Will Georgia use open-source software to audit?

by Robin Kemp

Georgia Secretary of State Brad Raffensperger, who had announced a 1 p.m. press conference, held one at 10:30 a.m. to announce that he had chosen the Presidential race for a risk limiting audit.

State law already had required that such a count be conducted as a “pilot program” before Dec. 31, 2021.

A previous risk-limiting pilot program took place in a Cartersville municipal eleciton, according to Raffensperger’s office. An open-source program called Arlo was announced then as a tool for possible future audits.

According to an undated press release on the Secretary of State’s website, Arlo was developed by the federal Cybersecurity and Infrastructure Security Agency and VotingWorks, both of which partnered with Raffensperger’s office and the Center for Election Innovation and Research to implement the system in Georgia.

Raffensperger said the count would be done by hand. Whether that involves using Arlo or other computerized methods is unclear.

Arlo’s GitHub page is here: https://github.com/votingworks/arlo

Georgia law defines a “risk limiting audit” as “an audit protocol that makes use of statistical methods and is designed to limit to acceptable levels the risk of certifying a preliminary election outcome that constitutes an incorrect outcome.”

In addition, state law provides that “The Secretary of State shall conduct a risk-limiting audit pilot program with a risk limit of not greater than 10 percent in one or more counties by December 31, 2021. The Secretary of State shall review the results of the pilot program and, within 90 days following the election in which such pilot program is used, shall provide the members of the General Assembly with a comprehensive report, including a plan on how to implement risk-limiting audits state wide. If such risk-limiting audit is successful in achieving the specified confidence level within five business days following the election for which it was conducted, then all audits performed pursuant to this Code section shall be similarly conducted, beginning not later than November 1, 2024.”

Watch press conference:

https://www.gpb.org/events/news/2020/11/11/secretary-of-states-office-addresses-georgia-election-results

Some recent history

In 2017, then-Secretary of State and now Governor Brian Kemp removed state elections data from Kennesaw State University’s Center for Elections and returned it to the state Elections Office after a security hole was found in a server at KSU.

In 2018, the Center for American Progress evaluated election security in all 50 states. Georgia got a “D” overall, with “unsatisfactory” ratings for post-election audits and voter-verified paper audit trail, and “fair” ratings for minimum cybersecurity for voter registration systems, ballot accounting and reconciliation, paper absentee ballots, voting machine certification requirements, and pre-election logic and accuracy testing. CAP called on Georgia to “switch over to a paper-based voting system and require mandatory post-election audits that test the accuracy of election results after every election” and to coordinate with “federal agencies with expertise in cybersecurity and access to classified information on contemporaneous cyberthreats (that) have the personnel and resources necessary to thoroughly probe and analyze complex election databases, machines, and cybervulnerabilities.”

In 2019, Raffensperger traveled the state–including Clayton County’s Frank Bailey Senior Center–to introduce a hybrid “ballot marking system” that uses proprietary touchscreens where voters mark their ballot choices, then prints out a paper with two key components: a human-readable list of the elector’s choices and a non-human-readable QR code. The voter checks the human-readable list for errors, then inserts the paper into a large black bin with a scanner that reads the QR code and deposits the paper printout into a stack for potential audits such as the one just announced. The data is stored on CF cards. Critics say there is no way for voters to verify for themselves whether the QR code represents the human-readable list.

More to come.

Leave a comment