 Hello DEF CON. A little bittersweet to be presenting here to you today, unfortunately, by recording instead of in person in Las Vegas, but hopefully next year we'll be together. I'm Susan Greenhall. I am the Senior Advisor for Election Security at Free Speech for People. I'm going to share my screen now and hopefully you can see that. Free Speech for People is a nonpartisan, not-for-profit, public advocacy and legal organization, and we have several projects that are aimed at our mission, which is to strengthen and improve democracy for all people. We work on things like money in politics and corporate abuse of power, and we have a specific project on election security, which I am the Senior Advisor for. Now, we are here today to talk about the wireless odyssey or why the blank do we have wireless connectivity and voting machines. I really want to describe all the ins and outs of a mind-blowingly reckless and stupid decision made by the federal agency that oversees voting technology to allow wireless networking devices and federally certified voting machines. Considering the state of confidence in election systems and the current cyber threat landscape, it would seem to be a complete no-brainer that we should ban all wireless networking in voting machines, but that's not what happened. Instead, over a tremendous amount of public opposition, the United States Election Assistance Commission, or EAC, extra legally met with the voting machine manufacturers and stripped of provision out of the proposed federal voting system guidelines that would have banned any device capable of connecting wirelessly to the internet. So I don't want to get ahead to the end. I'm skipping to the end. This is some of the press about that, and because I want to talk about all the things that led up to the ultimate conclusion, which, you know, put us in this position and sort of foreshadowed the fact that we would see the federal agency guiding with the vendors to permit wireless networking in voting systems. So the US Election Assistance Commission, or the EAC, is the federal agency that is tasked with setting the federal voting system standards. Those are called the Voluntary Voting System Guidelines. They are voluntary, but many states adopt them, and they impact the marketplace considerably, so they're quite influential, and states look to them to develop their own standards as well, even if they don't require EAC certification. The first set of standards developed by the EAC was in 2005, and the EAC is still certifying voting systems to this day, to those standards from 2005, so wildly out of date. Those standards explicitly permit wireless modems and networking connectivity. Yet, like many other election officials, the EAC commissioners help to spread the myth that voting machines are never connected to the internet. And so I'm going to have to slip out of Zoom share for one second, and then I will reshare to show you the video. Okay, so that's just a little sampling. There were multiple instances where the EAC commissioners made public statements or provided testimony to Congress saying that the voting machines are never connected to the internet, and that the federal standards ban any sort of connectivity or any sort of wireless modems, but that was not true. But what was interesting is that, oh wait, I have one more video. We established that they have made this statement. But what was interesting is that this demonstrates the EAC sort of recognized that there was PR value to making these claims, even though they weren't true. But when the EAC actually had the opportunity to update the standards and adopt a ban into federal voting system that would prevent any sort of internet modems or wireless networking connectivity, they did everything they could do to support it. In 2015, the EAC began developing a new set of standards, which was going to be termed BBSG 2.0, Voluntary Voting System Guidelines 2.0. This process is very specifically dictated by the Help America Vote Act, and it's subject to other federal laws like the Administrative Procedures Act, Federal Advisory Committees Act. The standards must be drafted by the EAC's Technical Guidelines Development Committee, then submitted to the EAC's Board of Advisors and Standards Board. It's also published to the Federal Register in subject to a 90-day public comment period, and as well they also held public hearings. All of this to ensure that there was, you know, robust public oversight and engagement. Any modifications have to go through the same process. So at this stage, the EAC did two unexpected things that are relative to what unfolded. First, they separated out the standards into a high-level set of principles and guidelines, things like the voting machine should record your vote accurately. It should be auditable. And then they had a separate document that was the very detailed requirements that would ensure that the voting system met these high-level principles and guidelines. And they decided that both of these parts of the standards document needed to go through the same public comment period, public hearings, advisory boards, review, et cetera, et cetera. And then second, they set up topic-specific public working groups. So they have one on human factors. There was one on cybersecurity, and I participated in the cybersecurity working group, as probably some of the people watching did as well. This was comprised of computer scientists, advocates like myself, election officials, and vendors. So after the high-level principles were completed, the public working groups dug into drafting suggestions for the detailed requirements. And the issue of the wireless modems and voting machines was very hotly debated. It quickly became clear this was going to be a big point of contention. The vendors and election officials opposed to ban cybersecurity experts and advocates, like myself, were in favor of a ban. And we saw we were facing a major fight. And so with some allies, we worked up a plan to try and engage the public on this. In the spring of 2019, at the same time, the wireless issue was hotly debated in the public working group, the high-level principles and guidelines were going through the public comment period, providing a unique opportunity to address this issue. So, and we felt that this was such an important issue that it actually rose to the level of being included in the high-level principles and guidelines, not permitting any sort of wireless networking technology or devices in the system. So several allied organizations from all sides of the political spectrum, including Common Cause, Public Citizen, Daily Cause, and FreedomWorks, all sent emails to their members' lists, asking their members to send in public comments