Curling v. Raffensperger

Whether the use of direct recording electronic (DRE) voting systems that do not produce human-readable paper ballots and that have known cybersecurity vulnerabilities violates the constitution
  • EPIC Amicus: Georgia's Electronic Voting Machines Unreliable, Fail to Safeguard Secret Ballot: In an amicus brief, joined by 31 legal scholars and technical experts, EPIC has asked a federal court to stop Georgia’s use of Direct Recording Electronic voting machines. Experts in election security have shown that DREs are insecure, vulnerable to attack, fail to provide a paper trail that enables auditing, and subject vote tallies to manipulation by remote adversaries. DREs systems also undermine the secret ballot as particular voters could be linked to particular votes. EPIC told the court, “the continued use of these systems poses a direct threat to personal privacy, election integrity, and democratic institutions.” In 2016, EPIC published "The Secret Ballot at Risk: Recommendations for Protecting Democracy," highlighting the importance of the secret ballot for American democracy.. The case is Curling v. Raffensperger. (Jun. 28, 2019)
  • More top news »
  • House Passes Election Security and Paper Ballot Bill » (Jun. 28, 2019)
    The House of Representatives has passed the SAFE Act, an election security bill establishing cybersecurity safeguards for election equipment, prohibiting wireless modems in voting machines, and requiring paper ballots. The bill would also provide for grants to states that perform risk-limiting audits. EPIC, along with the U.S. Technology Policy Committee of the Association for Computing Machinery, recently filed comments to the Election Assistance Commission. The groups urged the Commission to ban internet-connected voting machinery, citing the risks to voting integrity and democratic institutions. "The EAC should ban the use of internet-connected voting machines and protect ballot secrecy," EPIC and USTPC said. EPIC has a long history of working to protect voter privacy and election integrity.
  • D.C. Circuit to Hear Arguments in EPIC v. IRS, FOIA Case for Trump's Tax Returns » (Sep. 11, 2018)
    The D.C. Circuit will hear arguments on Thursday, September 13 in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. Live audio of the arguments will be streamed from this link at or around 9:30 a.m. EPIC has argued that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC has pursued concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyberattack) and EPIC v. DHS (election cybersecurity).
  • After EPIC Obtains FBI Victim Notification Procedures, Court Rules for Bureau » (May. 23, 2018)
    After EPIC obtained the FBI cyberattack victim notification procedures in Freedom of Information Act lawsuit EPIC v. FBI, a D.C. federal court has ruled that the agency may withhold remaining records explaining FBI's response to the Russian interference in the 2016 election. EPIC had argued that the FBI had failed to demonstrate that releasing records of the agency's response to cyberattacks would interfere with its investigation of the Russian interference. The "Victim Notification Procedures" obtained by EPIC led to Associated Press investigation which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. EPIC is currently pursuing related FOIA cases about Russian interference in the 2016 election, including EPIC v. IRS (Release of Trump Tax Returns) and EPIC v. DHS (election cybersecurity).
  • Senators Question Intelligence Officials on Russian Election Interference » (Feb. 13, 2018)
    The Senate Intelligence Committee held a hearing today with top officials from all U.S. intelligence agencies: Office of the Director of National Intelligence, CIA, NSA, Defense Intelligence Agency, FBI, and the National Geospatial-Intelligence Agency. The officials unanimously agreed that Russia interfered in the 2016 election and will interfere in the 2018 election, noting that they have already observed attempts to influence upcoming elections. Director of National Intelligence Dan Coats said: "There should be no doubt that Russia perceived that its past efforts as successful and views the 2018 U.S. midterm elections as a potential target for Russian influence operations." EPIC launched the Project on Democracy and Cybersecurity, after the 2016 presidential election, to safeguard democratic institutions. EPIC is currently pursuing several FOIA cases concerning Russian interference, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). EPIC also provided comments to the Federal Election Commission to improve transparency of election advertising on social media.
  • EPIC Urges House Judiciary to Examine FBI Response to Russian Cyber Attacks » (Dec. 12, 2017)
    EPIC has sent a statement to the House Judiciary Committee ahead of Wednesday's DOJ Oversight hearing. EPIC urged the Committee to question Deputy Attorney General Rosenstein about the FBI's ability to respond to future cyberattacks concerning the 2018 elections. A recent Associated Press investigation found that the FBI, the lead agency for cyber response, did not notify U.S. officials that their email accounts were compromised during the 2016 election. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI, filed earlier this year. EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity).
  • NEWS UPDATE - EPIC Sues FBI for Details of Russian Interference with 2016 Election » (Jan. 18, 2017)
    EPIC today filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation in federal district court in Washington, DC. The case is designated EPIC v. FBI, No. 17-127 (D.D.C. filed Jan. 18, 2017). The complaint states “EPIC challenges the FBI’s failure to make a timely decision concerning EPIC’s request for expedited processing of the FOIA request for records about the Russian interference with the 2016 Presidential Election.” A press conference will be held at the Fund for Constitutional Government on Capitol Hill on Thursday, January 19, 2017 at 1 pm. Media Advisory
  • Senate Armed Services Committee to Examine Foreign Cyber Threats » (Jan. 4, 2017)
    The Senate Armed Services Committee will hold a hearing on "Foreign Cyber Threats to the United States" on January 5, 2016. EPIC submitted a statement to the Committee to alert Senators about a pending Freedom of Information Act request. The EPIC FOIA request concerns the lax response of the FBI to the Russian interference with the 2016 Presidential election. EPIC wrote “we believe that the information that we are seeking from the FBI will also be helpful to the Senate Armed Services Committee as you investigate foreign cyber threats to the United States.”“Director of National Intelligence James Clapper, National Security Agency and Cyber Command Chief Adm. Mike Rogers and Undersecretary of Defense for Intelligence Marcel Lettre are scheduled to testify.

