Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Heindel v. Andino

United States District Court, D. South Carolina, Columbia Division

February 8, 2019

Frank Heindel and Phil Leventis, Plaintiffs,
v.
Marci Andino, Executive Director of the South Carolina State Election Commission, in her official capacity; Billy Way, Jr., Chair of the South Carolina State Election Commission, in his official capacity; Mark A. Benson, Marilyn Bowers, and Nicole Spain Wright, Members of the South Carolina State Election Commission, in their official capacity, Defendants.

          ORDER AND OPINION

         Before the court for review is a Motion for Summary Judgment[1] (ECF No. 5) by Defendants Marci Andino, Executive Director of the South Carolina State Election Commission (“SCSEC”); Billy Way, Jr., Chair of the SCSEC; and Mark A. Benson, Marilyn Bowers, and Nicole Spain Wright, Members of the SCSEC (collectively “Defendants” or “SCSEC”). Defendants move the court to dismiss Plaintiffs Frank Heindel and Phil Leventis' (collectively “Plaintiffs”) declaratory judgment action for lack of standing. For the reasons that follow, the court GRANTS Defendants' Motion.

         I. FACTUAL AND PROCEDURAL BACKGROUND

         Plaintiffs are “South Carolina voters seeking to vindicate their right to participate effectively in the state's elections.” (ECF No. 1 at 3 ¶ 7.) On July 10, 2018, Plaintiffs filed a Complaint for Declaratory and Injunctive Relief, claiming that “the capacity of [South Carolina]'s election system to record and count votes reliably is deeply compromised by the state's” use of the iVotronic Direct Recording Electronic (DRE) system. (Id. at 2 ¶ 2.) After a Request for Proposal (“RFP”)[2] in 2003, the SCSEC obtained 11, 000 iVotronic voting machines from Electronic Systems & Software (“ES&S”) for $35 million dollars. (Id. at 7-8 ¶¶ 22-23.) By 2006, the machines were in use statewide. (Id. at 8 ¶ 23.)

         In their Complaint, Plaintiffs explain how the iVotronic DRE voting machines work:

         The iVotronic system consists of several components. The physical components-its “hardware”-include the following:

• Voting terminals, which are computer systems that include touchscreens where users indicate their votes;
• Personalized Electronic Ballots (“PEBs”), which are plastic cartridges housing infrared scanners that poll workers insert into the machines to open (or activate) the machines at the beginning of voting, close (or deactivate) the machines at the end of voting, make the correct ballot appear for each voter, and collect votes stored on the machine; and
• Compact flash cards that store image files and an event log . . . from each machine. . . .
The system also includes two software systems. The main one is iVotronic firmware-permanent software programmed into read-only memory-that directs the recording and tabulating of votes within the machines. The firmware creates the screen each voter sees as she scrolls through her electronic ballot. All of South Carolina's iVotronic machines utilize iVotronic firmware version 9.1.6.2, which the [SC]SEC certified in August 2006.
A second software system, Unity, works in conjunction with the machines' iVotronic firmware. Unity, an interconnected set of Windows-based software applications, runs on the counties' and [SC]SEC's server systems to translate the data captured via the iVotronic firmware into election results by county as well as statewide.
The process of voting on the iVotronic system is entirely digital. The user stands at the terminal, which presents the user's choices for each race or ballot question on a touchscreen; the user then votes by pressing the touchscreen to select and submit her choice. At no point in the process does the user create or receive a paper record reflecting her vote.
On Election Day, counties supply each precinct with one “red stripe” (also referred to as “master” or “supervisor”) PEB and several “green stripe” (also referred to as “voter” or “ordinary”) PEBs. Poll workers use the master PEB to open each terminal at the beginning of the day and close the terminals once voting ends. When closing voter terminals, the master PEB downloads and stores the vote totals collected over the course of the day in each machine. Poll workers then transport the master PEBs back to county elections headquarters, where officials transfer the results from the master PEBs to the Election Report Manager, a software system that tallies county-wide vote totals.
The “voter” PEBs serve a different role. Each time a voter checks in to vote, a poll manager uses a voter PEB to activate a terminal for that voter's use. The voter PEB prompts the terminal to show the proper ballot on the touchscreen and allows the user to vote once.
Each voter terminal also houses a compact flash card. The flash card is a removable electronic storage device, like a thumb drive or USB. Over the course of Election Day, the flash card stores “vote image files, ” digital records of ballots cast on that machine, and the selections made during completion of that ballot. The flash card also stores an event log showing what operations voters and poll workers caused the machine to execute over the course of the day. Operations include opening the machine, selecting a candidate, changing a selection, submitting a ballot, and closing the machine at the end of voting.
At county elections headquarters and the [SC]SEC, election officials employ the Unity system to create and manage election databases, design ballots, program the PEBs, and tabulate election results. The [SC]SEC certified Unity version 3.0.1.1 in August 2006. In 2014, the [SC]SEC certified Unity version 3.4.1.1. In 2017, it certified Unity version 4.0.0.3v4.

