Preview
Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 86 of 170 PagelD 480
311.
312.
313.
314.
315.
316.
cyberspace in at least 18 States. Voter data was successfully exfiltrated in two states and
in a subset of those 18, attackers could have altered or deleted voter registration data.
Mr. Halderman states Russia has sophisticated offensive cyber capabilities as well as
intent to use them to hack elections in other locations. He goes on to cite published
reports of Russian involvement in hacking the Ukrainian election in 2014. He states that
countries other than Russia have similar offensive cyber capabilities.
The U.S. Senate Select Committee on Intelligence reported findings and
recommendations based upon its investigation into cybersecurity threats to U.S. election
infrastructure. Mr. Halderman cites this report as evidence of vulnerabilities in the
existing election system used in the United States. Further he quotes DNI Coats and DHS
Secretary Nielsen of Russia’s continuing goal to interfere in the elections within the U.S.
to achieve a variety of outcomes favorable to Russia. He specifically calls out the
Paperless Direct Recording Electronic (DRE) voting machines as being particularly
vulnerable to exploit.
he DRE machines do not create a paper record of each vote. Paperless DRE machines
are notoriously vulnerable to cyber attacks that can cause a multitude of issues. Votes can
changed or erased. Extra votes can be cast, and machines can be made to not work at
all. He goes on to state that paperless DRE machines do not provide even adequate
security against cyber attacks.
He points out Dominion voting systems as being exclusively used in the State of Georgia
and that over the past 15 years he, and others, have repeatedly warned of the
vulnerabilities in this system. These vulnerabilities include both hardware and software
flaws. There are also network architectural weaknesses that cannot be repaired through
software updates.
hese types of voting systems use software that can be reprogrammed. Any attacker
gaining privileged access to that software can modify it to do anything. He has proven
through multiple demonstrations how easy it is to install malware on these systems.
Mr. Halderman cites the first major study of voting systems conducted in 2003 where it
was discovered the source code contained multiple errors and vulnerabilities. The States
of Maryland and Ohio commissioned independent studies and the resulting assessments
confirmed the vulnerabilities in the Dominion voting systems.
79Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 87 of 170 PagelD 481
3i7.
318.
319.
320.
321.
322.
In 2006, another independent security researcher also identified vulnerabilities, primarily
in the software update mechanism that would allow upload of malware. That same year,
Mr. Halderman and others reverse engineered a Dominion voting system and identified
multiple additional vulnerabilities.
As part of this study, they developed malware that would modify all the vote records,
audit logs, and protective counters, preventing any forensic examination from discovering
the crime. The malware was also designed to spread automatically to other voting
machines. This was propagated by the removable memory cards used to program the
ballot design.
In 2007, Mr. Halderman participated in two independent studies for the States of
California and Ohio. In both studies, additional vulnerabilities were discovered that
would allow malware to be installed and propagated to cause even more harm than the
virus created during the 2006 test. Mr. Halderman states that some of the vulnerabilities
could be resolved by improving the underlying software. Other vulnerabilities are more
serious and require hardware and software changes. As a result, California, despite
having a paper ballot trail, decided to decertify the Dominion voting system in use at that
time.
Mr. Halderman points out there are a variety of techniques available to sophisticated
attackers to compromise non-internet connected systems. One of those techniques is the
removable media cards being exploited via the Election Management System (EMS)
prior to insertion in the voting machine. He also states the EMS has recently had remote
access software installed which creates another means of exploitation. The physical
security measures in place to secure the removable memory cards are also weak and can
be easily compromised.
Mr. Halderman goes on to describe how a potential attack might take place. The attacker
would gain access to the election management computers via weak cyber security. The
attacker would then target the pre-election ballot programming with malware that would
spread from machine to machine. This malware would automatically shift “a few percent
of the vote” to a particular candidate.
Mr. Halderman then describes the inadequacy of certain physical security measures, such
as tamper evident seals. These would be less than adequate when the memory card is
80Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 88 of 170 PagelD 482
323.
324,
325,
327.
328.
206
hitps:/f
inserted with the malware already loaded. Furthermore, logic and accuracy tests only
validate the ballot design or counting logic. Such tests would fail to detect malware as it
could be programmed to detect and circumvent logic and accuracy tests or only perform
on election day.
Mr. Halderman states the existing measures to defeat election and voting fraud do not
provide a way to determine if fraud occurred during the election or afterward. Malware
could be programmed to make it appear statistically probable despite the countermeasure
testing taking place. In fact, the malware would delete itself and all log files, thereby
preventing any kind of forensic evidence.
Mr. Halderman states the only way to reliably safeguard a voting system from future
cyber attacks is to generate and examine physical evidence of voter intent, in the form of
a voter-verifiable paper trail. Optical scan paper ballots are the most widely used and
secure technology available for casting votes, according to Mr. Halderman. The
manipulation of both paper and electronic ballots could still be compromised but would
require more extensive resources.
Mr. Halderman points out that with the monies associated with the Help America Vote
Act (HAVA) 2002 in conjunction with the U.S. Senate Select Committee on Intelligence
recommendation that States replace outdated voting systems with newer systems that
have a verified paper trail. He also states the use of all DRE type machines should be
discontinued.
DECLARATION OF SHAWN SMITH
Shawn Smith, retired Military officer with a Master’s degrees in National Security
Affairs and in Aeronautical Science, filed a declaration on 6/8/22 into Kari Lake, et al. v.
Karie Hobbs, Arizona Secretary of State (case 2:22-cv-00677-JJt)2".
In this declaration, he states that his military occupational specialty was space and missile
operations, and he has extensive experience in operating, planning, training, testing, and
commanding the employment of complex, computer-based military weapons systems.
He states that ‘I have been asked to testify about the threat of the compromising of our
supply chain and attack(s) to U.S. national security systems and critical infrastructure, in
es.ttttexas.com, case’ TX_SOS_Election Violation References See Declaration of Shawn Smith
81Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 89 of 170 PagelD 483
329.
330.
331,
332)
333.
particular to election related systems, including voting systems and consequently, to
elections.” As noted in other expert affidavits and declarations, Smith describes the
vulnerability of the U.S.’s critical systems, resulting from compromised supply chains, to
include elections. He states that it is his, “conclusion that U.S. elections are critically
vulnerable to exploitation by foreign adversaries through compromising of our
computerized election systems through supply chains.”
He goes on to say, that despite this fact, the U.S. Government appears to be keenly aware
of the risk of supply chain compromise to the nation’s critical systems. This same
awareness does not appear to extend to any agency responsible for the “procurement,
security, certification or use of election and voting systems, nor to imbue them with any
capacity to respond effectively.”
The targeting of U.S. voting and election systems must be an extraordinarily high priority
for foreign powers and bad actors.
Smith demonstrates that supply chain compromise is pervasive, sophisticated, widespread
and can take place at any stage of the supply chain including: Manipulation of
development tools, development environment, source code repositories (public or
private), source code in open-source dependencies, software update/distribution
mechanisms, compromised and/or infected system images (multiple cases of removable
media infected at the factory), replacement of legitimate software with modified versions,
sales of modified/counterfeit products, and shipment interdiction.
Smith explains that the public lacks awareness of the severity and pervasiveness of
threats to supply chain compromise from malicious cyber activity commonly being
portrayed by media as an opportunistic hacker, rather than nation state operated or
sponsored advanced persistent threat (APT) groups.
Smith identifies a multitude of such APT groups that have in the past and are currently
utilizing supply chain attacks, as well as evidence of many investigations and reports.
Prosecutions have occurred by several U.S. entities including the DOJ, Department of
Commerce, National Counterintelligence and Security Center, Office of the Director of
National Intelligence, National Institute of Standards and Technology, CISA, and the
FBI. Smith demonstrates that the institutions, measures, laws, and guidelines intended to
secure U.S. elections are grossly inadequate:
82Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 90o0f170 PagelD 484
a. Supply chain threats for critical computer-based infrastructure, such as election
ecosystems, are so severe and extensive that the “computer networks of the
Cybersecurity and Infrastructure Security Agency (CISA), the very U.S.
government institution responsible for critical infrastructure security, were
compromised by software supply chain attacks in 2020, the SolarWinds,
SUNBURST and SUPERNOVA attacks, for ten months or more without
detection and, even then, that compromise only became known to CISA due to the
intervention of a private company.”
b. “In the light of CISA’s inability to defend even its own computer systems from
nation-state level supply chain attacks from March through December 2020, little
credence can be given to CISA’s July declaration that the 2020 election would be
‘the most secure election in modern history, and its declaration in November 2020
that the 2020 election was the “most secure in American history.’”
c. “CISA has acknowledged, as early as October 2020, that APRs have targeted not
only the Federal government, but state, local, tribal, and territorial (SLTT)
governments, critical infrastructure, and elections organizations, including
successful APT establishment of unauthorized access to election support
systems.”
d. Despite repeated warnings and recommendations from NIST, the technical body
and agency identified in TITLE 52, USC to advise the EAC, to take measures to
secure against supply chain attacks since 2012, the EAC has effectively provided
no standards, procedure or safeguards to implement those recommended
protections for election systems and elections.
e. To date, nearly all the systems certified and in use in the United States have no
supply chain security, nor any testing or verification of the security as a result of
the EAC’s failures to implement protections. Although the latest version of the
VVSG acknowledges supply chain risk manages as a necessity, no real safeguards
were added. Smith states, “these standards are barely better than the EAC’s non-
existent standards for electronic poll books, centralized statewide voter
registration systems, and election auditing systems.
83Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 91of170 PagelD 485
f. According to VVSG, security testing guidelines do not even require VSTLs to
review common vulnerabilities and exploits that are publicly available.
g. “The EAC’s standards of accreditation for VSTLs do not even ask, let alone
require, awareness in the VSTLs of supply chain vulnerabilities in computerized
voting systems, much less awareness or proficiency in the detection of supply
chain compromises, or in their assessment of effective mitigation, where even
possible, by voting system vendors.”
h. The Technical Guidelines Development Committee (TGDC) is the advisory body
established by HAVA to “assist the (EAC) in the development of (VVSG)”,
includes far more “lawyers, politicians, public affairs, and psychology grads than
computer scientists or software expert, at a 4:1 ratio.” In addition, of those few
committee members that are computer scientists and software experts included the
director for software development at one of the largest US voting system vendors.
i. Although NIST recommended to the TGDC that no wireless devices be permitted
on voting systems as early as 2006, the “TGDC” in 2020 still held a “compromise
position” with no prohibition on wireless devices for the latest 2021 VVSG.
