Judge Amy Totenberg has issued a decision concurring there is sufficient reason to believe that the electronic voting machines used by the State of Georgia have substantial flaws.
The District Court Judge found that there is sufficient cause to believe that there may be “cybersecurity deficiencies that unconstitutionally burden Plaintiffs’ First and Fourteenth Amendment rights and capacity to case effective votes that are accurately counted.”
Totenberg scheduled a bench trial for January 9, 2024, which entails the absence of a jury. Nevertheless, she acknowledged that a compromise might be possible if the state legislature were to take action.
“The Court cannot wave a magic wand in this case to address the varied challenges to our democracy and election system in recent years, including those presented in this case,” she wrote. “But reasonable, timely discussion and compromise in this case, coupled with prompt, informed legislative action, might certainly make a difference that benefits the parties and the public.”
Critically, the court denied that criticism of security flaws with Georgia’s voting machines are based purely on “conspiracy theories.”
“The Court notes that the record evidence does not suggest that the Plaintiffs are conspiracy theorists of any variety. Indeed, some of the nation’s leading cybersecurity experts and computer scientists have provided testimony and affidavits on behalf of Plaintiffs’ case in the long course of this litigation,” the judge’s footnote remarked.
The District Court then laid out several established objections to the 2020 election.
First, the Court recognized that, because the DREs did not include a paper
voting trail, “No voters could verify whether their intended votes for particular
candidates were actually cast.”
The court notes that several voting machines were running on an outdated Windows XP/2000 operating system, and the DRE machines were operating on software from 2005
that was “so out of date that the makers of the software were no longer supporting
it or providing security patches.”
Next, the Court reviewed “newly available evidence regarding the CES/KSU
data breach, data systems mismanagement, and record destruction events
previously addressed in the 2018 PI Order. The expanded record revealed
additional troubling details regarding the breach.”
In addition, the Court found in its 2019 Order that “Plaintiffs presented
significant evidence of vulnerabilities in the State’s voter registration database in
connection with the previously discussed exposure of voter data, the exposure of
passwords, and outdated software issues.”
The Plaintiffs also raised issues concerning the State’s ability “to audit the functionality of the BMDs, specifically in the event that the selections contained within the QR codes did not match the selections that appear in the human readable text (for example, if the QR codes had been altered). At the hearing, the State Defendants argued that audits would look to the human readable text – not the QR codes. Plaintiffs argued that audits would not necessarily remediate this issue because most voters do not review each of their selections contained in the human-readable text. This would not allow the printouts to be properly audited against the QR data…”
Ultimately, the Court concludes that there are “material facts in dispute presented in the record that preclude its grant of the State Defendants’ Motions for Summary Judgment on the primary claims.”
The Court then announced that it will “resolve these material factual disputes and related legal issues based on the evidence presented at a bench trial to begin on January 9, 2024.”
Importantly, the Court recognizes that the most important remedies for election integrity may be political and not judicial.
“To be clear from the start, the Court does not have the legal authority to grant
the broadest relief that Plaintiffs request in this case without directly infringing on
the state legislature’s vested power to enact legislation,” the judge said. “Even if Plaintiffs prevail on their substantive claims, the Court cannot order the Georgia legislature to pass legislation creating a paper ballot voting system or judicially impose a statewide paper ballot system as injunctive relief in this case. Quite simply, the Court has the legal authority to identify constitutional deficiencies with the existing voting system, but it does not have the power to prescribe or mandate new voting systems (i.e., a paper ballot system) to replace the current, legislatively enacted system.”
But the court did not that it would hear evidence that insufficient election security may comprise a constitutional rights violation.
“That said, as the Eleventh Circuit previously recognized in this case, suits challenging election procedures [or policies] are routine,’ and there are critical issues raised in this case that do not “present a political question beyond this Court’s reach.” Curling v. Raffensperger, 50 F.4th 1114, 1121 n.3 (11th Cir. 2022).”
“Still, Plaintiffs carry a heavy burden to establish a constitutional violation connected to Georgia’s BMD electronic voting system, whether in the manner in which the State Defendants have implemented the voting system — i.e., that it imposes serious security voting risks and burdens impacting Plaintiffs’ voting rights — or otherwise,” the judge added.
Several election security experts testified on behalf of the Plaintiffs: Dr. J. Alex Halderman, Dr. Philip Stark, Kevin Skoglund, Dr. Andrew Appel, and Harri Hursti.
The most substantive criticism of the current state of the voting systems in Georgia was perhaps laid out by Dr. J Alex Halderman.
On July 1, 2021, Dr. Halderman, submitted a detailed, lengthy Report both (1) expounding on his prior testimony in this case and (2) identifying additional vulnerabilities he found in the BMD system, based on his testing of a BMD and associated election equipment provided to him by Fulton County. (See Redacted Halderman Report, Doc. 1681.)
Dr. Halderman identifies seven primary vulnerabilities, as follows:
1. Attackers can alter the QR codes on printed ballots to modify voters’ selections
2. Anyone with brief physical access to the BMD machines can install malware onto the machines
3. Attackers can forge or manipulate the smart cards that a BMD uses to authenticate technicians, poll workers, and voters, which could then be used by anyone with physical access to the machines to install malware onto the BMDs (id.);
4. Attackers can execute arbitrary code with supervisory privileges and then exploit it to spread malware to all BMDs across a county or state (id.);
5. Attackers can alter the BMD’s audit logs (id.);
6. Attackers with brief access to a single BMD or a single Poll Worker Card and PIN can obtain the county-wide cryptographic keys, which are used for authentication and to protect election results on scanner memory cards (id.); and
7. A dishonest election worker with just brief access to the ICP scanner’s memory card could determine how individual voters voted (id.).
Dr. Halderman also opines that “election insiders and ordinary voters could
be recruited by domestic political actors or hostile sophisticated foreign nations to
attack Georgia’s voting system by, for instance, implanting malware.”
Following the court’s review of the case, the State Defendants’ Motions for Summary Judgment was granted in part and denied in party.
Fulton County’s Motion for Summary Judgemen, however, was granted in full.