Thursday, September 30, 2021

AZ Audit Exec Summary

 Submitted by: Terry Payne via P McMillan

AZ Audit Exec Summary - PDF Attached

 

Subject: AZ Audit Exec Summary - PDF Attached

 

9/24/2021

 

Executive Summary & Recommendations

Work Performed For: Arizona State Senate 1700 W Washington St Phoenix, AZ 85007

1 DOCUMENT OVERVIEW

This document includes the Executive Summary of the Maricopa County Forensic Audit, a listing of findings within the Findings Summary, as well as Recommendations based on our work in the audit.

For more details about the Methodology & Operations of the audit, please see “Maricopa County Forensic Audit – Volume II – Methodology and Operations”.

For more details about the Findings of the report, or to review the results from the hand-tallying of the 2.1 million ballots, please see “Maricopa County Forensic Audit – Volume III – Result Details”.

2 EXECUTIVE SUMMARY

The preamble to our Constitution reminds us that our nation is always pursuing greater perfection, seeking to establish “… a more perfect Union” so that we can “...secure the Blessings of Liberty to ourselves and our Posterity”. Nothing is more essential in establishing liberty than free and fair elections. To that end, Cyber Ninjas was engaged by the Arizona Senate to audit the 2020 General Election and determine the outcome of the election and in what areas legislative reform is required to ensure that our elections are indeed free and fair in the future.

This audit has been the most comprehensive and complex election audit ever conducted. It involved the hand counting of 2.1 million ballots, a forensic paper inspection of them, a forensic review of the voting machines, and most important, an in-depth analysis of the voter rolls and the 2020 General Election final files.

Many of the issues in the election can be traced back to two primary causative factors: mail-in voting and improper voter registration management. More than 80% of the ballots cast in Maricopa were via mail.

The guarantee of the secret ballot is not only a right that applies to the voter themself, but it is also a right guaranteed to the rest of those voting in the election that that person’s ballot is secret and therefore cannot have come under any undue influence. Mail-in voting eliminates secrecy in voting as it is impossible to control or know who a voter shares their ballot with and what is done with it prior to it being mailed-in or dropped off.

57,734 ballots with serious issues were identified in the audit. These issues include improper voter registration, improper votes, and discrepancies in the registration. This is a conservative estimate, as there were other identified problems that were not quantified nor included in that total, likely resulting in a much larger number of flawed ballots. Additional issues identified: backdated registrations, multiple voter registrations linked to the same voter affidavit, voters without records in a commercial database, and printing defects rendering thousands of ballots as suspicious.

In the 2020 presidential election, the margin of victory was only 10,457 votes, a small fraction of the 57,734 ballots with known issues. Again, this is almost 6 times the margin of victory in the Presidential race and is multiples of the margin of victory in other races. Based on these factual findings, the election should not be certified, and the reported results are not reliable.

Major issues identified:

• There were more than 10,000 double votes across county lines

• Tens of thousands of ballots cast from individuals who had moved prior to the election and could not have physically received their ballots, legally.

None of the systems related to elections integrity had numbers that would balance and agree with each other.

• The voter rolls and the registration management process itself have many data integrity issues. For instance, over 200 individuals were easily identifiable as likely being the same person but having two different Voter IDs and voting twice in the election.

o Without access to the County’s detailed records including personally identifiable information and registration systems it is more likely there were many tens of thousands of improper votes in the election from double voters, deceased voters, voters for which we can find no trace in the public records nor association to their voting address, moved voters, etc.

• Proper voter registration law and procedures were not followed.

o There were unexplained large purges of registered voters, right after the election, of people who had voted in the election.

o There was back dating of registrations, adjustments made to historical voting and voter records, unexplained linking of voter registration affidavits to multiple voters and more.

• Files were missing from the Election Management System (EMS) Server.

• Ballot images on the EMS were corrupt or missing.

• Logs appeared to be intentionally rolled over, and all the data in the database related to the 2020 General Election had been fully cleared.

• On the ballot side, batches were not always clearly delineated, duplicated ballots were missing the required serial numbers, originals were duplicated more than once, and the Auditors were never provided Chain-of-Custody documentation for the ballots for the time-period prior to the ballot’s movement into the Auditors’ care. This all increased the complexity and difficulty in properly auditing the results.

• There were substantial statistically significant anomalies identified in the ratio of hand-folded ballots, on-demand printed ballots, as well as a statistically significant increase in provisional ballot rejections for a mail-in ballot already being cast, suggestive of mail-in ballots being cast for voters without their knowledge.