(Id. at 8-10 ¶¶ 24-31.)[3]

         Plaintiffs allege that, “The iVotronic system is plagued with vulnerabilities that undermine its reliability and open numerous pathways for potential hacking.” (Id. at 12 ¶ 38.)

         In support of their claim, Plaintiffs cite several reports that studied the same iVotronic voting machines and software in use in South Carolina. The first is a 2007 report commissioned by the Ohio Secretary of State entitled, “EVEREST: Evaluation and Validation of Electronic-Related Equipment, Standards and Testing.”[4] (Id. at 13 ¶ 39.) The EVEREST Report concluded that the iVotronic system

lack[s] the fundamental technical controls necessary to guarantee a trustworthy election under operational conditions. Exploitable vulnerabilities allow even persons with limited access-voters and precinct poll workers-to compromise voting machines and precinct results, and, in some cases, to inject and spread software viruses into the central election management system.

(Id. at ¶ 40 (quoting EVEREST Report at 29).) Plaintiffs further allege that, “The architecture of the iVotronic system creates numerous inroads for potential hackers, ” and the fact that the machines are not connected to the Internet does not insulate the system from attacks. (Id. at 16 ¶ 50 (citing EVEREST Report at 57).) For example, Plaintiffs assert that the PEBs, which are used to open and close the voting system, can transfer viruses to the iVotronic machines and to the central server with widespread and potentially undetectable consequences for the entire county's election process. (Id.) Plaintiffs argue that the security flaws identified by the EVEREST Report are not just theoretical because the EVEREST researchers performed several simulated attacks.[5](Id. at 17 ¶ 52.)

         In addition to the EVEREST Report, Plaintiffs cite a report commissioned by the South Carolina General Assembly (“General Assembly”) to review the iVotronic system. (Id. at 19 ¶ 58.) In March 2013, the General Assembly's Legislative Audit Council (“LAC”) published “A Review of Voting Machines in South Carolina, ” a study commissioned by the South Carolina Senate's President Pro Tempore.[6] (Id.) In addition to various “Election Day mishaps” associated with the iVotronic system, the 2013 LAC Report catalogued studies revealing the iVotronic's “deep and systematic vulnerabilities, including the EVEREST . . . report[].” (Id.)

         In 2015, the General Assembly passed legislation establishing a “Joint Voting System Research Committee.” (Id. at 19-20 ¶ 59.) This Joint Committee found “[a] new voting system must include some type of audit function, or ‘paper trail,' that would allow the voter to confirm his or her ballot, as it will be tabulated by the [SC]SEC.” (Id. at 20 at ¶ 59 (quoting 2013 LAC Report at 6).) The Joint Committee also held two public hearings in preparing its report. (Id. at ¶ 60.) At the second hearing, Defendant Andino submitted testimony that South Carolina's current voting system has a life expectancy of twelve to fifteen years, and is approaching “end of life.” (Id. at ¶ 61 (quoting 2013 LAC Report at 9).) Defendant Andino also reported that ES&S, the state's iVotronic machine vendor, informed the [SC]SEC that securing replacement parts “will become a problem at some time in the future.” (Id.) Moreover, Plaintiffs assert that “ES&S no longer manufactures the outdated iVotronic machines.” (Id.)

         Plaintiffs further allege that the iVotronic “machines have failed in ways that impede voting, ” including:

(1) a 2005 election in which machines in Myrtle Beach repeatedly malfunctioned and caused the supply of emergency paper ballots to be “running out”; (2) a 2005 city council primary race in Columbia which initially showed 3, 208 total votes, but in which a manual recount revealed only 768 actual votes; and (3) a 2012 Richland County election in which widespread machine breakdowns caused massive delays, leaving voters waiting in line to vote as late as 11:30 p.m. [2013] LAC Report at 13. And in April 2018, twelve voting machines being used in a Goose Creek municipal election broke down with an unresolvable error.

(Id. at 22-23 ¶ 68.) Additionally, Plaintiffs allege that during the June 2018 primary elections,

voting machines malfunctioned across the state, causing lines at the polls and delaying election results. In Greenville County, 33 voting machines at four precincts stopped working. As a result, lines to vote exceeded an hour in at least one Greenville County precinct. This mass mechanical failure delayed the reporting of results and required poll workers to call in an ES&S technician to review the machines' backup storage devices. The ES&S employee, rather than South Carolina poll workers, retrieved votes from the affected machines. Voting machines also broke in Horry, Marlboro, and Florence Counties. Even when the machines did not breakdown entirely, election officials acknowledged that aging touchscreens made it more difficult for voters to make their selections.