Summary

Individual Georgia voters, along with a voting rights organization, brought separate § 1983 actions, later consolidated, against Georgia state officials alleging that the state’s reliance on direct recording electronic (DRE) voting systems burdened their Fourteenth Amendment rights to due process and equal protection. DRE voting machines do not produce a paper trail or any other way to independently verify each individual's vote. DRE machines also have known cybersecurity vulnerabilities.

Plaintiffs seek, among other things, a declaration that the use of DREs is unconstitutional, and an injunction preventing Georgia from requiring voters to use DREs and requiring Georgia to use a system that produces a paper audit trail. Defendants moved to dismiss the case, arguing that Plaintiffs did not have standing and that Defendants were protected by Eleventh Amendment immunity. The District Court denied this motion. Defendants appealed this decision to the Eleventh Circuit.

The Eleventh Circuit upheld the lower court’s ruling. In May 2019, the district court addressed the defendants’ other claims, and found that res judicata or collateral estoppel from Curling I did not apply and the defendants named were the correct defendants. The Court also rejected the plaintiffs’ claim for a writ of mandamus, but denied the defendant’s motion to dismiss plaintiff’s due process and equal protection claims. The Court ordered discovery to begin immediately.

Background

Factual Background

Georgia uses Diebold AccuVote DRE voting machines in all of their elections. DRE voting machines are touchscreen computers that record votes on a removable memory card. DREs generally do not produce a paper ballot that can be used to verify an individual's vote or audit the computer record. Instead, DREs internally tally the vote totals, and then print the totals to paper.

Cybersecurity experts have long warned about the privacy and security concerns with DRE systems. In 1993, computer scientist Peter G. Neumann set out criteria that electronic voting systems should meet and pointed out that "the absence of a physical record of each vote is a serious vulnerability in direct-recording election (DRE) systems." Cryptographer Ron Rivest has emphasized the importance of verifiable voting, which includes the verifiability that a vote has been "cast as intended," "collected as cast," and "counted as collected." In their book, Broken Ballots: Will Your Vote Count?, computer scientists Barbara Simons and Douglas W. Jones devote an entire chapter to the problems with Diebold DREs, calling the company "the poster child of much that is wrong with DREs."

Cybersecurity experts have shown that DRE machines are vulnerable to manipulation. For example, Dr. Alex Halderman, a Professor of Computer Science and Engineering and Director of the Center for Computer Security and Society at the University of Michigan in Ann Arbor, has demonstrated that a DRE's vote totals can be manipulated by introducing malware via the memory card slot. The attack will go undetected because the malware will modify all relevant data, including audit logs.

There are also privacy concerns with the way DREs record individual ballots. AccuVote DREs record individual ballot data in the order in which they are cast, and they assign a unique serial number and timestamp to each ballot. This makes it possible to match votes to the voters who cast them.

Several authorities have raised the alarm about paperless electronic voting and the use of DRE machines. In March 2018, Department of Homeland Security Secretary Kirstjen Nielsen told the Senate Intelligence Committee that the lack of audit capability is a "national security concern." In August 2018, the National Academies of Science, Engineering, and Medicine released a report urging that electronic voting machines produce "human-readable paper ballots" and that machines that do not provide a voter verifiable paper audit trail "be removed from service as soon as possible."

Georgia law requires that “in jurisdictions in which direct recording electronic (DRE) voting systems are used at the polling places on election day, such direct recording electronic (DRE) voting systems shall be used for casting absentee ballots in person at a registrar's or absentee ballot clerk's office or in accordance with Code Section 21-2-382, providing for additional sites.” O.C.G.A. § 21-2-383(b). In 2002, the Georgia State Election Board passed a rule mandating the use of DRE machines in all elections. Ga. Comp. R. & Regs. r. 183-1-12-.01.

Procedural Background

Two sets of plaintiffs filed § 1983 actions in the U.S. District Court for the Northern District of Georgia in August 2017, claiming that Georgia's use of DREs violated their Fourteenth Amendment rights to due process and equal protection. Both sought declaratory and injunctive relief. The cases were subsequently consolidated. Defendants filed multiple motions to dismiss, arguing that they were immune to this suit under the Eleventh Amendment, and that Plaintiffs did not have standing to pursue this action. Plaintiffs filed for a preliminary injunction in August 2018 for immediate relief for the 2018 election.