The 2005 Report on Federal Election Reform, which was an effort led by democrats, stated the following regarding mail-in voting:

“While vote by mail appears to increase turnout for local elections there is no evidence that it significantly expands participation in federal elections. Moreover it raises concerns about privacy as citizens voting at home may come under pressure to vote for certain candidates and it increases the risk of fraud.”

Managing an election conducted almost entirely by mail is a difficult endeavor and raises numerous issues which would be much less likely to occur if most voting was in-person.

Had Maricopa County chosen to cooperate with the audit, many of the obstacles faced in the audit could have been overcome. By the County withholding subpoena items, their unwillingness to answer questions as is normal between auditor and auditee, and in some cases actively interfering with audit research, the County prevented a complete audit. This did not stop the primary goal of offering recommendations for legislative reform to the Arizona Senate, but it did leave many questions open as to the way and manner that the 2020 General Election was conducted.

3 FINDING SUMMARY

The following is a list of findings covered within the report. Details on all these findings as well as the results of the hand-tallying can be found in the document “Maricopa County Forensic Audit – Volume III – Results Details”.

Finding Name    Phase   Ballots Impacted        Severity       
Mail-in Ballots Voted from Prior Address        Voter History   23,344  Critical       
Potential Voters that Voted in Multiple Counties        Voter History   10,342  Critical       
More Ballots Returned by Voter Than Received    Certified Results       9,041   High   
Election Management System Database Purged      Voting Machine  N/A     High   
Election Files Deleted  Voting Machine  N/A     High   
Corrupt Ballot Images   Voting Machine  N/A     High   
Official Results Does Not Match Who Voted       Certified Results       3,432   Medium 
More Duplicates Than Original Ballots   Ballot  2,592   Medium 
In-Person Voters Who Had Moved out of Maricopa County   Certified Results       2,382   Medium 
Voters Moved Out-of-State During 29-Day Period Proceeding Election      Voter History   2,081   Medium 
Missing Ballot Images   Voting Machine  N/A     Medium 
Failure to Follow Basic Cyber Security Practices        Voting Machine  N/A     Medium 
Subpoenaed Equipment Not Provided       Voting Machine  N/A     Medium 
Anonymous Logins        Voting Machine  N/A     Medium 
Dual Boot System Discovered     Voting Machine  N/A     Medium 
EMS Operating System Logs Not Preserved         Voting Machine  N/A     Medium 
Votes Counted in Excess of Voters Who Voted     Certified results       836     Low    
Voters not part of the Official Precinct Register       Voter History   618     Low    
Ballots Returned Not in the Final Voted File    Certified Results       527     Low    
Duplicated Ballots Incorrect & Missing Serial Numbers   Ballot  500     Low    
Mail-In Ballot Received without Record of Being Sent    Certified Results       397     Low    
Voters With Incomplete Names    Voter History   393     Low    
Deceased Voters         Voter History   282     Low    
Audit UOCAVA Count Does Not Match the EAC Count         Ballots         226     Low    
Late Registered Voters with Counted Votes       Voter History   198     Low    
Date of Registration Changes to Earlier Date    Voter History   194     Low    
Duplicate Voter IDs     Voter History   186     Low    
Multiple Voters Linked by AFFSEQ        Voter History   101     Low    
Double Scanned & Counted Ballots        Ballot  50      Low    
UOCAVA Electronic Ballots Double Counted        Ballot  6       Low    
Duplicate Ballots Reuse Serial Numbers  Ballot  6       Low    
EMS Operating System Logs Not Preserved         Voter History   N/A     Low    
Election Data Found from Other States   Voter History   N/A     Low    
Audit Interference      Ballot  N/A     Informational  
Batch Discrepancies     Ballot  N/A     Informational  
Commingled Damaged and Original Ballots         Ballot  N/A     Informational  
Early Votes Not Accounted for In EV33   Certified Results       N/A     Informational  
High Bleed-Through Rates on Ballots     Ballot  N/A     Informational  
Improper Paper Utilized         Ballot  N/A     Informational  
Inaccurate Identification of UOCAVA Ballots     Ballot  N/A     Informational  
Missing Subpoena Items  Ballot  N/A     Informational  
No Record of Voters in Commercial Database      Voter History   N/A     Informational  
Out of Calibration Ballot Printers      Ballot  N/A     Informational  
Real-Time Provisional Ballots   Voter History   N/A     Informational  
Voter Registration System Audit Access  Voter History   N/A     Informational  
Questionable Ballots    Ballot  N/A     Informational  

4 RECOMMENDATIONS

The following sections outline the key recommendations that were determined over the course of this audit.

4.1 Elimination of Universal Mail-in Voting

Universal Mail-in Voting statutes should be repealed, and absentee ballots only allowed in the strictest of circumstances for military personnel stationed outside of Arizona as well as doctor verified individuals who are not physically able to make it to a polling location.

