Colorado’s First-in-the-Nation Risk-Limiting Audits Take Shape Ahead of 2017 Election
The state has had eight years to develop a secure election process that’s open source and easily replicable.
Colorado’s state legislature originally passed a statute in 2009 requiring its secretary of state to implement post-election risk-limiting audits within five years, and despite the delay, the state is still on track to do so first in the nation.
Preferred by election security experts, RLAs compare a random sample of paper ballots, which can’t be hacked, to their digital counterparts, ensuring the outcome is correct more efficiently and accurately than simple random audits.
A 2013 amendment stayed auditing until this year, so Secretary of State Wayne Williams’ office, county clerks and recorders, statisticians and activists have had eight years to experiment with a more secure election process.
“These types of audits really close the circle on election security because, if an inadvertent error or malicious act leads to an erroneous report, there’s a high statistical probability of finding the error and correcting it before the official results are certified,” Dwight Shellman, the Colorado Department of State’s Elections Division county support manager, told Route Fifty by phone. “Worst case scenario: Let’s assume the reports getting back from the audit boards are just not matching the cast vote records. The audit proceeds to a full hand count.”
Colorado’s centralized RLA will work by having counties upload data from their vote tabulation systems to the secretary of state’s office, which will use that data to randomly select ballots throughout the state for audit. For that, a software tool for applying statistical algorithms was needed.
Portland, Oregon-based startup Free & Fair responded to Colorado’s call for documented quotes—the state’s expedited procurement process—and was selected because of its open source tool. The company isn’t starting from scratch, but the system will be tailored to the state’s specifications.
Three user groups exist: the secretary of state’s office, responsible for gathering county info and making decisions for the whole state; counties, which interpret the ballots; and the public, to make the process as transparent as possible.
A risk level, which establishes the degree of confidence in the audit process, is set by the secretary of state. For example, a 5 percent risk level means that if there’s a 1 in 100 chance of an incorrect election tally due to hacking or error, that chance decreases to 1 in 2,000 post-audit.
After the election, counties submit their ballot manifests, and Free & Fair’s tool randomly orders ballots for audit and relays instructions back to the selected clerks and recorders.
“That number of ballots is typically really small,” said Stephanie Singer, Free & Fair’s project lead, in a phone interview. “Good mathematics is saving election officials some serious time.”
Colorado was one of several states with audit laws on the books, and last election 32,000 ballots were audited after the vote. That number would have been reduced to 142 using Free & Fair’s algorithms.
If discrepancies arise between ballots and their digital interpretations via voting machines, records are matched until the risk limit is met and the outcome is deemed correct, or else the hand count occurs.
Free & Fair’s tool allows updated tallies to be posted to a public website, in this case the secretary of state’s, in real-time.
At the end of the day though, even cybersecure software is susceptible to hacking.
“We are exchanging data on a network, so it would be disingenuous for me to say to you that’s impossible,” Shellman said. “But we are very familiar with network security protocols, and we will have multiple layers of protection to ensure that the random selection is actually random, that the algorithms we use are correct, and the county data submitted to us is actually from the counties.”
The software being open source is the first line of defense, allowing anyone to critique the code and other jurisdictions to utilize it—recording any modifications made—for the cost of hiring someone to ensure the system is installed correctly. Colorado paid about $100,000, Singer said.
As another safeguard, before uploading to the state, counties export data showing how the system interpreted every ballot onto another computer, where it’s “hashed”: a specific numeric value is assigned to the data, and that value will change if the content changes, such as if the file is manipulated.
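The two mechanisms described above, hashing a county's export and randomly ordering ballots from the submitted manifests, are sketched here as an added example; it is not Free & Fair's or Colorado's code. The SHA-256 counter-based draw, the seed string, the function names and the manifest rows are all assumptions constructed for illustration.

```python
import hashlib

# Constructed ballot manifest rows: (county, batch id, ballots in batch).
MANIFEST = [("Adams", "B1", 120), ("Adams", "B2", 80), ("Boulder", "B1", 200)]

def file_digest(data: bytes) -> str:
    """SHA-256 of a county's ballot-interpretation export, recorded before upload."""
    return hashlib.sha256(data).hexdigest()

def verify_upload(data: bytes, recorded_digest: str) -> bool:
    """True only if the uploaded bytes still match the digest the county recorded."""
    return file_digest(data) == recorded_digest

def locate(manifest, index: int):
    """Map a 0-based statewide ballot index to (county, batch, position in batch)."""
    for county, batch, count in manifest:
        if index < count:
            return county, batch, index + 1
        index -= count
    raise IndexError("index beyond manifest total")

def select_ballots(manifest, seed: str, n: int):
    """Order n distinct ballots for audit from a public seed (hypothetical scheme)."""
    total = sum(count for _, _, count in manifest)
    if n > total:
        raise ValueError("cannot select more ballots than the manifest lists")
    limit = (2**256 // total) * total  # reject values above this to avoid modulo bias
    picked, seen, counter = [], set(), 0
    while len(picked) < n:
        digest = hashlib.sha256(f"{seed},{counter}".encode()).digest()
        counter += 1
        value = int.from_bytes(digest, "big")
        if value >= limit:
            continue
        index = value % total
        if index not in seen:
            seen.add(index)
            picked.append(locate(manifest, index))
    return picked

if __name__ == "__main__":
    export = b"ballot_id,contest,choice\n1,Mayor,Smith\n2,Mayor,Jones\n"  # constructed
    recorded = file_digest(export)
    print(verify_upload(export, recorded))
    print(verify_upload(export.replace(b"Jones", b"Smith"), recorded))
    print(select_ballots(MANIFEST, "constructed-public-seed", 5))
```

Because the draw depends only on the manifest and the seed, anyone holding both can re-run it and confirm that the ballots sent to the audit boards are the ones the seed dictates.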
All in all, RLAs prevent official certification of an incorrect outcome.
In 2002, the Help America Vote Act saw the U.S. Department of Homeland Security appropriate more than $3.5 billion to states and localities to upgrade their voting systems. That amount would be $10 million to procure an open source election system any jurisdiction could use just for the hardware, Singer said.
“It’s just basic quality control. There’s no reason that states shouldn’t do it because it’s affordable and effective,” she said. “[Colorado is] showing everybody that this is really doable. It’s not burdensome on the election officials.”
Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington, D.C.