Smith states, “permitting wireless devices in computerized voting systems is
irrational and indefensible in light of the known and persistent threats to those
systems.”
j. “The EAC has demonstrated inadequate awareness, comprehension, and response
to the clear and present danger posed by foreign nation states, supply chain
attacks against the computers and components used in U.S. voting systems.”
Furthermore, the EAC “can’t be relied upon to protect U.S. elections by
competently examining voting systems, prior to use, for indicators of compromise
and vulnerability.”
k. Laboratory Director, and corporate principal, for the VSTL Pro V & V, stated that
he had no “specialized expertise in cybersecurity testing or analysis or
cybersecurity risk analysis,” in a federal court testimony in 2020.
1. Furthermore, the same VSTLs, despite lacking specialized expertise in
cybersecurity testing or cybersecurity risk analysis, are responsible to not only
conduct initial and modification testing, but are also responsible to recommend to
84Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 92 o0f170 PagelD 486
the EAC whether those changes may be implemented without testing, as “de
minims.” Smith describes several other factors that further negatively impact the
security of elections
m. “Even if states and localities could afford the caliber of cybersecurity expertise
needed to defend voting systems, the U.S. workforce of qualified cyber
professionals is too small to staff voting systems offices in 50 states, much less
over our 3,000 U.S. Counties. Hart InterCivic appears to use Hewlett-Packard
computers, which are remanufactured and assembled overseas, containing
overseas-manufactured components, built by foreign workers, and all without U.S
government oversight and “effectively no safeguards in the entirety of the testing
and certification regime for voting systems”
n. “ES&S is owned by the private equity firm McCarthy Group, which doesn’t
disclose the information of investors, including if any other investments or
financial interests, have a controlling interest in ES&S.”
H. DECLARATION OF JOHN R. MILLS
This is a summary of the Declaration of John R. Mills. It is provided without amplification or
supposition.2°7
334.
335.
27 https
Mr. Mills is a retired Colonel in the United States Army Reserve. He has also served as
Former Director of Cybersecurity Policy, Strategy, and International Affairs, as a Senior
Civilian in the Office of the Secretary of Defense. This afforded nearly 40 years of
service to the United States of America and gave him extensive experience in the
employment of cyberspace capabilities. He has held a Top Secret Sensitive
Compartmented Information (SCI) security clearance since approximately 1988. Mr.
Mills has also been an Adjunct Professor teaching graduate level cybersecurity law and
policy at the University of Maryland, Global Campus since 2013. His final uniformed
position within DoD was as liaison to DHS where he coordinated the national response to
emergencies and threats to the United States.
The testimony of Mr. Mills regarding the use of remote access operations for the
unlawful entry and purposes into computer networks was requested. The information is
files. ttttexas.com/ case TX_SOS_ Election Violation References See Declaration of John R. Mills
85Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 93 o0f170 PagelD 487
336.
337.
338.
339,
340.
341.
342
343.
344.
unclassified and based on his personal experience, publicly available reporting and open
source information.
Remote access operations are designed to gain access to computer networks to avoid
detection and residual forensic evidence. This is accomplished via implanted malware,
other software and/or algorithms that facilitate access to the targeted system.
Remote access is not the same as remote maintenance. Remote access is intended as a
legitimate activity subject to active or passive monitoring and logging of the event.
Remote maintenance can be compromised to suit the needs of remote access operations
given discoverable vulnerabilities.
The capabilities to conduct remote access have greatly expanded since the 1980s. The
primary user of remote access is the U.S. Intelligence Community in close partnership
with the Department of Defense and Federal Law Enforcement.
Remote access operations capability is not limited to the United States. Several countries,
organizations, and individuals have developed skillsets with varying degrees of
sophistication. These actions have accelerated over the last 20 years and have become
commonplace among nation state and private actors.
Electronic election infrastructure is considered critical infrastructure and can be subjected
to remote access operations. A successful remote access operation could change vote
totals rendering elections null and void.
Employment of machine-based algorithms to enhance remote access operations is well
within the skillset of nation-state actors such as China, Russia, Iran, and Venezuela. This
capability also exists with non-nation state actors.
Mr. Mills states his review of the Mesa County Forensic reports are consistent with
remote access operations.
He has served as a sworn election official and understands the U.S. election process at the
county level. Due to this and his previous experience amentioned, he states he has very
low confidence in the security of American election critical infrastructure.
Mr. Mills contradicts the claims of the U.S. Intelligence Community, Homeland Security,
and Law Enforcement Agencies that they have the ability to defend election
infrastructure from remote access operations. He states, their high level of confidence is
not supported, and in some cases, may be false. He goes on to relate the breach of the
86Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 94 of 170 PagelD 488
Office of Personnel Management which, despite the resources available to stop such an
attack, failed to do so.
345. In his professional opinion, the statement, “The November 3” election was the most
secure in American history” asserted by CISA, had little, if any, basis in fact.
346. Mr. Mills continues by highlighting the statements made by CISA would require
assessment of the indicators used by the National Intelligence Collection priorities to
track, monitor, and collect during the 2020 election. Furthermore, he states, the capability
of CISA to detect, assess, and respond to remote access operations in a timely manner,
with high confidence, is unrealistic and they have a poor track record to back up this
statement.
347. Mr. Mills states the Mesa County findings are consistent with publicly known intrusion
sets, that are likely nation state level, with intimate insider knowledge of the
infrastructure. He likens the actions taken by the actors be so deeply technical that
anyone monitoring the activity would be unable to detect what was happening given the
level of complexity.
348. Throughout Mr. Mills career he has received a variety of training, some of which
includes work in the Special Operations community. Part of that work included planning,
implementing, observing, and recommending during elections both in the United States
and in foreign countries.
349. Mr. Mills had the opportunity to provide advice for the January 2020 elections in Taiwan.
Among his many recommendations were to keep the process as simple as possible. This
included reliance upon paper ballots, hand counting, and minimization of election
machines as well as any connectivity components or sub-components. In addition, he
advised that any tabulation of ballots (when not hand-counted) be performed as
transparently as possible, and on machines with no other features other than to tabulate
the ballot. This would limit the ability to conduct remote access operation methods to the
power cord used to power the tabulating machines.
350. Asaresult, the Taiwanese elections were conducted flawlessly. The counting of ballots
was done live with multiple observers from both parties. As the ballot was verified and
passed through the tabulator, the counts were changed automatically for all to see.
87Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 95 of170 PagelD 489
351,
352
353.
354.
355.
356.
357
358.
Mr. Mills then provides a history of remote access operations from post World War II to
the present.
Mr. Mills states there is no independent third party review of electronic voting systems.
The level of expertise by those officials who review or access these systems is woefully
inadequate.
He states contractors use intellectual property rights or contractual terms to deny any
third party review of the election systems they provide.
Mr. Mills further states that the culture within the U.S. Intelligence Community actively
stifled any findings from analysts that concluded China interfered in the 2020 U.S.
elections. Even going so far as to pressure analysts to change or withdraw their support
proof of Chinese actions.
Mr. Mills goes on to state that while federal government officials are well meaning, they
simply do not understand U.S. election infrastructure.
He points out anomalies in various statements made Mr. Chris Krebs, then Director of
CISA, who claimed the election of 2020 was secure. Mr. Mills highlights the inaccuracies
in multiple statements made by Mr. Krebs.
Mr. Mills points out that ES&S has admitted to building in remote access to their
machines. He goes on to state that many of the security procedures designed to restrict
the ability of remote access operations, are not being used.
Mr. Mills concludes by assessing the current voting process has become over-
sophisticated; and asks why it would need to this way. He raises legitimate questions of
why counties are spending inordinate amount of resources on a technology environment
without an evaluation of whether it is truly necessary. He further assesses there are no
checks and balances on sworn elected officials and that the entire notion of electronic
voting machines needs to be revisited.
88Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 96 of 170 PagelD 490
I. TEXAS COUNTY FAILURES
HOOD COUNTY
359. Hood County Commissioners, in addition to election officials, have failed to confirm if
the voting equipment in Hood County is properly certified.
360. On July 28, 2021, Michele Carew was questioned about the issue of non-sequential
ballots.2°%
361. November 9, 2021, Plaintiff Karen Towell addressed the Hood County Commissioner’s
court regarding the lack of accredited VSTLs and thereby the lack of state certifications.
Plaintiff provided evidence similar to the evidence in this case.?”
362. Michele Carew resigned shortly after the November 2021 meeting.
363. ES&S was the voting system employed within Hood County."
a. ES&S was first utilized for elections in Hood County in 2008 and continued to be
used through the November 2020 election.
b. According to Melissa Welborn, H. R. Director or Hood County, ES&S version
3.4.1.0 was utilized for the November 2020 elections.
c. The last certification on file indicates that ES&S version 3.4.1.0 was certified in
April 2014.
364. On February 9, 2021, a contract was signed with Hart Intercivic voting systems for use in
elections in Hood County. *!!
a. Certification for Hart Intercivic Verity Voting software version 2.4*!* is on file
with the Secretary of State website.?!?
b. Hood County records indicate that Hart Intercivic software version 2.4.2 was
utilized for the November 2, 2021, elections.
208 https:/www.texastribune.org/202 1/10/01 texas-election-official-hood, (Last visited 5/20/22)
209
https://duckduckgo.com/?q=hood+county+commissioner+meeting&iax=videos&ia=videos&iai=https%3A%2F%2F
www. youtube.com%2Fwatch® o3 Fv’/3 DuguEcPW 7P_A (Lasted visited 5/20/22)
21° hitps files. tttte: tion_Violation_References See Hood County ES&S Contract
21! hitps://files. ttttexas.com, ion_Violation References See Hood County Hart Contract
212 https:/www.sos. state. tx.us, elections’ fois sysexamy hart-verity-2.4-certification-order.pdf (Last visited on
5/18/22)
213 See Tex. Elec Code § 122.036
89Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 97 of170 PagelD 491
c. During inspection of the Hart Intercivic Verity Voting 2.4.2, conducted on April
14-17, 2020, one examiner noted an “over-vote” issue and yet still recommended
the version for certification.?!*
4. In the voting process, an “over-vote” bring up a warning when more than one
candidate can be voted for in a specific race. However, when you make your
selection to continue, there is an automatic de-selection of another candidate
chosen rather than allowing the voter to decide who gets deselected. This could
lead to voter confusion and a casting of an unintended vote without the voter’s
knowledge.
d. Another note in the Hart InterCivic Certification Test Report Modification
document states that Verity Voting version 2.4 is Hart InterCivic Verity Voting
2.4.2. No other version of any Hart modified software/firmware is certified under
an original version number as modified versions are not the same as the original.
