When it comes to influencing elections, you can unleash an army of Twitter bots, curry favor with candidates’ closest advisers, create your own Super PAC—or you could just cut to the chase and hack the election equipment. You wouldn't be the first to try. Over 21 state election systems were targeted by hackers before the last presidential election, according to the Department of Homeland Security.
One might assume, then, that securing these systems and protecting their data would be a high priority for those tasked with safeguarding the democratic process. But that’s not always the case. In a spoliation scandal that’s still developing, election technicians in Georgia wiped information from a crucial election server, after a public interest group sued over the election system's dated and insecure technology.
Forget Hanging Chads, Worry About Deleted Ballots
At the heart of the dispute is a vulnerable computer server operated by the Center for Election Systems at Kennesaw State University, which runs the state election system. Last July, Logan Lamb, a former cybersecurity researcher with the federal Oak Ridge National Laboratory in Tennessee, publicly revealed vulnerabilities in that system. A firewall meant to keep voter and election information private had failed, Lamb found, leaving highly sensitive information unprotected. In addition, the site was still using an outdated version of Drupal, a content management software vulnerable to being hijacked by hackers.
In 2016, Lamb was able to access a database with registration information, including birth dates, social security numbers, and party affiliation for the state's 6.7 million voters. Passwords for the central election server were left unprotected, open to whoever could find them. Even databases for the General Election Management Systems servers, the election systems used to prepare ballots and tabulate votes, were exposed. Lamb informed the Center for Elections Systems, but months later the vulnerabilities had not been fixed.
“I was absolutely stunned, just the sheer quantity of files I had acquired,” Lamb told Politico in an interview this June.
Georgia uses 27,000 AccuVote touchscreen voting machines, dating from the early 2000s, that do not use paper ballots or create hardcopy records—making any data insecurity especially troubling.
On July 3rd, the Coalition for Good Governance, joined by a handful of Georgia voters, sued Georgia’s State Election Board and Secretary of State Brian Kemp, for failing to secure the integrity of the election system.
The suit seeks a writ of mandamus forcing Kemp to “fulfill his public duty to reexamine this system and its fundamental irregularities”.
Wiping an Election Server
Just a few days after the suit was filed, employees for the Center for Elections Systems wiped the server at issue, according to the Associated Press.
The server’s data was destroyed July 7 by technicians at the Center for Election Systems at Kennesaw State University, which runs the state’s election system. The data wipe was revealed in an email — sent last week from an assistant state attorney general to plaintiffs in the case — that was obtained by the AP. More emails obtained in a public records request confirmed the wipe.
Not only was the server erased, but two backups were “degaussed three times,” according to emails by a Center for Elections Systems information security staffer.
That data, the AP explains, “could have revealed whether Georgia’s most recent elections were compromised by malicious hackers.” Plaintiffs had planned to conduct an independent review of the server which, they believed, would show the election systems vulnerabilities—and put the results of Georgia's recent elections into question.
Of course, legal professionals know (or should know) that the obligation to preserve evidence arises once litigation is reasonably anticipated, which can be long before a suit is filed. Wiping a server whose data is at the heart of a newly filed suit would be a fairly flagrant abdication of that responsibility.
Even when spoliation is accidental (Secretary of State Kemp initially blamed the deletion on “undeniable ineptitude”), courts have broad remedial powers to “order measures no greater than necessary to cure the prejudice” when such spoliation has prejudiced the other party. And when spoliation is done with intent to deprive the other party of use of the data, such spoliation can cost you the case under the sanctions available under Rule 37(e)(2).
In a case such as this, though, one might expect the consequences of spoliation to reach far beyond just one lawsuit.
Nonetheless, it’s possible that the wiped data may be recoverable. The FBI imaged the server in March as part of its own investigation into the system’s lack of security. Georgia is now “reaching out to the FBI to determine whether they still have the image,” according to the state attorney general’s office.
It’s also possible that the destruction of the server’s data was routine. On Tuesday, the Georgia Secretary of State issued a report saying the erasure was “consistent with standard IT practices and were not undertaken to delete evidence.”
The plaintiffs, however, don’t seem convinced. “I don’t think you could find a voting systems expert who would think the deletion of the server data was anything less than insidious and highly suspicious,” says Marilyn Marks, executive director of the Coalition for Good Governance.
This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at casey.sullivan@logikcull.com or on Twitter at @caseycsull.