EPIC - Curling v. Raffensperger

Curling v. Raffensperger

Whether the use of direct recording electronic (DRE) voting systems that do not produce human-readable paper ballots and that have known cybersecurity vulnerabilities violates the constitution

Background|
EPIC's Interest|
Legal Documents|
Resources

Georgia Court Grants EPIC's Motion to File Amicus on Ballot Secrecy: A Georgia federal court has granted EPIC's request to file an amicus brief urging the court to protect the secret ballot. Plaintiffs presented the court with evidence that Georgia’s ballot-marking devices, which rely on large display screens, make voter choices easily viewable by others in the polling place. EPIC wrote in the amicus that "the right to cast a secret ballot in a public election is a core value in the United States." This is the second amicus brief EPIC has submitted in the case, Curling v. Raffensperger. In the earlier amicus brief, EPIC urged the court to stop Georgia's use of Direct Recording Electronic voting machines, which EPIC explained were unreliable and easily hacked. The court ruled that Georgia must replace the machines before the 2020 election. (Mar. 31, 2020)
EPIC Urges Georgia Court to Ensure Ballot Secrecy in Primary: In an amicus brief, EPIC has asked a Georgia federal court to protect the secret ballot. Plaintiffs presented the court with evidence that Georgia's ballot-marking devices, which rely on large display screens, make voter choices easily viewable by others in the polling place. EPIC wrote in the amicus that "the right to cast a secret ballot in a public election is a core value in the United States." This is the second amicus brief EPIC has submitted in the case, Curling v. Raffensperger. In the earlier amicus brief, EPIC urged the court to stop Georgia's use of Direct Recording Electronic voting machine, which EPIC explained were unreliable and easily hacked. The court ruled that Georgia must replace those voting machines before the 2020 election. (Mar. 19, 2020)

More top news »

EPIC Obtains 2018 DHS Election Security Briefing with Members of Congress » (May. 5, 2021)

Through a Freedom of Information Act request to the Department of Homeland Security, EPIC obtained records circulated in a 2018 election security meeting with members of the U.S. House of Representatives. On May 22, 2018, then-DHS Secretary Kirstjen Nielsen, then-Federal Bureau of Investigation Director Christopher Wray, and then-Director of National Intelligence Dan Coats held a classified briefing for members of Congress informing them of the risks to the election process and steps the administration was taking to assist state officials in ensuring election security. The briefing materials include charts on election infrastructure cyber risk scenarios and cybersecurity considerations, as well as compiled anecdotes of the DHS's engagement with state election security officials. These anecdotes highlighted how states have taken efforts to strengthen their election systems for the 2018 mid-term elections, including some states taking up the voluntary election security resources from DHS. EPIC sued the DHS for records about the agency’s assessment of election vulnerabilities following the 2016 presidential election and its ongoing role in protecting election systems as critical infrastructure. The agency released hundreds of pages of records to EPIC about its role in election cybersecurity, with records revealing the agency's rocky initial involvement in election security following its 2017 designation of election infrastructure as critical infrastructure and how far the agency has come since then. The case is EPIC v. DHS, 17-2047 (D.D.C.).

EPIC, Coalition Urge for Congressional Briefings on Election Security to Continue » (Sep. 11, 2020)

In a letter to the Direction of National Intelligence John Ratcliffe, EPIC joined a coalition of other groups calling for the continuation of in-person briefings to Congress on election security. The letter states, "[e]fforts to interfere with American elections are a serious threat to our democratic process and undermine public confidence in our institutions." The group emphasized that "it is critical that [ODNI] continue responding to all congressional oversight inquiries and continue to appear in-person to answer questions." EPIC is currently suing the Department of Homeland Security for records about the agency's assessment of election vulnerabilities following the 2016 presidential election and its ongoing role in protecting election systems as critical infrastructure. The agency has released hundreds of pages of records to EPIC about its role in election cybersecurity, including: DHS's contacts with election officials, state reports of election security incidents going back to 2016, meeting minutes from the DHS Election Task Force in 2017, and a September 2016 Election Infrastructure Cyber Risk Characterization Report.

