State Election Officials Have Known for Years that Voting Equipment Used in Many Counties Is Too Easy to Hack
Texas has 254 counties. Each accepts delivery of computerized vote-counting equipment, trusting that it properly counts votes. It’s the Texas secretary of state who bears responsibility for reliability and checking that built-in security features safeguard the integrity of the software.
In February 2020, Texas Secretary of State Ruth Ruggero Hughes received a disturbing report about the ES&S election equipment Texas used in some counties. She had assigned Brian Mechler, an expert in electronic data communications systems, to certify the equipment.
“There were a few issues with the hash verification procedure,” Mechler wrote of equipment from the nation’s largest vote-counting software firm, a secretive Nebraska outfit reincorporated as ES&S in 1997.
Texas trusted ES&S to act with scrupulous integrity, catch any simple mistakes as well as big ones and ferret out any intrusions by third parties.
Mechler’s report on verification issues was an understatement. Hash verification ensures no tampering of a program. It is a critical element in ensuring that the proprietary software counts all votes correctly. With the hash verification procedure having issues, the software could be set, for example, to count every 27th vote for one candidate as a vote for their opponent without the software detecting or recording it was modified.
Hash verification tracks digital fingerprints to monitor any modifications to the software from the time it leaves the vendor to when ballots are cast and counted. If the hash verification procedure is not operating properly, the ability to detect changes and ensure the integrity of software is compromised.
Trump Hasn’t Attacked ES&S
Significantly, Donald Trump has not attacked ES&S, whose machines counted ballots in counties where Trump and Republicans did unexpectedly well.
ES&S originally was started more than three decades ago by conservative Republicans under the name American Information Systems, but its current ownership is something the company has refused to discuss with Democratic lawmakers in Washington or DCReport.
Seven months after his initial report, Mechler issued a new detailed and disturbing report. Mechler found that the hash verification issues he had identified were still a major problem.
His report came in late September—just 44 days before the presidential election. It was a tight window to fix problems that had lingered unresolved for months, especially in a state as diverse and with as many counties as the Lone Star state. In contrast, California, the largest state, has just 58 counties, about one-fifth of the Texas count.
Multiple Security Issuesl
Mechler reported the ES&S software suffers from “multiple issues with its prescribed hash verification procedures.”
More troubling was this: “ES&S personnel have performed the hash verification process instead of their customers.”
The lack of independent verification meant Texas trusted ES&S to act with scrupulous integrity, catch any simple mistakes as well as big ones and ferret out any intrusions by third parties. Putting so much faith in the vendor given its own self-interest was bad policy, Mechler warned.
“Jurisdictions should always perform this process themselves. To have the vendor perform a required component of acceptance testing creates, at best, a conflict of interest,” Mechler wrote.
And, lest anyone doubt the depth of the vote-counting integrity problems, Mechler wrote this about a specific bug in the ES&S software: “It is my opinion that this bug (in addition to the overall process) indicates that ES&S has not developed their hash verification process with sufficient care, quality assurance, and concern for usability.”
Worse as the Election Loomed
Most disturbing of all in Mechler’s report was the trend in how issues were handled since his February report. Instead of fixing problems and creating a testable verification system, he wrote that things were getting worse.
“The ES&S hash verification process has been a growing issue of concern over the past few certification exams” he warned. “In this exam, their customer relations with regard to this process have also become a concern.
“At this point, these issues have been communicated in detail to ES&S. I will not recommend certification of future ES&S releases unless they make substantial improvements to the ease-of-use, reliability, and traceability of their hash verification process.” (Emphasis in the original.)
Incredibly, the examiner certified the machines. Mechler declared that if issues weren’t corrected by the next exam, he would refuse certification. Considering the next exam would not occur until after the 2020 elections, that’s like taking a new aircraft carrier out for trial runs despite indications it may tip over and sink in heavy seas.