to the EAC, asking it to include a ban on wireless networking devices and voting machines. And this caught fire. All combined, all the groups together, we got over 50,000 public comments submitted to the EAC, asking them to include the ban. Now, by any measure of success, that's a pretty good return on investment to get that many people engaged in this sort of weedy, wonky issue, sending public comments to this tiny agency nobody never heard of, about voluntary voting system guidelines, something else a lot of people never heard of. But evidently the EAC was not familiar with online organizing, so they did something extraordinary when they started to see the volume of emails come in. They shut off the email address that was receiving these messages so that it could no longer receive any emails. They did not make any public notification of that. Nothing in the Federal Register, nothing on their website. They did not include a bounce back message that would tell you, this email is no longer receiving messages, please submit your comments in another fashion. So anyone who submitted comments after they closed the email address or shut it off or disconnected it, it would have gone into a black hole and they would never know. So they were essentially telling, and this was in the midst of the public comment period, there were still several days, almost a week, I think a little less than a week was still left when they shut off the email address. A day and a half later they put out a tweet that said that they were asking people to go to an online platform instead to submit their comments. But they still had not put anything in the Federal Register. And so some of the groups that had organized around this were pretty understandably upset, and they complained that the EAC was violating the Procedures Act which requires the 90 day public comment period and they'd already advertised it in the Federal Register. Because the EAC had screwed up the public comment submission so badly, the AC agreed to extend the comment period by a week. And a few days later they published the extension of the Federal Register which was required by law with a link to the submissions page. A few months after this debacle in September of 2019, the EAC's Technical Guidelines Development Committee met and during the meeting an EAC staffer gave an update on the development of the standards and the public comment period and quite unexpectedly, the EAC staff said nothing about receiving tens of thousands of comments on the issue of wireless. Instead the EAC staff told the committee that it had received 2,800 comments. And I have a slide on that as well because I can show you the slide that the EAC. Not visible. Okay, you'll have to take my word for it. The EAC gave, told the committee members that it was 2,800 comments that they had received. But what happened was that the committee members asked to see the comments. They said, can we see the public comments that were received and the EAC staff said no. Now this, I know I have queued up here. And this was the exact exchange. So this is Judd and that's the election director for the state of Colorado who is a member of this committee. Is, are you cliff saying that the public comments aren't public. And this is the EAC's channel council said the public comments have not been accepted by the commissioners to be made public that's correct. The Colorado election director says so we can't see or talk about the public comments. And that's pretty much what they got. No, you can't talk about the public comments. They never got the public comment or a qualify. The public comments in any timely fashion, it took about more than a year before the EAC eventually published all of those 50,000 comments and acknowledged that they were that they had been received. And that was because of a lot of pressure. So just to recap, there was a clear and concerted effort by the EAC to prevent the public from submitting comments and support of a ban on wireless network, wireless networking, then the expressly misrepresented the number of comments it receives to its development committee. And then when the committee asked to see the comments they said no, you can't see the comments the public comments aren't public. Now we skip forward a few more months, though the EAC didn't seem to get the profound dangers associated with including the wireless devices NIST sure did. And because NIST shares the technical development committee NIST prepared the draft standards for the committee and in December of 2019 and this official gave a presentation to the committee. And they sharply explained that these devices create a huge vulnerability in voting systems. And that they should not be present in voting machines. And then this provided the draft standards, which included a ban on an explicit ban on any devices capable of wireless networking and voting machines. This draft was voted on by the technical development committee and passed on to the EAC. At this point it seemed to be settled. NIST had given its recommendations loudly and clearly, and the technical development committee which is directed by law to provide the standards to the EAC had endorsed that version. The draft standards were then published and put out for public comment. EAC and NIST also suspended all the public working groups because the work had been done. The standards were then subject to multiple public hearings and they were also sent to the EAC standards and advisory boards. In the summer of 2020 last year as the draft standards were going through these public reviews, the EAC let slip on a call with the standards board that it was meeting weekly with the voting system vendors in a working group to solicit the vendors comments on the standards. The vendors had already been involved in public working groups. They provided their own public comments, but now there was a special meeting that was closed to the public. That was not being, no minutes were being published, no documents or readouts were being made available to the public. But that was still going on specifically to solicit the vendors comments. And remember that there were the public working group and they had the opportunity and that was already disbanded. So this meant that there was this new private working group. When I learned this I immediately wrote to the EAC and asked to be added to the working group. I assumed it was maybe an extension of the other public working groups. The EAC wouldn't even respond. So I put in a FOIA for all of the documentation and communication between the EAC and the vendors regarding the meetings to try and learn more about it. We waited for several months for the EAC to produce the documents and while we were waiting, we started to