IMPORTANT QUESTIONS ABOUT THE DEMOCRACY COUNTS AUDIT SYSTEM
Q: Why is it so important to make sure that the vote is counted accurately?
A: The United States of America was founded on the idea of fairness and equality under the law. Errors result in unfair laws and policies that favor special interests. This erodes democracy and dishonors all those people who [look at gravestones] who fought and died for our democracy.
Q: Why do we need to audit American elections?
A: As insecure computerized voting and counting have spread through the U.S. evidence of errors has increased to the point that our elections and our public officials are losing legitimacy. We need to fix that. We need to expose the problems, provoke investigations, and institute and put secure systems in place.
Q: Post-election audits already exist; why add another?
A: Many official “audits” [air quotes] are not independent or non-partisan. If conflicts of interest exist, potential for fraud in the audit exists. Only an independent, community verifiable audit can prevent this.
Once reforms are pushed through setting up an independent audit process then our audit won’t be necessary.
Q: Don’t recounts accomplish the same result?
A: Recounts usually just repeat the same process that produced the original results. If there was error in an honest jurisdiction then a recount might catch it, but if, say, machines were programmed incorrectly, when they do a second count they will produce the same incorrect result.
Q: How does your audit system work?
A: There are three essential data tools. The parallel voting system tells us the least number of votes that a candidate could possibly have received; any official result smaller than that will raise suspicion. The polling place data preservation tool makes sure that there are no changes made between polling place and final reported result. An the tool for measuring voter suppression quantifies the extent to which voters have been deprived of their right to vote and estimates the effect of voter suppression, both of which are necessary to sue in court.
Q: How do those tools work as a system?
A: Please refer to this flow chart:
Before the election we analyze the local system and its weak points, design the audit, and start recruiting citizen auditors; these steps are represented in red.
On election days we collect data of different forms in our apps, which go into our data base, then official results from the same polling places are entered into the data base. These steps are represented in orange. Analysts then review the data and if serious discrepancies are discovered they confer with our legal team.
Our lawyers then consult with lawyers for injured parties, such as losing candidates; these steps are represented in green. Those injured parties then decide whether to go to court to ask for an injunction and an order requiring law enforcement to investigate the election.
If an injunction is granted and an investigation is ordered, then all hell breaks loose. There’s no symbol for that.
Q. How is your parallel vote different from exit polling?
A. Exit polling extrapolates from small samples to the entire population. That is fine for scientific estimates, but it’s no good in court for proof of error in counting. Our parallel vote system attempts to count as close to 100 percent of the vote as possible; there is no extrapolation and little if any response bias. The result is that it becomes strong evidence in court.
It may look like a duck but it does not quack like a duck.
Q. Exit pollsters only collect one-third to one-half of voters to tell them who they voted for. What makes you think you can do better?
A. Because we tried and we succeeded. In the 2016 California primary we conducted a pilot of the parallel vote system and well over 90 percent of the voters coming out of the polls participated. And that was without having any signs saying who we were or doing any prior voter education.
We attribute this phenomenal result to the fact that voters are already investing hours in deciding who to vote for and then going out and doing it. Spending another five minutes to make sure that their votes are counted accurately is a cheap insurance policy.
Q: Your system takes so much work to implement. Isn’t there an easier way?
A: There are many easier ways to check the results but they all require the approval and cooperation of officials. In jurisdictions where the officials are honest and eager to prove it these other methods are better because they take less work. In jurisdictions where officials are cheating, however, they fight to prevent the exposure of their crimes. Our system does not require official approval or cooperation; it is conducted under the protection of the First Amendment to the Constitution, and the worst that they can do to us is harass us.
Is this a lot of work? Yes. Is it worth it? Well, that depends on whether you think it’s worth saving our democracy. Many people, including people who fought and died for our rights, believe that it is.
Q: Why are you asking citizens to do it? Why not use professionals?
It’s our job as citizens to hold their government accountable; using a volunteer workforce supported by a professional infrastructure makes it affordable and gives us more flexibility and broader coverage.
Q: Can I organize an audit of my local electoral system using your tools?
A: Absolutely. We are programming the system to allow citizens to self-organize audits in their local areas, anywhere and in any election. We plan to roll it out nationwide before the 2020 elections and globally soon after.
Q: Do you plan to let people in other countries use your tools and system?
A: Yes. Eventually anyone anywhere in the world will be able to customize the front end and conduct audits; we will run the back end and report the data back to them.
Q: How will you guarantee minimum standards in audits in other countries?
A: We plan to spearhead the creation of an International Federation of Election Auditors. This federation would establish standards and certify election auditors. It would also help provide visibility and therefore political protection to auditors in countries where it is dangerous to look too closely at elections.
