That said, the GOP voters of Georgia and the country should not be made to pay the price for Georgia state politicians — led by the Secretary of State — ramming through the use of a new electronic voting system that was identified months in advance of having operation deficiencies, vulnerabilities, and the inability to have a meaningful post-election audit or recount of ballots in the event of a razor-thin outcome.
On October 12, 2020, District Court Judge Amy Totenberg issued an Order denying a motion for preliminary injunction sought by various voting rights groups that would have prevented the Georgia Secretary of State from using a new electronic voting system which it contracted with Dominion Voting Systems to provide.
This case was originally filed in 2017 — it has nothing to do with COVID-19, mail-in voting, or changes to Georgia election laws by any judge. In 2019, Judge Totenberg held that Georgia’s existing voting system was unreliable and used software vulnerable to outside penetration that posed problems for election security and integrity. She found that the experience of Georgia voters in the 2018 midterm elections confirmed that continued use of the existing system violated state and federal constitutional rights of Georgia residents to free and fair elections, and ordered Georgia to replace the outdated “electronic touch” voting machines with either a paper-marking balloting system or an electronic balloting system that generated a paper ballot that the voter could review prior to the votes being cast.
The Georgia Secretary of State, the defendant in the litigation, entered into a $105 million contract with Dominion Voting Systems (DVS) to provide electronic voting equipment and a tabulating system in time for use in the November 2020 general election.
After the selection of that system, and specifications for the devices were made public, the Plaintiffs went back to Judge Totenberg seeking injunctive relief to prevent Georgia from using the new DVS system during the November 2020 election. They sought an order forcing Georgia to use a voter-marked paper-ballot system. As characterized by the Court, the Plaintiffs claims were:
…Defendants have failed to implement a constitutionally acceptable election system by requiring all in-person voters to use a BMD [“ballot marking device”] system that, as a whole, in its design and operation, is not voter-verifiable, secure, or reliable. They contend this system suffers from some of the same major cybersecurity vulnerabilities posed by Defendants’ deeply flawed, outdated Direct Recording Electronic (“DRE”) Voting System addressed by the Court’s lengthy Order of August 15, 2019 that granted injunctive relief.3 Plaintiffs’ challenge embraces an array of associated issues involving the electronic voting process that impact if an individual’s vote (whether recorded from a scanned BMD-generated barcode or a hand-marked paper ballot) will be correctly captured, scanned, and accurately counted. Their claims thus also raise significant issues regarding the auditing of the election system’s voting results and ballot processing.
Among the concerns was that the DVS system used electronic “ballot marking devices” — computerized screens — onto which the voter input their selections for each race. That BMD was connected to a printer, and the printer would issue a paper version of the ballot selections made by the voter for the voter to confirm before scanning the ballot. BUT, when scanned, the tabulating software did not “read” the indicated “markings” of the voter as depicted on the ballot. Rather, the paper ballot had a bar code imprinted on it, and the bar code contained the ballot selections made by the voter. The scanning software read the barcode, and recorded votes based on what was contained in the barcode.
But the voter could not verify that the barcode reflected the selections as depicted on the paper printed ballot, so the voter had no way of knowing if the information on the barcode accurately reflected the voter’s selections on the BMD, and then on the printed ballot.
The fact that the barcode is not encrypted meant that any determined hostile actor who could gain access to the tabulation system through hacking or otherwise (a thumb drive with the necessary malware would be sufficient) would have the ability to alter votes reflected on the barcodes in a manner that might be undetectable after the fact.
The full opinion is 149 pages long and is dense with summaries of expert witness testimony and opinions with regard to security and reliability of the DVS devices that Georgia employed in its new voting system.
But the Court ultimately found that ordering any wide-ranging alteration of the voting system to take the place of the DVS devices that were in place — notwithstanding their vulnerability and deficiencies — would not be possible without wholesale disruption of the election day vote which was only three weeks away. Georgia had no back-up “paper marking” balloting system to employ and putting such a system in place, printing ballots, and training election workers in how to conduct such an election day process was a factual impossibility. So, in the end, Judge Totenberg denied the motion for a preliminary injunction and allowed Georgia to go forward with the new DVS system on November 3.
But she did so only with this final warning:
The Court’s Order has delved deep into the true risks posed by the new BMD voting system as well as its manner of implementation. These risks are neither hypothetical nor remote under the current circumstances. The insularity of the Defendants’ and Dominion’s stance here in evaluation and management of the security and vulnerability of the BMD system does not benefit the public or citizens’ confident exercise of the franchise. The stealth vote alteration or operational interference risks posed by malware that can be effectively invisible to detection, whether intentionally seeded or not, are high once implanted, if equipment and software systems are not properly protected, implemented, and audited. The modality of the BMD systems’ capacity to deprive voters of their cast votes without burden, long wait times, and insecurity regarding how their votes are actually cast and recorded in the unverified QR code makes the potential constitutional deprivation less transparently visible as well, at least until any portions of the system implode….
The Plaintiffs’ national cybersecurity experts convincingly present evidence that this is not a question of “might this actually ever happen?” – but “when it will happen,” especially if further protective measures are not taken. Given the masking nature of malware and the current systems described here, if the State and Dominion simply stand by and say, “we have never seen it,” the future does not bode well.
Still, this is year one for Georgia in implementation of this new BMD system as the first state in the nation to embrace statewide implementation of this QR barcode-based BMD system for its entire population. Electoral dysfunction – cyber or otherwise – should not be desired as a mode of proof. It may well land unfortunately on the State’s doorstep. The Court certainly hopes not.
One issue presented in the case was that the unencrypted barcodes — because they were insecure — could never be the basis for an audit of the accuracy of the vote. If the vote was manipulated through the barcodes, then the manipulation would persist into any recount or audit of the outcome.
I’ll try to look a little more deeply at this case again when there is more news about what direction the outcome in Georgia is headed.