Over at Princeton’s Center for Information Technology Policy “Freedom to Tinker,” some thoughts on expert reports in the courts identifying security flaws in voting machines and why those reports should not remain under seal.
Category Archives: voting technology
The other other Dominion case
The AP reminds us that this case about a touchscreen ballot-marking system, first filed August 8, 2017 (challenging what were then paperless DREs), went to a summary judgment hearing on Tuesday.
“Public tirades, recall threats as Shasta County roils from decision to dump voting machines”
Weeks after deciding to dump Dominion Voting Systems and become the largest government entity in the U.S. to hand-count its votes, Shasta County officials are now grappling with the complex logistics of actually carrying out that approach, accurately and legally, in a county of 200,000 people.
In a Board of Supervisors meeting Tuesday spiced with angry personal attacks — and during which Supervisor Kevin Crye was served with recall papers on the dais mid-session — county staff told board members that hand-counting ballots could cost an additional $3 million over two years. The board ultimately voted to fund seven more staff positions to carry out the effort, even as flabbergasted citizens in the audience bemoaned what they said were absurd new expenses for a county struggling to provide healthcare and homeless services.
The board’s decision earlier this year to sever the county’s long-standing relationship with Dominion, one of the largest suppliers of voting machines and software in the U.S., has garnered national attention as an example of the chaos wrought by unfounded claims of voter fraud pushed by former President Trump and his allies after his failed 2020 reelection bid. Last week, Fox News agreed to pay Dominion $787.5 million to settle a defamation suit the company filed accusing the network of knowingly promoting false claims that its voting machines had been used to manipulate election results. As part of that settlement, Fox issued a statement acknowledging “certain claims” made on its programming about Dominion were false.
The fraud claims, nonetheless, found traction in Shasta County after a hard-right majority, including Crye, were elected to the board in November. Crye, the owner of a Ninja gym with no previous experience in elected office, recently announced he has been in touch with MyPillow Chief Executive Mike Lindell, a prominent pro-Trump election conspiracy theorist, about aiding Shasta in its plan to pilot its own voting system.
Shasta’s shift from a mechanized voting system has provoked concern among a number of civic groups, including the League of Women Voters and the American Civil Liberties Union, which have implored Shasta County to reconsider.
On Thursday, the Assembly passed a bill that would make it more difficult for any other California county to follow Shasta’s lead. AB 969, which now heads to the state Senate, would require a county board of supervisors to have a signed contract in place with a new voting system that meets state approval before canceling a contract with an old one. The bill was sponsored by Assemblywoman Gail Pellerin, a Democrat who formerly served as registrar of voters in Santa Cruz County.
At Tuesday’s board meeting, Supervisor Mary Rickert implored her colleagues to reverse their decision, saying it was “irresponsible” and “terribly reckless.”
“I am horrified with what is happening in Shasta County,” she told them. “This is going to be your legacy.”
Supervisor Patrick Jones, who spearheaded the movement to dump Dominion, shot back: “This is going to be our legacy. We are going to have free and fair elections in Shasta County.”
That prompted Crye to pipe up that his legacy “is not going to be in politics.”
“My legacy is going to be how I serve the Lord,” he continued. “That’s my faith first, and my family second, and definitely children third.”
“The Jolt: Top Trump lawyer never saw proof of Dominion fraud claims”
One of the chief architects of pro-Donald Trump election conspiracy theories conceded in a recording that she never saw evidence of voting machine fraud in Georgia — and that’s why she didn’t target election equipment maker Dominion in a failed lawsuit challenging the state’s results.
That’s what Cleta Mitchell told donors and officials at the Republican National Committee’s spring retreat this month in an audio recording obtained by Lauren Windsor, a left-leaning operative.
Mitchell was one of the former president’s most ardent election fraud crusaders during the 2020 campaign. She joined him on his January 2021 call to Secretary of State Brad Raffensperger urging him to “find” enough votes to overturn his defeat in Georgia.
“We had all these people telling us, ‘It’s the voting machines, it’s the voting machines.’ Well, it’s one thing to say that, and it’s another to have to put it into a lawsuit where you have to put on evidence and you have to have an expert,” Mitchell said.
She told the donors that she didn’t have the time or money to find analysts who could investigate the claims.
“Bring me the proof. I’m a lawyer. I have to look at something if it can be proven in a court of law. And I haven’t had that.”
“Iran gained access to election results server in 2020, military reveals”
The U.S. military discovered that an Iranian hacking group had penetrated a local government website that was to report 2020 election results and disrupted the attack before the votes were tallied, officials revealed Monday during a conference of cybersecurity professionals.
