- True the Vote
- Posts
- Monday, Sept 30th - Georgia Judge Hears Case on Lawsuit Concerning Dominion Encryption Keys
Monday, Sept 30th - Georgia Judge Hears Case on Lawsuit Concerning Dominion Encryption Keys
Encryption Keys, aka Passwords, are Exposed and Available For Exploitation. What Does This Mean For Election Security?
Georgia Judge Scott McAfee will hear Kurt Olsen’s case DeKalb County Republican Party vs. Raffensperger on Monday, Sept. 30 in Fulton County. The Application for Writ of Mandamus filed on August 30, 2024 alleges Dominion Voting Systems (Dominion) machines used across Georgia and several other states are using “cryptographic encryption keys to secure election systems” that fail to meet the “mandatory security requirements for encryption keys.”
To be clear, the referenced encryption keys provide access to all tools and functions, including the ability to decrypt, alter, and re-encrypt election results without qualification or detection.
Election systems like Dominion’s Democracy Suite, according to the lawsuit, use encryption to prevent unauthorized access and to “prevent malicious alteration of election results” per mandated EAC-certification requirements. It seems Dominion failed miserably to protect voters from potential manipulation of election data.
According to the filing, the use of unprotected encryption keys “compromised Georgia’s election systems and left them vulnerable to any malicious actor–foreign or domestic– to manipulate results without likely detection.”
Secretary of State Raffensperger “has been on notice of this violation of EAC certification requirements since at least March 28,2024,” according to the lawsuit. The DeKalb County GOP asserts it has "cognizable injury sufficient to support a claim for mandamus relief” because Georgia continues to use election systems “that do not meet the cyber security requirements of Georgia law…”
Georgia’s Secretary of State entered into the contract with Dominion for the purchase of electronic voting equipment “on or about July 29, 2019.” The terms of that contract “remain in force today,” according to the lawsuit. Dominion is making bank with its contract with Georgia; well over $100 million dollars as documented in Exhibit G of the case. The Annual cost of software licenses alone 2023-2029 is over $2.3 million dollars.
Cyber Security expert Clay Parikh testified about the encryption key security issue and other security issues found after the 2020 election before the U.S. Supreme Court in the Kari Lake and Mark Finchem v. Adrian Fontes case. Parikh’s affidavit can also be found in Exhibit 3 of the DeKalb County filing. Parikh called the security violation “egregious,” rendering “the security and accuracy of election results and data…meaningless.” Specifically, Parikh stated,
The secret encryption key and x509 certificate used to encrypt, decrypt, the election data, and used for authentication when transferring files and communication are stored in plaintext, unprotected within the election database. Compounding this, the database is not configured to standard security configurations use for a database dealing with sensitive information. These findings indicate that all cryptographic safeguards, designed to ensure the security and accuracy of elections results and data, have been rendered meaningless.
Parikh also noted in his testimony that during his review of “four Georgia databases, each database contained simple and easy to guess passcodes.” In addition, he shared that “common or shared passwords were also discovered.” Stunningly, “the same exact security code was being utilized in other states during the same election period. The same password and/or security code for certain accounts are identical to the password or security code used in Maricopa County, AZ and Mesa County, CO,” Parikh added. The databases Parikh examined were from Appling, Bibb, Jones, and Telfair counties in Georgia.
According to Parikh, the passwords and encryption keys were easily accessed because the only authentication needed was a Windows log-in. “Windows log-in can easily be bypassed,” said Parikh. As a result of the insecure election systems, Parikh declared that voters of Georgia “should have no confidence that their votes have been accurately counted, if they were even counted at all.”
Notably, the DeKalb lawsuit reveals that Dominion admitted in an internal email that it knew encryption was a key security requirement in elections.
From an engineering perspective, the main reason why we don’t want unencrypted databases is that then the integrity of the election data and results cannot be guaranteed.
The February 4, 2020 email from Director of Engineering Services, Ivan Vukovic, is pictured below:
Exhibit 4 of the lawsuit features an affidavit from veteran computer forensics and incident response expert Benjamin Cotton. Cotton notes that the State of Georgia has known about the “critical vulnerabilities” in Dominion Voting System’s ability “to secure the encryption keys” and has “failed to address any of the vulnerabilities.” Cotton reviewed Coffee County’s Election Management System (EMS) after the 2020 election. Cotton alleges he found “evidence that executable files were created and modified after the Dominion Voting Software (DVS) was installed and certified.”
Cotton warned in his declaration that the security violations are akin to “having the most secure vault in the world, touting how secure it is to the public and then taping the combination in large font type on the wall next to the vault door. Anyone with local or remote access to the system, including authorized or unauthorized users, can obtain the certificates and keys and once obtained the entire election can be compromised.
Olsen plans to file an amicus brief signed by “50-plus Georgia County GOP parties on Sunday night.” On Sept. 19, Olsen also sent a pre-litigation demand letter to Maricopa County Attorney, Rachel Mitchell. The letter warns Maricopa County that it must “take action to provide a secure and accurate election in the upcoming 2024 general election.” Olsen alleges the 2024 Maricopa County election is vulnerable to security breaches because of the same insecure “vendor-supplied encryption keys placed in unprotected and in plain text.”
WOW!
Maricopa County Republican Committee sends pre-litigation letter to secure 2024
Among other things…Dominion is using the SAME PASSWORDS in multiple states
Oh, and “TOTAL CONTROL” of the results can be obtained by any bad actor because the encryption keys are unencrypted
— Liz Harrington (@realLizUSA)
11:14 PM • Sep 20, 2024
In an effort to address these systemic weaknesses and prevent their exploitation, this lawsuit seeks relief including full transparency of digital logs and election-related documents, all to be made publicly available. It is a reasonable remedy that could provide significant safeguards in this November’s election.
In addition, plaintiffs put the state on notice, making it clear that the Secretary of State must comply with “Georgia Election Code and other mandatory regulations” during Georgia’s administration of the 2024 General Election. This will include the application of “any remedial measures…applied state-wide in a uniform fashion” to ensure all Georgia voters are afforded a level playing field as protected by state law and the Equal Protection Clause of the U.S. Constitution.
Godspeed to the plaintiffs and their legal representation. Americans want accountability. This definitely appears to be a step in the right direction.
Live stream of hearing at 9 a.m. EST here.