 

4.2 Result Reconciliation

Legislation should be considered that does not allow an election to be certified until the Official Canvas and the Final Voted File is fully reconciled. Furthermore, full records for every ballot sent, ballot received, ballot rejected, and ballot voided should have to be fully reconciled within a defined period after the election.

 

4.3 Voter Registration

Legislation should be enacted that centralizes voter registration at the state level tied into the State’s motor vehicle and identification system ensuring that voters are registered under their full legal name and that they have only a single residential address with the state and one mailing address if applicable.

 

4.4 Voter Rolls

Legislation should be enacted that links voter roll registration to changes in driver’s licenses or other state identification, as well as requiring the current voter rolls be validated against the United States Postal Service (USPS) National Change of Address (NCOA) at a predefined period prior to every election. Any voter roll software should validate that there is only one entry in the state database per identification number, such as a driver’s license number.

Laws already exist for interstate reporting of changes in residence, addresses, and driver’s licenses. Tying voter roll registration to these forms of identification would greatly increase the likelihood that voter registration details would be kept up to date. Individuals are much more likely to remember their license needs to be updated immediately than voter registration, and since most states now offer the ability to register to vote when getting a license, license updates could also update voter rolls.

It is recommended that the voter rolls be validated against the NCOA both 30 days or more prior to the election, in addition to a week before absentee ballots are sent out, along with requiring absentee voters to register prior to every election. This check would not be utilized to purge the rolls, but to validate that an absentee ballot should be sent prior to that ballot going out.

In addition, legislation should be considered to require the voter rolls to periodically be compared against ERIC, the Social Security’s Master Death List, or other commercially available tools that gives access to this information. Failure to do this at least once a year should come with financial penalties.

 

4.5 Election Software

Legislation should be considered that would require applications developed and utilized for voter rolls or voting to be developed to rigorous standards that ensure the confidentiality and integrity of the systems. Specifically, its recommended that the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) Level 3 be applied to all applications associated with voter rolls or voting and that it be required that this be fully validation no less than once every two years. Part of this testing should be explicitly testing a programming interface access to validate that no external party has the capability to manipulate the voter rolls.

Furthermore, it should be required that whoever builds the software be required to rotate vendors doing the OWASP ASVS Level 3 assessment a minimum of once every four years, with a rotation of no less than three vendors before returning back to a vendor utilized in the past.

The vendor who performs this work must be willing to attest that their assessment fully covered the ASVS Level 3 requirements that there are no critical or high vulnerabilities detected, and that there is a remediation plan for any moderate risk vulnerabilities.

4.6 Voting Machines

Legislation should be considered that would prohibit connecting tabulators, or the Election Management System Servers or similar equipment from being connected to the internet or any other mechanism that could allow remote access to these systems.

Furthermore, County employees should have access to all administrative functions of all election equipment and have sufficient access to independently validate any configuration items on the device without requiring the involvement of any 3rd party vendor.

In addition, electronic voting machines must always have a paper backup of all ballots which can be used to confirm that votes were cast as intended; and these machines must be regularly maintained according to the vendors recommended maintenance schedule. Failing to do so should have a financial impact on the County.

Legislation should be considered that would require that paper stocks utilized on election day should conform to manufacturer recommendations to ensure that the paper that has been tested in the device is what is actually utilized to cast votes.

4.7 Election Audits

Legislation should be considered that creates an election audit department in charge of regularly conducting audits on a rotating basis across all counties in Arizona after elections. This department should validate that the County follows all processes and procedures outlined in the Elections Procedure Manual (EPM) and have the ability to financially impact the County for repetitive EPM failures, or other failures that make auditing more difficult.

Legislation should be considered that requires batches of ballots to be clearly labeled, separated from each other in a manner where they cannot easily mix together, and easily connected to the batches run through the tabulation equipment for easy auditing of the system. Failure to follow these practices should have financial implications for the County.

Legislation should be considered with have financial and criminal penalties for purposely inhibiting a legislative investigation, or an officially sanction audit of an election.

4.8 Ballots

Legislation should be considered that will make ballot images and the Cast Vote Record artifacts from an election that is publicly published within a few days of the results being certified for increased transparency and accountability in the election process.

Legislation should further be considered that would require all ballots to be cast on paper by hand utilizing paper with security features such as watermarks or similar technology; with a detailed accounting of what paper(s) and the quantities utilized for any given election cycle.

Absentee voting should incorporate an objective standard of verification for early voter identification, similar to the ID requirements required for in person voting.

No comments:

Post a Comment