The original version is also not decertified for use in Texas.?!>
e. Inan “Electrical Hardware Test Plan” Verity Voting 2.4 Discrepancies, conducted
by SLI Compliance, issues arose with the “proposition text not saving properly
during election creation” and “loss of audio clarity when audio speed set to
high”. (Emphasis added) ?'°
eu geste,
cies) inugnteaee eet smog rape Sng
Sectoncaten
Jecesa nomenon lemantent CNRS STN |
(ses | Section
free [cco lraroe lament (mantener
[Addressed tha ely wrens netic
Fo afew bem (teen
214 https:/vww.sos.texas. gov’ elections/forms/sysexam/brandon-hurley-hart-2.4.pdf
visited 5/18/22)
215 See Tex. Elec Code § 122.031 (a)
216 https://Wwww.eac. gow sites/de
%20Verity’020Voting’»s202.4%
h=hart%202.4.2 (Last
files/voting_system fil mr G%20-
ODiscrepaney"o20Report.pdt Last visited 07/22/202:
90Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 98 of170 PagelD 492
f.
Listed discrepancies by SLI Compliance for Hart InterCivic Verity Voting version
2.4 were “repaired” by updating to Hart InterCivic Verity Voting firmware
version 2.4.2.
All state of Texas certifications for these versions are currently approved under
version 2.4,
365. SLI Compliance is not an accredited laboratory in accordance with the Voting System
Test Laboratory Program Manual ver. 2.0 effective May 31, 2015, page 38, Sec 3.6.1.
366. On May 3, 2021, Hood County Attorney, Matthew Mills, sent a letter to Attorney
General
the use
, Ken Paxton, requesting clarification of ballot numbering issues associated with
of election machines in Hood County.?!7 2!
367. A letter from Roger B. Borgelt of Borgelt Law dated July 29, 2021, to the Attorney
General
, Ken Paxton, outlines the questions that Hood addressed in the cited letter above
from Matthew Mills, May 3, 2021, concerning the ballot numbering for Hart Intercivic
current!
a.
b.
y in use in Hood County.
“Secretary of State claims that TEX ELEC § 122.001 provides authority for the
Secretary to prescribe “operating procedures” related to voting systems, 7!°
nothing in the Election Code grants the Secretary the authority to provide advice
to ignore specific sections of the Election Code — laws and procedures are not
equal.”
Several times, in the letter from Borgelt Law, it is noted that inconsistent
numbering violates several Texas Election Codes (TX Election Code § 52.062,
§51.006, §51.007, §51.008, §51.010, §62.007, §62.009).
“The Secretary is the Chief Election Officer of the State of
Texas.”*? Among other duties, the Secretary has been tasked by
the Legislature with "obtain[ing] and maintain[{ing] uniformity in
the application, operation, and interpretation of [the Election]
code."*?! As part of performing this duty, the Secretary is required
to "prepare detailed and comprehensive written directives and
217 https://katychristianmagazine.com/wp-content/uploads/ 202 |12/Request-for-Opinion-on-Ballot-Numbering_RQ-
O405-K
218 See Tex.
. Elec Code
ter.pdf (Last visited 5/18/22)
52.062
219 See Tex. Elec Code § 31.003
220 See Tex. Elec Code § 31.001
22! See Tex. Elec Code § 31.003
91Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 99 o0f170 PagelD 493
instructions relating to and based on [the Election] code and the
election laws outside this code."**? The Secretary must "distribute
these materials to the appropriate state and local authorities having
duties in the administration of these laws."
“The Secretary's deficient guidance to counties violates the
Separation of Powers clause of Art. 2, Sec. 1 of the Texas
Constitution. Further, because the Secretary is providing counsel to
counties to ignore Tex. Elec. Code §§ 52.062, 51.006, 51.007, and
51.008, this is a violation of the Suspension of Laws provision in
Art. 1, Sec. 28 of the Texas Constitution. The Constitution
provides that only the Legislature can suspend laws - not the
Secretary, a member of the Executive Branch. These actions by the
Secretary are contrary to the Legislature's intent that the Election
Code be interpreted and applied uniformly across this State for
voting systems. See Tex. Elec. Code § 122.032. By suspending
laws and authorizing exceptions to Tex. Elec. Code § 52.062, and
other statutes, the Secretary is failing to perform his ministerial
duty. Surely the Legislature did not intend for any of these
provisions to be waived, ignored, or violated.”
368. The SoS recommendations for ballot numbering procedures for Hart InterCivic System
and correctly notes that Tex. Elec Code § 52.062 requires ballots to be prepared with
The first option, ordering blank ballot stock with pre-printed numbers, complies with Section
52.062, as the ballots can be numbered consecutively beginning with “1.” This plainly satisfies
both the letter and spirit of Section 52.062 and thus ensures counties’ adherence to other election
laws, such as those cited supra, that relate to ballot numbering.
The second option purports to provide an alternative to Section 52.062 for counties using the
ES&S and Hart InterCivie systems. According to the Secretary, the Hart InterCivic “ballot is
assigned a unique identifier when printed.” However, theiSeeretaryiacknowledges!in Appendix A
that the laék"6f'consecutively-numbereds ballots: renders,it:impossiblerfor'election*officials:to
‘fully Complyewith portions-of the Election: Code:
“The ballots shall be tracked, distributed, and retained just as you would with a traditional
pre-printed full ballot in accordance with Sections 51,006, 51.007, 51.008 with the
exception of notating the serial number of the ballot ranges.”* (Emphasis added.)
‘Theweltemnaineersnconst zed SoH
minimum, TER Code 2
6 and 5 ermore, ihe’ Secretary
consecutive numbers to begin with “1”. The two oops for meeting this requirement.
22 Ig,
92Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 100 of 170 PagelD 494
369. On November 1, 2021, Virginia Hoelscher, Chair of the Opinion Committee for Attorney
General Ken Paxton, sent the following letter to Matthew Mills, Hood County Attorney:
“Re: Procedure for numbering election ballots and which officials
are authorized to select the method for numbering ballots (RQ-
0405-KP) Dear Mr. Mills: Thank you for requesting a written
opinion from this office. Section 402.042 of the Government
Code requires this office to issue an opinion within 180 days of
receiving a request for one unless we explain to the requestor in
writing before the deadline why the opinion will be delayed.
Accordingly, we are notifying you that we will a issue an
Shate (how will ‘officials Gainer carial nie me mare to Shin, "oO will
officials at polls determine if ballots are properly numbered) and 620009 (how will election
judges place numbered ballots face down for voters to choose thei
ballot). In short, the
Should General Paxton determine that Tex. Elec. Code § 52.062 is discretionary and that
computerized machines are permitted to generate random text values onto ballots in lieu of
consecutive numbering starting with “1,” Texas election law will be plunged into confusion and.
uncertainty because violations of several of these ballot numbering statutes are not only illegal,
but punishable criminally:
a) i i
placesisa@lass:@misdemeanon See Tex. Elec. Code § 51.010(c)).
sollingelocatonsscar ECan "CH HT PERANI ( ee Tex. lee, Code ‘31 “007(b),
51,008(d)), and 13 TAC § 7.125(a)(10)), and Tex. Penal Code § 37.10(3)).
opinion on your request within 180 days of the date received
because we need more time to review the law, complete the
analysis that your request requires, and finalize the formal
opinion. We will make every effort to issue this opinion as soon
as possible.”
370. To our knowledge, non-sequential ballots have been used in all Hood County elections
since the Hart InterCivic equipment was first employed in 2021.
371. By Defendants’ own admission via the State of Texas’ Secretary of State website
regarding education of the HAVA 2002; knowingly certified voting software, systems
and modification without a valid VSTL accreditation via the EAC.
93Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 1010f170 PagelD 495
PARKER COUNTY
372. Parker County Commissioners, County Judge and election officials, have failed to
confirm and properly certify the voting equipment in Parker County.
373. October 6, 2021, Plaintiff Jennifer B. Edwards met with Larry Walden, Parker County
Commissioner, Precinct 3, regarding the lack of accredited VSTLs and thereby the lack
of state certifications for the November 3, 2020, elections in Parker County.
374. October 13, 2021, Plaintiff Jennifer B. Edwards met with Larry Walden, Parker County
Commissioner, Precinct 3 and John Forrest, Parker County Attorney regarding the lack of
accredited VSTLs and thereby the lack of state certifications.
375. October 20, 2021, Plaintiffs Jennifer B. Edwards and Jennifer Williams met with Larry
Walden, Parker County Commissioner, Precinct 3, Crickett Miller, Parker County
Elections Administrator and John Forrest, Parker County Attorney regarding the lack of
VSTL’s and thereby the lack of state certifications.
376. October 23, 2021, Plaintiff Jennifer B. Edwards sent letter via email to Pat Deen, Parker
County Judge requesting an emergency meeting of the Parker County Election
Commission be called to present findings regarding the lack of accredited VSTLs and
thereby the lack of state certifications.
377. November 1, 2021, Plaintiffs, Jennifer Williams and Jennifer B. Edwards emailed
Elections Administrator Crickett Miller; County Commissioners Steve Dugan, George
Conley, Craig Peacock, and Larry Walden; County Attorney John Forrest; County Judge
Pat Deen; and Sheriff Russ Autheir alerting them to fact that the election machines have
not been certified as is required by law. Certified letters with evidence were sent to the
District Attorney Jeffrey Swain and the District Judges Craig Townson and Graham
Quisenberry.
378. March 25, 2022, Plaintiffs Jennifer B. Edwards and Jennifer Williams submitted sworn
affidavits to Jeffrey Swain, Parker County District Attorney in accordance with Tex.
Elec. Code § 273 regarding the lack of accredited VSTLs and thereby the lack of state
certifications.
379. Hart InterCivic Voting System 2.4 was utilized in Parker County for the November 3,
2020, election.
94Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 102 0f170 PagelD 496
a. According to Crickett Miller, Parker County Election Administrator, Hart version
2.4 was utilized for the November 2020 general elections.
b. Certification for Hart Intercivic Verity Voting software version 2.4 is on file with
the Secretary of State website.” (Judicial Notice: Parker County regarding 2.4)
c. Inconsistent numbering violating several Texas Elections Codes (TX Election
Code § 52.062, §51.006, §51.007, §51.008, §51.010, $62.007, §62.009).?4
380. SLI Compliance is the VSTL that certified Hart InterCivic voting systems and
equipment.
381. SLI Compliance is not an accredited laboratory in accordance with the Voting System
Test Laboratory Program Manual ver. 2.0 effective May 31, 2015, page 38, Sec 3.6.1.75
382. By Defendants’ own admission via the State of Texas’ Secretary of State website
regarding education of the HAVA 2002; knowingly certified voting software, systems
and modification without a valid VSTL accreditation via the EAC.
