Judge to Georgia voting officials: you’re terrible at digital security

Georgia’s upcoming November 6, 2018 election will remain purely electronic, and will not switch to paper to ward off potential hackers, a federal judge in Atlanta ruled on Monday evening.

But as US District Judge Amy Totenberg wrote, she is not at all happy with the inadequate efforts by state officials to shore up their digital security measures.

“The Court advises the Defendants that further delay is not tolerable in their confronting and tackling the challenges before the State’s election balloting system,” she wrote in her order.

“The State’s posture in this litigation—and some of the testimony and evidence presented—indicated that the Defendants and State election officials had buried their heads in the sand.”

The case, Curling v. Kemp, pits a group of activists and Georgia voters—who say that their home state’s woefully inadequate digital security violates their rights to cast meaningful ballots—against Georgia officials. They, in turn, say that revamping the entirely election process, particularly when the November election is just weeks away, is practically and logistically impossible.

As Ars reported previously, Georgia is just one of five American states that use purely digital voting without any paper record.

During a September 12 hearing, Judge Totenberg heard a compelling presentation by J. Alex Halderman, a professor at the University of Michigan, and one of the nation’s authorities on digital voting security.

Halderman presented an example of how malware could be used on Georgia’s Direct Recording Electronic (DRE) machines to alter individual votes.

“Professor Halderman explained in his testimony in detail the reasons why the DRE auditing and confirmation of results process used by state officials on a sample basis is generally of limited value,” Judge Totenberg wrote. “This process is keyed to matching the total ballots cast, without any independent source of individual ballot validation, and it can be defeated by malware similar to that used by the Volkswagen emissions software that concealed a car’s actual emissions data during testing.”

The judge went on to note that Georgia “presented no witness with actual computer science engineering and forensic expertise”—it seemingly provided no meaningful explanation for its questionable lack of security.

“Advanced persistent threats in this data-driven world and ordinary hacking are unfortunately here to stay,” she concluded. “Defendants will fail to address that reality if they demean as paranoia the research-based findings of national cybersecurity engineers and experts in the field of elections.”

The plaintiffs may now appeal to the 11th US Court of Appeals in Atlanta.

Latest Articles

Related Articles