Software and equipment from Dominion Voting Systems, used in this month’s presidential election, has been the source of ongoing controversy, with one legal declaration made by a poll observer of Georgia’s statewide primary earlier this year highlighting multiple problems.
Georgia Secretary of State Brad Raffensperger announced the state’s purchase of a $106 million election system from Dominion Voting Systems in July 2019. In a lawsuit, which originated in 2017, critics contend that the new system was subject to many of the same security vulnerabilities as the one it was replacing.
In an Oct. 11 order, just weeks prior to the presidential election, U.S. District Judge Amy Totenberg agreed with the concerns associated with the new Dominion voting system, writing that the case presented “serious system security vulnerability and operational issues that may place Plaintiffs and other voters at risk of deprivation of their fundamental right to cast an effective vote that is accurately counted.”
“The Court’s Order has delved deep into the true risks posed by the new BMD voting system as well as its manner of implementation. These risks are neither hypothetical nor remote under the current circumstances,” Judge Totenberg wrote in her order.
Despite the court’s misgivings, Totenberg ruled against replacing the Dominion system right before the presidential election, noting that “Implementation of such a sudden systemic change under these circumstances cannot but cause voter confusion and some real measure of electoral disruption.”
Concerns Over Election Systems
In an Aug. 24 declaration from Harri Hursti, an acknowledged expert on electronic voting security, provided a first-hand description of problems he observed during the June 9 statewide primary election in Georgia and the runoff elections on Aug. 11.
Hursti had been “authorized as an expert inspecting and observing under the Coalition for Good Governance’s Rule 34 Inspection request in certain polling places and the Fulton County Election Preparation Center.”
Hursti summarized his findings as follows:
- “The scanner and tabulation software settings being employed to determine which votes to count on hand marked paper ballots are likely causing clearly intentioned votes not to be counted”
- “The voting system is being operated in Fulton County in a manner that escalates the security risk to an extreme level.”
- “Voters are not reviewing their BMD [Ballot Marking Devices] printed ballots, which causes BMD generated results to be un-auditable due to the untrustworthy audit trail.”
During observation at Peachtree Christian Church in Atlanta, Georgia, Hursti noted that the “scanner would vary in the amount of time that it took to accept or reject a ballot.”
Hursti stated that a dedicated system should not experience variable delays and noted that “we are always suspicious about any unexpected variable delays, as those are common telltale signs of many issues, including a possibility of unauthorized code being executed.”
Hursti observed varying processing times at different locations, further raising concerns as identical physical devices “should not behave differently while performing the identical task of scanning a ballot.”
Hursti stated in his sworn statement that his presence was requested by two poll watchers at the Fanplex polling location who were observing certain unexplained anomalies. Upon arriving, Hursti observed that for “reasons unknown, on multiple machines, while voters were attempting to vote, the ballot marking devices sometimes printed ‘test’ ballots.”
As Hursti noted, “during the election day, the ballot marking device should not be processing or printing any ballot other than the one the voter is voting.” Hursti stated that this was indicative of a “wrong configuration” given to the Ballot Marking Device.
The issue also raised other questions in his mind:
- “Why didn’t the device print only test ballots?”
- “How can the device change its behavior in the middle of the election day?”
- “Is the incorrect configuration originating from the Electronic Pollbook System?”
- “What are the implications for the reliability of the printed ballot and the QR code being counted?”
Wholesale Outsourcing of Operation
During the runoff elections, on the night of Aug. 11, 2020, Hursti was present at the Fulton County Election Preparation Center to observe the “upload of the memory devices coming in from the precincts to the Dominion Election Management System [EMS] server.” During this observation, Hursti noted that “system problems were recurring and the Dominion technicians operating the system were struggling with the upload process.”
Hursti also noted that it appeared that Dominion personnel were the only ones with knowledge of, and access to, the Dominion server. As Hursti stated in his declaration, “In my conversations with Derrick Gilstrap and other Fulton County Elections Department EPC personnel, they professed to have limited knowledge of or control over the EMS server and its operations.”
Hursti noted that this wholesale outsourcing of the operation of voting equipment to the vendor’s personnel was “highly unusual in my experience and of grave concern from a security and conflict of interest perspective.” Hursti referred to Dominion’s onsite operation and access as “an elevated risk factor.”
Hursti also noted that the Dell computers running the Dominion server appeared not to have been “hardened”—the process of “securing a system by reducing its surface of vulnerability.” Hursti said that he found it “unacceptable for an EMS server not to have been hardened prior to installation.”