COMAL COUNTY
383. Comal County Commissioners, in addition to election officials, have failed to confirm the
voting equipment in Comal County was/is properly certified.
384. Comal County removed the Elections Administrator position due to malfeasance.
385. The County Clerk is the responsible elections official. There is a Deputy under the
County Clerk named the Elections Coordinator.
a. Bobbie Koepp, Comal County Clerk
b. Cynthia Jaqua, Deputy under the Clerk - Elections Coordinator
386. Comal County used KNOWiNK Poll Pads that were updated the night before the
November 3, 2020, General Election.
387. Comal County has not provided the version of KNOWiNK poll pad software that was
utilized during the November 3, 2020.
388. KNOWiNK Poll Pads version 2.4.9 was certified by the SoS on January 23, 2020.22 What
version of software were the poll pads upgraded to the night before the November 3, 2020,
223 https.//www.sos.state.tx.us/elections/ forms sysexamyhart-verity-2.4-certification-order.pdf (Last visited 5/25/22)
224 See Parker County page 9 lof this case
25 https: /www.eac, gow sites/default files/eac_assets/1/28/VSTLManual%207%208%2015%%20FINAL.pdf (Last
visited 5/25/22)
226 httpsv/Wwww.sos. texas. gov elections/forms’sysexam/knowink-poll-pad-certification-letter.pdf Last visited
06/10/22
95Case 4:22-cv-00576-P-BJ Document13 Filed 07/25/22 Page 103 of 170 PagelD 497
General Election?
389. The purchase of these pads was contracted via Hart InterCivic under contract in 2018
with software, maintenance, and upgrade options.
390. The SoS’s office did not inspect the KNOWiNK Poll Pad updated/modified changes as
required by law.227
a. Defendants Koepp and Jaqua did not address the violation of Tex. Elec Code
with the SoS’s office and or make the voters aware of lack of certification.
b. Defendants Koepp and Jaqua authorized the update/modification of poll books
with clear knowledge of Tex. Elec Code.
391. KNOWiNK performed an update the night before the election of November 3, 2020,
similar to how an iPhone updates via a network connection.”
392. Election officials throughout the country-from North Texas to Georgia-reported issues
with poll pads from St. Louis-based KNOWiNK.
393. In some locations; the poll pads also activated ballots on voting machines which
forced some voters to fill out selections on paper ballots.
394. The Defendants proceeded to utilize the paper forms and provided pencils.?”°
395. KNOWiNK poll pads went down November 3, 2020, across the state affecting Comal
County elections.
a. Marcia Ridley, Spalding County Board of Elections, attributed the problem to a
vendor’s 11" hour update per a representative for the election technology vendor,
dominion Voting Systems, told her office that it had uploaded some kind of
“update” the night before the election and that this had created the glitch.”
(emphasis added)
27 See Tex. Elec Code 31.014
28 htips:/www. ksat.com/news local/2020/1 1/03 polling-pads-down-at-comal-county-voting-locations/ Last visited
06/10/22
229 https: /vww.ksat.com/news local/2020/1 1/03 polling-pads-down-at-comal-county-voting-locations/ Last visited
06/10/22
25 https: /Wwww.politico.com/news/2020, 11/04 georgia-election-machine-glitch-434065 Last visited 06/10/22
96Case 4:22-cv-00576-P-BJ Document13 Filed 07/25/22 Page 104 0f170 PagelD 498
396.
397.
398.
399.
400.
401.
Ridley initially told POLITICO on Nov. 3 that Dominion, which prepares the
poll books for counties before elections, “uploaded something last night, which
is not normal, and it caused a glitch.” The glitch prevented poll workers from
programming the voter smart cards for the voting machines.
In her initial comments last week, Ridley said that a representative for the two
companies called her office after poll workers began having problems with the
equipment on the morning of the election. The representative said at the time
that the problem was due to an upload to the machines by one of their
technicians overnight, Ridley told POLITICO.
As a result, “three reports of races not being included on a ballot,”:?*!
a. Contests seats on the New Braunfels ISD Board of Trustees
b. District 2 (Nancy York claiming victory over incumbent Michael Calta by 12
votes)
c. District 4 (John Tucker claiming victory over incumbent Matthew Sargent by 251
votes)
d. Lake Dunlap Proposition not being on the appropriate ballot.
Impacted precincts due to failure of poll pads include 301, 302, 303 and 201.
This resulted in County Judge to extend voting hours due to poll pad failures.
Defendant Bobby Koepp's statement to KensS in which she offers only a partial
responsibility, “It’s part of my duties to make sure that everybody gets what they’re
supposed to get when they come to vote, and I do take responsibility for that”; in which
the Defendant continues placing blame at KNOWiNK. “But in my defense, I honestly
feel [KnowInk] needs to make it right. They need to make a statement and need to tell
everybody what happened.”
Defendant Bobby Koepp believes it is up to the candidates to request a do-over. “We are
doing everything in our power to...try to figure out exactly how many votes were cast
that didn’t get the opportunity to vote the way they needed to.”
The day prior Defendant Bobby Koepp stated to one candidate, Sargent, that reported his
23! https:/www.ken:
election-day-tech-issi
inity’hill-country-reporter/comal-county-investigates-scope-of-
~aa4dd-60edde2db052 Last visited 06/10/22
97Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 105 of 170 PagelD 499
name and race not on the ballot but submitted in error; “If this had been brought to our
attention before the vote was submitted, we could have canceled out the vote and
reviewed the problem. ..”?5?
402. Sargent is left wondering and...” waiting for the county to step up and say there is a
problem or to let us know what they are going to do to fix it.....Or to make us feel all
warm and fuzzy that every vote got counted.”
403. Sargent’s complaint to the SoS Office states...potential violation from the handbook for
Election Judges and Clerks 2020, which in part requires presiding election judges to
cease using malfunctioning equipment installed at polling places “immediately after
discovering that the equipment is not functioning properly.”?*4
404. Sargent’s continues, “The county knew about the problem no later than 10:41 am and
continued to utilize the equipment without shutting the polling places(s). Even though
this was a software issue, and the ballots were not loading correctly the machines were
not properly functioning. The equipment should have been shut down until the software
issue could have been corrected.”
405. Defendants Koepp and Jaqua authorized and continued to use Hart InterCivic voting
systems and equipment after many reported malfunctions including but not limited to
lack of paper ballot and ballot numbering.
406. After multiple PIA requests, Comal County did not provide the Letter of Approval from
the SoS to Comal County approving the contract for the purchase of Hart Verity Voting
2.4. as pursuant to Tex. Elec Code.’*° Making the election null and void if the document
does not exist.
407. By Defendants’ own admission via the State of Texas’ Secretary of State website
regarding education of the HAVA 2002; knowingly certified voting software, systems
and modification without a valid VSTL accreditation via the EAC.
252 hups://www.kens5.com article/news/politics/elections/election-day-glitches-led-to-reports-of-absence-of-races-
and-propositions-on-some-ballots-comal-co-says/273-308a3 fae-49a9-41e4-a4bf-7 11 266c28310 Last visited
06/10/22
233 https://www.kens
and-propositions-on-s
06/10/22
34 https: /herald-zeitung.com/community_alert/article_ $62bdcaa-2483-1 Leb-9728-fb0da9e3734c.html Last visited
06/10/22
235 See Tex. Elec Code § 123.035 (a), (b), (c), (4).
‘ae
m/article/news/politics/el
me-ballots-comal-co-s:
tions election-day-glitches-led-to-reports-of-absence-of-races-
3 fue-49a9-4 Led-a4b f-711266c28310 Last visited
98Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 106 of 170 PagelD 500
TARRANT COUNTY
408. Tarrant County Commissioners, in addition to election officials, have failed to confirm
and properly certify the voting equipment in Tarrant County.
409. Hart Intercivic Verity Voting 2.3, 2.4 and 2.5 contain numerous COTS components,?3©
and that all three versions lack proper EAC certifications according to HAVA 2002.
410. Halderman’s statement with regard to close proximity of the voting system to the internet
rings true. There are several components of the election infrastructure ecosystem utilized
by Tarrant County for all three elections that give cause for concern.
a. November 3, 2020, election contained one or more of these aspects/components
but not limited to:
411. Verity Touch Writer DUO are daisy chain configurations comprised of a Verity
controller device and up to twelve Ballot Marking Devices?*” (BMDs). The Implications
of the utilization of these types of election systems will be addressed in a following
section.
412. Verity Scan equipped with a Relay Kit”** enables direct transmission of cast vote records
from Verity Scan (precinct ballot counter or tabulator) via a preferred
telecommunications carrier, to a central election office.
413. Per the contract obtained between Tarrant County and Hart Intercivic 9 Relay Kits
(COTs modems) were acquired”?
414. Hart Intercivic,’4° as well as Dominion Voting Systems, and ES&S, have disclosed”*!
that some tabulators have wireless modem capabilities, offered as an add-on to base
model kits. Add-on modem kits (e.g., Relay Kits) not only put elections at heightened
236 https://www.eac.gov/ voting-equipment registered-manufacturers: hart-intercivic-ince (Last visited 5/23/22)
257 hitps://www.stat.berkeley.edu ~stark/Preprints bmd-p19.pdf (Last visited 5/23/22)
https://www.michigan.gov/documents sos/071B7700128_Hart_Exhibit_2_to_Sch_A_Tec_Reg_556894_7.pdf
239 hitps://files.ttttexas.com/case/TX_SOS_Election_Violation References See Appendices C & E
249 hitps://www.eac. vow sites/default files/voting_systemfiles/Attachment_G_-
As_Run_Hart_Verity_Voting 2.2.2 EAC Modification Test_Plan_vl.2 pdf See page 15, 20 (Last visited
5/23/22)
241 https: /www.nbenews.com polities/elections’ online-vulnerable-experts-find-nearly-three-dozen-u-s-voting-
nll
36 (Last visited 5/23/22)
99Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 107 of 170 PagelD 501
vulnerability,”*? but also decertify2? EAC certification?’ of the system, according to
Kevin Skoglund, Senior Technology Advisor at the National Election Defense Coalition.
415. The Master Agreement between Tarrant County and Hart Intercivic was signed on
August 13, 2019. However, the Relay Kits do not appear as a component included within
the 2.3 version of Verity Voting per the EAC Certificate for Conformance," nor is it
mentioned in the Memorandum >“ of the SoS.
416. Relay Kits are listed as components of Verity Voting 2.2.2.4’ and as an option for Verity
2.4. Moreover, the application acceptance ** date for version 2.4 (including the Relay
kit) is after the contract for 2.3 was signed, on August 15, 2019, by Tarrant County””?.
