Get our free weekly newsletter on important housing and democracy news every Thursday.
A federal trial six years in the making reached its halfway point this week, after a series of computer experts expressed concerns in court about cyber vulnerabilities in Georgia’s touchscreen voting machines, while a series of state officials displayed the opposite. Secure Voting
The election case pits an election integrity nonprofit and a handful of Georgia voters against the Secretary of State’s office. They claim that the state’s computerized voting machines face an unacceptable risk of being hacked, which infringes on the constitutional rights of voters.
The Coalition for Good Governance has spearheaded the case since 2017–well before former President Donald Trump and allies launched multiple conspiracy theories in the aftermath of the 2020 presidential election, distorting concepts such as election integrity and cybersecurity with claims of stolen votes.
Subscribe to our weekly newsletter to keep up with all things Housing and Democracy related in metro Atlanta.
The state’s position is that election equipment is kept secure by measures such as using tamper-evident zip ties with serial numbers to seal cases storing voting machines and procedures such as testing voting machines before elections.
U.S. Northern District of Georgia Judge Amy Totenberg has been conducting the bench trial, –meaning there’s no jury–since Jan. 9. After both sides have presented their case, she could decide to enjoin, or prohibit, the state from using its Dominion Voting Systems machines, which could lead to Georgia voters choosing candidates by pen and paper in this year’s presidential election in November.
Such a decision could also impact voters in other states using the same voting machines for years to come, through additional lawsuits or new policies.
The case has already made history, after Totenberg ordered the state in 2019 to replace its previous voting machines from Diebold Election Systems. Her ruling came after plaintiffs highlighted the touchscreen machines’ vulnerability to being hacked. In response, Georgia bought the Dominion machines and began using them in the June 2020 presidential primary.
With the Dominion machines, voters use a touchscreen, also called a “ballot-marking device” (BMD), to make their choices. Then, they print out their ballots, which have a QR code that a scanner reads to record and tally the votes.
During the six-year case, computer scientists serving as experts for the plaintiffs have uncovered multiple, specific ways that both the current Dominion and the previous Diebold voting machines are vulnerable to hacking.
The solution, the plaintiffs argue, is to have voters mark paper ballots by hand–as nearly 70% of voters do in the rest of the country. The ballots themselves–not just a QR code–would then be scanned and a procedure known as a risk-limiting audit would be used to verify the results.
Georgia is one of a handful of states that uses the same election system for all of its registered voters statewide. That means any problem, whether due to hacking or human error, could affect nearly eight million votes. Many other states use a patchwork of systems.
As the voting machine case has unfolded, one of the plaintiffs, the Coalition for Good Governance, uncovered efforts by Trump allies in early 2021–right after the hotly contested presidential election–to download the Georgia voting system’s software and other data from rural Coffee County’s elections office. The software and other information remains in the hands of an unknown number of persons, which elevates the risk of hacks to Georgia’s system, plaintiffs’ experts testified this week.
The Coffee County breach is mentioned more than 50 times in the indictments that the Fulton County District Attorney’s office has brought against Trump and 18 others in a separate, wide-ranging criminal RICO case over presidential election interference. So far, four defendants have pled guilty in that case after reaching deals with prosecutors.
“The state either doesn’t understand, or can’t control, the technology.”
But the Coalition for Good Governance’s efforts have exposed a series of vulnerabilities in Georgia’s electronic voting systems since the touchscreen voting machine case’s beginning.
In August 2016, “friendly hacker” Logan Lamb, a former federal cybersecurity researcher, gained access to the state’s Diebold voting system. Seven months later, Lamb’s colleague Christoper Grayson did the same. They both tried unsuccessfully to get the Secretary of State’s office to remedy its cybersecurity problems. The Coalition for Good Governance’s executive director, Marilyn Marks, filed suit in June 2017.
A year later, Totenberg listened to a lawyer for the state, former Georgia Gov. Roy Barnes, claim that the Diebold voting system’s security had been improved. Barnes discounted the concerns over hacking from the plaintiffs’ computer science witnesses and attorneys, calling them “outsiders” or “from the North.”