(Id. at 24-25 ¶ 74.)

         Plaintiffs also assert that “the [SC]SEC has been aware of serious deficiencies in the security practices observed by county election officials” for at least a decade. (Id. at 25 ¶ 75.) These deficiencies “are different from, and in addition to, the iVotronic system's inherent security vulnerabilities.” (Id.) For example, the 2013 LAC Report found that “‘Computers connected to networks or telephone lines . . . could potentially be used from unsecured or unauthorized access' and poor practices regarding keys and security codes.” (Id. at 25-26 ¶ 75 (quoting 2013 LAC Report at 14).) Plaintiffs also cite 2016 reports from the South Carolina National Guard Defensive Cyber Operations Element, the United States Department of Homeland Security (“DHS”), [7] and the South Carolina Department of Administration (“SCDA”), which found “widely varying levels of physical- and cyber-security vulnerabilities.” (Id. at 26-27 ¶¶ 77-80.) The SCSEC remedied “in hours” two of the three critical infrastructure vulnerabilities identified by the SCDA report. (Id. at 27 ¶ 80.) Plaintiffs allege that “[t]hese security gaps and vulnerabilities reflect a deficient approach to cybersecurity at the [SC]SEC. . . . indicat[ing], at best, a belated patching of critical-and high-vulnerability flaws and demonstrate a history of weak cybersecurity initiatives.” (Id. at 27 ¶ 82.)

         Next, Plaintiffs assert that “[b]ecause it is not possible to prevent all malicious attacks on an election system, states must implement safeguards that mitigate the risk of hacking by preserving a record of voter intent, detecting potential attacks, and providing a method for remedying errors or anomalies caused by successful attacks.” (Id. at 28 ¶ 83.) According to Plaintiffs, the appropriate safeguards are “robust and consistent audit procedures.” (Id.) Plaintiffs contend that in South Carolina, “effective post-election audits simply are not possible” because there is no record of voter intent independent of the iVotronic system. (Id. at 29 ¶ 87.) The SCSEC's current audit system “compares various components of the iVotronic and Unity Systems to determine whether they are internally consistent.” (Id. at 30 ¶ 89.) Thus, Plaintiffs argue the current audit process would not detect any attack on the state's voting system that impacted various system components. (Id. ¶ 90.) According to the EVEREST Report, the iVotronic system “forms a loop, ” meaning “a hack could unfold consistently across the system's components and thereby elude any process designed to detect ‘anomalies.'” (Id.) Thus, if a hack occurred, “the [SC]SEC's audit process would simply check the hacked system against itself.” (Id.) Also, Plaintiffs allege that the SCSEC's audit process does not indicate any mechanism to investigate anomalies in the system. (Id. at 31 ¶ 91.) Additionally, the 2013 LAC Report found that “in many instances, local election officials believe they lack adequate time to conduct the [SC]SEC's prescribed audit procedures between election day and the statutory deadline to certify results.” (Id.)

         Finally, Plaintiffs contend that the prospect of attacks on our nation's election systems is “immediate and acute.” (Id. at 31 ¶ 94.) Plaintiffs assert that “[f]ederal and state election officials broadly recognize that foreign actors attempted to interfere with the 2016 national elections and that they have the capability and intent to do so again in future elections.” (Id. at 32 ¶ 95.) As evidence of this “immediate and acute” threat of attacks on our nation's election system, Plaintiffs point to the indictment of thirteen Russian nationals and three Russian entities in a federal district court in Washington, D.C., for interfering with the United States' political system. (Id. ¶ 96.) Plaintiffs note that “Russia's well-documented interference has included cyberattacks directed at the nation's election infrastructure.” (Id. ¶ 97.)

         Plaintiffs also cite reports by the Federal Bureau of Investigation (“FBI”) and DHS on interference in America's elections. In August 2016, the FBI issued an alert entitled “Targeting Activity Against State Board of Election Systems, ” which reported that “[i]n late June 2016, an unknown actor scanned a state's Board of Election website for vulnerabilities.”[8] (Id. at 33 ¶ 98 (quoting 2016 FBI Alert).) The 2016 FBI Alert advised all states to “take several specific technical steps to guard against similar cyberattacks.” (Id.) In a September 2016 press release, [9]DHS reported detecting “efforts at cyber intrusions of voter registration data maintained in state election systems.” (Id. ¶ 99 (quoting DHS Press Release).) In February 2018, DHS further reported “that hackers working for Russia ‘tested the systems in most states. In some they tried to infiltrate the system and failed, but in Illinois the systems were successfully breached.'”[10] (Id. at 35 ¶ 103 (quoting Graham, How Russia Could Meddle in the U.S. Mid-Term Elections).) Plaintiffs also cite reports by the United States House of Representatives and Senate, which concluded, among other things, that (1) “state and local election infrastructure . . . are not developed to defend against state-sponsored cyber threats. . . . [And] state and local election authorities should consider building in additional redundancies to ensure an audit trail in the event of a compromise of the electronic voting systems, ”[11] (Id. at 35-36 ¶ 104 (quoting HPSCI, Report on Russian Active Measures at 123)); and (2) “[a]t least 18 states had election systems targeted by Russian-affiliated cyber actors in some fashion.”[12] (Id. at 36 ¶ 105 (quoting SSCI, Russian Targeting of Election Infrastructure During the 2016 Election).) The Senate report also found that “[p]aperless [DRE] voting machines . . . are at highest risk for security flaws.” (Id. at 38 ¶ 109 (quoting SSCI, Russian Targeting of Election Infrastructure During the 2016 Election).)

