A federal trial beginning this week in Atlanta could change the way people vote in this year’s election in a key swing state, and potentially affect voters in other states for years to come.
The trial, six years in the making, pits a non-profit organization and a handful of Georgia voters against the state, claiming that vulnerabilities in the state’s computerized voting machines place a voter’s choices at an unacceptable risk of being altered, infringing on their constitutional rights.
Georgia’s current system prints a ballot after voters use touchscreens on what is called a “ballot-marking device” (BMD), and the ballot has a barcode that a scanner reads to record each voter’s choices. Associates of Donald Trump hacked the system in early 2021, according to last year’s Fulton county indictment.
The solution, plaintiffs have argued since 2017, is for voters to mark paper ballots by hand – as about 70% of voters do in the rest of the country. The ballots would then be scanned and a tool known as a risk-limiting audit used to verify results. Judge Amy Totenberg will decide in the coming weeks whether to enjoin – or prohibit – the state from using its voting system, which would then probably lead to Georgia voters choosing candidates by pen and paper in this year’s election.
Less than 12 months from the 2024 presidential election, the trial’s outcome is “extreme and urgent”, said Marilyn Marks, executive director of the Coalition for Good Governance, a North Carolina-based non-profit organization and one of the suit’s plaintiffs. “It’s the ability to satisfy winners, losers and their supporters [in 2024] that Georgia’s election was legitimate and verifiable.”
Georgia is one of a handful of battleground states considered vital to deciding this year’s election.
In a sign of what’s at stake, it took a last-minute federal court of appeals decision on Friday to clarify whether Georgia’s top elections official, the secretary of state, Brad Raffensperger, would be compelled to testify. The three-judge panel issued a decision only four days before the trial’s start, releasing him from the responsibility.
Georgia is one of few states to use the touchscreen voting machines at the center of the case for all of its nearly 8 million registered voters – meaning any problem, whether due to hacking or human error, could affect all of them. Other states tend to use a patchwork of systems.
Last year, Marks’s group uncovered the efforts by associates of Donald Trump in early 2021 to download the Georgia system’s software and other data from rural Coffee county’s election department; the breach is mentioned more than 50 times in the indictments Trump and 18 others are facing in Georgia and has led to several guilty pleas to date. The software and other information remains in the hands of an unknown number of persons.
But the coalition’s efforts have exposed a series of vulnerabilities in Georgia’s system since the case’s beginning.
In August 2016, Logan Lamb, a “friendly hacker” and former federal cybersecurity researcher, gained access to the state’s system, including instructions and passwords for election workers to use on election day. Seven months later, Lamb’s colleague Christoper Grayson discovered he could still access the same information. They both tried to force the state to remedy its cybersecurity problems, to no avail. Marks filed suit in June 2017.
A year later, Judge Totenberg listened to former Georgia governor and attorney for the state Roy E Barnes claim the state had taken measures to improve the system’s security. The judge called the state’s explanation of those same measures “oblique”.
J Alex Halderman, a computer science professor at the University of Michigan, testified on behalf of plaintiffs about the system’s weaknesses, and while he correctly forecast future breaches of the system, he misidentified where the threat would come from. “When I began my research in 2006,” he told the judge, “… we were thinking about threats such as dishonest candidates. Everything changed in 2016. Threats by nation-states are now much more serious.”
Halderman testified only months after media outlets revealed that Russia had attempted cyber-attacks on election systems in 39 states before the 2016 presidential election. He could not have known that Trump and colleagues would be indicted five years later in Georgia.
Still, Totenberg decided at the time it was too late for Georgia to change systems due to fast-approaching midterm elections.
A year later, in 2019, the judge gave an unprecedented order, directing the state to stop using its machines altogether, which led the then secretary of state, Brian Kemp, to form a commission on choosing a new system. The commission ignored its sole cybersecurity expert, Georgia Tech computer science professor Wenke Lee, who counseled against implementing a new touchscreen system except where needed for voters with disabilities, and in favor of using hand-marked paper ballots – mirroring the position of plaintiffs in the current case.
Instead, the state spent close to $150m on the computerized system currently in use, made by Dominion.
Meanwhile, Marks and fellow plaintiffs amended their complaint more than once. In July, 2021, Halderman and Drew Springall, a computer science professor at Auburn University, completed a 96-page report that found “vulnerabilities in nearly every part of the system that is exposed to potential attackers” which could allow votes to be changed, potentially affecting election outcomes in Georgia, according to Halderman’s summary.
The report’s findings were of such concern that Totenberg ordered it sealed. A year later, in June 2022, the US Cybersecurity and Infrastructure Security Agency (Cisa), part of the homeland security department, corroborated Halderman’s work. In June last year, a redacted version was released.
During the same two-year period, the effort by Trump’s associates to enter Coffee county’s elections department and breach the state’s system also occurred, followed by differing statements from Raffensperger and other state officials about when they learned of the incident and what they would do about it.
“The kneejerk reaction is to circle the wagons and present an implausible response … either because they don’t understand [the technical issues] or because they think no one else will,” said Richard DeMillo, founder of the cybersecurity program at Georgia Tech. He has filed amicus briefs in the case.
The pattern has continued with Halderman’s findings and the Coffee county incident; the state has described both as being of little concern given the state’s security practices and procedures.
Halderman’s report benefited from court-ordered access to the Dominion touchscreen machines used in Georgia – resulting in what he described in writing as the first study in more than a decade to assess the cybersecurity of a widely used US voting machine.
Nonetheless, Mike Hassinger, a spokesperson for Raffensperger, told the Guardian in a June email that addressing Halderman’s findings “forces me into the Dumb and Dumber paradox. Every time I describe something as ‘theoretical but highly unlikely’, your response is, ‘So, you’re telling me there’s a chance!’ It’s a no-win situation.”
Hassinger went on to conflate the work of Halderman, an experienced computer scientist, with the opinions of Trump-following election deniers. In the upcoming trial, “the federal court could clarify for the public … what the real science and technology is, versus what some group says,” DeMillo said.
If Totenberg decides to enjoin the state from using its computer touchscreens in the upcoming (and future) elections, “the result could be used to throw out BMDs in counties across the country,” the veteran computer scientist added – “places like Pennsylvania, Texas, California and Colorado.”
Such a decision could also affect places that are considering using such technologies, said Marks. “They will think twice, and ask themselves, ‘Do we really want to hold an election that a federal court said is unconstitutional?’”