Barnes thundered to the plaintiffs’ expert witness J. Alex Halderman, a University of Michigan computer scientist, “You don’t know anything about the state of Georgia! How many times have you been here? Do you even know where the Big Chicken is?”—the Marietta KFC store with a 56-foot-tall steel chicken perched on its roof.
The judge said at the 2018 hearing that she found the state’s explanation of improvements to the Diebold system “oblique.” Totenberg sternly advised the state that “further delay is not tolerable in … confronting and tackling the challenges before the state’s election balloting system”–but she also decided that it was too late for Georgia to change its machines due to fast-approaching midterm elections.
Then, in 2019, the judge issued an unprecedented order, telling the state to stop using its Diebold machines altogether, which led then-Secretary of State Brian Kemp to form a commission to choose a new system. The commission would go on to ignore its sole cybersecurity expert, Georgia Tech computer science professor Wenke Lee, who counseled against implementing a new touchscreen system except where needed for voters with disabilities. He advised using hand-marked paper ballots. His arguments mirrored the plaintiffs’ position.
Instead, the state spent close to $150 million on its current Dominion touchscreen system.
Meanwhile, the Coalition for Good Governance and fellow plaintiffs updated their complaint to allege cybersecurity vulnerabilities in the new Dominion voting machines. In July 2021, Halderman and another computer science professor, Drew Springall of Auburn University, completed a 96-page report for the plaintiffs that found “vulnerabilities in nearly every part of the system that is exposed to potential attackers.” That could allow votes to be changed, potentially affecting election outcomes in Georgia, according to Halderman’s summary.
A year later, in June 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), issued an advisory warning of potential vulnerabilities to the Dominion ImageCast X system that was based on Halderman and Springall’s findings. Computer scientists from Princeton, Yale, Stanford, Georgia Tech and other universities and organizations drew attention to his findings in a letter.
During the same two-year period after Georgia adopted the Dominion voting system, Trump allies entered rural Coffee County’s elections office with the help of local officials and gained access to the system, copying software and other data.
That incursion was likely “the largest elections systems breach in U.S. history,” said plaintiffs’ witness Kevin Skoglund, the president of Citizens for Better Elections, in court this week. Skoglund, who serves on a cybersecurity advisory group to the U.S. Election Assistance Commission, testified that Georgia’s Dominion elections software was now “spread out around the country” in the hands of “close to a dozen people.”
The state’s main response has been to replace election equipment in the rural county.
In that situation, Skoglund said, “You can’t regain control [of the software and other data]–like you can with something physical.”
In response to a question from one of the state’s lawyers asking whether there is such a thing as a “perfectly secure voting system,” Skoglund replied, “That’s not how cybersecurity works.” Instead, the cybersecurity expert said, “You look at threats, the potential they could be realized, and their impact if they’re realized.”
The Coffee County breach has left the state’s electronic voting system “with very high risks–and Georgia should move expeditiously to mitigate them,” he added.
It’s become something of an annual tradition for states with Republican-controlled legislatures to try and change election laws in their states. The floodgates opened in Georgia after the U.S. Supreme Court in 2013 dismantled a key provision of the federal Voting Rights Act, said Anne Gray Herring, a policy analyst for Common Cause…
The plaintiffs’ case included a demonstration by Halderman, the University of Michigan computer scientist, about ways to hack the state’s voting machines. One involved using a pen to hold the machine’s power switch for seven seconds.
At that point, Georgia Tech computer science professor Richard DeMillo told Atlanta Civic Circle, “you’ve taken over the machine … and can install software or crash the machine.”
Despite Halderman’s demonstration, the state treated the vulnerabilities as “theoretical,” DeMillo said. State election officials countered that such a hack has never happened in an actual Georgia election. Halderman acknowledged that there is no evidence that the vulnerabilities he demonstrated for the voting machine have actually been exploited.
“The state responded stupidly,” said DeMillo, who founded Georgia Tech’s cybersecurity program and has given testimony in support of the plaintiffs’ case. “In engineering, if there’s a bad bolt on a bridge, it’s going to collapse some day. The fact that it hasn’t doesn’t mean anything.”
