Georgia voting machines get 11th-hour software fix; security experts cry foul in crucial state

From Harri Hursti Filing Declaration

There’s been lots of noise around potential problems with mail-in voting lately, but it’s not hard to find flaws in the way America counts ballots.

What would you think if a state paid more than $100 million to buy all-new electronic voting machines, and it recently found a flaw that prevented the machines from displaying all the candidates running for U.S. Senate — so the software was fixed, over a weekend and, and a week before voting was set to begin, vendors were running around the state with USB sticks upgrading thousands of machines?

Does this sound like a functioning democracy to you? If you’ve been following election technology issues for years, it might sound like….Georgia.

Anyone who’s ever witnessed installation of an across-the-board emergency software fix at work knows odds are high that fix will break something else. Can you imagine a bank doing this before launching a fleet of new ATMs, for example? That’s the situation Georgia finds itself in right now. Voting is set to begin there Oct. 12, and voting rights advocates are in federal court trying to force the state to switch to paper ballots.

The sad Georgia voting machine saga has gone on for years (with accusations that computer records that might have proven the state was hacked had been intentionally dfestroyed), but most recently, the state was forced by a federal judge to rid itself of old, insecure voting machines that did not produce a paper record after ballots were cast. Election security experts urged the state to switch to a paper ballot system, but it instead invested $100 million with Dominion Voting Systems to purchase some 30,000 new electronic voting machines — in this case, so-called ballot-marking devices that translate touch-screen inputs into paper that is fed into a optical scanning device to be counted.

While these machines do produce something of a paper “receipt” — unlike Georgia’s prior system — it’s not ideal, critics say. That receipt includes both a summary of a voter’s choices that is readable by a person and a QR code that is read by a second machine which tallies the vote. Voters cannot verify that the QR code accurately reflects their wishes.

Rollout of the new machines has not been smooth. A small, initial test late last year saw glitches. Then this year’s primary election was marred by long delays and equipment malfunctions.

So election security experts were already on edge for this year’s critical Georgia statewide vote. The state is suddenly a battleground in the presidential race, but perhaps more important: Both U.S. Senate seats are up for grabs. The state could easily swing the balance of power in the Senate, and by extension in the country.

And two weeks before the election, emergency software fixes were installed on the state’s new voting machines as they make their debut in a general election.

Marilyn Marks, Executive Director of the Coalition for Good Governance, which has led the federal lawsuit and the public flogging designed to get Georgia’s vote-counting house in order, says it’s time for the state to abandon ship and switch to paper ballots as a fallback. U.S. District Judge Amy Totenberg, who ordered the state to upgrade its machines, said in her order that it must be prepared for the paper ballot plan B. The Coalition for Good Governance is back in court trying to force that switch.

“This situation is quite dire…I believe experts will tell you that there is no precedent for such a massive risk being taken on the eve of an election,” she said to me. “The candidates and parties seem to be ignoring the risk which will make it easy for losing candidates to challenge the outcomes.”

What evidence of trouble might exist? Here’s a small excerpt from a statement made to the court by Harri Hursti, no stranger to The Red Tape Chronicles. Hursti raced to Georgia on Oct. 1 to witness installation of the software fix.

“The new software was contained on USB sticks. However, there was no inventory management present for the USB sticks. There also was no inventory control for the technician authorization smartcards, which provide access to the controls of the touchscreen. Workers did not sign or otherwise document when they took possession or returned the technician cards and software upgrade USB sticks. Those items were in an open plastic bag which was sometimes placed on table, and sometimes carried around the working area by the manager. Anyone was able to pick up a USB stick or drop them there freely, permitting the easy substitution of USB sticks containing malware or to leave the premises with copies of the software update.

Some workers worked one BMD (ballot-marking device) touchscreen machine at the time, while others simultaneously worked on 2 or 3 machines. There was no accountability for how many sticks and technician smart-cards each worker had in their possession. Clearly, the USB sticks were not considered to be security sensitive items at all.

Hursti was also critical that there were no plans to do “acceptance testing” after the machines were upgraded.

Acceptance Testing is an almost universally mandated basic test of the hardware and software when a change or repair to either has been made before counties are permitted to install election programming and deploy voting system components. Acceptance testing must be performed on each unit, and cannot be performed on a sample basis. Fulton’s failure to conduct such testing should be a serious warning sign of further recklessness in the installation of inadequately tested software.

Georiga election officials maintain that the software changes made were “de minimus” — so small that they don’t require upending the state’s election process now.

“The plaintiffs are flagging this as some apocalyptic scenario on social media, and it’s not. This is a very minor issue,” said Bryan Tyson, an attorney for Secretary of State Brad Raffensperger, according to the Atlanta Journal-Constitution.

Perhaps. But it’s important to recall attacks on voting machines by a foreign power, or even a prankster, are not some imagined boogeyman. There is evidence that Georgia’s voter rolls were hacked several years ago. Meanwhile, federal officials have actually indicted a group Russians for attempting to hack the Georgia election in 2016.

Given that backdrop, it would seem imprudent to call an 11th-hour software upgrade rushed out from production a “minor issue.”

Plaintiffs are still hoping a federal judge will force the state to switch to paper ballots for in-person voting — which begins in some Georgia polling places as early as Oct. 12.

In a phone call late Tuesday, I asked Marks if it was really practical to switch to paper at this late date. She was emphatic that it was. Human beings can do the same task that the ballot-marking devices do, she said. In most cases, they can do it more quickly.

The judge’s ruling could come at any time, but federal judges are reluctant to issue rulings that impact state voting procedures close to election day.

I’ll keep you posted.