417. The EAC later issued certification of Verity Voting 2.4 (despite the lack of examination
by an accredited VSTL) on February 21, 202075°
418. The Relay Kit is never mentioned in the TX SoS Memorandum of certification, and yet
somehow Tarrant County purchased 9 Relay Kits (modems) outside of the scope of 2.3
that also had not even begun the EAC certification process.”*!
419. Brandon Hurley, an SoS appointed examiner, cited the connectivity capabilities of this
make and version of voting system in his examination report. He reported that Hart
Intercivi
Preview
Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 86 of 170 PagelD 480 311. 312. 313. 314. 315. 316. cyberspace in at least 18 States. Voter data was successfully exfiltrated in two states and in a subset of those 18, attackers could have altered or deleted voter registration data. Mr. Halderman states Russia has sophisticated offensive cyber capabilities as well as intent to use them to hack elections in other locations. He goes on to cite published reports of Russian involvement in hacking the Ukrainian election in 2014. He states that countries other than Russia have similar offensive cyber capabilities. The U.S. Senate Select Committee on Intelligence reported findings and recommendations based upon its investigation into cybersecurity threats to U.S. election infrastructure. Mr. Halderman cites this report as evidence of vulnerabilities in the existing election system used in the United States. Further he quotes DNI Coats and DHS Secretary Nielsen of Russia’s continuing goal to interfere in the elections within the U.S. to achieve a variety of outcomes favorable to Russia. He specifically calls out the Paperless Direct Recording Electronic (DRE) voting machines as being particularly vulnerable to exploit. he DRE machines do not create a paper record of each vote. Paperless DRE machines are notoriously vulnerable to cyber attacks that can cause a multitude of issues. Votes can changed or erased. Extra votes can be cast, and machines can be made to not work at all. He goes on to state that paperless DRE machines do not provide even adequate security against cyber attacks. He points out Dominion voting systems as being exclusively used in the State of Georgia and that over the past 15 years he, and others, have repeatedly warned of the vulnerabilities in this system. These vulnerabilities include both hardware and software flaws. There are also network architectural weaknesses that cannot be repaired through software updates. hese types of voting systems use software that can be reprogrammed. Any attacker gaining privileged access to that software can modify it to do anything. He has proven through multiple demonstrations how easy it is to install malware on these systems. Mr. Halderman cites the first major study of voting systems conducted in 2003 where it was discovered the source code contained multiple errors and vulnerabilities. The States of Maryland and Ohio commissioned independent studies and the resulting assessments confirmed the vulnerabilities in the Dominion voting systems. 79Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 87 of 170 PagelD 481 3i7. 318. 319. 320. 321. 322. In 2006, another independent security researcher also identified vulnerabilities, primarily in the software update mechanism that would allow upload of malware. That same year, Mr. Halderman and others reverse engineered a Dominion voting system and identified multiple additional vulnerabilities. As part of this study, they developed malware that would modify all the vote records, audit logs, and protective counters, preventing any forensic examination from discovering the crime. The malware was also designed to spread automatically to other voting machines. This was propagated by the removable memory cards used to program the ballot design. In 2007, Mr. Halderman participated in two independent studies for the States of California and Ohio. In both studies, additional vulnerabilities were discovered that would allow malware to be installed and propagated to cause even more harm than the virus created during the 2006 test. Mr. Halderman states that some of the vulnerabilities could be resolved by improving the underlying software. Other vulnerabilities are more serious and require hardware and software changes. As a result, California, despite having a paper ballot trail, decided to decertify the Dominion voting system in use at that time. Mr. Halderman points out there are a variety of techniques available to sophisticated attackers to compromise non-internet connected systems. One of those techniques is the removable media cards being exploited via the Election Management System (EMS) prior to insertion in the voting machine. He also states the EMS has recently had remote access software installed which creates another means of exploitation. The physical security measures in place to secure the removable memory cards are also weak and can be easily compromised. Mr. Halderman goes on to describe how a potential attack might take place. The attacker would gain access to the election management computers via weak cyber security. The attacker would then target the pre-election ballot programming with malware that would spread from machine to machine. This malware would automatically shift “a few percent of the vote” to a particular candidate. Mr. Halderman then describes the inadequacy of certain physical security measures, such as tamper evident seals. These would be less than adequate when the memory card is 80Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 88 of 170 PagelD 482 323. 324, 325, 327. 328. 206 hitps:/f inserted with the malware already loaded. Furthermore, logic and accuracy tests only validate the ballot design or counting logic. Such tests would fail to detect malware as it could be programmed to detect and circumvent logic and accuracy tests or only perform on election day. Mr. Halderman states the existing measures to defeat election and voting fraud do not provide a way to determine if fraud occurred during the election or afterward. Malware could be programmed to make it appear statistically probable despite the countermeasure testing taking place. In fact, the malware would delete itself and all log files, thereby preventing any kind of forensic evidence. Mr. Halderman states the only way to reliably safeguard a voting system from future cyber attacks is to generate and examine physical evidence of voter intent, in the form of a voter-verifiable paper trail. Optical scan paper ballots are the most widely used and secure technology available for casting votes, according to Mr. Halderman. The manipulation of both paper and electronic ballots could still be compromised but would require more extensive resources. Mr. Halderman points out that with the monies associated with the Help America Vote Act (HAVA) 2002 in conjunction with the U.S. Senate Select Committee on Intelligence recommendation that States replace outdated voting systems with newer systems that have a verified paper trail. He also states the use of all DRE type machines should be discontinued. DECLARATION OF SHAWN SMITH Shawn Smith, retired Military officer with a Master’s degrees in National Security Affairs and in Aeronautical Science, filed a declaration on 6/8/22 into Kari Lake, et al. v. Karie Hobbs, Arizona Secretary of State (case 2:22-cv-00677-JJt)2". In this declaration, he states that his military occupational specialty was space and missile operations, and he has extensive experience in operating, planning, training, testing, and commanding the employment of complex, computer-based military weapons systems. He states that ‘I have been asked to testify about the threat of the compromising of our supply chain and attack(s) to U.S. national security systems and critical infrastructure, in es.ttttexas.com, case’ TX_SOS_Election Violation References See Declaration of Shawn Smith 81Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 89 of 170 PagelD 483 329. 330. 331, 332) 333. particular to election related systems, including voting systems and consequently, to elections.” As noted in other expert affidavits and declarations, Smith describes the vulnerability of the U.S.’s critical systems, resulting from compromised supply chains, to include elections. He states that it is his, “conclusion that U.S. elections are critically vulnerable to exploitation by foreign adversaries through compromising of our computerized election systems through supply chains.” He goes on to say, that despite this fact, the U.S. Government appears to be keenly aware of the risk of supply chain compromise to the nation’s critical systems. This same awareness does not appear to extend to any agency responsible for the “procurement, security, certification or use of election and voting systems, nor to imbue them with any capacity to respond effectively.” The targeting of U.S. voting and election systems must be an extraordinarily high priority for foreign powers and bad actors. Smith demonstrates that supply chain compromise is pervasive, sophisticated, widespread and can take place at any stage of the supply chain including: Manipulation of development tools, development environment, source code repositories (public or private), source code in open-source dependencies, software update/distribution mechanisms, compromised and/or infected system images (multiple cases of removable media infected at the factory), replacement of legitimate software with modified versions, sales of modified/counterfeit products, and shipment interdiction. Smith explains that the public lacks awareness of the severity and pervasiveness of threats to supply chain compromise from malicious cyber activity commonly being portrayed by media as an opportunistic hacker, rather than nation state operated or sponsored advanced persistent threat (APT) groups. Smith identifies a multitude of such APT groups that have in the past and are currently utilizing supply chain attacks, as well as evidence of many investigations and reports. Prosecutions have occurred by several U.S. entities including the DOJ, Department of Commerce, National Counterintelligence and Security Center, Office of the Director of National Intelligence, National Institute of Standards and Technology, CISA, and the FBI. Smith demonstrates that the institutions, measures, laws, and guidelines intended to secure U.S. elections are grossly inadequate: 82Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 90o0f170 PagelD 484 a. Supply chain threats for critical computer-based infrastructure, such as election ecosystems, are so severe and extensive that the “computer networks of the Cybersecurity and Infrastructure Security Agency (CISA), the very U.S. government institution responsible for critical infrastructure security, were compromised by software supply chain attacks in 2020, the SolarWinds, SUNBURST and SUPERNOVA attacks, for ten months or more without detection and, even then, that compromise only became known to CISA due to the intervention of a private company.” b. “In the light of CISA’s inability to defend even its own computer systems from nation-state level supply chain attacks from March through December 2020, little credence can be given to CISA’s July declaration that the 2020 election would be ‘the most secure election in modern history, and its declaration in November 2020 that the 2020 election was the “most secure in American history.’” c. “CISA has acknowledged, as early as October 2020, that APRs have targeted not only the Federal government, but state, local, tribal, and territorial (SLTT) governments, critical infrastructure, and elections organizations, including successful APT establishment of unauthorized access to election support systems.” d. Despite repeated warnings and recommendations from NIST, the technical body and agency identified in TITLE 52, USC to advise the EAC, to take measures to secure against supply chain attacks since 2012, the EAC has effectively provided no standards, procedure or safeguards to implement those recommended protections for election systems and elections. e. To date, nearly all the systems certified and in use in the United States have no supply chain security, nor any testing or verification of the security as a result of the EAC’s failures to implement protections. Although the latest version of the VVSG acknowledges supply chain risk manages as a necessity, no real safeguards were added. Smith states, “these standards are barely better than the EAC’s non- existent standards for electronic poll books, centralized statewide voter registration systems, and election auditing systems. 83Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 91of170 PagelD 485 f. According to VVSG, security testing guidelines do not even require VSTLs to review common vulnerabilities and exploits that are publicly available. g. “The EAC’s standards of accreditation for VSTLs do not even ask, let alone require, awareness in the VSTLs of supply chain vulnerabilities in computerized voting systems, much less awareness or proficiency in the detection of supply chain compromises, or in their assessment of effective mitigation, where even possible, by voting system vendors.” h. The Technical Guidelines Development Committee (TGDC) is the advisory body established by HAVA to “assist the (EAC) in the development of (VVSG)”, includes far more “lawyers, politicians, public affairs, and psychology grads than computer scientists or software expert, at a 4:1 ratio.” In addition, of those few committee members that are computer scientists and software experts included the director for software development at one of the largest US voting system vendors. i. Although NIST recommended to the TGDC that no wireless devices be permitted on voting systems as early as 2006, the “TGDC” in 2020 still held a “compromise position” with no prohibition on wireless devices for the latest 2021 VVSG. Smith states, “permitting wireless devices in computerized voting systems is irrational and indefensible in light of the known and persistent threats to those systems.” j. “The EAC has demonstrated inadequate awareness, comprehension, and response to the clear and present danger posed by foreign nation states, supply chain attacks against the computers and components used in U.S. voting systems.” Furthermore, the EAC “can’t be relied upon to protect U.S. elections by competently examining voting systems, prior to use, for indicators of compromise and vulnerability.” k. Laboratory Director, and corporate principal, for the VSTL Pro V & V, stated that he had no “specialized expertise in cybersecurity testing or analysis or cybersecurity risk analysis,” in a federal court testimony in 2020. 1. Furthermore, the same VSTLs, despite lacking specialized expertise in cybersecurity testing or cybersecurity risk analysis, are responsible to not only conduct initial and modification testing, but are also responsible to recommend to 84Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 92 o0f170 PagelD 486 the EAC whether those changes may be implemented without testing, as “de minims.” Smith describes several other factors that further negatively impact the security of elections m. “Even if states and localities could afford the caliber of cybersecurity expertise needed to defend voting systems, the U.S. workforce of qualified cyber professionals is too small to staff voting systems offices in 50 states, much less over our 3,000 U.S. Counties. Hart InterCivic appears to use Hewlett-Packard computers, which are remanufactured and assembled overseas, containing overseas-manufactured components, built by foreign workers, and all without U.S government oversight and “effectively no safeguards in the entirety of the testing and certification regime for voting systems” n. “ES&S is owned by the private equity firm McCarthy Group, which doesn’t disclose the information of investors, including if any other investments or financial interests, have a controlling interest in ES&S.” H. DECLARATION OF JOHN R. MILLS This is a summary of the Declaration of John R. Mills. It is provided without amplification or supposition.2°7 334. 335. 27 https Mr. Mills is a retired Colonel in the United States Army Reserve. He has also served as Former Director of Cybersecurity Policy, Strategy, and International Affairs, as a Senior Civilian in the Office of the Secretary of Defense. This afforded nearly 40 years of service to the United States of America and gave him extensive experience in the employment of cyberspace capabilities. He has held a Top Secret Sensitive Compartmented Information (SCI) security clearance since approximately 1988. Mr. Mills has also been an Adjunct Professor teaching graduate level cybersecurity law and policy at the University of Maryland, Global Campus since 2013. His final uniformed position within DoD was as liaison to DHS where he coordinated the national response to emergencies and threats to the United States. The testimony of Mr. Mills regarding the use of remote access operations for the unlawful entry and purposes into computer networks was requested. The information is files. ttttexas.com/ case TX_SOS_ Election Violation References See Declaration of John R. Mills 85Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 93 o0f170 PagelD 487 336. 337. 338. 339, 340. 341. 342 343. 344. unclassified and based on his personal experience, publicly available reporting and open source information. Remote access operations are designed to gain access to computer networks to avoid detection and residual forensic evidence. This is accomplished via implanted malware, other software and/or algorithms that facilitate access to the targeted system. Remote access is not the same as remote maintenance. Remote access is intended as a legitimate activity subject to active or passive monitoring and logging of the event. Remote maintenance can be compromised to suit the needs of remote access operations given discoverable vulnerabilities. The capabilities to conduct remote access have greatly expanded since the 1980s. The primary user of remote access is the U.S. Intelligence Community in close partnership with the Department of Defense and Federal Law Enforcement. Remote access operations capability is not limited to the United States. Several countries, organizations, and individuals have developed skillsets with varying degrees of sophistication. These actions have accelerated over the last 20 years and have become commonplace among nation state and private actors. Electronic election infrastructure is considered critical infrastructure and can be subjected to remote access operations. A successful remote access operation could change vote totals rendering elections null and void. Employment of machine-based algorithms to enhance remote access operations is well within the skillset of nation-state actors such as China, Russia, Iran, and Venezuela. This capability also exists with non-nation state actors. Mr. Mills states his review of the Mesa County Forensic reports are consistent with remote access operations. He has served as a sworn election official and understands the U.S. election process at the county level. Due to this and his previous experience amentioned, he states he has very low confidence in the security of American election critical infrastructure. Mr. Mills contradicts the claims of the U.S. Intelligence Community, Homeland Security, and Law Enforcement Agencies that they have the ability to defend election infrastructure from remote access operations. He states, their high level of confidence is not supported, and in some cases, may be false. He goes on to relate the breach of the 86Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 94 of 170 PagelD 488 Office of Personnel Management which, despite the resources available to stop such an attack, failed to do so. 345. In his professional opinion, the statement, “The November 3” election was the most secure in American history” asserted by CISA, had little, if any, basis in fact. 346. Mr. Mills continues by highlighting the statements made by CISA would require assessment of the indicators used by the National Intelligence Collection priorities to track, monitor, and collect during the 2020 election. Furthermore, he states, the capability of CISA to detect, assess, and respond to remote access operations in a timely manner, with high confidence, is unrealistic and they have a poor track record to back up this statement. 347. Mr. Mills states the Mesa County findings are consistent with publicly known intrusion sets, that are likely nation state level, with intimate insider knowledge of the infrastructure. He likens the actions taken by the actors be so deeply technical that anyone monitoring the activity would be unable to detect what was happening given the level of complexity. 348. Throughout Mr. Mills career he has received a variety of training, some of which includes work in the Special Operations community. Part of that work included planning, implementing, observing, and recommending during elections both in the United States and in foreign countries. 349. Mr. Mills had the opportunity to provide advice for the January 2020 elections in Taiwan. Among his many recommendations were to keep the process as simple as possible. This included reliance upon paper ballots, hand counting, and minimization of election machines as well as any connectivity components or sub-components. In addition, he advised that any tabulation of ballots (when not hand-counted) be performed as transparently as possible, and on machines with no other features other than to tabulate the ballot. This would limit the ability to conduct remote access operation methods to the power cord used to power the tabulating machines. 350. Asaresult, the Taiwanese elections were conducted flawlessly. The counting of ballots was done live with multiple observers from both parties. As the ballot was verified and passed through the tabulator, the counts were changed automatically for all to see. 87Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 95 of170 PagelD 489 351, 352 353. 354. 355. 356. 357 358. Mr. Mills then provides a history of remote access operations from post World War II to the present. Mr. Mills states there is no independent third party review of electronic voting systems. The level of expertise by those officials who review or access these systems is woefully inadequate. He states contractors use intellectual property rights or contractual terms to deny any third party review of the election systems they provide. Mr. Mills further states that the culture within the U.S. Intelligence Community actively stifled any findings from analysts that concluded China interfered in the 2020 U.S. elections. Even going so far as to pressure analysts to change or withdraw their support proof of Chinese actions. Mr. Mills goes on to state that while federal government officials are well meaning, they simply do not understand U.S. election infrastructure. He points out anomalies in various statements made Mr. Chris Krebs, then Director of CISA, who claimed the election of 2020 was secure. Mr. Mills highlights the inaccuracies in multiple statements made by Mr. Krebs. Mr. Mills points out that ES&S has admitted to building in remote access to their machines. He goes on to state that many of the security procedures designed to restrict the ability of remote access operations, are not being used. Mr. Mills concludes by assessing the current voting process has become over- sophisticated; and asks why it would need to this way. He raises legitimate questions of why counties are spending inordinate amount of resources on a technology environment without an evaluation of whether it is truly necessary. He further assesses there are no checks and balances on sworn elected officials and that the entire notion of electronic voting machines needs to be revisited. 88Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 96 of 170 PagelD 490 I. TEXAS COUNTY FAILURES HOOD COUNTY 359. Hood County Commissioners, in addition to election officials, have failed to confirm if the voting equipment in Hood County is properly certified. 360. On July 28, 2021, Michele Carew was questioned about the issue of non-sequential ballots.2°% 361. November 9, 2021, Plaintiff Karen Towell addressed the Hood County Commissioner’s court regarding the lack of accredited VSTLs and thereby the lack of state certifications. Plaintiff provided evidence similar to the evidence in this case.?” 362. Michele Carew resigned shortly after the November 2021 meeting. 363. ES&S was the voting system employed within Hood County." a. ES&S was first utilized for elections in Hood County in 2008 and continued to be used through the November 2020 election. b. According to Melissa Welborn, H. R. Director or Hood County, ES&S version 3.4.1.0 was utilized for the November 2020 elections. c. The last certification on file indicates that ES&S version 3.4.1.0 was certified in April 2014. 