“The state either doesn’t understand, or can’t control, the technology,” was how DeMillo evaluated the state’s assessment of its voting system’s vulnerabilities, particularly after the Coffee County breach.
The computer scientist added that the state’s presentation of its case, which should start this week, doesn’t appear to include any cybersecurity experts. The state “doesn’t have independent experts with credentials to back them up.”
DeMillo, who has attended almost every day of the trial so far, said some of the plaintiffs’ initial witnesses “were ordinary voters who were not as confident as they would have liked that their votes were being counted,” due to vulnerabilities in the computer voting system.
“Confidence is undermined when you see weaknesses that are unaccounted for,” he said.
The three questions below help ensure our reporting best serves readers like you. We appreciate your feedback.
Unfortunately, a free press isn't free. It takes the generosity of readers like you to fund local, independent journalism that impacts the lives of your community. Donate today!
VERY good article. Yours is the first one I’ve read that goes deep, from the beginning of the CGG Curling case.
I smell a election corruption cover up here. Only allowing a left leaning lawsuit to go through and denying much more credible right leaning election integrity lawsuit . The demonstration in Coffee County was EXPOSING the election fraud after the 2020 election but only exposure mentioned. CISA issues report claiming vulnerabilities in Dominion but in 2020 CISA said it was a perfect election, no problem. The fraud has,been exposed by many experts but ignored by the media and courts. Georgia visually witnessed what happened at State Farm Arena and we were,told not to believe our lying eyes. How condescending. Now SOS,needs 52 million and says it can’t be updated on time for 2024. I hope this lawsuit will allow all of the fraud but I have a feeling it will be something like this, yes there was fraud but it didn’t change the outcome of the election. How do I know? Because they have used this talking point several times. At midnight election night president Trump was,ahead in Georgia by 350,000 votes which statistically is impossible to overcome with over 90% reporting. But somehow, with vote dumps in the Middle of the night and days of counting after election day us over which is illegal a miracle happened. NOT Additional evidence of ghost voted inserting old data from 2010 census and illegal ballots with ballots stuffing before, during and after. How does a county over vote? They have more votes cast than registered voters and sometimes total population
The trump case was not a crime it was a group of lawyers exposing the fraud the machines commit by changing votes. They were trying to expose how easy the machines were changing votes. They will beat their case as we all see how it’s developing with the corruption of the da s. Ga election system was part of a swing state wide voter fraud op where all swing states shut down counting the night of the election to commit fraud and steal an election. Never have we seen where an election was stopped and no winner declared besides the Florida case Gore v bush. It was a criminal conspiracy using the machines as part of it to alter the results. A solid red state like ga going to dems it was obvious fraud.
Great work ! Once on a computer any algorithm could be changed or vote and how would anyone know .. unless you’re a computer genius it would be impossible !
I’m ready to go back to ID’s and even a prick of blood ! And for people who can leave their home offer an earlier date and send people to them and a copy of ID and a prick of blood so we know they are alive
Thank you – very helpful article. You should also describe the simple, fundamental issue with any jurisdiction which forces voters to use a ballot-marking device: many voters don’t check their ballots, and the election officials can’t deal effectively with reports of malfunctioning BMDs. GA officials don’t have a good answer for this question: “How they would deal with repeated claims by voters that a ballot-marking device produced a paper ballot which misrepresented the way they voted”. If they just ignore it and call it the voter’s mistake, then the many voters who don’t check their ballots would remain at risk, and even risk-limiting audits wouldn’t help. If they take the machine out of service, then they are at risk of a “denial of service” attack. There are peer-reviewed papers pointing out these flaws. Link to detailed info, e.g. at https://www.electiondefense.org/ballot-marking-devices
They should of course just say they’ll do what the plaintiffs are asking for: start handing out ballots that voters can mark by hand, like most other states do.
Your email address will not be published. Required fields are marked *
Voting Machine In Philippines Our mission is to serve civic-minded Atlantans the best in journalism and other resources to help foster a better connected and informed community.