Colorado on Monday said it will become the first state to regularly conduct a sophisticated post-election audit that cybersecurity experts have long called necessary for ensuring hackers aren’t meddling with vote tallies.
The procedure — known as a “risk-limiting” audit — allows officials to double-check a sample of paper ballots against digital tallies to determine whether results were tabulated correctly. The election security firm Free & Fair will design the auditing software for Colorado, and the state will make the technology available for other states to modify for their own use.
The audit will allow Colorado to say, “with a high level of statistical probability that has never existed before,” that official election results have not been manipulated, said Colorado Secretary of State Wayne Williams in a statement.
Colorado enacted the audit requirement in 2009 but delayed its implementation to allow counties to test different methods. Beginning in November, according to a rule still being drafted, Williams’ office will select at least one statewide and one countywide race for each county to audit.
The move comes as election officials around the country scramble to strengthen their digital defenses ahead of the 2018 elections, the first time most Americans will cast ballots for state and federal offices since 2016 — a year filled with a series of alleged Russian cyberattacks that rattled people’s confidence in the security of the country’s electoral process. U.S. intelligence officials have warned that they expect Russia to be back in 2018 with an even more sophisticated digital interference campaign and have pressed election officials to prepare for the worst.
Colorado believes implementing the risk-limiting audit will make the state ready for any scenario.
“If a voting system has been maliciously altered in some way, [this audit] should give the public great assurance that we are going to know that, and we will adjust the result accordingly,” Dwight Shellman, county support manager in the Colorado elections office and the official helping to coordinate the new auditing process, told POLITICO in an interview.
Digital security specialists have long pushed for states to adopt risk-limiting audits, which they say are a fast and inexpensive way to give the public confidence that votes were not altered in any way.
The topic was briefly in the spotlight following the 2016 election, when a group of prominent computer scientists pressed for recounts in several critical swing states — such as Wisconsin, Michigan and Pennsylvania — to make sure that cyberattacks were not responsible for the unexpected performance of Donald Trump in those states.
These computer scientists said states could eliminate the need for such recounts in the future by implementing risk-limiting audits. Currently, only two states — Colorado and New Mexico — “conduct audits that are robust enough to detect cyberattacks,” said J. Alex Halderman, a computer science professor at the University of Michigan who led the push for recounts, testifying before Congress in June. But so far, the two states have conducted them only sporadically.
Halderman told POLITICO that Colorado’s new approach was “an excellent model for other states to follow.”
“Colorado’s use of paper ballots and risk-limit audits empowers the state to detect and correct any vote-changing cyberattacks, without relying on the Federal government or the intelligence community,” he said in an email.
Risk-limiting audits are less expensive than other types of audits because they sample fewer ballots. But because they use sophisticated statistical methods, they actually produce more reliable results.
For example, a regular audit of the 2016 presidential election results in Colorado would have required counting more than 32,000 paper ballots out of 2.85 million votes statewide. That number will drop to 142 with the new risk-limiting audit software, according to Stephanie Singer, the project lead at Free & Fair.
In a risk-limiting audit, state officials select a sample of paper ballots — usually based on the margin of the outcome — and compare them using statistical methods to the electronically cataloged results of those ballots.
They also select a “risk limit,” which is the percentage chance that their audit will fail to catch incorrect results that could have been caused by tampering. For example, an audit with a risk limit of 5 percent will have a 95 percent chance of successfully catching incorrect vote tabulation.
Risk-limiting audits can be used to determine whether a more comprehensive recount is needed.
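How the sample size follows from the margin and the risk limit, as an added example that is not from the article or from Free & Fair's software. It assumes one published method for ballot-level comparison audits (the Kaplan-Markov bound from Philip Stark's "super-simple" audit design) with an inflation factor of 1.03905; the contest, the sample and the function names are constructed for illustration.

```python
GAMMA = 1.03905  # error-inflation factor; an assumed value, not from the article

def discrepancy_counts(pairs, winner, loser):
    """Classify (electronic_record, paper_ballot) pairs drawn for the audit.

    o1/o2: the machine overstated the winner's margin by 1 or 2 votes.
    u1/u2: the machine understated it by 1 or 2 votes.
    """
    def score(vote):
        return (vote == winner) - (vote == loser)
    counts = {"o1": 0, "o2": 0, "u1": 0, "u2": 0}
    for electronic, paper in pairs:
        error = score(electronic) - score(paper)
        if error:
            counts[("o" if error > 0 else "u") + str(abs(error))] += 1
    return counts

def risk_bound(n, margin, o1=0, o2=0, u1=0, u2=0):
    """Upper bound on the chance of a sample this favourable if the reported
    winner actually lost. margin = winner's lead in votes / ballots cast."""
    return ((1 - margin / (2 * GAMMA)) ** n
            * (1 - 1 / (2 * GAMMA)) ** -o1 * (1 - 1 / GAMMA) ** -o2
            * (1 + 1 / (2 * GAMMA)) ** -u1 * (1 + 1 / GAMMA) ** -u2)

def ballots_needed(margin, risk_limit, **counts):
    """Smallest sample size at which risk_bound falls to the risk limit."""
    if not 0 < margin <= 1 or not 0 < risk_limit < 1:
        raise ValueError("margin must be in (0, 1], risk_limit in (0, 1)")
    n = 0
    while risk_bound(n, margin, **counts) > risk_limit:
        n += 1
    return n

def audit_decision(pairs, margin, risk_limit, winner, loser):
    """Stop once the bound meets the risk limit; otherwise say how far to go."""
    counts = discrepancy_counts(pairs, winner, loser)
    if risk_bound(len(pairs), margin, **counts) <= risk_limit:
        return "outcome confirmed"
    return f"keep sampling to {ballots_needed(margin, risk_limit, **counts)}"

# Constructed sample: 60 matching ballots plus one the machine read as a vote
# for A that is blank on paper (a one-vote overstatement).
SAMPLE = [("A", "A")] * 60 + [("A", "")]

if __name__ == "__main__":
    print(ballots_needed(0.10, 0.05), ballots_needed(0.02, 0.05))
    print(audit_decision(SAMPLE, 0.10, 0.05, "A", "B"))
```

The narrower the margin, the more ballots must be examined, and each discrepancy found pushes the stopping point further out; an audit that never reaches the risk limit ends in a full hand count.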
“This is just a commonsense quality control maneuver,” said Singer. “If you had any kind of machine that did a job and you were depending on its output, you would every so often run tests on the machine to make sure that it’s doing what it says it’s doing. It’s really, really just basic quality control.”
Colorado passed legislation in 2009 that required counties to conduct risk-limiting audits by the 2014 midterm elections, but after several years of testing, it extended that deadline to this year. It is the only state with a law requiring statewide risk-limiting audits.
Free & Fair is expected to deliver the auditing software by the first week of August, Shellman said. The state will then release a beta version for counties to test at the end of August, and it hopes to fully deploy it by mid-September.
“I don’t know of any better company in the country to do this work for us,” he said of Free & Fair. “They’re literally the only company with any experience.”
Security experts have warned Congress that without paper audit trails, states are vulnerable to invisible election tampering because votes cannot be reliably audited. A coalition of experts recently urged lawmakers to give states money to upgrade their technology so they can adopt the necessary procedures.
“Many, many states are still using legacy voting systems that are 10 or 15 years old and are rapidly reaching their end of life,” said Shellman. “In Colorado, we were a bit ahead of the curve,” he added, noting that 54 of the 64 counties in the state will be using a “brand-new voting system” as of this year.
Shellman said he hoped that other states would follow Colorado’s lead with auditing as they upgraded their voting equipment. Many cybersecurity experts have accused states of lacking the urgency to address what they feel are glaring security shortcomings in the electoral process.
“This is a marked improvement,” he said, “and I think other states will get there when they’re technologically able to be there.”
Colorado will publish its auditing software under a free license so other states can download and modify it for their own use.
“In this era where everybody is so much more aware of cybersecurity concerns and threats than they used to be, people are going to start asking the question, ‘How do we know that our votes were counted correctly? Anyone have an answer to that?’” said Singer. “And Colorado is going to have an answer to that because of these audits, and they’re going to have it in a way that is cost-effective.”