Georgia Secretary of State and increasingly desperate Republican gubernatorial candidate Brian Kemp, who is tied in the polls with Democratic nominee Stacey Abrams, has shamelessly used his position as the state’s top election monitor to purge hundreds of thousands of voters from the rolls and close hundreds of polling sites over the past few years. On Sunday, he announced that his office is investigating a “failed attempt to hack the state’s voter registration system,” and named the Georgia Democratic Party as a suspect in “possible cyber crimes,” though Kemp did not clarify what those crimes were or pretty much anything else.
In other words, this is a shitty Clue knockoff and Kemp is accusing the Democratic Party of hacking the election computer in the computer room using the computer. No, really. Per CNN:
The office of Brian Kemp, who is also the Republican candidate for governor, said in a Sunday morning news release that they will investigate the Georgia Democratic Party as part of its probe, but did not offer any details on why it is investigating the Democratic party.
“While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes,” said press secretary Candice Broce in the release. “We can also confirm that no personal data was breached and our system remains secure.”
Kemp and his office, however, have a well-documented history of either not understanding how computer systems that handle large amounts of data work or deliberately misleading people on the subject. In 2016, he accused the Department of Homeland Security of an “unsuccessful attempt to penetrate the Georgia Secretary of State’s firewall.” It later emerged that the alleged attack was routine traffic from a federal employee checking the state firearms license database as part of a background examination of private security guards at a federal facility, and the DHS concluded it would have been impossible to launch an attack from the DHS IP addresses involved.
In 2017, under Kemp’s watch, a lawsuit alleged that the state exposed personal information of 6.7 million voters and election officials’ credentials due to vulnerabilities in computer systems. As Slate wrote, state officials then conveniently wiped the servers involved in either an “incredible act of incompetence” or “an attempted cover-up to try to hide from the public a major election security lapse.” In September 2018, a federal judge found that Kemp’s office had done virtually nothing to address vulnerabilities with its voting machines. More recently, according to the Washington Post, Kemp’s office was ordered to stop holding up over 53,000 voter registration applications (“70 percent of them African-Americans”) due to minor discrepancies with other state records like missing hyphens in names. The Post wrote:
U.S. District Judge Eleanor L. Ross ruled [Friday, Nov. 2] that the procedures were likely to result in the violation of voting rights for a large group of people and needed to be halted immediately. She said Kemp’s restrictions raised “grave concerns for the Court about the differential treatment inflicted on a group of individuals who are predominantly minorities.”
The Post added that Kemp has “purged more than a million voters from the rolls during the past year.”
Judging from a report in the Atlanta Journal-Constitution, the “cyber crimes” investigation on Sunday reeks of another attempt by Kemp to distract voters from how badly his office has bungled election security:
A computer scientist and an attorney suing Kemp said his office’s accusation of hacking is a distraction from a report that voter information is vulnerable on the state’s registration website. The Secretary of State’s Office said the system remains secure and voter information wasn’t breached.
The vulnerability could allow someone to access voters’ registration and personal information, said Richard DeMillo, a computer scientist at Georgia Tech.
“The way the website is set up, once you get access to your own voter record, you can go in and change permissions and get access to anyone’s voting record,” DeMillo said.
According to a report on WhoWhatWhy—a small investigative site run by journalist Russ Baker—what may be happening is that security experts alerted Kemp’s office to major vulnerabilities in election databases, whereupon Kemp promptly used that as an excuse to blame the whistleblowers. (Baker’s work has been characterized as aggressively anti-establishment, and he has questioned the official narrative on JFK’s assassination.) However, WhoWhatWhy wrote that several security experts it had contacted had verified the vulnerabilities by examining the site’s code and without actually accessing or altering protected data, and that the Georgia Democratic Party “had already contacted computer security experts and notified them of the vulnerability” by the time of the “cyber crimes” announcement.
Bruce Brown is a counsel for the Coalition for Good Governance, which has been involved in lawsuits over the state’s election systems. He told WhoWhatWhy that he had also emailed Kemp’s office on Saturday to report the vulnerabilities:
What Kemp’s office is doing is disingenuous, Bruce Brown, lawyer for the nonprofit Coalition for Good Governance asserted.
Brown noted that at 7:03 pm last night, he had emailed John Salter and Roy Barnes, former Governor of Georgia, in their capacities as counsel to Secretary of State Kemp, to notify them of the serious potential cyber vulnerability in the registrations files that had been discovered without any hacking at all.
Brown also told Kemp’s lawyers that the information had already been forwarded to national intelligence officials.
A Kemp spokesperson, Candice Broce, denied WhoWhatWhy’s report in a statement to the site. (Gizmodo has reached out to the Georgia Democratic Party for comment, and we’ll update this story if we hear back.)
In the meantime, Democratic officials are issuing blanket denials that any hacking attempt occurred and characterized Kemp’s announcement as a last-minute dirty trick.
State Democratic Party executive director Rebecca DeHart told NBC News this was “yet another example of abuse of power by an unethical Secretary of State,” adding: “To be very clear, Brian Kemp’s scurrilous claims are 100 percent false, and this so-called investigation was unknown to the Democratic Party of Georgia until a campaign operative in Kemp’s official office released a statement this morning.”
As CNN noted, Georgia is “one of only a handful of states” that use voting machines with no paper records during elections. The Journal-Constitution noted that a recent poll found 49 percent of voters are concerned that it is likely or very likely that many people will be told they are not eligible to vote on election day.
Updated: 11/4/2018, 5:55 p.m. ET: Kemp’s office released a statement to NBC News that seems to confirm that his “investigation” started after his legal team received a tip about vulnerabilities on state election websites:
On Sunday afternoon, Kemp’s office released a new statement saying the secretary of state opened the investigation “after receiving information from our legal team about failed efforts to breach the online voter registration system and My Voter Page.”
“We are working with our private sector vendors and investigators to review data logs,” Kemp’s office said. “We have contacted our federal partners and formally requested the Federal Bureau of Investigation to investigate these possible cyber crimes.”
Updated: 11/8/2018: This story has been updated to more accurately qualify the work of WhoWhatWhy.