Cybersecurity & Tech Democracy & Elections

Federal Court Ruling in Georgia Shows Judges Have a Role to Play in Election Security

Jessica Marsden
Friday, October 12, 2018, 8:00 AM

In the wake of Russia’s interference in U.S. elections, questions persist as to whether Russia changed vote totals and changed the outcome of the election.

Source: Joe Shlabotnik/Flickr

Published by The Lawfare Institute
in Cooperation With

In the wake of Russia’s interference in U.S. elections, questions persist as to whether Russia changed vote totals and changed the outcome of the election. Former Homeland Security Secretary Jeh Johnson and the Senate intelligence committee each say there is no evidence that the Russians did so. But as technologist Matt Blaze told the New York Times, that’s “less comforting than it might sound at first glance, because we haven’t looked very hard.” And experts agree that our outdated voting technology certainly exposes voters to the risk of interference, as election security experts and election administrators have known for more than a decade.

Last month, the U.S. District Court for the Northern District of Georgia recognized that the risk of election hacking is of constitutional significance—and that courts can do something about it. In Curling v. Kemp, two groups of Georgia voters contend that Georgia’s old paperless voting machines are so unreliable that they compromise the plaintiffs’ constitutional right to vote. In ruling on the voters’ motion for preliminary injunction, Judge Amy Totenberg held that the plaintiffs had demonstrated a likelihood of success on the merits—in other words, Georgia’s insecure voting system likely violated their constitutional rights. While the court declined to order relief in time for the 2018 elections, the ruling suggests that Georgia may eventually be ordered to move to a more secure voting system. (Protect Democracy, where I work, has filed an amicus brief in Curling. Protect Democracy also represents Lawfare contributors and editors Benjamin Wittes, Jack Goldsmith, Scott Anderson and Susan Hennessey on a number of separate matters.)

Until now, courts have had few opportunities to consider the constitutional dimensions of vote-counting procedures. Voting rights litigation has centered on voter-registration rules, access to the polls, and access to the ballot, rather than the mechanics of counting votes. But with a new focus on election hacking, courts are being invited to scrutinize the sufficiency of different states’ voting systems and their security from intruders. Totenberg’s ruling shows that courts are fully capable of evaluating the risks of different voting technologies—and ordering remedies when they are needed.

Georgia exclusively uses Direct Recording Electronic (DRE) voting machines that produce no paper record. These touchscreen machines record votes on a memory card, which is removed at the end of voting and used to transfer the vote totals to county servers for tabulation. Computer scientists who have studied the machines used in Georgia have identified multiple avenues through which attackers could change vote totals on the machines. In fact, the Georgia plaintiffs’ computer-science expert actually executed one such hack in a live demonstration for the court. Separately, Georgia election administrators inadvertently published sensitive voting-related information such as software applications, voter registration information, and ballot-building files on a public website. Taken together, the court found, these features of Georgia’s system exposed voters to a substantial risk of election hacking.

The court further held that these serious security flaws and vulnerabilities in Georgia’s voting system implicate the constitutional guarantee of the right to vote. The right to vote is not satisfied simply by filling out a ballot or making selections on a touchscreen. As Totenberg recognized, voters have a “fundamental right to cast an effective vote (i.e., a vote that is accurately counted).” She concluded that, because of their security flaws, Georgia’s DRE machines do not fulfill that guarantee, in violation of plaintiffs’ due process and equal protection rights.

Importantly, the court found that voters have standing to challenge voting procedures even before an election hacking attack occurs. Generally, standing requires a plaintiff to show (1) an injury in fact that was (2) caused by the defendant’s conduct and (3) that is redressable by the court. Here, the Court found that Georgia plaintiffs satisfied the injury-in-fact requirement in two ways. First, the voting system actually has been hacked—by cybersecurity experts who reported the system’s vulnerabilities to election officials. The plaintiffs’ right to vote was burdened by a voting system that failed to “accurately and reliably record[] their votes and protect[] the privacy of their votes and personal information.”

Second, the plaintiffs alleged an imminent risk of future harm in the form of a future hacking event by malicious actors. Once an election has been hacked, the only viable remedy is re-running the election—an extreme and disruptive remedy. Furthermore, paperless voting machines make it impossible to know for sure whether an election has been hacked. As the court recognized, voters should be able to challenge the voting system before such a catastrophe occurs.

The court also rejected Georgia’s argument that any risk of injury to plaintiffs’ right to vote is caused solely by potential hackers, not by the state’s choice of voting system technology. The court pointed out the obvious: The government, not the hackers, controls which voting system is used in its elections. In Georgia, the State Election Board requires the use of DREs in all federal, state and county elections. Georgia’s secretary of state provides counties with DRE machines and software. And state officials are empowered to investigate the security of the DRE machines and order potential remedies. The court found that these allegations were sufficient for voters to establish that their imminent injuries were “fairly traceable” to the state’s choice of voting system.

The ruling is important not just in Georgia, but in other jurisdictions across the country where DRE machines are still in use. Thirteen states currently use DRE machines in at least some jurisdictions; five of them use the machines statewide. Protect Democracy has filed a lawsuit similar to the Georgia case in South Carolina, contending that its statewide use of another type of vulnerable DRE machines violates the constitutional requirements for a secure election system. In the other states that use paperless voting machines, advocates are clamoring for change. The Georgia court’s ruling should be a wake-up call for state legislators who are dragging their feet on replacing out-of-date election technology. The risk of election hacking is real, and change is on the way—even if voters have to take their concerns to court.

Jessica Marsden serves as counsel at Protect Democracy.

Subscribe to Lawfare