The 2016 VR Systems Voter Data Breach

And the poll book failure in Durham County, NC

Saill White
Dec 16, 2018

Who do you trust with your vote? What do you know about the companies who provide the systems that enable you to vote?

Let’s have a look at one election systems company.

VR Systems is based in Tallahassee, FL. According to their website, they are a homespun mom and pop company that became employee-owned in 2010. They “strive to … enable election officials to secure the public’s trust in democracy.”

Does this company deserve that trust?

Let’s go back to October 2016. A month before the momentous 2016 general election. An ABC News headline read: “Hackers Used Outside Vendor to Access State Voter Info”. The vendor was not named but the article noted that the company was “hired to handle voter information”.

The article goes on to say that hackers “gained access to the database but they didn’t manipulate any of the voter information”.

How do we know this? Was the database being dynamically updated? If so, how do we know that any changes made were legitimate? How long did the hackers have access? So many unanswered questions.

It wasn’t until June of 2017 that the whole story was revealed via a document leaked to the press by NSA employee Reality Leigh Winner. Although the name of the compromised company was redacted from the document, the name of its election system was not. “EViD software allows poll workers to quickly check a voter’s registration status, name and address”.

Who provides this electronic poll book solution? VR Systems.

As reported by Engadget in June 2017:

“Russia’s military intelligence agency infiltrated a US voting-software company and conducted a phishing campaign targeting more than 100 local elections officials. … ‘The actors were probably trying to obtain information associated with election-related hardware and software applications,’ the NSA report reads.”

In other words, VR Systems was hacked.

Could this have affected the 2016 election?

Let’s have a look at what happened on election day 2016 in Durham County, North Carolina.

Durham County is large and diverse. It’s the most Democratic-leaning county in an important swing state.

What happened there on election day was utter chaos.

Six large, heavily Democratic precincts experienced major problems with their electronic poll books. Voters showed up to vote and found that they were marked as already having voted. A few hours after the polls opened, the county decided to switch to paper poll books. Voting was halted for nearly two hours at one of the precincts. According to news reports, a number of voters left without voting.

Which company provided those electronic poll books? VR Systems.

To summarize:
1. Voter registration data managed by VR Systems was compromised before the election.
2. Voter information in the VR Systems electronic poll books in at least one North Carolina county was glaringly incorrect.
3. It is unknown whether there were similar but more subtle problems in other poll books provided by VR Systems, in other counties and states.

What did VR Systems do about this? Did the company warn election officials that voter information or election system software may have been compromised? Let’s find out.

According to VR Systems, EViD is “a network of electronic devices at voting sites communicating with each other and with the county’s voter registration system”.

How does this system work? How does it communicate with the voter registration data that VR Systems also manages? What could possibly have gone wrong?

According to this story from the News & Observer, on the day of the election Durham County Elections Chair Bill Brian said “It appeared that some of the data from prior elections had not been cleared out, and people were being improperly listed as having already voted”.

Some of the data had not been cleared out? How could that happen?

In order to make better sense of what went wrong, we hunted down the forensic report that was commissioned to analyze the Durham County EViD system failure.

The summary of the report claims:

“…the EViD application did not fail during the election. It appears that certain steps were not taken to verify all laptops were properly prepared for the November election”.

In other words, VR Systems blamed human error on the part of Durham County election officials for the failure of their electronic poll books.

This conclusion is very odd, considering the details that follow.

Also odd is the description of the “forensic examination” by the company hired to do the analysis. The company “collected all logs… and provided them to VR Systems”. Let this sink in.

The company charged with performing a forensic examination let the company being scrutinized examine their own logs and data.

Many more questions arise as we read further. For example, how could VR Systems report that 17 laptops had not been “cleaned”, when only 13 laptops had been examined?

Aside from the question of how many laptops were “cleaned”, a sample of 13 from a population of 225 gives a margin of error of over +/- 26% at a confidence level of 95%. In other words, 13 machines out of 225 is not a very good sample size.
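The margin-of-error figure above can be reproduced with the standard formula for a sample proportion plus a finite population correction. The Python below is an added example, not taken from the forensic report or the original article; it assumes the 13 laptops were a simple random sample and uses the worst-case proportion p = 0.5. It also inverts the formula to show how many of the 225 laptops an examiner would need to image to reach a tighter margin.

```python
import math

Z_95 = 1.96  # two-sided z-score for a 95% confidence level


def margin_of_error(sample, population, p=0.5, z=Z_95):
    """Margin of error for a proportion, with finite population correction.

    Assumes simple random sampling without replacement (an assumption;
    the article does not say how the examined laptops were chosen).
    """
    if not 0 < sample <= population:
        raise ValueError("sample must be between 1 and the population size")
    if population == 1:
        return 0.0
    standard_error = math.sqrt(p * (1 - p) / sample)
    # The correction shrinks the error as the sample approaches the population.
    fpc = math.sqrt((population - sample) / (population - 1))
    return z * standard_error * fpc


def required_sample(population, target_margin, p=0.5, z=Z_95):
    """Smallest sample size whose margin of error is <= target_margin."""
    if not 0 < target_margin < 1:
        raise ValueError("target_margin must be a fraction between 0 and 1")
    n0 = (z ** 2) * p * (1 - p) / target_margin ** 2  # infinite-population size
    n = n0 / (1 + (n0 - 1) / population)              # Cochran's correction
    return min(population, math.ceil(n))


if __name__ == "__main__":
    laptops, examined = 225, 13  # figures quoted in the article
    print(f"{examined} of {laptops}: +/- {margin_of_error(examined, laptops):.1%}")
    for target in (0.10, 0.05):
        n = required_sample(laptops, target)
        print(f"+/- {target:.0%} needs {n} laptops "
              f"(actual +/- {margin_of_error(n, laptops):.1%})")
```
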

This section of the report is a doozy. Let’s take an even closer look. This “improper cleaning” caused a previous version of the EViD application to be used? Seriously?

What do they mean by “cleaned”? Why would that be necessary? Why would an application update require the user to “clean” a computer? The director of the County Board of Elections herself was unaware of any processes or procedures for cleaning the laptops.

Moving on, the “investigative notes” section of the report contains more information about how the EViD system works.

For Durham County, 225 USB devices — aka “activators” — were loaded with “voting data” at a central workstation. These activators were “secured and later distributed to the precincts”, along with laptops. Each activator “allows the laptop to run the EViD application as well as utilize the updated voter data”.

Anyone with an InfoSec background might find some problems here. Why were the USB devices necessary? Why not just load the data and the app directly onto each laptop? How were these devices secured? Were the laptops scanned for malware? What was the exact chain of custody between the central workstation and the precincts where these devices were utilized?

Now let’s look at what happened at some individual precincts that day.

Starting with Precinct #39. The first three people who arrived to vote were told by the system that they had already voted. These three voters were adamant that they had not already voted. There were probably 70 people in line.

In Precinct 44 — same thing, voters showing up to vote were told they had already voted.

But why did this happen? According to the report:

“It is not known at this time why this issue occurred. Analysis shows this was not caused as a result of the software not being updated as one of the three systems had been updated with the newest EViD software”.

How does this conclusion reconcile with the claim that the EViD software did not fail?

Meanwhile, at Precinct 19 it was reported that an EViD tech spent about 10 to 15 minutes on the laptops, “performing maintenance”. How was this maintenance performed? Was there an internet connection involved? A memory stick? A CD? Why would anyone be allowed to make changes to a computer during an election?

And then there was this voter, who walked into the county board of elections office because the computer was saying he was not a U.S. citizen, when records showed that he had been voting in Durham County for quite some time.

According to the director of the Durham County Board of Elections, problems like this were coming in “right and left”.

There had been “issues with the activators” the Sunday before the election. Apparently they were “having a hard time loading”. The director of elections was already on high alert. After several hours of problems, she reverted to the emergency plan — paper poll books.

At that point, a representative from VR Systems was told to not touch anything. He was very upset by the decision to revert to the emergency plan.

How did these errors happen? The report concludes it wasn’t due to software failure or compromised voter records. What was it then?

Could these problems have been due to the fact that this company’s online data systems had been compromised?

How can the state of North Carolina continue to trust this company after such a major failure during a general election?

In fact, the state DID attempt to decertify VR Systems, but that effort was blocked by a judge.

According to its own website, VR Systems is providing election products and solutions to eight states.

Is one of them yours?