Report Released—After the Election
To attempt to show that her office was being transparent about vote-counting software and hardware integrity, Texas’ Hughes posted the September report on the state’s website for public review. But as election security activist Jennifer Cohn noted on Dec. 9, it was posted five weeks after the election.
“Texas has some fine nerve complaining about election security. What about the ‘bug’ discovered in the state’s ES&S machines in September 2020?!”
Mechler’s scathing report came nine months after Texas declined to certify a competing vendor’s vote-counting products. That action involved the company Team Trump repeatedly attacked—Dominion Voting Systems. The January 2020 decertification was the third time Texas rejected Dominion because state officials consider serious flaws in its products.
Why would Texas apply such different standards to these two companies, one Trump and his surrogates relentlessly attack as unfair to him and another on which Trump has been silent?
On Fox Business News’ Lou Dobbs Tonight, Trump’s legal team congratulated Texas for its foresight in rejecting Dominion.
Rudy Giuliani applauded Texas for decertifying Dominion. He also harshly criticized Georgia for shifting from ES&S to Dominion. Giuliani wrongly claimed, “The lobbyist for Dominion was the former chief of staff for the governor.” Not exactly. Giuliani may have been referring to Gov. Brian Kemp’s chief of staff when Kemp was secretary of state, without revealing that the member of staff hadn’t been in that position since 2015, years before Georgia switched to Dominion in 2019.
More significantly, Giuliani failed to note that Charles Harper, Kemp’s current deputy chief of staff, had been registered to lobby for ES&S during the gubernatorial race in which Kemp beat Stacey Abrams.
Those 2018 votes were counted using ES&S equipment. Harper was still Kemp’s deputy in March 2019 when, because of his conflict of interest, Democrats successfully fought Kemp’s plans to buy new ES&S equipment.
Dominion Files $1 Billion Suit
Giuliani’s disinformation campaign prompted Dominion to file suit on Friday against Trump lawyer Sidney Powell for more than $1.3 billion in damages. Dominion also has threatened to sue Giuliani and White House Counsel Pat Cipollone for what it says is calculated lying about the company to advance Trump’s baseless claims that he won in a landslide.
Another voting machine software company, Smartmatic, threatened to sue Fox News, including hosts Dobbs and Judge Jeanine Pirro, as well as far-right propaganda outlets OANN and NewsMax. Smartmatic says all of them made maliciously false statements that damaged the company.
The litigation threats by Dominion and Smartmatic have raised concerns that they could deter serious journalism about how votes are counted.
More than 90% of votes are counted by the machines of three vendors: industry leader ES&S, Dominion, and Hart InterCivic. While Hughes was refusing to certify Dominion in Texas, she ignored warnings and historical issues related to the other two vote-counting vendors on which Texas also relied.
Vendors over Voters?
The issue: Did Hughes deliberately put the interests of vendors over voters? And why did she ignore alarm bells?
As DCReport told readers on Dec. 31, ES&S lobbyists work closely with state and local elections officials. Considering Hughes herself was previously found to be working closely with other lobbyists on legislation another issue arises: How did Hughes’ affinity for lobbyists put the integrity of Texas elections in question?
Her lapses in ensuring cybersecurity come in a state where Republicans have pursued aggressive voter-suppression techniques for decades.
ES&S was not the only vote-counting firm with a troubling history in Texas. In 2018, counties deployed hundreds of aging Hart machines that confused voters. That led to accusations of illegal vote flipping in the hotly contested Senate race between the vociferously anti-Democratic Republican incumbent Ted Cruz and his popular Democratic opponent Beto O’Rourke.
The Texas Democratic Party called the issue “a malfunction” and asserted it caused Democrats to inadvertently vote for Cruz—who won the election by just 1.6 percentage points among nearly 8.4 million votes.
Both ES&S and Hart machines are still being used to count votes throughout Texas.
Featured image: With 10% of the state’s votes in, Fox News said Trump would win the state.