensure that the tally is honest, a new NAS report states.

Elizabeth Neus

Elizabeth Neus is the managing editor of FedTech. Before joining FedTech, Elizabeth was a reporter for Gannett, covering health care policy and medicine. As a Gannett editor, she worked on publications and magazines focusing on everything from defense to agriculture to travel to shopping. The Washington Nationals are her team; 80s Brit pop is her sound.

The National Academy of Sciences report is blunt: “There is no realistic mechanism to fully secure vote casting and tabulation computer systems from cyber threats.”

But election officials can and should audit votes — rather than performing time-consuming full recounts — before election results are certified to confirm their legitimacy, the report states.

Risk-limiting audits are a relatively new way to double-check the results of an election after the fact. First implemented in Colorado in 2017, the audits examine a randomly chosen, statistically significant number of paper ballots and compare the results in those ballots to the actual result.

They’re done no matter the margin of victory; suspicious results may trigger a full recount.

VIDEO: See how state election officials are working to protect the November midterms.

How Risk-Limiting Audits Work

“It’s an abbreviated recount, in a sense,” said Ronald Rivest, one of the inventors of the RSA public-key cryptosystem and a member of the NAS panel that wrote the report.

“Recounts are expensive. Is there a way to get most of the assurance of a recount through statistics? That’s what a risk-limiting audit does. If the sample is large enough, it’ll tell you where the truth lies,” he said during a press conference at the report’s September release.

The Colorado Secretary of State’s office describes the risk limit as “the largest chance that an incorrect outcome escapes correction. If the risk limit is 1 percent, then, in the long run, at least 99 out of 100 wrong outcomes would be corrected by the audit.”

Once a county finishes tabulating all election ballots, the secretary of state convenes a meeting where members of the public establish a 20-digit random seed through rolls of 10-sided dice. The secretary enters the seed into the audit software’s pseudo-random number generator, invented by Rivest, which randomly selects individual ballot cards for audit in each county.

The number of ballot cards to be audited in a county depends on two primary factors: the risk limit for the audit and the margin of victory in the race or measure being audited. Lower-risk limits and closer margins require auditing more ballots than higher-risk limits and wider margins.

Bipartisan audit boards in each county then locate and retrieve the ballots randomly selected by the secretary of state, identified by tabulator or scanner ID, batch number and the ballot’s position within the batch. Without knowing how the system counted the ballots, the board reports its count of votes on the paper ballot. The auditing software, which is open source, then compares the human interpretation to the cast-vote record.

If the human interpretation matches the machine count, the risk limit is satisfied and the audit is complete. If the human count reveals a closer margin than the machine count, additional rounds of auditing will be required until either the risk limit is met or a full hand count results.

Homeland Security Secretary Kirstjen Nielsen “has been pretty clear that she would like to see every state get to auditability by 2020,” said Matthew Masterson, a senior cybersecurity adviser in the Department of Homeland Security office that oversees election cybersecurity, speaking at Imagine Nation ELC 2018 in October.

States Move Closer to Audits

According to the National Conference of State Legislatures, 30 states and the District of Columbia already require post-election audits of varying methods.

Colorado requires the risk-limiting audit and Rhode Island is implementing it; the city of Fairfax, Va., and Marion County, Ind., both tested RLAs in primary elections earlier this year, and other states are planning pilots.

In light of the election glitches reported in Texas — aging voting machines have a bug that can misregister a voter’s intended choice — this is a major step, election experts say. At least 80 percent of the votes cast in 2016 had an auditable record, said Masterson, who is also the former chairman of the Election Assistance Commission and a former Ohio election official.

“The trend is to auditability. Many states say their next system, when they get the funding they need to replace them, will be auditable,” he said. “I’m really optimistic that auditing is the place we can make the most progress in the shortest amount of time.”