by Jeff Carlson
Behind the current controversy surrounding the integrity of results from the Nov. 3 presidential election in Georgia are years of court battles over an outdated voting system and the controversial $107 million purchase of new touchscreen machines from Dominion Voting Systems in July 2019.
A review of court documents and sworn expert testimonies raises troubling questions about the Dominion voting system and its rushed implementation by the State of Georgia.
Among the many issues raised was the inability to accurately audit Dominion’s systems in order to verify that votes were cast as intended. Audit and cybersecurity experts also demonstrated to the court how the Dominion system inherently prevented the successful use of risk-limiting audits (RLA)—a method employed by Georgia during the recount.
Cybersecurity experts provided evidence to the court that Dominion’s QR system wasn’t secure, was subject to duplication, and that the ability to generate fake QR codes existed. A nationally recognized cybersecurity expert also found that during Georgia’s August 2020 elections, servers at two county election offices he visited “enabled unsafe remote access to the system through a variety of means,” including the use of flash drives.
This same expert found that in one of those counties, “server logs were not regularly recording or updated in full and that Dominion’s technical staff maintained control over the logs and made deletions in portions of the logs.”
Computer science experts also found significant problems with the testing processes used by Pro V&V in the testing of the Dominion equipment. In a case that involved last-minute updates to Dominion software in late September 2020, the court was told that the testing lab “performed only cursory testing of this new software.”
Additionally, during testing in 2019, a Dominion system experienced what was termed a “memory lockup” after scanning only 4,500 ballots. An analysis from Dominion determined that a “power cycle” of the unit is required after scanning more than 4,000 ballots. It isn’t known if this issue was fixed prior to the 2020 elections or if election workers were properly trained in the event the issue was still present in the Dominion systems.
The court also found that the manner in which the Dominion system functions failed to meet the requirements of Georgia election law. As U.S. District Judge Amy Totenberg noted, Dominion’s system “does not produce a voter-verifiable paper ballot or a paper ballot marked with the voter’s choices in a format readable by the voter because the votes are tabulated solely from the unreadable QR code.”
In response to the problems presented to the court, Totenberg issued a ruling, noting “demonstrable evidence” that the implementation of Dominion’s systems by the State of Georgia places voters at an “imminent risk of deprivation of their fundamental right to cast an effective vote,” which the judge defined simply as a “vote that is accurately counted.”
However, Totenberg ruled that “despite the profound issues raised … the Court cannot jump off the legal edge and potentially trigger major disruption in the legally established state primary process.”
Dominion Systems Don’t Conform to State Law
While acknowledging that Georgia’s Election Code mandates the use of a ballot-marking device (BMD) system as the method of voting in Georgia, Totenberg also noted there are certain legal requirements that must be concurrently met in the use of such a system:
“The statutory provisions mandate voting on ‘electronic ballot markers’ that: (1) use ‘electronic technology to independently and privately mark a paper ballot at the direction of an elector, interpret ballot selections, communicate such interpretation for elector verification, and print an elector verifiable paper ballot;’ and (2) ‘produce paper ballots which are marked with the elector’s choices in a format readable by the elector.’”
And as noted by the judge, the Dominion systems and equipment purchased by the State of Georgia failed to conform to the state’s own legal requirements:
“The evidence shows that the Dominion BMD system does not produce a voter-verifiable paper ballot or a paper ballot marked with the voter’s choices in a format readable by the voter because the votes are tabulated solely from the unreadable QR code. Thus, under Georgia’s mandatory voting system for ‘voting at the polls’ voters must cast a BMD-generated ballot tabulated using a computer generated barcode that has the potential to contain information regarding their voter choices that does not match what they enter on the BMD (as reflected in the written text summary), or could cause a precinct scanner to improperly tabulate their votes.”
In other words, the equipment, as provided by Dominion and put in place by the state, failed to meet the legal requirements that Georgia has in place for a voting system.
Risk-Limiting Audits Deemed Unreliable
Totenberg also addressed the use of risk-limiting audits (RLA), a statistical methodology used to audit election outcomes before they become official that has been endorsed by the National Academy of Sciences, Engineering, and Medicine.
As the judge noted, the consensus among experts is that “the best audit trail is voter-marked paper ballots.” By contrast, “voter-verifiable paper records printed by voting machines are not as good.”
Georgia’s use of the new Dominion machines created a particular problem regarding the performance of a successful RLA, precisely because the system “by its nature, erases all direct evidence of voter intent.” As Totenberg stated, “There is no way to tell from a BMD printout what the voter actually saw on the screen, what the voter did with the device, or what the voter heard through the audio interface.”
This creates a situation in which auditors are severely limited and “can only determine whether the BMD printout was tabulated accurately, not whether the election outcome is correct.” Totenberg stated in her ruling that a BMD printout “is not trustworthy” and the application of an RLA to an election that used BMD printouts “does not yield a true risk-limiting audit.”
Election security expert J. Alex Halderman noted the same issues in a sworn declaration, telling the court, “if voters do not reliably detect when their paper ballots are wrong, no amount of post-election auditing can detect or correct the problem.”
VotingWorks Employed Risk-Limiting Audit in Georgia
During the court proceedings, two contrasting views were presented. Ben Adida, founder and executive director of VotingWorks, claimed that as long as “voters verify the text, and as long as RLAs are conducted on the basis of the same ballot text, then potential QR code mismatches are caught just like any other tabulation mistake might be caught.”
But Adida’s position was heavily criticized by Philip Stark, a “preeminent renowned statistician,” who is the “original inventor and author of the risk-limiting audit (“RLA”) statistical methodology.”
Stark noted that Adida’s premise relies on the assumption that voters will actually review and verify their ballot selections on their ballot printout. But “overwhelming evidence from actual studies” of voter behavior “suggests that less than ten percent of voters check their printouts and that voters who do check often overlook errors.”
Therefore, following an actual election—such as the Nov. 3 presidential election—there is simply no way to ascertain how many voters actually checked their BMD printouts for accuracy, inherently impairing, and perhaps destroying, the value of a post-election audit.
Additionally, Stark “categorically” disagreed with Adida’s position that a post-election audit can establish that the voting systems actually functioned correctly during the elections. As Stark told the court, “audits of BMD-marked ballot printouts cannot reliably detect whether malfunctioning BMDs printed the wrong votes or omitted votes or printed extra votes.”
Notably, Stark testified that “this is true, even if the malfunctions were severe enough to make losing candidates appear to win.”
Despite the significant issues noted by Stark, the State of Georgia had already “contracted with Adida’s VotingWorks for guidance in the development and implementation of a RLA.”
Indeed, VotingWorks was used by Georgia to perform its risk-limiting audit of the Nov. 3 presidential election:
“Georgia’s first statewide audit successfully confirmed the winner of the chosen contest and should give voters increased confidence in the results,” said Ben Adida, Executive Director of VotingWorks. “We were proud to work with Georgia on this historic audit. The difference between the reported results and the full manual tally is well within the expected error rate of hand-counting ballots, and the audit was a success.”
Despite the material flaws inherent to employing an RLA, particularly given Georgia’s statewide implementation of Dominion’s voting systems, this didn’t keep Secretary of State Raffensperger from announcing the results of the audit as certain:
“Secretary of State Brad Raffensperger announced the results of the Risk Limiting Audit of Georgia’s presidential contest, which upheld and reaffirmed the original outcome produced by the machine tally of votes cast. Due to the tight margin of the race and the principles of risk-limiting audits, this audit was a full manual tally of all votes cast. The audit confirmed that the original machine count accurately portrayed the winner of the election.”
Raffensperger’s statement is in direct conflict with that of Totenberg, who noted that “there is no audit remedy that can confirm the reliability and accuracy of the BMD system, as Dr. Stark has stressed.”
Encryption Claim Disputed by Court
Judge Totenberg noted that Georgia had presented the cybersecurity of Dominion’s systems as “reliable and fortified,” based on the testimonies of Eric Coomer, Dominion’s director of product strategy and security, and Jack Cobb, the laboratory director for Pro V&V.
Notably, Secretary of State Raffensperger had retained Pro V&V to perform a review of the Dominion system purchased by Georgia. One of the representations made by Cobb was that the system’s security was “fortified by the encryption of the QR code [a scan code produced by the ballot machine after voting] and accompanying digital signature code as well as various other security measures.”
Despite Cobb’s claims of “fourteen years of experience in testing voting machines,” the court found that Cobb lacked “any specialized expertise in cybersecurity testing or analysis or cybersecurity risk analysis.” Additionally, the court found that Cobb “had not personally done any of the security testing referenced in his affidavits.”
During testimony, Cobb testified that QR codes on Dominion’s printed ballots are encrypted, but that assertion was immediately disputed by plaintiff experts. Under questioning, the court found that Cobb was using Dominion’s documentation for his claim that QR codes were encrypted, but hadn’t actually tested the claim.
The court found that the “evidence plainly contradicts any contention that the QR codes or digital signatures are encrypted,” and pointed out that this was “ultimately conceded by Mr. Cobb and expressly acknowledged later by Dr. Coomer during his testimony.”
The court also heard from Vincent Lui, a leading international cybersecurity analyst who is CEO of cybersecurity firm Bishop Fox. He started with the National Security Agency as a global network exploitation analyst, and led the global penetration team for Honeywell International.
During testimony, Lui “addressed head-on the inaccuracy of any contention that the QR code or signature utilized in the Dominion BMD system in Georgia is encrypted.” Lui noted that while his firm wasn’t granted physical access to the Dominion machines in Georgia, it was able to develop code that read the Dominion QR code. From there, they extracted the raw data and determined that the Dominion QR code wasn’t encrypted and the ability to generate fake QR codes existed:
“In this case, public-key cryptography was not being used with QR codes. And so the implication is that with the BMDs and the generation of the QR codes themselves — the implication with the design of the Dominion BMD system is that any device that has necessary keys to operate would be able to generate a fake QR code. And you would not be able to determine which machine generated it, whether it was the EMS, the BMD, the ICP, or any other system that had that key loaded on to it.”
This conclusion was echoed by Halderman (also an expert witness in the court case) during an Oct. 26 interview with PBS Newshour. Halderman stated that by “analyzing the structure of the QR codes, I have been able to learn that there’s nothing that stops an attacker from just duplicating one, and the duplicate would count the same as the original bar code.”
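The point made in Lui’s testimony and Halderman’s interview above, as an added illustration (not code from the article, the court record or Dominion): when every device authenticates with one shared key, their tags are byte-identical, so a verifier cannot tell which device produced a code, and a copied code verifies again. HMAC-SHA256, the device names, the keys, the `nonce` field and the payload layout are assumptions made for this example; the article does not describe the actual algorithm or format.

```python
import hashlib
import hmac

# Constructed sample values: device names, keys and payload layout are all
# hypothetical and do not reproduce any vendor's format.
DEVICES = ("EMS", "BMD-01", "ICP-07")
SHARED_KEY = b"constructed-shared-key"
DEVICE_KEYS = {d: hashlib.sha256(b"constructed-seed/" + d.encode()).digest()
               for d in DEVICES}
SAMPLE = b"nonce=000123|contest=1|choice=2"


def tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def shared_key_tags(payload: bytes) -> dict:
    """Tag each device would emit when all of them hold the same key."""
    return {d: tag(SHARED_KEY, payload) for d in DEVICES}


def attribute(payload: bytes, mac: bytes):
    """Per-device keys: return the device whose key made `mac`, else None."""
    for name, key in DEVICE_KEYS.items():
        if hmac.compare_digest(tag(key, payload), mac):
            return name
    return None


class Tabulator:
    """Counts each authenticated payload once, keyed on its nonce field."""

    def __init__(self):
        self.seen = set()
        self.counted = []

    def accept(self, payload: bytes, mac: bytes) -> bool:
        origin = attribute(payload, mac)
        nonce = payload.split(b"|", 1)[0]
        if origin is None or nonce in self.seen:
            return False  # unauthenticated, or a copy of a counted code
        self.seen.add(nonce)
        self.counted.append((nonce, origin))
        return True
```

Per-device symmetric keys only separate the devices from one another; the verifier still holds every key, so origin that a third party can check requires public-key signatures. Neither change addresses the case Lui raises next, a compromised BMD that authenticates whatever it prints.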
Lui noted that if you have “an infected BMD that has been compromised [by malware], it can just tell you whatever value that it wants. [A]s it is deployed within the Dominion devices, it does not appear to be used in a fashion that could be considered secure. It can easily be circumvented.”
Lui’s concerns with the security of the Dominion system didn’t end there. He informed the court that the underlying Android operating system was “over half a decade out of date,” and also noted that the Dominion system used “USB devices and portals,” which Lui considered to be “fraught with security concerns.”
Lui concluded that “the design of the security of the BMD [Dominion] system is not secure and requires a more in-depth review.”