On September 17, 2018, the District Court denied Plaintiffs' preliminary injunction as well as Defendants' motions to dismiss. The court found that Defendants were not immune to suit and that Plaintiffs had standing to pursue their claims. The court denied the preliminary injunction because "there were substantial fiscal, organizational, and practical impediments and burdens to complying with such an injunction in time for the upcoming November 2018 election." Defendants appealed the court's decisions on immunity and standing to the Eleventh Circuit.

The Eleventh Circuit upheld the lower court’s ruling. In May 2019, the district court addressed the defendants’ other claims, and found that res judicata or collateral estoppel from Curling I did not apply and the defendants named were the correct defendants. The Court also rejected the plaintiffs’ claim for a writ of mandamus, but denied the defendant’s motion to dismiss plaintiff’s due process and equal protection claims. The Court ordered discovery to begin immediately.

Several other active cases also challenge Georgia's voting practices, procedures, and use of DREs. These include Common Cause Georgia v. Kemp (alleging Secretary of State Brian Kemp knowingly maintained an unsecure voter registration database), Martin v. Kemp (challenging the disenfranchisement of thousands of eligible mail ballot voters because information requested from voters was immaterial to deciding their eligibility to vote), and Coalition for Good Governance v. Crittenden (challenging the results of the lieutenant governor's race due to inexplicable undervotes caused by Georgia's DRE machines).

EPIC's Interest

EPIC has a long history of working on voter privacy and election integrity issues. These issues are directly implicated in Georgia's use of DRE systems that do not produce a verifiable paper trail.

EPIC has submitted amicus briefs in several voter privacy and election integrity cases, including the Fifth Circuit case Veasey v. Abbott and the Supreme Court case Crawford v. Marion County.

In July 2017, EPIC successfully sued Trump's Presidential Election Commission to block the Commission's unlawful collection and retainment of millions of state voter records. After EPIC brought suit, the Commission temporarily suspended its data collection, discontinued the use of an unsafe computer server, deleted voter information that was illegally obtained, and ultimately disbanded. EPIC later obtained documents through a FOIA request showing that DHS was concerned that the voter data grab would "disrupt critical efforts DHS is leading to work with state and local officials" on election cybersecurity. Documents obtained from another FOIA request showed that officials from four different federal agencies discussed joint plans to "clean" state voter rolls in 2017.

In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC has pursued, and continues to pursue, several FOIA cases concerning Russian interference with the 2016 election, including EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity).

In 2016, EPIC, Verified Voting, and Common Cause released a report, "The Secret Ballot At Risk: Recommendations for Protecting Democracy," that explained that the secret ballot — the inability to link particular voters to particular votes — is a cornerstone of modern democracies. The secret ballot also reduces the threat of coercion, vote buying and selling, and tampering.

In April 2015, as the result of a Freedom of Information Act lawsuit, EPIC obtained a September 2011 report about online voting from the Department of Defense. The report, produced in response to EPIC's July 2014 FOIA request, summarized a pilot test of an e-voting system. The report recommended several changes, including accessibility and user interface, but did little to address privacy and security concerns except for recommending "visible security features" to "give users greater confidence in the privacy and security of their ballots."

In 2010, EPIC released an update to its "E-Deceptive Campaign Practices: Technology and Democracy 2.0" report, first published in 2008. The report reviewed the potential for abuse of Internet-based technology in the election context, and made recommendations on steps that should be taken by Election Administrators, voters, and those involved in Election Protection efforts. E-Deceptive campaigns are internet-based attempts to misdirect targeted voters regarding the voting process, and include false statements about poll place hours, election dates, voter identification rules, or voter eligibility requirements.

In 2009, EPIC recommended greater transparency on the standards development process to the Election Assistance Commission ("EAC"). The agency sought public comments on a draft of the agency's Voluntary Voting System Guidelines. In its comments, EPIC requested that the EAC follow President Obama's directive to all federal government agencies that they take affirmative steps to make their activities regarding standards development more transparent to the public, make ballot secrecy a critical component of federal voting technology standards, and maintain software independence in the next iteration of voting technology standards.

In 2008, EPIC submitted comments to the Election Assistance Commission on the proposed Voluntary Voting System Guidelines. EPIC proposed new guidance on privacy protection in the casting of ballots. EPIC also recommended more transparency for the privacy protections provided by federally certified voting systems.

Additionally, EPIC testified before the Election Assistance Commission on the 2007 Voting System Guidelines. EPIC urged the Commission to "offer clear and effective guidance to states on issues of functional capability, hardware, software, telecommunication, security, quality assurance, and configuration of voting systems."

Legal Documents

U.S. Court of Appeals for the Eleventh Circuit (No. 18-13951)

U.S. District Court for the Northern District of Georgia (No. 5:17-CV-01361)

Resources

News

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.

EPIC Mueller Report book