364. On February 9, 2021, a contract was signed with Hart Intercivic voting systems for use in elections in Hood County. *!! a. Certification for Hart Intercivic Verity Voting software version 2.4*!* is on file with the Secretary of State website.?!? b. Hood County records indicate that Hart Intercivic software version 2.4.2 was utilized for the November 2, 2021, elections. 208 https:/www.texastribune.org/202 1/10/01 texas-election-official-hood, (Last visited 5/20/22) 209 https://duckduckgo.com/?q=hood+county+commissioner+meeting&iax=videos&ia=videos&iai=https%3A%2F%2F www. youtube.com%2Fwatch® o3 Fv’/3 DuguEcPW 7P_A (Lasted visited 5/20/22) 21° hitps files. tttte: tion_Violation_References See Hood County ES&S Contract 21! hitps://files. ttttexas.com, ion_Violation References See Hood County Hart Contract 212 https:/www.sos. state. tx.us, elections’ fois sysexamy hart-verity-2.4-certification-order.pdf (Last visited on 5/18/22) 213 See Tex. Elec Code § 122.036 89Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 97 of170 PagelD 491 c. During inspection of the Hart Intercivic Verity Voting 2.4.2, conducted on April 14-17, 2020, one examiner noted an “over-vote” issue and yet still recommended the version for certification.?!* 4. In the voting process, an “over-vote” bring up a warning when more than one candidate can be voted for in a specific race. However, when you make your selection to continue, there is an automatic de-selection of another candidate chosen rather than allowing the voter to decide who gets deselected. This could lead to voter confusion and a casting of an unintended vote without the voter’s knowledge. d. Another note in the Hart InterCivic Certification Test Report Modification document states that Verity Voting version 2.4 is Hart InterCivic Verity Voting 2.4.2. No other version of any Hart modified software/firmware is certified under an original version number as modified versions are not the same as the original. The original version is also not decertified for use in Texas.?!> e. Inan “Electrical Hardware Test Plan” Verity Voting 2.4 Discrepancies, conducted by SLI Compliance, issues arose with the “proposition text not saving properly during election creation” and “loss of audio clarity when audio speed set to high”. (Emphasis added) ?'° eu geste, cies) inugnteaee eet smog rape Sng Sectoncaten Jecesa nomenon lemantent CNRS STN | (ses | Section free [cco lraroe lament (mantener [Addressed tha ely wrens netic Fo afew bem (teen 214 https:/vww.sos.texas. gov’ elections/forms/sysexam/brandon-hurley-hart-2.4.pdf visited 5/18/22) 215 See Tex. Elec Code § 122.031 (a) 216 https://Wwww.eac. gow sites/de %20Verity’020Voting’»s202.4% h=hart%202.4.2 (Last files/voting_system fil mr G%20- ODiscrepaney"o20Report.pdt Last visited 07/22/202: 90Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 98 of170 PagelD 492 f. Listed discrepancies by SLI Compliance for Hart InterCivic Verity Voting version 2.4 were “repaired” by updating to Hart InterCivic Verity Voting firmware version 2.4.2. All state of Texas certifications for these versions are currently approved under version 2.4, 365. SLI Compliance is not an accredited laboratory in accordance with the Voting System Test Laboratory Program Manual ver. 2.0 effective May 31, 2015, page 38, Sec 3.6.1. 366. On May 3, 2021, Hood County Attorney, Matthew Mills, sent a letter to Attorney General the use , Ken Paxton, requesting clarification of ballot numbering issues associated with of election machines in Hood County.?!7 2! 367. A letter from Roger B. Borgelt of Borgelt Law dated July 29, 2021, to the Attorney General , Ken Paxton, outlines the questions that Hood addressed in the cited letter above from Matthew Mills, May 3, 2021, concerning the ballot numbering for Hart Intercivic current! a. b. y in use in Hood County. “Secretary of State claims that TEX ELEC § 122.001 provides authority for the Secretary to prescribe “operating procedures” related to voting systems, 7!° nothing in the Election Code grants the Secretary the authority to provide advice to ignore specific sections of the Election Code — laws and procedures are not equal.” Several times, in the letter from Borgelt Law, it is noted that inconsistent numbering violates several Texas Election Codes (TX Election Code § 52.062, §51.006, §51.007, §51.008, §51.010, §62.007, §62.009). “The Secretary is the Chief Election Officer of the State of Texas.”*? Among other duties, the Secretary has been tasked by the Legislature with "obtain[ing] and maintain[{ing] uniformity in the application, operation, and interpretation of [the Election] code."*?! As part of performing this duty, the Secretary is required to "prepare detailed and comprehensive written directives and 217 https://katychristianmagazine.com/wp-content/uploads/ 202 |12/Request-for-Opinion-on-Ballot-Numbering_RQ- O405-K 218 See Tex. . Elec Code ter.pdf (Last visited 5/18/22) 52.062 219 See Tex. Elec Code § 31.003 220 See Tex. Elec Code § 31.001 22! See Tex. Elec Code § 31.003 91Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 99 o0f170 PagelD 493 instructions relating to and based on [the Election] code and the election laws outside this code."**? The Secretary must "distribute these materials to the appropriate state and local authorities having duties in the administration of these laws." “The Secretary's deficient guidance to counties violates the Separation of Powers clause of Art. 2, Sec. 1 of the Texas Constitution. Further, because the Secretary is providing counsel to counties to ignore Tex. Elec. Code §§ 52.062, 51.006, 51.007, and 51.008, this is a violation of the Suspension of Laws provision in Art. 1, Sec. 28 of the Texas Constitution. The Constitution provides that only the Legislature can suspend laws - not the Secretary, a member of the Executive Branch. These actions by the Secretary are contrary to the Legislature's intent that the Election Code be interpreted and applied uniformly across this State for voting systems. See Tex. Elec. Code § 122.032. By suspending laws and authorizing exceptions to Tex. Elec. Code § 52.062, and other statutes, the Secretary is failing to perform his ministerial duty. Surely the Legislature did not intend for any of these provisions to be waived, ignored, or violated.” 368. The SoS recommendations for ballot numbering procedures for Hart InterCivic System and correctly notes that Tex. Elec Code § 52.062 requires ballots to be prepared with The first option, ordering blank ballot stock with pre-printed numbers, complies with Section 52.062, as the ballots can be numbered consecutively beginning with “1.” This plainly satisfies both the letter and spirit of Section 52.062 and thus ensures counties’ adherence to other election laws, such as those cited supra, that relate to ballot numbering. The second option purports to provide an alternative to Section 52.062 for counties using the ES&S and Hart InterCivie systems. According to the Secretary, the Hart InterCivic “ballot is assigned a unique identifier when printed.” However, theiSeeretaryiacknowledges!in Appendix A that the laék"6f'consecutively-numbereds ballots: renders,it:impossiblerfor'election*officials:to ‘fully Complyewith portions-of the Election: Code: “The ballots shall be tracked, distributed, and retained just as you would with a traditional pre-printed full ballot in accordance with Sections 51,006, 51.007, 51.008 with the exception of notating the serial number of the ballot ranges.”* (Emphasis added.) ‘Theweltemnaineersnconst zed SoH minimum, TER Code 2 6 and 5 ermore, ihe’ Secretary consecutive numbers to begin with “1”. The two oops for meeting this requirement. 22 Ig, 92Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 100 of 170 PagelD 494 369. On November 1, 2021, Virginia Hoelscher, Chair of the Opinion Committee for Attorney General Ken Paxton, sent the following letter to Matthew Mills, Hood County Attorney: “Re: Procedure for numbering election ballots and which officials are authorized to select the method for numbering ballots (RQ- 0405-KP) Dear Mr. Mills: Thank you for requesting a written opinion from this office. Section 402.042 of the Government Code requires this office to issue an opinion within 180 days of receiving a request for one unless we explain to the requestor in writing before the deadline why the opinion will be delayed. Accordingly, we are notifying you that we will a issue an Shate (how will ‘officials Gainer carial nie me mare to Shin, "oO will officials at polls determine if ballots are properly numbered) and 620009 (how will election judges place numbered ballots face down for voters to choose thei ballot). In short, the Should General Paxton determine that Tex. Elec. Code § 52.062 is discretionary and that computerized machines are permitted to generate random text values onto ballots in lieu of consecutive numbering starting with “1,” Texas election law will be plunged into confusion and. uncertainty because violations of several of these ballot numbering statutes are not only illegal, but punishable criminally: a) i i placesisa@lass:@misdemeanon See Tex. Elec. Code § 51.010(c)). sollingelocatonsscar ECan "CH HT PERANI ( ee Tex. lee, Code ‘31 “007(b), 51,008(d)), and 13 TAC § 7.125(a)(10)), and Tex. Penal Code § 37.10(3)). opinion on your request within 180 days of the date received because we need more time to review the law, complete the analysis that your request requires, and finalize the formal opinion. We will make every effort to issue this opinion as soon as possible.” 370. To our knowledge, non-sequential ballots have been used in all Hood County elections since the Hart InterCivic equipment was first employed in 2021. 371. By Defendants’ own admission via the State of Texas’ Secretary of State website regarding education of the HAVA 2002; knowingly certified voting software, systems and modification without a valid VSTL accreditation via the EAC. 93Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 1010f170 PagelD 495 PARKER COUNTY 372. Parker County Commissioners, County Judge and election officials, have failed to confirm and properly certify the voting equipment in Parker County. 373. October 6, 2021, Plaintiff Jennifer B. Edwards met with Larry Walden, Parker County Commissioner, Precinct 3, regarding the lack of accredited VSTLs and thereby the lack of state certifications for the November 3, 2020, elections in Parker County. 374. October 13, 2021, Plaintiff Jennifer B. Edwards met with Larry Walden, Parker County Commissioner, Precinct 3 and John Forrest, Parker County Attorney regarding the lack of accredited VSTLs and thereby the lack of state certifications. 375. October 20, 2021, Plaintiffs Jennifer B. Edwards and Jennifer Williams met with Larry Walden, Parker County Commissioner, Precinct 3, Crickett Miller, Parker County Elections Administrator and John Forrest, Parker County Attorney regarding the lack of VSTL’s and thereby the lack of state certifications. 376. October 23, 2021, Plaintiff Jennifer B. Edwards sent letter via email to Pat Deen, Parker County Judge requesting an emergency meeting of the Parker County Election Commission be called to present findings regarding the lack of accredited VSTLs and thereby the lack of state certifications. 377. November 1, 2021, Plaintiffs, Jennifer Williams and Jennifer B. Edwards emailed Elections Administrator Crickett Miller; County Commissioners Steve Dugan, George Conley, Craig Peacock, and Larry Walden; County Attorney John Forrest; County Judge Pat Deen; and Sheriff Russ Autheir alerting them to fact that the election machines have not been certified as is required by law. Certified letters with evidence were sent to the District Attorney Jeffrey Swain and the District Judges Craig Townson and Graham Quisenberry. 378. March 25, 2022, Plaintiffs Jennifer B. Edwards and Jennifer Williams submitted sworn affidavits to Jeffrey Swain, Parker County District Attorney in accordance with Tex. Elec. Code § 273 regarding the lack of accredited VSTLs and thereby the lack of state certifications. 379. Hart InterCivic Voting System 2.4 was utilized in Parker County for the November 3, 2020, election. 94Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 102 0f170 PagelD 496 a. According to Crickett Miller, Parker County Election Administrator, Hart version 2.4 was utilized for the November 2020 general elections. b. Certification for Hart Intercivic Verity Voting software version 2.4 is on file with the Secretary of State website.” (Judicial Notice: Parker County regarding 2.4) c. Inconsistent numbering violating several Texas Elections Codes (TX Election Code § 52.062, §51.006, §51.007, §51.008, §51.010, $62.007, §62.009).?4 380. SLI Compliance is the VSTL that certified Hart InterCivic voting systems and equipment. 381. SLI Compliance is not an accredited laboratory in accordance with the Voting System Test Laboratory Program Manual ver. 2.0 effective May 31, 2015, page 38, Sec 3.6.1.75 382. By Defendants’ own admission via the State of Texas’ Secretary of State website regarding education of the HAVA 2002; knowingly certified voting software, systems and modification without a valid VSTL accreditation via the EAC. COMAL COUNTY 383. Comal County Commissioners, in addition to election officials, have failed to confirm the voting equipment in Comal County was/is properly certified. 384. Comal County removed the Elections Administrator position due to malfeasance. 385. The County Clerk is the responsible elections official. There is a Deputy under the County Clerk named the Elections Coordinator. a. Bobbie Koepp, Comal County Clerk b. Cynthia Jaqua, Deputy under the Clerk - Elections Coordinator 386. Comal County used KNOWiNK Poll Pads that were updated the night before the November 3, 2020, General Election. 387. Comal County has not provided the version of KNOWiNK poll pad software that was utilized during the November 3, 2020. 388. KNOWiNK Poll Pads version 2.4.9 was certified by the SoS on January 23, 2020.22 What version of software were the poll pads upgraded to the night before the November 3, 2020, 223 https.//www.sos.state.tx.us/elections/ forms sysexamyhart-verity-2.4-certification-order.pdf (Last visited 5/25/22) 224 See Parker County page 9 lof this case 25 https: /www.eac, gow sites/default files/eac_assets/1/28/VSTLManual%207%208%2015%%20FINAL.pdf (Last visited 5/25/22) 226 httpsv/Wwww.sos. texas. gov elections/forms’sysexam/knowink-poll-pad-certification-letter.pdf Last visited 06/10/22 95Case 4:22-cv-00576-P-BJ Document13 Filed 07/25/22 Page 103 of 170 PagelD 497 General Election? 389. The purchase of these pads was contracted via Hart InterCivic under contract in 2018 with software, maintenance, and upgrade options. 390. The SoS’s office did not inspect the KNOWiNK Poll Pad updated/modified changes as required by law.227 a. Defendants Koepp and Jaqua did not address the violation of Tex. Elec Code with the SoS’s office and or make the voters aware of lack of certification. b. Defendants Koepp and Jaqua authorized the update/modification of poll books with clear knowledge of Tex. Elec Code. 391. KNOWiNK performed an update the night before the election of November 3, 2020, similar to how an iPhone updates via a network connection.” 392. Election officials throughout the country-from North Texas to Georgia-reported issues with poll pads from St. Louis-based KNOWiNK. 393. In some locations; the poll pads also activated ballots on voting machines which forced some voters to fill out selections on paper ballots. 394. The Defendants proceeded to utilize the paper forms and provided pencils.?”° 395. KNOWiNK poll pads went down November 3, 2020, across the state affecting Comal County elections. a. Marcia Ridley, Spalding County Board of Elections, attributed the problem to a vendor’s 11" hour update per a representative for the election technology vendor, dominion Voting Systems, told her office that it had uploaded some kind of “update” the night before the election and that this had created the glitch.” (emphasis added) 27 See Tex. Elec Code 31.014 28 htips:/www. ksat.com/news local/2020/1 1/03 polling-pads-down-at-comal-county-voting-locations/ Last visited 06/10/22 229 https: /vww.ksat.com/news local/2020/1 1/03 polling-pads-down-at-comal-county-voting-locations/ Last visited 06/10/22 25 https: /Wwww.politico.com/news/2020, 11/04 georgia-election-machine-glitch-434065 Last visited 06/10/22 96Case 4:22-cv-00576-P-BJ Document13 Filed 07/25/22 Page 104 0f170 PagelD 498 396. 397. 398. 399. 400. 401. Ridley initially told POLITICO on Nov. 3 that Dominion, which prepares the poll books for counties before elections, “uploaded something last night, which is not normal, and it caused a glitch.” The glitch prevented poll workers from programming the voter smart cards for the voting machines. In her initial comments last week, Ridley said that a representative for the two companies called her office after poll workers began having problems with the equipment on the morning of the election. The representative said at the time that the problem was due to an upload to the machines by one of their technicians overnight, Ridley told POLITICO. As a result, “three reports of races not being included on a ballot,”:?*! a. Contests seats on the New Braunfels ISD Board of Trustees b. District 2 (Nancy York claiming victory over incumbent Michael Calta by 12 votes) c. District 4 (John Tucker claiming victory over incumbent Matthew Sargent by 251 votes) d. Lake Dunlap Proposition not being on the appropriate ballot. Impacted precincts due to failure of poll pads include 301, 302, 303 and 201. This resulted in County Judge to extend voting hours due to poll pad failures. Defendant Bobby Koepp's statement to KensS in which she offers only a partial responsibility, “It’s part of my duties to make sure that everybody gets what they’re supposed to get when they come to vote, and I do take responsibility for that”; in which the Defendant continues placing blame at KNOWiNK. “But in my defense, I honestly feel [KnowInk] needs to make it right. They need to make a statement and need to tell everybody what happened.” Defendant Bobby Koepp believes it is up to the candidates to request a do-over. “We are doing everything in our power to...try to figure out exactly how many votes were cast that didn’t get the opportunity to vote the way they needed to.” The day prior Defendant Bobby Koepp stated to one candidate, Sargent, that reported his 23! https:/www.ken: election-day-tech-issi inity’hill-country-reporter/comal-county-investigates-scope-of- ~aa4dd-60edde2db052 Last visited 06/10/22 97Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 105 of 170 PagelD 499 name and race not on the ballot but submitted in error; “If this had been brought to our attention before the vote was submitted, we could have canceled out the vote and reviewed the problem. ..”?5? 402. Sargent is left wondering and...” waiting for the county to step up and say there is a problem or to let us know what they are going to do to fix it.....Or to make us feel all warm and fuzzy that every vote got counted.” 403. Sargent’s complaint to the SoS Office states...potential violation from the handbook for Election Judges and Clerks 2020, which in part requires presiding election judges to cease using malfunctioning equipment installed at polling places “immediately after discovering that the equipment is not functioning properly.”?*4 404. Sargent’s continues, “The county knew about the problem no later than 10:41 am and continued to utilize the equipment without shutting the polling places(s). Even though this was a software issue, and the ballots were not loading correctly the machines were not properly functioning. The equipment should have been shut down until the software issue could have been corrected.” 405. Defendants Koepp and Jaqua authorized and continued to use Hart InterCivic voting systems and equipment after many reported malfunctions including but not limited to lack of paper ballot and ballot numbering. 406. After multiple PIA requests, Comal County did not provide the Letter of Approval from the SoS to Comal County approving the contract for the purchase of Hart Verity Voting 2.4. as pursuant to Tex. Elec Code.’*° Making the election null and void if the document does not exist. 407. By Defendants’ own admission via the State of Texas’ Secretary of State website regarding education of the HAVA 2002; knowingly certified voting software, systems and modification without a valid VSTL accreditation via the EAC. 252 hups://www.kens5.com article/news/politics/elections/election-day-glitches-led-to-reports-of-absence-of-races- and-propositions-on-some-ballots-comal-co-says/273-308a3 fae-49a9-41e4-a4bf-7 11 266c28310 Last visited 06/10/22 233 https://www.kens and-propositions-on-s 06/10/22 34 https: /herald-zeitung.com/community_alert/article_ $62bdcaa-2483-1 Leb-9728-fb0da9e3734c.html Last visited 06/10/22 235 See Tex. Elec Code § 123.035 (a), (b), (c), (4). ‘ae m/article/news/politics/el me-ballots-comal-co-s: tions election-day-glitches-led-to-reports-of-absence-of-races- 3 fue-49a9-4 Led-a4b f-711266c28310 Last visited 98Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 106 of 170 PagelD 500 TARRANT COUNTY 408. Tarrant County Commissioners, in addition to election officials, have failed to confirm and properly certify the voting equipment in Tarrant County. 409. Hart Intercivic Verity Voting 2.3, 2.4 and 2.5 contain numerous COTS components,?3© and that all three versions lack proper EAC certifications according to HAVA 2002. 410. Halderman’s statement with regard to close proximity of the voting system to the internet rings true. There are several components of the election infrastructure ecosystem utilized by Tarrant County for all three elections that give cause for concern. a. November 3, 2020, election contained one or more of these aspects/components but not limited to: 411. Verity Touch Writer DUO are daisy chain configurations comprised of a Verity controller device and up to twelve Ballot Marking Devices?*” (BMDs). The Implications of the utilization of these types of election systems will be addressed in a following section. 412. Verity Scan equipped with a Relay Kit”** enables direct transmission of cast vote records from Verity Scan (precinct ballot counter or tabulator) via a preferred telecommunications carrier, to a central election office. 413. Per the contract obtained between Tarrant County and Hart Intercivic 9 Relay Kits (COTs modems) were acquired”? 414. Hart Intercivic,’4° as well as Dominion Voting Systems, and ES&S, have disclosed”*! that some tabulators have wireless modem capabilities, offered as an add-on to base model kits. Add-on modem kits (e.g., Relay Kits) not only put elections at heightened 236 https://www.eac.gov/ voting-equipment registered-manufacturers: hart-intercivic-ince (Last visited 5/23/22) 257 hitps://www.stat.berkeley.edu ~stark/Preprints bmd-p19.pdf (Last visited 5/23/22) https://www.michigan.gov/documents sos/071B7700128_Hart_Exhibit_2_to_Sch_A_Tec_Reg_556894_7.pdf 239 hitps://files.ttttexas.com/case/TX_SOS_Election_Violation References See Appendices C & E 249 hitps://www.eac. vow sites/default files/voting_systemfiles/Attachment_G_- As_Run_Hart_Verity_Voting 2.2.2 EAC Modification Test_Plan_vl.2 pdf See page 15, 20 (Last visited 5/23/22) 241 https: /www.nbenews.com polities/elections’ online-vulnerable-experts-find-nearly-three-dozen-u-s-voting- nll 36 (Last visited 5/23/22) 99Case 4:22-cv-00576-P-BJ Document 13 Filed 07/25/22 Page 107 of 170 PagelD 501 vulnerability,”*? but also decertify2? EAC certification?’ of the system, according to Kevin Skoglund, Senior Technology Advisor at the National Election Defense Coalition. 415. The Master Agreement between Tarrant County and Hart Intercivic was signed on August 13, 2019. However, the Relay Kits do not appear as a component included within the 2.3 version of Verity Voting per the EAC Certificate for Conformance," nor is it mentioned in the Memorandum >“ of the SoS. 416. Relay Kits are listed as components of Verity Voting 2.2.2.4’ and as an option for Verity 2.4. Moreover, the application acceptance ** date for version 2.4 (including the Relay kit) is after the contract for 2.3 was signed, on August 15, 2019, by Tarrant County””?. 417. The EAC later issued certification of Verity Voting 2.4 (despite the lack of examination by an accredited VSTL) on February 21, 202075° 418. The Relay Kit is never mentioned in the TX SoS Memorandum of certification, and yet somehow Tarrant County purchased 9 Relay Kits (modems) outside of the scope of 2.3 that also had not even begun the EAC certification process.”*! 419. Brandon Hurley, an SoS appointed examiner, cited the connectivity capabilities of this make and version of voting system in his examination report. He reported that Hart Intercivi