Experts: False claims on voting machines obscure real flaws
ATLANTA -- The aftermath of the 2020 election put an intense spotlight on voting machines as supporters of former President Donald Trump claimed victory was stolen from him. While the theories were unproven — and many outlandish and blatantly false — election security experts say there are real concerns that need to be addressed.
In Georgia, for example, election security expert J. Alex Halderman says he’s identified “multiple severe security flaws” in the state's touchscreen voting machines, according to a sworn declaration in a court case.
Halderman told The Associated Press in a phone interview that while he's seen no evidence the vulnerabilities were exploited to change the outcome of the 2020 election, “there remain serious risks that policymakers and the public need to be aware of” that should be addressed immediately to protect future elections.
Trump loyalists — pushing the slogan “Stop the Steal” — held rallies, posted on social media and filed lawsuits in key states, often with false claims about Dominion Voting Systems voting machines. Almost all of the legal challenges casting doubt on the outcome of the election have been dismissed or withdrawn and many claims of fraud debunked. State and federal election officials have said there's no evidence of widespread fraud. And Dominion has fought back forcefully, filing defamation lawsuits against high-profile Trump allies.
As an election security researcher, it's been frustrating to watch the proliferation of misinformation, said Matt Blaze, a professor of computer science and law at Georgetown University. For years, he said, concerns raised by election security experts were dismissed as unimportant.
“All of a sudden, people are going the other way, saying the existence of a flaw not only is something that should be fixed, it means the election was actually stolen,” he said. “That’s not true either.”
David Cross is an attorney for plaintiffs in a long-running lawsuit filed by proponents of hand-marked paper ballots. His clients' concerns about Georgia’s electronic voting machines long preceded the 2020 election, but he says they're now grappling with how to expose vulnerabilities and advocate for changes without fueling conspiracy theories.
It's also frustrating, he said, to watch the state “try to dismiss actual scientific, rigorous examination of the voting equipment by just saying we’re no different from the ‘Stop the Steal’ people when we’re relying on the most respected election integrity experts in the country.”
Halderman, a voting technology specialist and director of the University of Michigan’s Center for Computer Security and Society, serves as an expert witness in the lawsuit, which was filed by individual voters and the Coalition for Good Governance.
In declarations submitted as part of the case in federal court in Atlanta, Halderman wrote that he had identified vulnerabilities that attackers could exploit to “install malicious software, either with temporary physical access (such as that of voters in the polling place) or remotely from election management systems.” Once installed, he wrote, such malware “could alter voters’ votes while subverting all the procedural protections practiced by the State.”
He detailed his findings in a report filed under seal last month as part of the lawsuit, which challenges the election system Georgia bought in 2019.
State officials have consistently argued that the Dominion machines have been thoroughly vetted and that security measures are in place to prevent problems.
“In an ever-changing threat environment, there are always new evolving threats to any kind of election system,” Ari Schaffer, a spokesman for Secretary of State Brad Raffensperger, said in an email. “That is why we are vigilant to the challenges that arise to the integrity of our elections. We are constantly in touch with federal and state security partners to protect our elections and keep them secure and reliable.”
The state paid more than $100 million for the new Dominion system, replacing the outdated equipment it had been using since 2002. First used statewide during last year’s primary election, it includes touchscreen voting machines that produce paper ballots with barcodes tallied by scanners.
Halderman said his 25,000-word report was the result of 12 weeks of intensive testing of Dominion equipment from Fulton County. All voters in Georgia use those machines, and at least some voters in 11 other states also use the same voting machines, according to data compiled by Verified Voting.
Because it was filed under seal, The Associated Press hasn’t seen Halderman's report or any specifics of the alleged vulnerabilities. It was also designated “attorneys’ eyes only,” meaning even the actual parties to the lawsuit cannot see it.
For that reason, no one in the secretary of state’s office has seen the report, but Deputy Secretary of State Jordan Fuchs said, “We are familiar with these contentions. They are not new and Halderman’s report is only possible because the judge gave him unrestricted access to equipment that he could not otherwise get.”
Halderman, who has long argued that the touchscreen machines are vulnerable, said the access allowed him to identify for the first time specific vulnerabilities and the ways they could be exploited. He believes the information should force the state and Dominion to address the issues.
“That’s just standard security practice,” he said.
Halderman was tasked with evaluating the machines, not with looking for evidence that potential vulnerabilities had been exploited in a past election.
During a conference call with the parties last month, U.S. District Judge Amy Totenberg, who’s presiding over the case, said she wasn’t ready to unseal his report. But she did say she’s “concerned enough about the information contained in it,” according to a transcript.
“I have seen how this can blow up,” she added. Totenberg's past opinions in the case, which were critical of Georgia’s election system, have been cited by people pushing conspiracy theories.
Because of its confidential designation, the report hasn't been shared with Dominion. Halderman wrote that he’s been trying since January, through the plaintiffs’ lawyers, to arrange a meeting with Dominion but the company has not agreed to meet.
“Despite continued defamatory attacks against our company and its systems, Dominion has emerged from the 2020 election cycle with arguably the most-tested, most-scrutinized, and most-proven voting technology in recent history. Our company welcomes feedback that is provided in good faith by researchers,” Dominion said in a statement.
In response to Halderman’s report, the state filed a rebuttal declaration from one of its own expert witnesses, Juan Gilbert.
Gilbert, chair of the computer and information science and engineering department at the University of Florida, wrote that “any computer can be hacked with enough access and knowledge of a determined malicious actor.” He added that while he believes electronic ballot-marking devices can be improved upon, that “does not mean I believe they are so insufficiently secure as to be unconstitutional or otherwise impermissibly vulnerable.”
While Halderman says he has tested various methods of hacking that he says are generally undetectable, Gilbert wrote, “I am not aware that Dr. Halderman has provided equipment marred by ‘un-detectable’ hacks to any other independent researcher to test his theory that it is, in fact, un-detectable and not correctable.”
Halderman countered in a declaration filed with the court that the declaration from Gilbert doesn't dispute the existence of the vulnerabilities he detailed or the steps that could be taken to alter individual votes and election outcomes. Nothing in Gilbert's declaration indicates that state officials understand how serious the problems are or have taken any steps to address them, Halderman wrote.
He argued that state election officials “urgently need to engage with the findings in my report and address the vulnerabilities it describes before attackers exploit them.”