hear rumors that the EAC was revising the standards to allow wireless devices and voting machines, provided they were disabled, but that could be disabled by software didn't require a physical disabling. Now we know the vendors like to push the wireless networking devices and electronic transmission of electronic results from polling places to county headquarters. But there are other factors that were driving this there are vendors that are building their systems using entirely COTS hardware, and they, those vendors have insisted it would be way too expensive to have to remove the wireless devices. Additionally, including the wireless devices could allow vendors to use them to update machines at the same time they had to put in a software update or upgrade it, rather than having to manually update each individual machine. And so these are changes that we know directly benefited the vendors. We wanted to head off this terrible decision so free speech or people enlisted a bunch of top computer scientists and election security experts to send a letter to the EAC warning of the dangers of permitting wireless devices. And in voting machine wireless networking devices. Not surprisingly the ESC never responded but they did respond to the news stories by publishing a document that tried to spin the changes as a mere clarification. And that the draft was never intended to actually prohibit the presence of any wireless capability. And this wasn't supported out by the facts or the record, or even the EAC's own statements to the press before they decided to take this tax so they took one pack and then took another. On January 13 the EAC held the meeting of the Board of Advisors, which the members, and in which the members repeatedly asked about the new draft they wanted to see it because they knew that they were voting on, it was supposed to be coming up soon. It was supposed to provide it to them even though they are the Board of Advisors put there by the Help America Vote Act. On January 26 in 2021 the EAC announced it would meet on February 10 to vote on the new voting system standards but they still have not published this, what they were going to vote on, we still have no idea what changes they had made if any. You know, they really shouldn't be making any the stage without it going through the process again a public process. And a couple of days later on February 1, 2020, they published the revision to the draft, which had not been subject to any review by the advisory board to the public, the new version allowed wireless devices provided they were disabled by software. It also gutted some robust requirements that guaranteed public access to any system submitted as EDE verifiable or unverifiable. There had been a very robust provision to make sure that if anyone tried to submit a system as and unverifiable to avoid the paper ballot requirement, they would have to make the protocol available to the public readily available. For an extended period of time for anybody that wanted it, completely gutted, no public review of unverifiable systems any longer. And there were some other pro vendor changes like removing a provision to prevent the vendors from advertising on ballots. So now you can look at your ballots and have a nice advertisement from ESS or Heart and Drastic or Dominion. And nine days later, he voted to accept the new standards. And several weeks after that we have free speech for people sued the EAC over the unfulfilled FOIA request for the communication with the vendors and the private meetings. March we sued, after we sued the EAC began to produce the documents and we found more details of the weekly meetings that EAC was holding with the vendors which documented the regularity and some of the topics that they were covering. We still haven't gotten the full production. A few months after that though we sued again. And this time we did it under the Federal Administrative Procedures Act, the Federal Advisory Committees Act, and the Help America Vote Act. And so we used, we sued under those acts and I'm not a lawyer so I'm doing my best to explain the Administrative Procedures Act requires certain documents to be made public to go to the federal register, etc. As mentioned the public comment period was there were issues with public comment period. The Federal Advisory Committees Act requires that any sort of group that's formed like the working group with the vendors that that needs to be made public, keeping that private is a big no no under federal law. And the Help America Vote Act which requires that when the standards are modified they need to go back through the same public process and they did substantially a change them so they were a modification and they should have gone back through the public comment period and to the EAC standards before the Board of Advisors. Our lead plaintiff is Professor Philip Stark many of whom you know Philip is a member of the EAC's Board of Advisors. So his rights as a member of the board were explicitly aggregated when the AC did not let him review the standards before they were published. So we're taking relief to reinstate the original provisions and roll back these changes that were made. So, you can make your own judgment, maybe I've given you a presented a bias story here, but it seems evident to me that the AC is an agency that is way too close to the vendors it is supposed to be regulating. It's far out of its way to dismiss the public in favor of the vendors preferences on this issue, while pretty brazenly flouting the federal laws that would have prevented the agency from holding clandestine meetings with the vendors and making substantial changes to the voting system guidelines secretly outside of the legally mandated process. The lawsuits are currently pending. Under the FOIA lawsuit the EAC has begun to produce the documents. And we'll see they continue to comply for the second suit that alleges violations of federal law we have regarding the development of the standards we have yet to see a response so we'll have to see how they respond to that. The bottom line is that despite all of the public statements by the EAC and others there are wireless networking devices and voting machines around the country, and that the new federal voting system standards adopted by the EAC. When they have the opportunity to ban them all together the EAC did everything it could to subvert that it's pretty incredible and pretty disappointing. I am happy to take any questions on the discord channel. You can read our complaints and filings if you go to www.freespeecherpeople.org and look at legal actions. It's dark the EAC and free speech or people the EAC. Thank you very much and look forward to your questions. Thank you. Thanks very much.