On July 3, state voters and a good-government group filed a lawsuit alleging that Georgia officials ignored warnings that the state’s electoral system was extremely susceptible to hacking.
On July 4, Georgia Secretary of State Brian Kemp’s office was alerted about the lawsuit by the press and declined to comment. It received a copy of the suit on July 6.
And on July 7, Georgia officials deleted the state’s election data, which would have likely been critical evidence in that lawsuit, the Associated Press reported Thursday.
Two things could have happened here. Either it was an incredible act of incompetence on the part of Georgia’s election officials, or it was an attempted cover-up to try to hide from the public a major election security lapse. Lawmakers from both parties are calling for heads to roll.
According to the lawsuit in question, the vulnerabilities included a path via Google to uncover troves of information about the electorate, including passwords into the election systems themselves. Hackers could theoretically have used these holes to breach the system and make changes to voter registries, or even raw votes. Because the state has no paper trail for votes, such an attack would have been incredibly difficult to detect. (The FBI investigated Georgia’s system earlier this year but has not publicly revealed the results of that investigation.) The lawsuit argues that because of the weaknesses in Georgia’s system, the state’s 2016 election and its 2017 special congressional election were potentially compromised.
Officials at Kennesaw State University, which provides logistical support for the state’s voting network, destroyed the server that housed statewide election data. Marilyn Marks, executive director of the Coalition for Good Governance, the organization in the suit, says that the plaintiffs expected this data would have demonstrated the system’s enormous vulnerabilities. The FBI may still have made a copy of the data taken during its investigation, but what Kennesaw State’s Center for Election Systems stored was Georgia’s only version.
Kemp—who on July 2 wrote in a USA Today op-ed that allegations that the Georgia voter system was at risk were “fake news”—blamed the CES for its “inexcusable conduct or gross incompetence.” Kennesaw State officials indicate the deletion was routine, but they also would not answer questions about the remarkable timing or state clearly the reason for the deletion. According to the Associated Press, GOP state Rep. Scot Turner called on Georgia’s attorney general to investigate “whether there was criminal intent” in the destruction of the data. U.S. Rep. Hank Johnson, a Democrat, sent the AP a statement saying the server wipe “appears to be a willful and premeditated destruction of evidence.”
In an email dated July 7, Kennesaw State University IT security professional Christopher Michael Dehner wrote to associate vice president of educational technology engineering innovation Davide Gaetano, saying: “Per your instructions regarding the reimaging and installation of the CES server, we DBAN’d the hard drives.” DBAN, or Darik’s Boot and Nuke, is a program to delete computer data. Also included on that email was Stephen Gay, Kennesaw State University’s chief information security officer and university information technology services executive director.
On July 10, the plaintiffs in the lawsuit sent the state’s attorneys a litigation hold letter instructing them that they were obligated to take “reasonable steps necessary to prevent the destruction, loss, override or modification of relevant data either intentionally or inadvertently, such as through implementation of a pre-existing document retention policy.”
This somewhat routine letter should not have been necessary to prevent the destruction of evidence. Marks said it was issued out of caution and past experience. “We did not think that anyone would immediately start deleting files. So we didn’t rush it out the door,” she told me, noting that the president of Kennesaw State University was Georgia’s attorney general until November of last year. “They didn’t fall [off] the Georgia turnip truck yesterday. They knew their duties.” Her organization learned of the deletion earlier this month. Furthermore, she says, the attorney general’s office initially and incorrectly claimed the information had been wiped in March. “We were shocked to hear of any destruction.” Her organization was only able to find out the actual date through the public records request.
On July 26, according to the secretary of state’s office, Kemp was officially served with the lawsuit.
On Aug. 8, the case was moved to federal court from state court. The new judge in the case was Amy Totenberg, a Barack Obama appointee (and NPR legal affairs correspondent Nina Totenberg’s sister).
On Aug. 9, Dehner sent Gay an email that indicated two remaining servers had also been “degaussed,” or wiped: “I’m happy to report that the remaining two servers on the AAR were delivered … and the hard drives were degaussed three times.”
Gay responded: “This is fantastic news. Great work to all parties on closing the final recommendation from the incident after action report. In your service, Stephen.” The election center’s director, Michael Barnes, was copied on these last two emails. Nothing in the emails indicate that any of this was related to the lawsuit, but then again, people don’t typically state intended conspiracies to destroy evidence in emails.
The AP first reported on Thursday that the server had been wiped, but it did not report some of the details of the above timeline or the names of the officials responsible for the destruction of this data. Slate received copies of the relevant emails from Marks, who got them following a Freedom of Information Act request by her organization.
On Thursday, Assistant State Attorney General Cristina Correia informed the plaintiffs that her office had subpoenaed the FBI for a copy of the server that the bureau had made during a March investigation into Georgia’s electoral security flaws. The AP reported that the FBI would not confirm whether the copy still exists or investigators had found evidence of a breach.
