Susan Greenhalgh and Philip Stark: “Setting the record straight on the security review in the Georgia voting machine lawsuit”

The following is a guest post from Susan Greenhalgh and Philip Stark:

Last month, Election Law Blog highlighted a Votebeat newsletter published January 29 by Jessica Huseman, a response to a story in the Atlanta Journal Constitution. The newsletter purported to provide missing context and expert analysis of the debate over Professor J. Alex Halderman’s court-sealed security study of Georgia’s electronic ballot marking devices in Curling et al. v. Raffensperger et al. (originally Curling et al. v. Kemp et al.).

The Votebeat piece was riddled with inaccuracies, flawed assumptions, and faulty conclusions—perhaps because Huseman did not seek comment or context from Prof. Halderman or anyone else directly involved in the plaintiffs’ side of the case.

Shortly after the newsletter was published, we contacted Votebeat. We provided evidence supporting our concerns, and requested the piece be corrected. Several weeks passed without any corrections, so we contacted Votebeat again last week. Votebeat subsequently republished the story on its website with minor corrections, without noting the story had been corrected. Many important errors remain, which is why we, as expert consultants to the Coalition plaintiffs in Curling with direct knowledge of the facts, including the content of the Halderman report, are writing to set the record straight.

The central thesis of the newsletter is that Curling and similar lawsuits challenging electronic voting machines are pointless (or worse), because, Huseman alleges, they have not convinced any Court of the merits of their claims. For support, Huseman quotes David Becker, a paid consultant for the State of Georgia in their rollout of the equipment in question—but fails to disclose Becker’s relationship with the defendant. Becker falsely claims that Curling and similar suits seeking to compel jurisdictions to stop using untrustworthy voting systems have all lost in court. Huseman argues that the allegedly fruitless lawsuits serve only to feed Big Lie conspiracists. 

To support this narrative, Huseman claims that in 2019, the state ditched its direct record electronic (DRE) touchscreen voting machines on its own initiative. This is contradicted by the facts.

When first filed in 2017, Curling sought to decommission the paperless DRE machines Georgia required virtually every in-person voter to use. After a two-year court battle, on the merits of evidence and arguments, plaintiffs in Curling v. Raffensperger prevailed. A 2018 Court ruling directed the State to get rid of its paperless DRE voting system, writing: “… the Court advises the Defendants that further delay is not tolerable in their confronting and tackling the challenges before the State’s election balloting system. The State’s posture in this litigation – and some of the testimony and evidence presented – indicated that the Defendants and State election officials had buried their heads in the sand.”

The Court’s words registered with the Georgia Secretary of State’s SAFE Commission, created to guide the adoption of a new voting system. In its report, the Commission wrote: “[We are] aware of the court order in Curling v. Kemp where a federal judge strongly suggests that if Georgia does not update its voting system soon, a new system will be ordered.”

The Secretary of State publicly cited the Court’s decision in Curling as the reason the state abandoned its DRE machines, stating at a press conference: “We stood up a new voting system, new voting machines in less than six months. And that was really because we had an activist judge that said you can’t use the old DRE machines. And so, we had to do that for the first primary that we had coming up.”

In August of 2019, the Court issued a landmark ruling granting plaintiffs’ relief, permanently banning the use of the DREs in Georgia. The order barred the continued use of the DREs, warning the state that if it had any issues rolling out its new system, it could not use the old machines. Contrary to the Votebeat narrative, the Court ruled Georgia’s DRE voting machines unconstitutional based on the evidence presented by plaintiffs and their experts—including Halderman. 

The article also claims the lawsuit was brought merely because plaintiffs don’t like the equipment, dismissing the security concerns at the heart of the suit as unrealistic. This is a second major theme in the Votebeat column.

Instead of speaking with a cybersecurity researcher or Halderman himself, Huseman relies on remarks from Tammy Patrick, a senior advisor for Democracy Fund. (Huseman doesn’t disclose the fact that Democracy Fund is a financial supporter of Votebeat through its parent, Chalkbeat – apparently in violation of Votebeat’s Code of Ethics). Huseman and Patrick argue that, because Halderman had complete access to this system, his findings are unsurprising and inconsequential. In the real world, they claim, election equipment has physical security measures and is subject to tests, audits, and other procedures to prevent and detect tampering. Security testing a system with full access is inapplicable and irrelevant, the article contends.

This is an ill-informed take on how cybersecurity testing is done, and on the state of election system security and cybersecurity. It’s dangerously naïve to assume that adversaries don’t already have full access to a system. Well-resourced actors, such as nation states, can obtain the voting system software and hardware through nefarious or legitimate channels: these systems are for sale internationally. Attackers can then study the system for vulnerabilities and game out an attack that requires minimal access and could evade existing safeguards.