Q: How can I be sure your system won’t just skew the election in another direction?
A: Our audit system only monitors official data flow; it does not change anything. If we turn up evidence of discrepancies, and it turns out after investigation that those discrepancies changed the official results, then later corrective actions will de-skew the original false results.
Q: How much does it cost to audit an election?
A: It depends on how many citizen auditors volunteer and how many professionals have to be paid. It could be cheap, it could be expensive. It really boils down to how many people care enough to get out and do it for the sake of their democracy and their future.
Q: Who pays for your audit? Will it add to my taxes?
A: The entire system runs on volunteers and donations. If audits result in changes in the political system and better government it will ultimately lower your taxes.
Q: How can I become a Citizen Auditor?
A: Just sign up on this website.
Q: Is it a lot of work to be a Citizen Auditor?
A: No. It requires a couple of hours of training before the election, then on election days you can work for four, eight or twelve hours.
There are also many other roles we need to fill, such as organizers and managers, office workers, analysts and statisticians, attorneys, software programmers, people with negotiation skills, and more.
Q: How can I check you guys out? You know, make sure you’re legit?
A: We’re legit. Read through this website, follow the links to our team’s LinkedIn profiles, and Google us on the web. What you see is what you get.
Q: How does this relate to more broadly to a vision of America’s future?
A: For many Americans of a certain age Norman Rockwell’s America was their America. Americans now understand that Norman Rockwell’s vision was incomplete and in some respects a falsehood, especially with respect to women, minorities and Native Americans. Nevertheless, the respect for one another in civic life that he chronicled represents a vision that we can and should aspire to bring into existence, only this time for everyone.
ARCANA: QUESTIONS ASKED BY EXPERTS
Q. How do you protect secrecy of the ballot in self-reporting by voters of how they voted (in the app)?
A. This pertains only to the exit voting module of the app, not the other functions, as the data collection for the other functions does not involve ballot secrecy.
Ballot secrecy is a dogma in western democracies, not a need; people commonly brag about how they voted and they don’t put themselves in danger. Nevertheless we accede to the requirement. In countries where vote selling is common, or where local thugs might demand to see a person’s vote, the QR code (or whatever method we end up using) would not be turned on. That would probably be a local client/admin decision.
All electronic systems, including DRE etc, can expose the link between the voter and the vote, even if the sign-in and vote data are stored separately, because their clocks register both at the same or sequential times. Our app stores the data and votes in separate databases, separated widely in the cloud. We are talking about delaying by a few seconds the storage of one or the other in order to break the synchrony on the clock.
We do have one instance in which we may have to keep the voter and vote together temporarily (whether for seconds or hours we don’t know yet). That is where a “foreign” voter votes in another precinct than their own. In that case we don’t want to register their vote in the foreign precinct, and we don’t want to discard it, but we haven’t yet developed a way to get their vote over to their home precinct. The two ideas we’re entertaining at the moment are a) hold voter and vote together until their precinct is identified, but build security around them (everything is encrypted anyway so it’s a matter of sending the decryption password over and when the packages arrive opening them up and performing the regular operations); b) upload all voter registration and precinct data in advance (eventually we’ll be able to do this on a routine basis), provide a way for the voter to ID his precinct and/or automatically identify and verify it, and simply deposit voter and vote in the proper databases.
We will probably provide a way for the voter to verify that her vote was recorded properly. There are various methods but the most elegant one so far is to print enough QR code papers for the voters at a poll, hand one to each voter participating in the exit vote, and then when they are logging in (anonymously) to the vote part of the app (it’s separate from the ID part, which requires a separate login), they would use the mobile voting device to scan the QR code. They could then use their own device later to access one time the image of their vote.
Q. Are reforms, structural or procedural, required to let your system work? If so, would they be expensive?
A. Not in the United States. Activities such as ours fall under its protection of the First Amendment to the US Constitution, so we do not need official permission or cooperation to do our work. (Obviously it will smooth our functioning when officialdom is on board with what we are doing.)
Q. How can self-reporting of votes by voters be called an “audit” when it fails to include so many votes cast?
A. The votes that are cast will fall into separate categories, one category for each candidate or measure choice: If 98% of Candidate X’s voters participate, but only 40% of Y’s, then our sensitivity will be very high for X and very low for Y. One can readily imagine this happening, especially as candidates and parties learn to politicize the act of participating in this part of the audit.
Audit procedures vary across industries and fields. Audits of public companies by audit firms regulated by the audit agency of the federal government, the PCAOB, randomly sample transactions to see if any suspicious transactions pop up. If none of the sampled transactions are questionable the rest will be assumed to be okay. Risk-limiting election audits look at varying small proportions of randomly selected votes (one to five percent), depending on the closeness of the election, and recount them; any error is extrapolated to the entire vote and a decision then made as to whether to recount all the votes. Our exit-vote audit is not a sample like these but an actual replication of the vote, like a parallel election. It does not involve extrapolation from a sample because the “sample” will approach 100 percent, making extrapolation unnecessary.