American Bar Association Adopts New Drone Privacy and Election Security Resolutions » (Feb. 20, 2020)

This week the American Bar Association adopted new policies for the security of elections and the regulation of drone operations. Under the election cybersecurity policy, the ABA will urge Congress to provides funding to NIST to set election security standards, provide funding to secure state systems, and encourage state and local governments to secure election systems. Last year a federal court ruled that Georgia must replace its insecure voting machines, citing EPIC's amicus brief that highlighted the unreliable nature of paperless voting systems. EPIC continues to seek release of DHS records concerning ongoing election security risks. The ABA also adopted a drone privacy policy that will encourage federal, state, and local governments to regulate the deployment of drones. EPIC first petitioned the FAA to promulgate drone privacy regulations in 2012, has sued to obtain records of the agency's secretive drone advisory committees, and EPIC recently launched a Mandate Drone ID Campaign.

DHS Agrees to Release Documents About Election Cybersecurity to EPIC » (Nov. 27, 2019)

EPIC and DHS have filed a joint status report in EPIC v. DHS. The federal agency has agreed to reprocess previously withheld documents about election security. EPIC filed a Freedom of Information Act lawsuit in 2017, immediately after the agency's decision to designate election systems as "critical infrastructure." The announcement followed the determination that Russia meddled in the 2016 presidential election. The designation also gave the DHS new responsibilities to help protect state election systems. Over the course of litigation, DHS has provided hundreds of pages to EPIC about the agency's role in election system security. But the agency has also withheld information sought by EPIC, including: (1) documents concerning contacts between DHS and State Election Officials, (2) Election Task Force meeting minutes, (3) documents about risk characterizations and analysis reports on Russian interference; and (4) incident reports and vulnerabilities in election systems. Because the 2020 election is fast approaching, EPIC sought the prompt release of these records so that Congress and the public could assess the effectiveness of the DHS security program. The recent court filing between EPIC and the DHS should move the process forward. The case is EPIC v. DHS, 17-2047 (D.D.C).

Court: Computer Experts May Examine Georgia Voting Systems » (Jul. 11, 2019)

A federal court in Georgia has ruled that Georgia election officials must allow the Coalition for Good Governance to review the state's election management databases. The Coalition argued that the databases "provide the roadmap that needs to be analyzed to identify flaws" in the state election system. EPIC recently filed an amicus brief in the case, joined by 31 legal scholars and technical experts. EPIC asked the federal court to stop Georgia's use of Direct Recording Electronic voting machines. Experts in election security have shown that DREs are insecure, vulnerable to attack, fail to provide a paper trail that enables auditing, and subject vote tallies to manipulation by remote adversaries. EPIC told the court, "the continued use of these systems poses a direct threat to personal privacy, election integrity, and democratic institutions." The case is Curling v. Raffensperger.

House Passes Election Security and Paper Ballot Bill » (Jun. 28, 2019)

The House of Representatives has passed the SAFE Act, an election security bill establishing cybersecurity safeguards for election equipment, prohibiting wireless modems in voting machines, and requiring paper ballots. The bill would also provide for grants to states that perform risk-limiting audits. EPIC, along with the U.S. Technology Policy Committee of the Association for Computing Machinery, recently filed comments to the Election Assistance Commission. The groups urged the Commission to ban internet-connected voting machinery, citing the risks to voting integrity and democratic institutions. "The EAC should ban the use of internet-connected voting machines and protect ballot secrecy," EPIC and USTPC said. EPIC has a long history of working to protect voter privacy and election integrity.

D.C. Circuit to Hear Arguments in EPIC v. IRS, FOIA Case for Trump's Tax Returns » (Sep. 11, 2018)

The D.C. Circuit will hear arguments on Thursday, September 13 in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. Live audio of the arguments will be streamed from this link at or around 9:30 a.m. EPIC has argued that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC has pursued concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyberattack) and EPIC v. DHS (election cybersecurity).

After EPIC Obtains FBI Victim Notification Procedures, Court Rules for Bureau » (May. 23, 2018)

After EPIC obtained the FBI cyberattack victim notification procedures in Freedom of Information Act lawsuit EPIC v. FBI, a D.C. federal court has ruled that the agency may withhold remaining records explaining FBI's response to the Russian interference in the 2016 election. EPIC had argued that the FBI had failed to demonstrate that releasing records of the agency's response to cyberattacks would interfere with its investigation of the Russian interference. The "Victim Notification Procedures" obtained by EPIC led to Associated Press investigation which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. EPIC is currently pursuing related FOIA cases about Russian interference in the 2016 election, including EPIC v. IRS (Release of Trump Tax Returns) and EPIC v. DHS (election cybersecurity).

Senators Question Intelligence Officials on Russian Election Interference » (Feb. 13, 2018)

The Senate Intelligence Committee held a hearing today with top officials from all U.S. intelligence agencies: Office of the Director of National Intelligence, CIA, NSA, Defense Intelligence Agency, FBI, and the National Geospatial-Intelligence Agency. The officials unanimously agreed that Russia interfered in the 2016 election and will interfere in the 2018 election, noting that they have already observed attempts to influence upcoming elections. Director of National Intelligence Dan Coats said: "There should be no doubt that Russia perceived that its past efforts as successful and views the 2018 U.S. midterm elections as a potential target for Russian influence operations." EPIC launched the Project on Democracy and Cybersecurity, after the 2016 presidential election, to safeguard democratic institutions. EPIC is currently pursuing several FOIA cases concerning Russian interference, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). EPIC also provided comments to the Federal Election Commission to improve transparency of election advertising on social media.

EPIC Urges House Judiciary to Examine FBI Response to Russian Cyber Attacks » (Dec. 12, 2017)

EPIC has sent a statement to the House Judiciary Committee ahead of Wednesday's DOJ Oversight hearing. EPIC urged the Committee to question Deputy Attorney General Rosenstein about the FBI's ability to respond to future cyberattacks concerning the 2018 elections. A recent Associated Press investigation found that the FBI, the lead agency for cyber response, did not notify U.S. officials that their email accounts were compromised during the 2016 election. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI, filed earlier this year. EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity).

NEWS UPDATE - EPIC Sues FBI for Details of Russian Interference with 2016 Election » (Jan. 18, 2017)

EPIC today filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation in federal district court in Washington, DC. The case is designated EPIC v. FBI, No. 17-127 (D.D.C. filed Jan. 18, 2017). The complaint states “EPIC challenges the FBI’s failure to make a timely decision concerning EPIC’s request for expedited processing of the FOIA request for records about the Russian interference with the 2016 Presidential Election.” A press conference will be held at the Fund for Constitutional Government on Capitol Hill on Thursday, January 19, 2017 at 1 pm. Media Advisory

Senate Armed Services Committee to Examine Foreign Cyber Threats » (Jan. 4, 2017)

The Senate Armed Services Committee will hold a hearing on "Foreign Cyber Threats to the United States" on January 5, 2016. EPIC submitted a statement to the Committee to alert Senators about a pending Freedom of Information Act request. The EPIC FOIA request concerns the lax response of the FBI to the Russian interference with the 2016 Presidential election. EPIC wrote “we believe that the information that we are seeking from the FBI will also be helpful to the Senate Armed Services Committee as you investigate foreign cyber threats to the United States.”“Director of National Intelligence James Clapper, National Security Agency and Cyber Command Chief Adm. Mike Rogers and Undersecretary of Defense for Intelligence Marcel Lettre are scheduled to testify.

Summary

Individual Georgia voters, along with a voting rights organization, brought separate § 1983 actions, later consolidated, against Georgia state officials alleging that the state’s reliance on direct recording electronic (DRE) voting systems burdened their Fourteenth Amendment rights to due process and equal protection. DRE voting machines do not produce a paper trail or any other way to independently verify each individual's vote. DRE machines also have known cybersecurity vulnerabilities.

