Denver judge says no to hand-counting of ballots

PASSWORD LEAK

By Seth Klamann and Nick Coltrain

The Denver Post

A Denver judge on Tuesday rejected an attempt by the Libertarian Party to require the hand-counting of ballots in more than half of Colorado’s counties in the election.

District Judge Kandace Gerdes ruled that there was no evidence that elections systems had been compromised by the inadvertent release of some passwords on the secretary of state’s website. Gerdes issued the order early Tuesday afternoon, roughly five hours before polls were set to closed.

Hannah Goodman, the chair of the Libertarian Party of Colorado, said the ruling was “basically as I expected” and that the party planned to appeal.

In a statement, Secretary of State Jena Griswold said that “Colorado’s elections are safe due to the multilayered security measures we have in place. I am glad that the Denver District Court has recognized the actions we took to address the password disclosure.”

The ruling came a day after the state Libertarian Party argued in court that ballots in 34 of Colorado’s 64 counties should be hand-counted because some passwords for those counties’ voting systems had been inadvertently available in a spreadsheet for four months on the secretary of state’s website.

The passwords’ presence in a hidden tab on the spreadsheet was identified by a prominent election denier and revealed by the Colorado Republican Party late last month.

The state Libertarian Party filed its suit Friday.

The passwords — which by themselves were insufficient to compromise voting equipment — were changed before the party filed suit. Attorneys representing Griswold’s office had argued the Libertarian’s request would sow “chaos” in the general election.

Gerdes ruled that she did not have authority to respond to parts of the lawsuit. Still, for the sake of a potential appeal, she found that Griswold’s office didn’t knowingly release the passwords, that the office has since addressed the leak, and that “no witness testified, nor was evidence presented, that the affected counties’ voting systems were compromised or altered” because of the password leak.

On Monday, Griswold told The Denver Post that she regretted that the passwords had been released and said her office had hired an outside law firm to investigate.

Nathan Evans, a University of Denver cybersecurity professor, called it “a pretty grave mistake” in an interview, but he said it was not one that left him concerned about overall election integrity because of the other layers of security.

“Given the blowback from this, I think they will take a hard look at their policies and procedures in the future,” Evans said. “If there’s any silver lining, I don’t think something dramatic is going to happen because of this. But it is a chance for (election officials) to say we need to look at our policies and procedures and enforce them everywhere — and not (be) cutting corners and making these dumb mistakes.”

It was a message echoed by Jack Danahy, a vice president and technologist at the cybersecurity firm NuHarbor Security. He called the password leak a “very serious security concern,” but more for the failure of protocols than actual danger to election security. He highlighted the number of redundancies in place for Colorado’s election security.

To use the leaked passwords, the Secretary of State’s Office has said, a person would need a matching password held only by local officials and physical access to the election machines. By law, the machines have 24-hour security cameras, and the rooms they’re in require keycards to enter.

“There’s a lot of other gates you have to go through (to access the machines),” Danahy said in an interview. “… The idea of defensive depth is very, very important and I think the state of Colorado did a pretty good job of that.”