In Thursday’s court filing, Correia said that the request of the FBI came from “an abundance of caution” and was not an admission that the server could be evidence in the litigation. Correia’s filing also claimed that the “original CES server was wiped on July 7, 2017, prior to service of this lawsuit on any defendant in this case.” That’s a pretty weaselly claim. Although Kemp was not formally served until July 26, the secretary of state’s office received a FedEx’d copy of the lawsuit one day before the deletion, according to Marks, and additional CES servers were apparently wiped a full month after he was served, according to the emails.
Barnes, the head of the election center, referred the AP to the university’s press office. As of publication time, Dehner, Gay, and Gaetano had not responded to Slate’s request for comment. The university’s press office emailed this statement:
In March 2017, a Center for Election Systems’ server involved in an alleged data breach was turned over to the FBI. While the server was in the possession of the Bureau, a forensic image or copy of all the data on the server was made and held by the agency. Following the notification from the FBI that no data was compromised and the investigation was closed, the server was returned to the University’s Information Technology Services group and securely stored. In accordance with standard operating procedures, an after-action report was prepared. This report outlined hardware improvements for the Center, including repurposing the impacted server and surplusing servers that had exceeded end of life. As part of the report, the original server that had been investigated by the FBI was designated to be repurposed, and the drives on the server were erased and the server made available for alternative uses. As noted by the subpoena filed today by the Attorney General’s Office, the data and information that was on the server in question has been and is still in the possession of the FBI and will remain available to the parties in the event it is determined to be relevant in the pending litigation.
Notably, this statement does not say why the deletions occurred when they did, who made the decision to delete on July 7 and then again on Aug. 9, or even when those decisions were made. It just says the deletion happened “as part of the report” that was issued “in accordance with standard operating procedures.”
Jeremy Epstein, the co-founder of Virginia Verified Voting, says that it is normal for some voting information to be erased after an election because some localities have limited media. There’s also been a recent concern that private data could remain on machines that then enter public circulation, which was the case earlier this year when a voting machine sold on eBay was discovered to contain personal information for more than 650,000 voters. “There is a possibility that there may have been some rationale for doing this,” Epstein told me. “But the timing is a legal question not a technical question and I’m not a lawyer.”
Regardless of what standard operating procedure might be, the timing of this is questionable at best, and an egregious and hubristic destruction of evidence at worst. “The fact that this happened after a complaint was filed and after Kennesaw State and the secretary of state’s office should have known this was going to be a matter of litigation for a while raises a lot of eyebrows,” said Lawrence Norden, the deputy director of the Brennan Center’s Democracy Program.
For his part, Kemp issued a statement blaming KSU:
The Secretary of State’s office had no involvement in this decision, and we would never direct someone to take such action. This pattern of reckless behavior is exactly why we are ending our relationship with KSU and the Center for Elections Systems and moving functionality in-house.
Not only did KSU officials fail to notify us of the server’s vulnerabilities when they first learned of the problem, they failed again to notify us when they decided to wipe the compromised server and the back-up server. We will not stand for this kind of inexcusable conduct or gross incompetence.
Earlier today, we opened an internal investigation on this new incident at KSU. Those responsible at KSU should be held accountable for their actions. The Secretary of State’s office is also coordinating with FBI officials to get our own copy of the data that was erased at KSU.
Despite the undeniable ineptitude at KSU’s Center for Elections Systems, Georgia’s elections are safe and our systems remain secure. As Secretary of State, I will continue to lead around the clock efforts to keep it that way.
An official in the secretary of state’s office who asked not to be named also blamed the university: “KSU is being completely uncooperative with our office and the media. They obviously know that they did something wrong.”
In August of 2016, Kemp was one of a number of Republican secretaries of state to decline an offer from the Department of Homeland Security to help secure the state’s election systems. At the time, he described the possibility that DHS might label the election system critical infrastructure—subjecting it to additional federal protections—“vast federal overreach” and an effort to “subvert the Constitution.”
On June 13, Bloomberg News reported that Russian hackers had attacked election systems in at least 39 states. The federal government has acknowledged that Russia was involved in a vast effort to undermine the 2016 election.
The lawsuit cited a Politico report that an independent researcher named Logan Lamb had used Google to uncover the vast security hole in Georgia’s election system in 2016 and alerted the state, which failed to close the breach. Politico reported in June that Lamb had found a registration database for the state’s 6.7 million voters, PDFs with instructions and passwords for election officials to sign in to the system server, and software files used to verify voter registration.
Politico also reported that the CES, through its server, created and distributed the back-end voter machine data that told tabulators “which candidate should receive a vote based on where a voter touches the screen.” Though it might not be self-evident, that’s a big deal. From Politico: “If someone were to alter the files, machines could be made to record votes for the wrong candidate.”
This is all deeply concerning. There remains little indication Georgia plans to do what’s necessary to put its house in order, but election experts are hopeful this debacle might be a wake-up call. “There have been questions swirling around the integrity of Georgia’s administration of elections for years, and revelations of the wiped server only add to the need to get to the bottom of what is going on,” voting expert Richard L. Hasen told Slate. “I hope both the ongoing lawsuit and Georgia Legislature will look carefully into how to fix this to insure that voting and voter registration information is secure and accurate.”