Right before midterms, a United States District Court judge found that Georgia’s electronic voting machines are extremely vulnerable to hacking and foreign meddling — including from Russia — but ruled against changing the state’s elections systems to avoid voter confusion and chaos.
But by simply highlighting the vulnerability of Georgia’s electronic voting machines, the judge may have already undermined voter confidence just weeks before the midterms.
The new ruling from Judge Amy Totenberg in Curling v. Kemp found that Georgia’s electronic voting machines are so easily hacked that it is irresponsible for a locality or state to use them without a paper audit trail.
Georgia’s machines do not have paper audit trails.
Totenberg admonished the state of Georgia for not properly addressing election security issues in time for the 2018 midterm elections, reminding them that “2020 elections are around the corner” and that “if a new balloting system is to be launched in Georgia in an effective manner, it should address democracy’s critical need for transparent, fair, accurate, and verifiable election processes that guarantee each citizen’s fundamental right to cast an accountable vote.”
Over the past few years, cybersecurity experts and lawyers have told state and local governments repeatedly that electronic voting machines and platforms are easily hacked and should either be substantially reinforced or at least have verifiable paper audit trails.
Just last week, an MIT computer scientist demonstrated how to hack an electronic voting machine — the AccuVote TS-X — which is used in some localities of 18 states, but is used statewide in Georgia.
Atlanta attorney Bruce Brown, who told the state of Georgia that its central election server was “insecure” months before the 2016 presidential election, told Totenberg in an August court filing that it would be “prudent” for the state to switch to paper ballots.
According to the ruling, “In August 2016, Logan Lamb, a professional cybersecurity expert in Georgia, went to CES’s public website and discovered that he was able to access key election system files, including multiple gigabytes of data and thousands of files with private elector information. The information included electors’ driver’s license numbers, birth dates, full home addresses, the last four digits of their Social Security numbers, and more. Mr. Lamb was also able to access, for at least 15 counties, the election management databases from the GEMS central tabulator used to create ballot definitions, program memory cards, and tally and store and report all votes. He also was able to access passwords for polling place supervisors to operate the DREs and make administrative corrections to the DREs.”
Lamb alerted authorities but the state did not act on his research.
The plaintiffs — which included lead plaintiff Donna Curling and the Coalition for Good Governance — sought a court order to declare use of Georgia’s electronic voting machines unconstitutional (because they are insecure and thus deprive Georgians of their constitutional right to vote) and “an injunction prohibiting [the state] from conducting public elections with optical scanned paper ballots without also requiring post-election audits of paper ballots to verify the results.”
While Totenberg sympathized with the plaintiffs, she ruled in favor of the defendants (including Georgia Secretary of State Brian Kemp and the State Election Board) due to such close proximity to midterms while advising the defendants that “further delay is not tolerable in their confronting and tackling the challenges before the State’s election balloting system.”
The plaintiffs told the Washington Post that they are confident they will eventually succeed because Totenberg has not ruled on the “underlying claims” of the case — that use of the machines is unconstitutional. They plan to appeal.
Despite Totenberg’s recommendation that the state should update its election system to include a paper audit trail, the fact that her decision comes so close to midterms and is so dismissive of Georgia’s election security may cast substantial doubt on Georgia’s midterm results and could have serious consequences for voter confidence.
The Center for Democracy and Technology’s Senior Technologist Maurice Turner told InsideSources in an interview that Totenberg’s ruling is a “net negative” for voter confidence and the integrity of Georgia’s election systems.
“Voter confidence is critical,” Maurice said. “If election officials can’t convince voters that the election systems themselves are sound, I can’t think of any other reason why voters would feel confident their ballot is going to be counted correctly. We need to move beyond having faith in the election officials, they really need to stand up and prove that the procedures they haven place are actually valid and worthy of voters having confidence.”
Maurice said he “totally agrees” with Totenberg’s decision that switching the election system two months before midterms is “impractical,” but he also said her decision could create chaos after the votes are counted.
“It provides ample opportunity for folks on either side of any of these races to be able to point at this fundamental flaw in the Georgia election system and say, hey look there’s something wrong here, so if one side loses they might blame the voting machines, and I believe that’s the worst case scenario,” he said.
Furthermore, he said, despite Totenberg’s rebuke to the state, it’s unlikely the state will fix its election system in time for the 2020 presidential election.
“I have my doubts two years is long enough,” he said. “If you’re talking about the same governor, secretary of state and staff, it seems that there are issues below the surface we may not have visibility into, and unless those are addressed, I’m not confident they’ll implement this new system and be effective and with fewer errors by 2020. They may need some assistance.”
Maurice said the case also speaks to the importance of security researchers, “not only when it comes to finding vulnerabilities but also being able to report on them in a responsible manner.”
“Lamb did the right thing repeatedly, but unfortunately there was not an appropriate system in place to handle it,” Maurice said. “It highlights the need for all organizations to have a clear, publicly available vulnerability disclosure policy so when a researcher in good faith finds vulnerabilities, there is a legal safe harbor and the vulnerabilities can be mitigated in an appropriate amount of time.”