‘Forensic examination’ of voting system doesn’t prove election tampering, experts say
Report based on Mesa County system images alleges uncertified software, wireless capabilities create vulnerabilities
Voters wait in line to cast the ballots in person at Mesa County Central Services in Grand Junction, on Tuesday, Nov. 3, 2020. Voters reported wait times of 20-30 minutes. (Barton Glasser for Colorado Newsline)
A report supported by embattled Mesa County Clerk Tina Peters that claims significant vulnerabilities exist in the county’s election system is another attempt to stretch a kernel of truth into a false cause for panic, security experts and election officials say.
The report, written by an ally of MyPillow CEO Mike Lindell, Doug Gould, claims that the election system used for the 2020 election — which has since been decommissioned and replaced — had 36 wireless components that could “be exploited to obtain unauthorized access from external devices.”
The other primary finding was the inclusion of uncertified software in the system, which Gould wrote made the system vulnerable to attacks. In doing the forensic examination, Gould used before and after images, or copies, not the hardware itself, which Peters helped make without authorization during a “trusted build” software update in May 2021.
GET THE MORNING HEADLINES DELIVERED TO YOUR INBOX
“From my initial review of the report, it appears that our county’s voting system was illegally certified and illegally configured in such a way that ‘vote totals can be easily changed.’ We have been assured for years that external intrusions are impossible because these systems are ‘air gapped,’ contain no modems, and cannot be accessed over the internet. It turns out that these assurances were false,” Peters wrote in a letter to county commissioners introducing the report.
Peters is facing a grand jury indictment on charges stemming from her having helped make those copies and allegedly allowing an unauthorized person to attend the trusted build, which resulted in the publishing of sensitive system passwords.
Gould’s report offered the theory that the machines could have been accessed by bad actors but did not provide evidence that they were, or that the results of any election administered through the system were incorrect.
This is the second report written by Gould. The first hinged on the claim that thousands of files were deleted from the election system.
“As with the first report, there’s nothing really new here,” said Matt Crane, the executive director of the Colorado County Clerks Association and the former Republican clerk for Arapahoe County. “This is the same playbook that these people used in Antrim, Michigan, and in Arizona, and a lot of it has already been called out for the BS it is. What these grifters and bad actors are really good at is something called malinformation, when they take a shred of truth and they create a whole narrative that is a lie based on that truth.”
The “shred of truth” here, Crane said, comes from a program called Microsoft SQL Server Management Studio installed in the Mesa County server. The report alleges that the program is uncertified and therefore renders the entire system illegal to use in elections. It also alleges that the presence of the program, combined with other factors, could allow a bad actor to hack the server and flip votes.
Crane noted that the program is part of the SQL package installed on the computer, and was listed in the Dominion Voting Systems product documentation submitted to the state in 2019.
“Yes, it wasn’t outlined on the certification application. But everyone knows it is a part of that package. It was outlined in the Dominion documentation,” he said.
There is no evidence that votes were flipped in any election.
Known security flaws
Some cyber experts, however, say the vulnerabilities allegedly found by Gould make sense, but it is not a cause for alarm.
“I’m not at all surprised he would find vulnerabilities in a computer system like this. Most computers in this world have vulnerabilities,” Eric Wustrow, an assistant professor of computer engineering at University of Colorado Boulder, said. “And I’m also not shocked at his findings, because the system is set up to protect against these exact kinds of things.”
Those protections include features like physical security measures regarding election equipment, restricted access to equipment and post-election activities such as risk-limiting audits.
“It is important to look at systems rigorously and understand any threats and vulnerabilities to them,” Wustrow said. “But I don’t think anything in this report tells us that we have any reason to doubt past election results.”
What this forensic evidence could show is that the barn door was left open, but it doesn’t show that anyone stole anything.
– Douglas W. Jones, retired computer science professor at the University of Iowa
Douglas W. Jones, a retired computer science professor at the University of Iowa with extensive experience researching voting systems said that even if Gould’s report showed evidence of flawed election system security, it does not prove any wrongdoing during the 2020 election.
Jones said he thinks the report reveals “real security flaws.”
“What this forensic evidence could show is that the barn door was left open, but it doesn’t show that anyone stole anything,” he said. “Relying on that to disprove the integrity of our elections is a mistake.”
Jones thinks it is important to create election systems with all wireless components disabled or excluded entirely, especially as it gets more and more difficult to buy any computer without wireless components baked in automatically. This extends beyond just Mesa County.
“It’s a concern nationally,” he said. “What this report finds is that this is not a problem for the future. It’s already there and already real.”
When Mesa County replaced its system in the wake of the Peters investigation, the county received machines without the wireless hardware, and Crane said election administrators have been working in general to use machines without wireless capabilities.
“This isn’t some new discovery that the (U.S Election Integrity Plan) came up with,” Crane said, referring to a Colorado-based far-right group founded by election-denial activists. “They didn’t discover the Fountain of Youth. We’ve known about this and have been working towards it.
Officials warn that reports like this one sow further distrust in an audience of mostly conservative voters, many of whom have already been convinced that elections are insecure. Such distrust can suppress voter participation and turnout and is bad for democracy overall.
“These people claim to be Republicans and conservatives and want to see conservatives do well. That garbage that started here in Colorado about Dominion cost the Republican Party the Senate runoffs in Georgia, and thus the control of the U.S. Senate,” Crane said.
Colorado-based conservative activist Joe Oltmann began pushing the conspiracy theory that Dominion Voting Systems planned to rig the 2020 presidential election in early November 2020.
Sens. Jon Ossoff and Raphael Warnock then won their races in early 2021, as misinformation about the integrity of the November 2020 election surged.
The office of Colorado Secretary of State Jena Griswold also disputes the report.
“These misleading reports serve to further the spread of election disinformation,” a statement from the office reads. “Colorado leads the nation in election security and will continue to do so through legislation like the Colorado Election Security Act which protects against officials, who serve in public trust, jeopardizing the state’s election security to prove conspiracies.”
That legislation, introduced last week, seeks to increase safeguards against insider threats to the state’s election systems.
Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.