The aftermath of the 2020 election put an intense spotlight on voting machines as supporters of former President Donald Trump claimed victory was stolen from him. While the theories were unproven — and many outlandish and blatantly false — election security experts say there are real concerns that need to be addressed.
In Georgia, for example, election security expert J. Alex Halderman says he’s identified “multiple severe security flaws” in the state’s touchscreen voting machines, according to a sworn declaration in a court case.
Halderman told The Associated Press in a phone interview that while he’s seen no evidence the vulnerabilities were exploited to change the outcome of the 2020 election, “there remain serious risks that policymakers and the public need to be aware of” that should be addressed immediately to protect future elections.
Trump loyalists — pushing the slogan “Stop the Steal” — held rallies, posted on social media and filed lawsuits in key states, often with false claims about Dominion Voting Systems voting machines. Almost all of the legal challenges casting doubt on the outcome of the election have been dismissed or withdrawn and many claims of fraud debunked. State and federal election officials have said there’s no evidence of widespread fraud. And Dominion has fought back forcefully, filing defamation lawsuits against high-profile Trump allies.
As an election security researcher, it’s been frustrating to watch the proliferation of misinformation, said Matt Blaze, a professor of computer science and law at Georgetown University. For years, he said, concerns raised by election security experts were dismissed as unimportant.
“All of a sudden, people are going the other way, saying the existence of a flaw not only is something that should be fixed, it means the election was actually stolen,” he said. “That’s not true either.”
David Cross is an attorney for plaintiffs in a long-running lawsuit filed by proponents of hand-marked paper ballots. His clients’ concerns about Georgia’s electronic voting machines long preceded the 2020 election, but he says they’re now grappling with how to expose vulnerabilities and advocate for changes without fueling conspiracy theories.
It’s also frustrating, he said, to watch the state “try to dismiss actual scientific, rigorous examination of the voting equipment by just saying we’re no different from the ‘Stop the Steal’ people when we’re relying on the most respected election integrity experts in the country.”
Halderman, a voting technology specialist and director of the University of Michigan’s Center for Computer Security and Society, serves as an expert witness in the lawsuit, which was filed by individual voters and the Coalition for Good Governance.
In declarations submitted as part of the case in federal court in Atlanta, Halderman wrote that he had identified vulnerabilities that attackers could exploit to “install malicious software, either with temporary physical access (such as that of voters in the polling place) or remotely from election management systems.” Once installed, he wrote, such malware “could alter voters’ votes while subverting all the procedural protections practiced by the State.”
He detailed his findings in a report filed under seal last month as part of the lawsuit, which challenges the election system Georgia bought in 2019.
State officials have consistently argued that the Dominion machines have been thoroughly vetted and that security measures are in place to prevent problems.
“In an ever-changing threat environment, there are always new evolving threats to any kind of election system,” Ari Schaffer, a spokesman for Secretary of State Brad Raffensperger, said in an email. “That is why we are vigilant to the challenges that arise to the integrity of our elections. We are constantly in touch with federal and state security partners to protect our elections and keep them secure and reliable.”
The state paid more than $100 million for the new Dominion system, replacing the outdated equipment it had been using since 2002. First used statewide during last year’s primary election, it includes touchscreen voting machines that produce paper ballots with barcodes tallied by scanners.
Halderman said his 25,000-word report was the result of 12 weeks of intensive testing of Dominion equipment from Fulton County. All voters in Georgia use those machines, and at least some voters in 11 other states also use the same voting machines, according to data compiled by Verified Voting.
Because it was filed under seal, The Associated Press hasn’t seen Halderman’s report or any specifics of the alleged vulnerabilities. It was also designated “attorneys’ eyes only,” meaning even the actual parties to the lawsuit cannot see it.
For that reason, no one in the secretary of state’s office has seen the report, but Deputy Secretary of State Jordan Fuchs said, “We are familiar with these contentions. They are not new and Halderman’s report is only possible because the judge gave him unrestricted access to equipment that he could not otherwise get.”
Halderman, who has long argued that the touchscreen machines are vulnerable, said the access allowed him to identify for the first time specific vulnerabilities and the ways they could be exploited. He believes the information should force the state and Dominion to address the issues.
“That’s just standard security practice,” he said.
Halderman was tasked with evaluating the machines, not with looking for evidence that potential vulnerabilities had been exploited in a past election.
During a conference call with the parties last month, U.S. District Judge Amy Totenberg, who’s presiding over the case, said she wasn’t ready to unseal his report. But she did say she’s “concerned enough about the information contained in it,” according to a transcript.
“I have seen how this can blow up,” she added. Totenberg’s past opinions in the case, which were critical of Georgia’s election system, have been cited by people pushing conspiracy theories.
Because of its confidential designation, the report hasn’t been shared with Dominion. Halderman wrote that he’s been trying since January, through the plaintiffs’ lawyers, to arrange a meeting with Dominion but the company has not agreed to meet.
“Despite continued defamatory attacks against our company and its systems, Dominion has emerged from the 2020 election cycle with arguably the most-tested, most-scrutinized, and most-proven voting technology in recent history. Our company welcomes feedback that is provided in good faith by researchers,” Dominion said in a statement.
In response to Halderman’s report, the state filed a rebuttal declaration from one of its own expert witnesses, Juan Gilbert.
Gilbert, chair of the computer and information science and engineering department at the University of Florida, wrote that “any computer can be hacked with enough access and knowledge of a determined malicious actor.” He added that while he believes electronic ballot-marking devices can be improved upon, that “does not mean I believe they are so insufficiently secure as to be unconstitutional or otherwise impermissibly vulnerable.”
While Halderman says he has tested various methods of hacking that he says are generally undetectable, Gilbert wrote, “I am not aware that Dr. Halderman has provided equipment marred by ‘un-detectable’ hacks to any other independent researcher to test his theory that it is, in fact, un-detectable and not correctable.”
Halderman countered in a declaration filed with the court that the declaration from Gilbert doesn’t dispute the existence of the vulnerabilities he detailed or the steps that could be taken to alter individual votes and election outcomes. Nothing in Gilbert’s declaration indicates that state officials understand how serious the problems are or have taken any steps to address them, Halderman wrote.
He argued that state election officials “urgently need to engage with the findings in my report and address the vulnerabilities it describes before attackers exploit them.”