The exit vote function is one part of a larger set of functions; other audit functions work differently.
Q. Will promoting self-reporting of votes in name of detecting fraud in how votes are counted increase lack of confidence that votes matter? In turn, will this lead to lower voter turnout due to stoking of fears about uncounted ballots?
A. The fear that proving discrepancies (when they occur) will discourage voting is a straw man; any effects can be easily countered in the public mind by saying plainly that finally, finally, there is a way to make sure that every vote counts, so nonvoters have even less reason to stay home. Knowing that their votes can’t be stolen (at least without being discovered) is an incentive to vote – or at least it takes away a disincentive.
Our experience during our June 2016 pilot was that most people, when they heard that we were testing a system to hold the election system accountable, were eager to participate. That is an empirical indication of the opposite of cynicism. Of course these were the voters, not the nonvoters. How the nonvoters will behave is a separate question. Many “apathetic” nonvoters already lack confidence in the system – if not in the count’s accuracy, then in the translation of their votes into policy. What’s the point, they say: “The results in my life don’t change irrespective of who is elected.”
It is also true that in an election with a million votes, one vote is mathematically meaningless. Votes matter in aggregate, of course, so collective behaviors are important, which makes collective psychology important, in turn making the political debate about the audit important. We expect the audit’s opponents to be predominantly those interests that are threatened by accountability, and we will be surprised if they don’t do their best to discourage participation and impugn its credibility. One should also expect the same interests to impugn the credibility of risk-limiting audits. Their argument would be that the official system is accurate and that accountability measures are illegitimate, especially as they involve small samples. Whether those arguments result in more or less cynicism or discouragement about voting is an empirical question.
Interestingly, this straw man is raised most frequently by election integrity advocates. Some seem to believe that if people are in any way disabused of their magical thinking about the importance of their individual vote, or if they come to believe that their votes are being stolen, then they will lose their faith in the system and not vote. These questioners are caught in a dilemma: They believe in accuracy and accountability, the obtaining of which requires that the public be assumed to be discerning enough to be trusted with information that the system is vulnerable and needs to be safeguarded. On the other hand they are afraid that proof of theft and significant error will discourage voters, the public being too infantile and undiscerning to be trusted with the truth of our systems’ shortcomings. The way out of the dilemma is to provide proof of error at the same time as offering a solution.
Q. How does reporting of problems using your app differ from voter protection outreach programs? For instance, lawyers and volunteers often observe polls and report on irregularities in election administration, denials of right to cast ballot, etc.
A. The incident report function in our app is designed to help participants in voter protection programs report the irregularities they encounter. Indeed, the lawyers and volunteers could/should use our app to make their reports. Why? Because instead of having them filter in slowly, probably on paper, the reports by lawyers and volunteers will be available on our platform for instant analysis by the voter protection program managers, which will allow attorneys to address problems much faster.
Ordinary citizens can also download the app and file incident reports. These are kept separate, but both are available in the same instant reports, so the voter protection program managers can assess their reliability better.
This system adds speed and data volume, thereby improving the response speed of the lawyers charged with countering the irregularities and allowing them to see emergent problems in real time.
Q. How do voters know to whom they are surrendering their identity and the information about whom they voted? Can’t a voter reasonably suspect the information will be used for reasons other than those advertised and that for whom they voted will not be kept private?
A. Our system is designed to make it very difficult penetrate the secrecy of the ballot, but as we know the ultimate safeguard of any system is the integrity of the operators. We intend to build a reputation and a brand that demonstrates our integrity. No company, organization or agency can do better than that. Even many official systems can be forced to reveal who voted for whom. We at least are independent and without conflicts of interest. The people who manage elections in government are partisan politicians with conflicts of interest; if anyone has a reason to violate ballot secrecy they do.
Q. What laws would forbid and/or penalize the owners of the information sent via the app from disclosing who voted and for which candidates? If the information can be shared or sold for reasons other than use in assuring the election results are accurate without legal penalty, shouldn’t voters know that it is legally not safe to share the information (i.e. that the secrecy of their ballot cannot be protected)?
A. Laws vary across jurisdictions. In the design of our system we have adhered to the highest standard of secrecy consistent with the realities of software design. If someone believes that it’s not safe to participate in our system they have the right to decline to participate. We will represent what we are doing with accuracy and integrity. There will always be skeptics and cynics, however.
