An important lesson became clear last week after a Colorado jury convicted former Mesa County Clerk Tina Peters of helping conspiracy theorists to breach her county’s voting system in 2021. Her verdict shows us the true threat to elections is not the voting machines.
This news analysis originally appeared in Votebeat’s free weekly newsletter. Sign up to get future editions, including the latest reporting from Votebeat bureaus and curated news from other publications, delivered to your inbox every Saturday.
At the same time the trial was wrapping up, some tech whizzes were gathered in Las Vegas at DEF CON, the annual event where white-hat hackers try to break into all kinds of computer systems, from banking to aerospace, in search of security vulnerabilities.
Voting machines are among the technologies tested, and — every election cycle — some reporters cover the “Voting Village” at DEF CON breathlessly. For example, here is how Politico described the event last week:
“Some of the best hackers in the world gathered in Las Vegas over the weekend to try to break into voting machines that will be used in this year’s election — all with an eye to helping officials identify and fix vulnerabilities.
The problem? Their findings will likely come too late to make any fixes before Nov. 5.”
One technologist quoted in the piece said that the vulnerabilities the researchers found spanned “multiple pages,” though he declined to comment on what they were. He would only say that the findings were “consistent with previous years,” Politico reported.
Jennifer Morrell, a partner at the Elections Group, has long criticized DEF CON. The Voting Village, she said, “continues to erode public trust by highlighting vulnerabilities in outdated voting systems that are no longer in use, serving to advance the organizer’s own interests.”
By contrast, she said, other attempts at investigating machine security — like the recent Election Security Research Forum — “foster collaboration to genuinely strengthen the security of our election systems.”
This isn’t the first time DEF CON has sparked misleading coverage of voting security. In 2018, for example, DEF CON circulated a story that an 11-year-old had hacked a state elections website. That report was super misleading and basically not true, but it still dominated the news cycle for multiple days.
And since 2020, election conspiracy theorists often cite the misinformation about easily hacked voting machines to support Donald Trump’s false narrative of a stolen election.
While DEF CON can be an interesting academic exercise, letting hackers take their shot at election equipment in a hotel ballroom is not an accurate simulation of how elections are run, or where the vulnerabilities lie.
The real, pressing security issues are not the things DEF CON uncovers, but rather the more boring things: chain-of-custody procedures, appropriate training, and adequate oversight.
Which brings us back to Tina Peters, an actual threat to elections systems.
“This case was a simple case centered around the use of deceit to commit a fraud,” Robert Shapiro, a special deputy district attorney for Colorado’s 21st Judicial District, told the jury during closing arguments in Peters’ trial Monday. “It’s not about computers. It’s not about election records. It’s about using deceit to trick and manipulate others, specifically public servants who were simply trying to do their job.”
Here’s how the Colorado Sun summarizes the extent of Peters’ deceit and subversion, as recounted in court:
“Prosecutors reminded the jurors that Peters had surveillance cameras turned off in the secure tabulation room before she brought in a former pro surfer named Conan Hayes to copy information from the hard drives on that system. She used an encrypted messaging system with her small band of co-conspirators. She had some of those conspirators start using burner phones so their conversations could not be monitored by law enforcement. She bragged about having a ‘hidey hole’ in her house where she placed a phone that was initially overlooked by law officers who searched her house.”
It’s not sexy, but both the things Peters did, and the things investigators did to prove she’d done them, were basically straightforward: The person in charge (Peters) allowed someone without authorization to copy technical information from her office, and then this information was posted online. An investigation followed, and Peters wasn’t particularly good at hiding her tracks. Now, she could be going to jail, potentially for many years.
None of the things Peters did to endanger the voting system were particularly high-tech. Their exploits give the vibe that Peters and her pro-Trump allies watched a few Tom Cruise movies and went from there. And yet, the tantalizing voting machine “hacking” scenario captivates us in every election cycle. It’s fun to think about, it’s fun to write about, sure, but it’s not really that helpful to understanding the actual problems facing us as millions of Americans prepare to cast their ballots in November: A problem of trust.
None of this should minimize the potential damage someone like Peters can cause. Exposing sensitive voting data is extremely harmful. Part of what she allowed to be posted online included passwords for voting equipment. In Peters’ case, it led the state of Colorado to decertify Mesa County’s entire set of machines, putting taxpayers on the hook to replace them.
There’s been quite a lot of coverage of election conspiracy theorists taking up positions in election offices. So, there’s a chance we’ll see more of this wrongdoing this year. We’d encourage readers to keep their eyes on the ball: If our systems are compromised this year, the culprit is likely to be a misguided county employee rather than a faceless hacker.
Back Then
I don’t mean to suggest that DEF CON can’t be helpful. It is a fascinating test of transparency and abilities, and can lead to good outcomes. In 2017, for example, Virginia finally decertified its direct-recording electronic voting machines in part because of DEF CON.
According to the Washington Post, “The three-member board voted unanimously to decertify Direct Recording Electronic voting machines, acting partly out of concern that their security had been compromised at DefCon …. The machines do not produce a paper trail, which the department described as an important security feature.”
The decision meant that 12 jurisdictions in Virginia that weren’t already planning to ditch their DREs — encompassing 140 precincts with some 190,000 voters — had to replace them quickly before the state’s general election that November.
Jessica Huseman is Votebeat’s editorial director and is based in Dallas. Contact Jessica at jhuseman@votebeat.org.
This article was originally published by Votebeat, a nonprofit news organization covering local election administration and voting access.