On Monday night, political enthusiasts across America waited for votes in the Iowa caucuses to be tabulated. And waited. And waited some more. Because of an ill-designed and poorly tested app, precinct captains couldn’t transmit their vote totals to the tabulators. This was embarrassing for Democratic Party officials and their technology vendor, but it was far from the worst thing that could have happened. In the end, the results will be tabulated correctly. Democracy worked, if a bit more slowly than some might have preferred.
But a much bigger failure is still possible, and we’re still not properly prepared for it.
The good news is that the problem in Iowa manifested in the tabulation of votes across precincts, which is the easiest part of an election to secure. There was ample public evidence of the vote count in each precinct: Voters filled out paper ballots, and precinct captains conducted public head counts. The rest — adding up votes and calculating delegate counts — is just arithmetic that candidates, journalists and citizens can replicate for themselves. The count went on, it just went didn’t go on as quickly as expected.
What we need most from our election systems is resilience. Even in the absence of a cyberattack, things will go wrong. A resilient system can detect problems, recover and reconstruct the accurate result from solid evidence. That’s what we saw in Iowa. Voters made their intentions clear, and the in-precinct paper ballot count was low-tech and public — as resilient as one could hope for. When something went wrong, officials fell back to a verifiable solution. The system worked, even if the app didn’t.
There is, obviously, room for improvement. In the future, when election results are delayed, officials should be better prepared to communicate clearly and confidently that the process has slowed but not failed. Perhaps the biggest failures lay in ill-considered statements by some commentators casting doubt on the results, or blaming officials for taking the time to ensure accurate results.
So in a very real sense, the successful fallback from the failed app to a robust lower-tech approach can be seen as a success rather than a failure. It would have been better if the app had worked, but officials wisely built a system that could succeed with or without an app.
But here’s the bad news: Iowa was playing the election security game in easy mode. Because the caucuses didn’t use a secret ballot, votes in each precinct were cast and counted in public, making the count easy for any observer to verify. Most primaries — and significantly, the upcoming November general election — use a secret ballot, which rules out the simple “line up and count heads” approach to tallying.
Most elections have to play the game in hard mode. The secret ballot requires that a ballot cannot be linked to the voter who cast it. At the same time, accuracy requires that every ballot corresponds to exactly one voter. There must be a link from ballot to voter, but that link has to remain unknowable. Achieving both goals is not so easy — and things get more dicey if something goes wrong because of malice or even simple error.
That’s why it is critical that secret-ballot elections use the resilient approach of hand-marked paper ballots with a post-election “risk-limiting” audit, in which officials compare a random sample of paper ballots to their electronic counterparts to ensure that the paper and electronic ballots agree.
Unfortunately, voters in all or part of eight states are expected to vote in November on insecure electronic voting machines that do not keep a paper ballot that the voter directly created or observed, leaving no reliable way to connect the end-of-day vote counts to what voters saw and did in the voting booth. Even the states that use paper ballots often fail to do adequate risk-limiting audits to verify that the paper and electronic ballot records are consistent.
Imagine what could happen if an election relied entirely on an unreliable app to collect individual secret ballots. If the app failed, officials would be out of luck, with no voter-verified paper ballots to hand-count. The same goes for an electronic voting system with no voter-verified paper record. Without a voter-verified record, there is nothing to audit or recount — at best, officials could ask the machines to print out the flawed results again.
This worst-case scenario is sobering: At the end of Election Day, when officials close the polls, the results are obviously wrong. Was someone tampering with the voting machines? Or was it just a programming bug? It’s hard to tell. Meanwhile, conspiracy theories are circulating, with an army of social media bots fanning the flames. The candidate who seems to be losing proclaims that the election is being stolen. The evidence is inconclusive. What happens next is anyone’s guess.
With so much at stake in our elections — and our adversaries seemingly so eager to undermine the legitimacy of U.S. democracy — we can’t take chances with election security.
Elections are a technology for gathering, aggregating and verifying evidence about whom the voters chose. The Iowa failures were embarrassing and inconvenient, but they were not a threat to democracy. In November, we’ll face more serious threats. Will we be ready?
Read more: