A worker returns voting machines to storage at the Fulton County Election preparation Center on Nov. 4, 2020, in Atlanta. The list of security breaches at local election offices since the 2020 election keeps growing, with investigations ongoing in at least three states, Colorado, Georgia and Michigan. Security experts say the breaches by themselves have not necessarily increased threats to the November elections, but say they increase the possibility that rogue election workers could access election equipment to launch attacks. (AP Photo/John Bazemore, File)
ATLANTA — Sensitive voting system passwords posted online. Copies of confidential voting software available for download. Ballot-counting machines inspected by people not supposed to have access.
The list of suspected security breaches at local election offices since the 2020 election keeps growing, with investigations underway in at least three states — Colorado, Georgia and Michigan. The stakes appeared to rise this week when the existence of a federal probe came to light involving a prominent loyalist to former President Donald Trump who has been promoting voting machine conspiracy theories across the country.
While much remains unknown about the investigations, one of the most pressing questions is what it all could mean for security of voting machines with the midterm elections less than two months away.
Election security experts say the breaches by themselves have not necessarily increased threats to the November voting. Election officials already assume hostile foreign governments might have the sensitive data, and so they take precautions to protect their voting systems.
The more immediate concern is the possibility that rogue election workers, including those sympathetic to lies about the 2020 presidential election, might use their access to election equipment and the knowledge gained through the breaches to launch an attack from within. That could be intended to gain an advantage for their desired candidate or party, or to introduce system problems that would sow further distrust in the election results.
In some of the suspected security breaches, authorities are investigating whether local officials provided unauthorized access to people who copied software and hard drive data, and in several cases shared it publicly.
After the Georgia breach, a group of election security experts said the unauthorized copying and sharing of election data from rural Coffee County presented “serious threats” to the November election. They urged the state election board to replace the touchscreen devices used throughout the state and use only hand-marked paper ballots.
Harri Hursti, a leading expert in voting security, said he is concerned about another use of the breached data. Access to the voting equipment data or software can be used to develop a realistic looking video in which someone claims to have manipulated a voting system, he said.
Such a fake video posted online or to social media on or after Election Day could create chaos for an election office and cause voters to challenge the accuracy of the results.
“If you have those rogue images, now you can start manufacturing false, compelling evidence — false evidence of wrongdoing that never happened,” Hursti said. “You can start creating very compelling imaginary evidence.”
There has been no evidence that voting machines have been manipulated, either during the 2020 election or in this year’s primaries. But conspiracy theories widely promoted among some conservatives have led to calls for replacing the machines with hand-marked and hand-counted ballots and raised concerns that they could be targeted by people working inside election offices or at polling places.
The suspected breaches appear to be orchestrated or encouraged by people who falsely claim the 2020 election was stolen from Trump. In several of the cases, employees of local election offices or election boards gave access to voting systems to people who were not authorized to have it. The incidents emerged into public view after the voting system passwords for Mesa County, Colorado, were posted online, prompting a local investigation and a successful effort to replace the county clerk from overseeing elections.
MyPillow CEO Mike Lindell, who has organized or attended forums around the U.S. peddling conspiracy theories about voting machines, said this week that he had received a subpoena from a federal grand jury investigating the breach in Colorado and was ordered to hand over his cellphone to FBI agents who approached him at a fast-food restaurant in Minnesota.
“And they told me not to tell anybody,” Lindell said in a video afterward. “OK, I won’t. But I am.”
Lindell and others have been traveling the country over the past year, holding events where attendees are told that voting machines have been corrupted, that officials are “selected” rather than elected and that widespread fraud cost Trump the 2020 election.
In an interview with the Star Tribune of Minneapolis, Lindell said FBI agents questioned him about the Colorado breach and Dominion Voting Systems. The company provides voting equipment used in about 30 states and has had its machines targeted in the Colorado, Georgia and Michigan breaches.
When agents asked him why he flies between different states, Linden told them, “I’m going to attorney generals and politicians, and I’m trying to get them to get rid of these voting machines in our country.”
The Justice Department did not respond when asked for details about its investigation.
Dominion has sued Lindell and others, accusing them of defamation. In a statement this week, the company said it would not comment about ongoing investigations but said its systems are secure. It noted that no credible evidence has been provided to show that its machines “did anything other than count votes accurately and reliably in all states.”
The scope of the federal grand jury probe in Colorado isn’t known, but local authorities have charged Mesa County clerk Tina Peters in what they described as a “deceptive scheme which was designed to influence public servants, breach security protocols, exceed permissible access to voting equipment and set in motion the eventual distribution of confidential information to unauthorized people.”
Peters has pleaded not guilty and said she had the authority to investigate concerns that the voting equipment had been manipulated. She has appeared at numerous events with Lindell over the past year, including Lindell’s “cybersymposium” last August in which a digital copy of Mesa County’s election management system was distributed.
David Becker, a former U.S. Justice Department attorney who now leads the Center for Election Innovation & Research, notes the irony of those who raise alarms about voting equipment being involved in allegations of breaches of the same systems.
“The people who have been attacking the integrity of elections are destroying the actual integrity of elections,” he said.
Associated Press writer Michael Balsamo contributed to this report.
MyPillow chief executive Mike Lindell, speaks to reporters outside federal court June 24, 2021, in Washington. Lindell, who has organized or attended forums around the U.S. peddling conspiracy theories about voting machines, said earlier this week that he had received a subpoena from a federal grand jury investigating the breach in Colorado and was ordered to hand over his cell phone to FBI agents who approached him at a fast-food restaurant in Minnesota. (AP Photo/Manuel Balce Ceneta, File)