Officials said that while neither the votes nor the counting machines would have been affected by the intrusion, the hackers could have rendered the public-facing website for displaying results unreachable or posted fake results, shaking public confidence in the true results.
“It could make it look like the votes had been tampered with,” said Maj. Gen. William J. Hartman, commander of the Cyber Command’s Cyber National Mission Force.
Hartman did not reveal which website had been penetrated. He said his group of 2,000 cyber experts discovered the penetration during its “hunt forward” efforts overseas, then alerted the Department of Homeland Security, which helped the unnamed local government thwart the intrusion.
Hartman spoke during a rare joint presentation with the head of the DHS agency for domestic cyberdefense at the annual RSA security industry conference in San Francisco. Until his presentation Monday, the Iranian intrusion had been classified.
“Exclusive: Text messages reveal Trump operatives considered using breached voting data to decertify Georgia’s Senate runoff in 2021”
In mid-January 2021, two men hired by former President Donald Trump’s legal team discussed over text message what to do with data obtained from a breached voting machine in a rural county in Georgia, including whether to use it as part of an attempt to decertify the state’s pending Senate runoff results.
The texts, sent two weeks after operatives breached a voting machine in Coffee County, Georgia, reveal for the first time that Trump allies considered using voting data not only to overturn the results of the 2020 presidential election, but also in an effort to keep a Republican hold on the US Senate.
“Here’s the plan. Let’s keep this close hold,” Jim Penrose, a former NSA official working with Trump lawyer Sidney Powell to access voting machines in Georgia, wrote in a January 19 text to Doug Logan, CEO of Cyber Ninjas, a firm that purports to run audits of voting systems.
In the text, which was obtained by CNN and has not been previously reported, Penrose references the upcoming certification of Democrat Jon Ossoff’s win over Republican David Perdue.
“We only have until Saturday to decide if we are going to use this report to try to decertify the Senate run-off election or if we hold it for a bigger moment,” Penrose wrote, referring to a potential lawsuit.
The plot to breach voting systems in Coffee County, coordinated by members of Trump’s legal team including Rudy Giuliani and Sidney Powell, is part of a broader criminal investigation into 2020 election interference led by Fulton County District Attorney Fani Willis.
Willis’ office is weighing a potential racketeering case against multiple defendants and is actively deciding who to bring charges against, sources tell CNN. Willis has subpoenaed a number of individuals involved in the Coffee County breach, including the two men who carried it out who were in touch with Penrose and Logan.
Willis has also subpoenaed Giuliani and Powell as part of her probe. Giuliani has been told he’s a target in the Fulton County probe, CNN previously reported. The special grand jury convened for the case recommended issuing multiple indictments in its final report completed in February, according to the jury foreperson.
A source familiar with Willis’ investigation tells CNN that Willis and her team have in their possession evidence that Trump allies planned to use the breached voting data from Georgia to try to decertify the state’s senate runoff election. Emails obtained by CNN show Penrose and Powell arranged upfront payment to a cyber forensics firm that sent a team to Coffee County on January 7, 2021.
“No consequences so far after Trump supporters copied Georgia election data”
Mark Niesse for AJC:
Caught by surveillance video, text messages and emails, overwhelming evidence shows that supporters of then-President Donald Trump copied Georgia’s statewide voting software from an election office in rural Coffee County in early 2021.
Yet no one has been charged, the FBI doesn’t appear to be investigating the case, and the GBI investigation has been pending for eight months.
So far, everyone involved in the scheme has escaped accountability, including former Trump attorney Sidney Powell, a phony Republican elector who tried to award Georgia’s votes to Trump, and county election officials who helped them take vast amounts of election data.
They copied the files on Jan. 7, 2021 — the day after a mob attacked the U.S. Capitol and two days after runoffs in Georgia flipped control of the U.S. Senate.
Georgia law enforcement and election officials say they’re taking the case seriously, but little information has been made public while the investigation remains open.
Election security experts have warned that the disclosure of the inner workings of Georgia election computers increases the risk of hacks in future elections, and it could be used to fabricate evidence or spread misinformation.
“The message the GBI is telling people is that it’s OK to go into Georgia and take our software and nothing is going to happen to you. The same message is coming from the FBI, too,” said Susan Greenhalgh, senior adviser for the advocacy group Free Speech for People. “There’s no publicly available information that would indicate this investigation is being executed with great rigor.”
“New ballot-counting machines tested in spring voting were accurate, election officials say”
From NHPR, and no surprise. But/and this is also the best kind of service journalism.