A ‘Major Deficiency’
In addition to the hardening problems, Hursti observed that computers used in Georgia’s system for vote processing appeared to have “home/small business companion software packages” on them. This raised areas of significant concern for Hursti as he noted:
“[O]ne of the first procedures of hardening is removal of all unwanted software, and removal of those game icons and the associated games and installers alongside with all other software which is not absolutely needed in the computer for election processing purposes would be one of the first and most basic steps in the hardening process. In my professional opinion, independent inquiry should be promptly made of all 159 counties to determine if the Dominion systems statewide share this major deficiency.”
In addition to the software packages noted above, Hursti discovered that one of the computers had an icon for a 2017 computer game called “Homescapes” which Hursti noted called into question whether “all Georgia Dominion system computers have the same operating system version, or how the game has come to be having a presence in Fulton’s Dominion voting system.”
Hursti also found a troubling blend of old and new equipment which carried additional security risks due to a lack of patch updates:
“Although this Dominion voting system is new to Georgia, the Windows 10 operating system of at least the ‘main’ computer in the rack has not been updated for 4 years and carries a wide range of well-known and publicly disclosed vulnerabilities.”
Hursti noted that the lack of “hardening” created security risks even for computers that were not connected to the internet. He observed that when flash drives were connected to the server, the “media was automounted by the operating system. When the operating system is automounting a storage media, the operating system starts automatically to interact with the device.”
Hursti noted that the management of Fulton County’s EMS server appeared to be an “ad hoc operation with no formalized process.” This seemed particularly apparent in relation to the process of storage media coming in from various precincts throughout the night:
“This kind of operation i[s] naturally prone to human errors. I observed personnel calling on the floor asking if all vote carrying compact flash cards had been delivered from the early voting machines for processing, followed by later finding additional cards which had been overlooked in apparent human error. Later, I heard again one technician calling on the floor asking if all vote carrying compact flashes had been delivered. This clearly demonstrates lack of inventory management which should be in place to ensure, among other things, that no rogue storage devices would be inserted into the computer. In response, 3 more compact flash cards were hand-delivered. Less than 5 minutes later, I heard one of the county workers say that additional card was found and was delivered for processing. All these devices were trusted by printed label only and no comparison to an inventory list of any kind was performed.”
Hursti also observed that “operations were repeatedly performed directly on the operating system.” The election software has no visibility into the operations of the operating system, which creates additional auditing problems, and as Hursti noted, “Unless the system is configured properly to collect file system auditing data is not complete. As the system appears not to be hardened, it is unlikely that the operating system has been configured to collect auditing data.”
Raising even greater concerns was the apparent “complete access” that Dominion personnel appeared to have into the computer system. Hursti observed Dominion technicians troubleshooting error messages with a “trial-and-error” approach which included access into the “Computer Management” application, indicating complete access in Hursti’s opinion.
As he stated in his declaration, “This means there are no meaningful access separation and privileges and roles controls protecting the county’s primary election servers. This also greatly amplifies the risk of catastrophic human error and malicious program execution.”
During these attempts to resolve the various issues that were occurring in real-time, Hursti noted that it appeared as though Dominion staff shifted from on-site attempts at remediation to off-site troubleshooting:
“The Dominion staff member walked behind the server rack and made manual manipulations which could not be observed from my vantage point. After that they moved with their personal laptops to a table physically farther away from the election system and stopped trying different ways to work around the issue in front of the server, and no longer talked continuously with their remote help over phone.
In the follow-up-calls I overheard them ask people on the other end of the call to check different things, and they only went to a computer and appeared to test something and subsequently take a picture of the computer screen with a mobile phone and apparently send it to a remote location.”
Hursti stated that this “created a strong mental impression that the troubleshooting effort was being done remotely over remote access to key parts of the system.”
Hursti also noted that a “new wireless access point with a hidden SSID access point name appeared in the active Wi-Fi stations list” that he was monitoring.
All of this raised material alarms for Hursti, who noted that “If in fact remote access was arranged and granted to the server, this has gravely serious implications for the security of the new Dominion system. Remote access, regardless how it is protected and organized is always a security risk, but furthermore it is transfer of control out of the physical perimeters and deny any ability to observe the activities.”
On Nov. 11, 2020, Georgia’s Secretary of State Brad Raffensperger announced that there will be a full recount and audit of all ballots cast in the presidential election.
“With the margin being so close, it will require a full, by-hand recount in each county. This will help build confidence. It will be an audit, a recount and a recanvass all at once,” Raffensperger said.
Dominion Voting Systems did not respond to a request for comment.