Threats from insiders with access to the system must also be contemplated. And because Dominion software was very publicly released last year and posted on the internet, economic and logistical barriers to accessing the software have been eliminated. Pretending that adversaries don’t have access to the system is unrealistic. Vulnerability assessments should allow researchers access to the same information available to potential attackers.

The article concedes that Halderman’s research would have value if he had been able to manipulate ballots in a way that could not be detected and prevented by the safeguards and protocols currently in place, but claims that no one who has reviewed the report has agreed that he found such vulnerabilities.

This is misleading. First, the report has been available to experts for the defendants to check, replicate, or refute since July 1, 2021. To our knowledge, they have not tried; none offered a substantive rebuttal to Halderman’s report. Second, in a publicly available declaration filed with the Court that references his full security analysis, Halderman warns “Attackers could exploit these flaws to install malicious software, either with temporary physical access (such as that of voters in the polling place) or remotely from election management systems. I explain in detail how such malware, once installed, could alter voters’ votes while subverting all the procedural protections practiced by the State, including acceptance testing, hash validation, logic and accuracy testing, external firmware validation, and risk-limiting audits (RLAs). Finally, I describe working proof-of-concept malware that I am prepared to demonstrate in court.”

Either Huseman never read Halderman’s public declaration, or she mistakenly concludes that, because the defendants have not publicly affirmed and accepted Halderman’s findings, the findings can’t be taken seriously. We are unaware of any litigation in which the defendant’s response to a plaintiff’s expert report was “we replicated your research, and you’re right!” Halderman and the plaintiffs want the report released precisely so that other entities, like the Georgia Secretary of State and the Department of Homeland Security, can evaluate and validate his findings and act to mitigate the risks. It’s illogical to argue that you shouldn’t address these security findings until there’s expert consensus to validate them, when only the defendants’ experts have had access to the findings.

The newsletter concludes by using this carelessly constructed narrative to school journalists covering Curling and give pointers about how to report on the case, taking a direct swipe at the Atlanta Journal Constitution. Huseman criticizes the AJC for quoting people whom she claimed had not actually read the report, writing “that’s not the responsible way to present these issues.” One problem—it’s wrong. As consulting experts to plaintiffs in Curling, both of us have read Halderman’s report and one of us was interviewed and quoted by the AJC. (The republished version has been corrected to note that some of those quoted by the AJC have read the report, but retains the same flawed conclusion and unfounded attack on the AJC.)

We agree with Huseman that the current situation is a mess, but her newsletter makes matters worse by citing as authorities individuals with little technical knowledge, conflicts of interest, and no knowledge of the contents of the report (and who fund Votebeat); by selective and sloppy reporting; and by distortions and inaccuracies. That is not the responsible way to present these issues.

Back Then

As an addendum, Votebeat adds a short explanation of the history of DREs and the move to paper ballots, explaining that Rep. Rush Holt (NJ) tried unsuccessfully more than once to pass legislation that would have required paper ballots and audits of all elections. The passage concludes, “More than a decade later, most states have made this transition on their own” (emphasis added).

This baseless claim ignores more than two decades of relentless work by citizen advocates all across the country, mounds of research from computer scientists,[1],[2],[3] high-profile failures of DREs,[4],[5] state- and federally sponsored research on election security,[6],[7],[8] the Secretary of Homeland Security declaring DREs a “national security concern,”[9] and the impact of the DEF CON Voting Village.[10] We sincerely doubt that the transition would have occurred without tireless, coordinated pressure from the computer security and election integrity communities.

Editor’s Note: The revised version of the Votebeat column at issue is available at this link.


[1] https://www.usenix.org/legacy/event/evt07/tech/full_papers/feldman/feldman_html/index.html

[2] https://www.cs.princeton.edu/~appel/papers/appel-evt09.pdf

[3] https://www.blackboxvoting.org/BBVreport.pdf

[4] https://www.wired.com/2004/11/computer-loses-4500-votes/

[5] https://www.nae.edu/7665/WhatHappenedinSarasotaCounty

[6] https://www.sos.ca.gov/elections/ovsta/frequently-requested-information/top-bottom-review

[7] https://www.eac.gov/sites/default/files/document_library/files/EVEREST.pdf

[8] “Securing the Vote,” The National Academies of Sciences, Engineering, and Medicine, September 2018. https://www.nap.edu/resource/25120/Securing%20the%20Vote%20ReportHighlights-Federal%20Policy%20Makers.pdf

[9] Dustin Volz, Patricia Zengerle, “Inability to audit U.S. elections a ‘national security concern’: Homeland chief,” Reuters, March 21, 2018.

[10] https://www.washingtonpost.com/local/virginia-politics/virginia-scraps-touch-screen-voting-machines-as-election-for-governor-looms/2017/09/08/e266ead6-94fe-11e7-89fa-bb822a46da5b_story.html