Plaintiffs seek, among other things, a declaration that the use of DREs is unconstitutional, and an injunction preventing Georgia from requiring voters to use DREs and requiring Georgia to use a system that produces a paper audit trail. Defendants moved to dismiss the case, arguing that Plaintiffs did not have standing and that Defendants were protected by Eleventh Amendment immunity. The District Court denied this motion. Defendants appealed this decision to the Eleventh Circuit.

The Eleventh Circuit upheld the lower court’s ruling. In May 2019, the district court addressed the defendants’ other claims, and found that res judicata or collateral estoppel from Curling I did not apply and the defendants named were the correct defendants. The Court also rejected the plaintiffs’ claim for a writ of mandamus, but denied the defendant’s motion to dismiss plaintiff’s due process and equal protection claims. The Court ordered discovery to begin immediately.

Background

Factual Background

Georgia uses Diebold AccuVote DRE voting machines in all of their elections. DRE voting machines are touchscreen computers that record votes on a removable memory card. DREs generally do not produce a paper ballot that can be used to verify an individual's vote or audit the computer record. Instead, DREs internally tally the vote totals, and then print the totals to paper.

Cybersecurity experts have long warned about the privacy and security concerns with DRE systems. In 1993, computer scientist Peter G. Neumann set out criteria that electronic voting systems should meet and pointed out that "the absence of a physical record of each vote is a serious vulnerability in direct-recording election (DRE) systems." Cryptographer Ron Rivest has emphasized the importance of verifiable voting, which includes the verifiability that a vote has been "cast as intended," "collected as cast," and "counted as collected." In their book, Broken Ballots: Will Your Vote Count?, computer scientists Barbara Simons and Douglas W. Jones devote an entire chapter to the problems with Diebold DREs, calling the company "the poster child of much that is wrong with DREs."

Cybersecurity experts have shown that DRE machines are vulnerable to manipulation. For example, Dr. Alex Halderman, a Professor of Computer Science and Engineering and Director of the Center for Computer Security and Society at the University of Michigan in Ann Arbor, has demonstrated that a DRE's vote totals can be manipulated by introducing malware via the memory card slot. The attack will go undetected because the malware will modify all relevant data, including audit logs.

There are also privacy concerns with the way DREs record individual ballots. AccuVote DREs record individual ballot data in the order in which they are cast, and they assign a unique serial number and timestamp to each ballot. This makes it possible to match votes to the voters who cast them.

Several authorities have raised the alarm about paperless electronic voting and the use of DRE machines. In March 2018, Department of Homeland Security Secretary Kirstjen Nielsen told the Senate Intelligence Committee that the lack of audit capability is a "national security concern." In August 2018, the National Academies of Science, Engineering, and Medicine released a report urging that electronic voting machines produce "human-readable paper ballots" and that machines that do not provide a voter verifiable paper audit trail "be removed from service as soon as possible."

Georgia law requires that “in jurisdictions in which direct recording electronic (DRE) voting systems are used at the polling places on election day, such direct recording electronic (DRE) voting systems shall be used for casting absentee ballots in person at a registrar's or absentee ballot clerk's office or in accordance with Code Section 21-2-382, providing for additional sites.” O.C.G.A. § 21-2-383(b). In 2002, the Georgia State Election Board passed a rule mandating the use of DRE machines in all elections. Ga. Comp. R. & Regs. r. 183-1-12-.01.

Procedural Background

Two sets of plaintiffs filed § 1983 actions in the U.S. District Court for the Northern District of Georgia in August 2017, claiming that Georgia's use of DREs violated their Fourteenth Amendment rights to due process and equal protection. Both sought declaratory and injunctive relief. The cases were subsequently consolidated. Defendants filed multiple motions to dismiss, arguing that they were immune to this suit under the Eleventh Amendment, and that Plaintiffs did not have standing to pursue this action. Plaintiffs filed for a preliminary injunction in August 2018 for immediate relief for the 2018 election.

On September 17, 2018, the District Court denied Plaintiffs' preliminary injunction as well as Defendants' motions to dismiss. The court found that Defendants were not immune to suit and that Plaintiffs had standing to pursue their claims. The court denied the preliminary injunction because "there were substantial fiscal, organizational, and practical impediments and burdens to complying with such an injunction in time for the upcoming November 2018 election." Defendants appealed the court's decisions on immunity and standing to the Eleventh Circuit.

Several other active cases also challenge Georgia's voting practices, procedures, and use of DREs. These include Common Cause Georgia v. Kemp (alleging Secretary of State Brian Kemp knowingly maintained an unsecure voter registration database), Martin v. Kemp (challenging the disenfranchisement of thousands of eligible mail ballot voters because information requested from voters was immaterial to deciding their eligibility to vote), and Coalition for Good Governance v. Crittenden (challenging the results of the lieutenant governor's race due to inexplicable undervotes caused by Georgia's DRE machines).

EPIC's Interest

EPIC has a long history of working on voter privacy and election integrity issues. These issues are directly implicated in Georgia's use of DRE systems that do not produce a verifiable paper trail.

EPIC has submitted amicus briefs in several voter privacy and election integrity cases, including the Fifth Circuit case Veasey v. Abbott and the Supreme Court case Crawford v. Marion County.

In July 2017, EPIC successfully sued Trump's Presidential Election Commission to block the Commission's unlawful collection and retainment of millions of state voter records. After EPIC brought suit, the Commission temporarily suspended its data collection, discontinued the use of an unsafe computer server, deleted voter information that was illegally obtained, and ultimately disbanded. EPIC later obtained documents through a FOIA request showing that DHS was concerned that the voter data grab would "disrupt critical efforts DHS is leading to work with state and local officials" on election cybersecurity. Documents obtained from another FOIA request showed that officials from four different federal agencies discussed joint plans to "clean" state voter rolls in 2017.

In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC has pursued, and continues to pursue, several FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity).

In 2016, EPIC, Verified Voting, and Common Cause released a report, "The Secret Ballot At Risk: Recommendations for Protecting Democracy," that explained that the secret ballot — the inability to link particular voters to particular votes — is a cornerstone of modern democracies. The secret ballot also reduces the threat of coercion, vote buying and selling, and tampering.

In April 2015, as the result of a Freedom of Information Act lawsuit, EPIC obtained a September 2011 report about online voting from the Department of Defense. The report, produced in response to EPIC's July 2014 FOIA request, summarized a pilot test of an e-voting system. The report recommended several changes, including accessibility and user interface, but did little to address privacy and security concerns except for recommending "visible security features" to "give users greater confidence in the privacy and security of their ballots."

In 2010, EPIC released an update to its "E-Deceptive Campaign Practices: Technology and Democracy 2.0" report, first published in 2008. The report reviewed the potential for abuse of Internet-based technology in the election context, and made recommendations on steps that should be taken by Election Administrators, voters, and those involved in Election Protection efforts. E-Deceptive campaigns are internet-based attempts to misdirect targeted voters regarding the voting process, and include false statements about poll place hours, election dates, voter identification rules, or voter eligibility requirements.

In 2009, EPIC recommended greater transparency on the standards development process to the Election Assistance Commission ("EAC"). The agency sought public comments on a draft of the agency's Voluntary Voting System Guidelines. In its comments, EPIC requested that the EAC follow President Obama's directive to all federal government agencies that they take affirmative steps to make their activities regarding standards development more transparent to the public, make ballot secrecy a critical component of federal voting technology standards, and maintain software independence in the next iteration of voting technology standards.

In 2008, EPIC submitted comments to the Election Assistance Commission on the proposed Voluntary Voting System Guidelines. EPIC proposed new guidance on privacy protection in the casting of ballots. EPIC also recommended more transparency for the privacy protections provided by federally certified voting systems.

Additionally, EPIC testified before the Election Assistance Commission on the 2007 Voting System Guidelines. EPIC urged the Commission to "offer clear and effective guidance to states on issues of functional capability, hardware, software, telecommunication, security, quality assurance, and configuration of voting systems."