County boards and hand counts
There’s been ample publicity about the conspiracy-fueled decision in Shasta County, CA to hand-count election results (more here), and a similar truncated effort in Cochise County, AZ. (Aside from the fact that tallies will take far longer and cost far more, I’m old enough to remember when hand counting wasn’t seen as the guarantor of reliability.)
But sometimes all the attention to the outliers can make it seem like the outlier cases are actually the norm. So it’s also worth lifting up what’s happening far more frequently: county boards unanimously heeding state law and facts on the ground. To wit: this 6-0 decision in Ionia County, MI, last week.
“Here’s how protected election system blueprints are making their way into far-right circles”
On the third day of the Conservative Political Action Conference earlier this month, two men delivered on experts’ biggest concerns about attempts to access election machines after the 2020 election.
Using copies of election software — improperly removed from multiple counties — that has been circulating among election deniers, they presented an unfounded narrative that they had discovered evidence of fraud and foreign interference. They also discussed their goal to secure jobs as election officers and build a team of computer experts to access elections systems in more than 60 counties in order to prove their theories.
“This is exactly the situation that I have warned about,” said election technology expert Kevin Skoglund, a senior technical advisor at the National Election Defense Coalition. “Having the software out there allows people to make wild claims about it. It creates disinformation that we have to watch out for and tamp down.”
Skoglund is among the election security experts concerned that bad actors are using the time between the 2020 and 2024 elections to study election systems and software in order to produce disinformation during the next presidential election, such as fake evidence of fraud or questionable results.
Described as an election integrity presentation, the event wasn’t on the official CPAC agenda or sanctioned by the organization, but took place in a guest room at a nearby hotel. Some CPAC sponsors hold their own sessions, which are planned and produced by them and not CPAC.
Only a small number of people attended the event in person. At least 2,800 people watched live online through a far-right broadcast, according to that show’s host. That broadcast included commentary from election deniers before and after the presentation.
California: “Shasta supervisors pursue hand count election plan, details remain unclear”
After ditching Dominion Voting Systems in January, Shasta County still doesn’t have a clear way to conduct elections. The county’s Board of Supervisors voted on Tuesday to try hand counting every ballot.
Shasta County supervisors moved forward with an unprecedented plan to hand-count every ballot in future elections. No other county in California counts all ballots by hand.
During the Board of Supervisors meeting Tuesday, County Clerk Cathy Darling Allen pleaded with supervisors to choose one of three certified voting systems in California to avoid running afoul of state and federal laws.
“You can hear the irritation in my voice,” she said. “But I have spent the last two-and-a-half years defending a process that is not broken.”
On Monday, Darling Allen sent a letter outlining the urgency that county supervisors choose a certified voting system to be prepared for upcoming elections.
Darling Allen estimated the board would need to provide around $1.6 million and 1,200-1,300 new staff members if they wanted to count the results of the entire election by hand.
“While my office is full of extremely competent and prepared professionals, even we cannot perform miracles,” she said.
The estimated cost Darling Allen provided is just to hire the temporary staff. She said that doesn’t include post-election audits and rental of a facility large enough to accommodate the ballot-counting teams.
In January, Shasta County supervisors voted 3-2 to cancel their contract with Dominion Voting Systems, amidst unproven claims that the machines were used to switch votes from Donald Trump to Joe Biden in the 2020 election.
“Is anyone investigating Trump allies’ multi-state effort to access election systems?”
As news trickled out that former President Trump’s supporters had organized to access federally protected election machines and copied sensitive information and software, election expert Susan Greenhalgh waited for FBI or Justice Department leaders to announce an investigation.
“It just seemed so stunning that we thought, well of course there’s going to be a big reaction and the government is going to investigate,” said Greenhalgh, senior advisor on election security for the nonprofit Free Speech For People.
When months passed with no such announcement, Greenhalgh and over a dozen other election experts wrote a 14-page letter to Justice Department leaders in December outlining what they called a “multi-state conspiracy to copy voting software” and asking the agency to open an investigation.
Greenhalgh was baffled when she received a terse, noncommittal response from the FBI a month later that seemed to indicate no action had been or would be taken at the federal level.
Now, just months before the 2024 presidential primaries, it remains unclear whether any federal agency has plans for a comprehensive investigation of the effort to gain access to election systems. Election and law enforcement experts are concerned that the stolen information might be used to interfere with future elections and that the FBI and Justice Department may be sending the wrong signal to those responsible if agencies don’t investigate.
Without a national investigation, “we’re never going to know what the overall plan here was,” Greenhalgh said.
“Don’t we need to know that?” she continued. “We don’t know what this was all about, and it’s dangerous to guess or assume that, ‘Oh well, because President Biden was inaugurated on [Jan. 20], this no longer poses a threat.’”