         As to Plaintiffs' claims, Plaintiffs contend that “[w]hile the Constitution does not require a state to guarantee perfect accuracy or impregnable safeguards in its election systems, [the Constitution] does require a level of reliability that votes will be accurately counted, and that voters will not face arbitrary and disparate treatment.” (Id. at 43 ¶ 124.) Plaintiffs assert that “Defendants have violated Plaintiffs' fundamental right to vote in violation of the Fourteenth Amendment by failing to approve and adopt a voting system that meets reasonable security standards.” (Id. at 42 ¶ 121.) Plaintiffs also contend “[t]he [SC]SEC has provided and maintained a voting system that places a severe burden on Plaintiffs' right to vote. The state's voting system, organized around the iVotronic system, is so intensely vulnerable as to violate Plaintiffs' due process right to have their votes effectively recorded and counted.” (Id. ¶ 122.) Finally, Plaintiffs claim that in violation of the Equal Protection Clause of the Fourteenth Amendment, Defendants have “subjected each Plaintiff's vote to arbitrary treatment as the system does not ensure that all machines, precincts, and counties will record and tabulate votes equally and reliably.” (Id. at 42-43 ¶ 123.)

         Based on these allegations, Plaintiffs request that the court (1) “[a]ssume jurisdiction over this action”; (2) “[d]eclare that . . .Defendants' failure to provide an elections system that has basic safeguards to ensure that the Plaintiffs' votes are reliably and accurately counted violates Plaintiffs' fundamental right to vote as protected by the 14th Amendment to the U.S. Constitution”; (3) “[e]njoin Defendants from maintaining an election system that fails to reliably record and tabulate votes”; (4) “[i]mpose injunctive relief requiring Defendants to ensure that Plaintiffs have access to a voting system that will reliably and accurately record their votes”; and (5) “[a]ward the Plaintiffs reasonable attorneys' fees and costs pursuant to 42 U.S.C. § 1988.” (Id. at 44.)

         On July 30, 2018, Defendants moved to dismiss Plaintiffs' Complaint under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). (ECF No. 5 at 1.) Defendants argue Plaintiffs do not have standing to bring this action because their alleged injury (1) is not “concrete and particularized” and “actual or imminent” and (2) is not traceable to Defendants' conduct. (ECF No. 5-1 at 7-9, 10-12.) On August 28, 2018, Plaintiffs filed a Memorandum in Opposition to Defendants' Motion for Summary Judgment and Motion to Dismiss. (ECF No. 14.) On August 30, 2018, Defendants filed a Reply to Plaintiffs' Opposition to Motion to Dismiss. (ECF No. 15.) On January 4, 2019, Defendants filed a Supplemental Memorandum in Support of Defendants' Motion for Summary Judgment and Motion to Dismiss. (ECF No. 43.) In this Supplemental Memorandum, Defendants argue that Plaintiffs' claims are moot as a result of a RFP[13] issued by the SCSEC on December 7, 2018. (Id. at 1-2.) Defendants argue

the [c]ourt should dismiss this case because Plaintiffs lack standing. Defendants have issued an RFP for a new voting system, one with a paper record of each voter's selections, that effectively moots the case. Moreover, Plaintiffs lack standing to bring the suit because a favorable decision would not redress Plaintiffs' alleged injury. The [SCSEC] is currently bound by a web of statutes and regulations that dictate how a new voting system is to be procured and implemented. Indeed, as is evidenced by the recently issued RFP, this process is ongoing and will be completed before the upcoming 2020 primaries. Stated plainly, the [c]ourt does not need to issue an order compelling the [SCSEC] to obtain new voting machines-the process is well under way.

(Id. at 15.) On January 11, 2019, Plaintiffs filed a Memorandum in Response to Defendants' Supplemental Memorandum. (ECF No. 45.) On January 15, 2019, the court held a hearing on ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.