In any event, people share their data all the time knowing that legal penalties are iffy at best, and people are right to be cynical: witness Facebook and Equifax. So people do a rough cost-benefit calculus, weigh what they know of the organization, and decide (if they have a choice) whether or not to use the service.
The questions of “legally not safe” and “cannot be protected” are very different questions. The first question assumes that the lack of legal sanctions determines the weakness of technical protection. We will provide technical protection, which will be verified by independent experts, so that irrespective of the lack of sanctions the voters’ vote will not be traceable to them.
Q. Will the app involve voters taking pictures of their ballots? Does this violate state laws that forbid taking such pictures?
A. No it doesn’t. Though the project that became Democracy Counts started with this initial idea, we quickly abandoned it because of concerns about a) the low probability that sufficient numbers of voters would download an app and use it properly to provide adequate sensitivity, b) the possibility that such pictures could be used to prove to vote buyers that the person selling his/her vote has voted as agreed, and c) the difficulty of administering a feature that might be legal in some jurisdictions and illegal in others.
Q. Is the self-reporting of your parallel vote the same as a risk limiting audit?
A. These two concepts are not commensurate. We are not conducting a risk limiting audit, which uses statistics to estimate the probability of error. We are conducting a different kind of audit that operates in a wholly different way that does not involve any extrapolation. It is more difficult to conduct but when done correctly much more likely to catch error and to stand up as evidence in court.
Q. In what way can random samples show failure to count specific votes?
A. Random samples (of anything) never reveal information about specific data occurrences. The best they can do is make it increasingly probable (with increasing sample size, or with differentiated sampling techniques of subpopulations) that rare data occurrences will be captured in the sample population. For instance, if one in a thousand votes were switched, the odds of a 100-vote random sample capturing that switch would be 10%. If the sampling method is not random, e.g., if the authority charged with the audit has a measure of control over the choice of precincts or ballot inventories being audited, or a subpopulation sample is poorly designed/executed, the probability will shrink even more.
In order to obtain samples large enough to make it highly probable that we would capture low levels of fraud we would have to have access to the actual ballots and be allowed to sample randomly. In jurisdictions where the authorities are engaged in or aware of fraud we don’t expect that that access will ever be granted, except perhaps under legal duress after fraud was already strongly suspected.
Statistics as a tool was invented to make it feasible, i.e., easier and less expensive, to learn about larger populations without having to capture 100% of the data in the population. Confidence intervals were invented in order to estimate the probability that the true result was outside the sample’s result. Though it is possible with a sufficiently large (and expensive) sample to make the confidence interval very small, the possibility of the true result being outside the sample’s result never completely goes away. Furthermore, unless the sample is a large proportion of the total population (which is Census-level expensive in populations larger than a few thousand), and the sampling method demonstrably random (which is pretty much impossible to achieve without compulsion in a politicized environment), then the sample is subject to charges of response bias, i.e., that critical subpopulations refused to participate and that the extrapolations are therefore suspect.
These are why we have chosen not to use random samples in our system but instead to attempt to capture the entire population and its data.
Q. Is there a threshold of self-reporting (e.g. above 70 per cent of all votes in a precinct) that makes the self-reporting minimally reliable as a way to suggest failure to count votes?
A. In exit polling a random sample of 1000 or so respondents is adequate for even very large populations to produce narrow confidence intervals (1.5% or so). We are not doing polling with our exit vote function, however, because we are not extrapolating from samples: We are attempting to duplicate the data for the entire voting population. Our exit vote function’s sensitivity to discrepancies depends on the size of the actual discrepancies (which are unknown a priori, of course) and how close we get to 100 percent of the true total vote for the candidate suffering the errors.
We assume that most fraud is calculated to provide narrow margins of victory over the defrauded candidate, i.e., wide enough to guarantee that the automatic recount provision of state law won’t be triggered, but not so wide as to provoke suspicion. Our system has to be highly sensitive to these narrow margins. The sensitivity will vary by locale, according to what the fraud margin is, but it’s safe to say that our exit vote function will have to be in the 95%-plus range, because flipping 2.5% of votes produces a 5% swing. Ergo, if we are going to be sensitive to a 5% swing we have to have better than a 95% participation rate. (The other system functions do not require this degree of sensitivity.)
Achieving this level of sensitivity is an expensive and difficult challenge, but it is the only type of independent, direct evidence that courts are likely to accept as sufficiently probative to justify ordering injunctions and investigations.
Q. By what methodology is a prediction made from limited samples that there was a problem counting all votes accurately?
A. This question is inapposite. Limited samples and predictions based on samples are conducted by pollsters, and election authorities might use them in their audits, but our system does not involve the use of limited samples, and we don’t engage in prediction.
Please support our work. Help restore integrity to elections and accountability to government. Click here to donate.