The bulk of what is known about the effort has come from investigative reporting, a handful of state inquiries and a years-long federal civil suit against Georgia authorities over the security of the state’s elections. Those sources found that an organized network of people scrambled to access county election systems in the weeks after the 2020 election and in at least the first six months of 2021.
In two instances, courts or state lawmakers granted access to the systems. In a handful of states, Trump supporters convinced election officials or law enforcement to give them access to election machines, including in Mesa County, Colo.; Coffee County, Ga.; Fulton County, Pa.; and several Michigan counties.
After obtaining access, third parties copied sensitive information, including software used in election equipment in a majority of U.S. counties, and shared the information with an unknown number of people. It is not clear that every county where election systems were accessed has been identified. Those involved have indicated in news reports that similar efforts to access election machines were made in several other states.
Despite evidence that the same people were involved in multiple states and that the effort was funded in part by prominent Trump supporters including his former lawyer Sidney Powell, there is little indication a federal inquiry is underway.
“Because there is a nationwide pattern here involving the same people, and because of the risk that those individuals will organize this yet again, I think it is … important that federal authorities look at the larger pattern,” said Norm Eisen, a longtime election lawyer who was involved in Trump’s first impeachment. “It needs to be analyzed as a recurring pattern so that that pattern does not continue to occur in the future.”
Must-read from Andrew Appel: “Unrecoverable Election Screwup in Williamson County TX”
Andrew over at Freedom to Tinker, with the kind of problem that is not going to be caught by a typical post-election audit:
In the November 2020 election in Williamson County, Texas, flawed e-pollbook software resulted in voters inadvertently voting for candidates and questions not from their own districts but from others in the same county. These voters were deprived of the opportunity to vote for candidates they were entitled to vote for—and their votes were wrongly counted in elections that they shouldn’t have voted in. This wasn’t the voters’ fault, but it does mean that the results in elections for local offices were affected by this screwup by Tenex Software Solutions. Tenex’s e-pollbook malfunctions call into question the results of the 2020 school district races, municipal elections, potentially a county commissioners race, and state legislative races in Williamson County.
As more and more states use e-pollbooks in vote centers, election administrators should understand this failure, because it could potentially affect any kind of e-pollbook that prints ballots on demand.
I’ve written about other screwups caused by election software or hardware—in Antrim County MI, in Windham NH, in Mercer County NJ—but in all those cases, voters marked the paper ballots they were entitled to vote on, and election officials can and did recount those ballots to report accurate election results. That is, all those screwups were recoverable, and election officials took immediate action to recount and recover—to get an accurate result.
But in Williamson County, the mistake was unrecoverable. Once the voters have been given the wrong ballots, then no amount of recounting can recover a fully valid election result. Because all these voters were in the same county, this screwup did not affect any countywide offices, statewide offices, or the Presidential election: any countywide or statewide candidate would be on every ballot in the county, so all those votes could be cast and counted accurately. But for local races and referendum questions, and for state legislative districts, voters registered in those localities did not seem to be the ones actually voting….
Read the whole thing.
“Security experts warn of foreign cyber threat to 2024 voting”
Top state election and cybersecurity officials on Thursday warned about threats posed by Russia and other foreign adversaries ahead of the 2024 elections, noting that America’s decentralized system of thousands of local voting jurisdictions creates a particular vulnerability.
Russia and Iran have meddled in previous elections, including attempts to tap into internet-connected electronic voter databases. Distracted by war and protests, neither country appeared to disrupt last year’s midterm elections, but security officials said they expect U.S. foes to be more active as the next presidential election season draws near. The first primaries are less than a year away.
Jen Easterly, director of the federal Cybersecurity and Infrastructure Security Agency, referenced Russia’s attack on Ukraine and the U.S.-led effort to supply weapons and other aid to the besieged country as a possible motivator. She said the agency was “very concerned about potential retaliation from Russia of our critical infrastructure.”
She also mentioned China as a possible source of election interference, especially as the relationship between the two countries has deteriorated, most recently over the suspected spy balloon that floated across the country before being shot down by a U.S. fighter jet.
“We’ve not seen anything here, but I’d like to end that with the word – yet,” said Easterly, speaking during the annual gathering of the National Association of Secretaries of State.
Of particular concern is the decentralized nature of America’s election system. There are some 10,000 local voting jurisdictions throughout the U.S., including counties and townships, according to the National Conference of State Legislatures.
Not all of those have funding for new equipment, proper staffing or updated training of election workers. Easterly said it was a priority of her agency to get money and expertise to what she termed “target-rich, cyber-poor” entities.