Federal Judge Blasts Georgia’s ‘Dated, Vulnerable’ Voting System

voters casting ballots during early voting in Atlanta in 2016.

voters casting ballots during early voting in Atlanta in 2016. David Goldman/AP File Photo

Featured eBooks

The Government's Artificial Intelligence Reality
What’s Next for Federal Customer Experience
Cloud Smarter

The state avoided having to make a change in election equipment before the midterms, however.

Georgia won’t be required to make a last-minute switch to paper ballots for the November midterm elections, but a federal judge still sent a strong message to election officials that she saw significant flaws with the state’s “dated, vulnerable” voting system.

U.S. District Judge Amy Totenberg on Monday denied a motion by a group of voters seeking to force Secretary of State Brian Kemp and county election offices to stop using direct recording electronic voting machines, or DREs, for anyone other than people with disabilities in 2018.

DREs use reprogrammable, removable memory cards vulnerable to hackers and don’t produce an independent paper audit trail.

In her order, Totenberg noted that during recent testimony she heard from both county and state officials that the logistics of moving to a paper ballot with early voting coming next month would create chaos for voters. But the judge also emphasized that she “advises the Defendants that further delay is not tolerable in their confronting of and tackling the challenges before the State’s election balloting system.”

“The State’s posture in this litigation—and some of the testimony and evidence presented—indicated that the Defendants and State election officials had buried their heads in the sand,” the judge said.

Nowhere was this more clear than when Georgia cybersecurity expert Logan Lamb accessed at least 15 counties’ election management databases from the central tabulator via the state Center for Election Systems’ public website, the order continued. The white hat hacker notified CES he was able to obtain private elector information and DRE passwords used by polling place supervisors, but the state took no action between August 2016 and February 2017.

The FBI took possession of CES’s server, which was moved internally—but not before the controversial erasure of its election data. The data was deleted on July 7, 2017, three days after Kemp’s office was alerted to the lawsuit accusing state officials of ignoring warnings the election system was vulnerable.

Attorneys for plaintiffs emphasized the judge’s critical take on the state of election security.

“Although the court late last night denied our preliminary injunction aimed at securing the midterm elections in Georgia, it found that the current system is critically unsecure and that a new, secure system with a verifiable paper trail is required before the next elections,” said David Cross, the Morrison & Foerster attorney representing the Curling plaintiffs, in a statement. “Ironically, the ineptitude demonstrated by certain state election officials in this case likely played a significant part in the decision that those officials could not manage a change now.”

Kemp is the Republican candidate for governor, and the neither the lawyer for his office nor his office responded to requests for comment in time for publication.

Cyber threats to election systems are “here to stay,” Totenberg wrote.

“Defendants will fail to address that reality if they demean as paranoia the research-based findings of national cybersecurity engineers and experts in the field of elections,” she concluded.

As the judge did not rule on the broader case seeking generally to force the state to replace its machines, Totenberg noted that unless her decision is taken up on appeal, she plans to move forward quickly, with an eye on the 2020 elections.