20190701 Plaintiffs Joint GEMS Brief
Case 1:17-cv-02989-AT Document 441 Filed 07/01/19 Page 1 of 443

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF GEORGIA
ATLANTA DIVISION

DONNA CURLING, ET AL., Plaintiffs,
vs.
BRAD RAFFENSPERGER, ET AL., Defendants.

CIVIL ACTION FILE NO. 1:17-cv-2989-AT

PLAINTIFFS’ BRIEF ON GEMS DATABASE DISCOVERY

Plaintiffs jointly submit this brief in response to the questions raised in the June 28, 2019 telephone conference relating to the joint discovery dispute initiated by the Coalition Plaintiffs (Doc. 416) relating to the production of GEMS databases.

As explained below in Part I, the GEMS databases should be produced immediately without restriction because they are highly relevant and not confidential. State Defendants’ counsel conceded this point during the June 28 teleconference, emphasizing that the GEMS databases themselves provide the “roadmap” that needs to be analyzed to identify flaws or vulnerabilities in the GEMS system. (June 28, 2019 Hearing Tr. 23:4-9, attached as Exhibit A.)

As explained in Part II, production of reports generated from the GEMS databases, without the GEMS databases themselves, would be insufficient because reports will not disclose defects in the underlying database configurations.

As explained in Part III, the production of the GEMS databases is separate and distinct from the more complex production of images of the GEMS servers and should precede that production. The GEMS databases do not implicate the security concerns Defendants have raised regarding the GEMS servers and thus do not warrant the sort of security measures discussed for the servers. Neither does production of the databases involve anything like the process for producing images of the servers.
The GEMS databases can—and should—be produced immediately on discs or hard drives.[1] There is no cause for further delay, which already has prejudiced Plaintiffs’ ability to prepare for the July 25-26 hearing.

[1] To expedite the production of the GEMS databases as a critical first step in the analyses needed here, Plaintiffs focus here on the production of those databases rather than the forensic images of the GEMS servers. Plaintiffs are prepared to meet and confer further with Defendants regarding the process and reasonable security measures for production of the images. If the parties cannot resolve that dispute, they will return to the Court for resolution. Obtaining the GEMS databases now likely will help resolve or at least narrow that dispute and make the issues regarding that production less abstract.

I. THE GEMS DATABASES SHOULD BE PRODUCED WITHOUT RESTRICTION

Plaintiffs seek immediate production of electronic copies of the GEMS databases for the November 6, 2018 election that the Secretary prepared for and transmitted to each Georgia county, and the corresponding GEMS databases that the Secretary received from each county after the election. (Doc. 416-1 at page 6).[2] This production should be prior to, and separate from, the more complicated and sensitive production of the forensic images of GEMS servers. Production of the GEMS databases first—while incomplete for the analyses needed in this case—will allow valuable (but far less expensive and time consuming) discovery to proceed immediately and will allow a more efficient sequence of gathering information.

[2] Plaintiffs seek pairs of GEMS databases in the Secretary’s possession for each of the 159 Georgia counties: the Secretary’s copies of the databases that the Secretary sent to the counties, and the Secretary’s copies of the databases that the counties returned. In discussions with the Secretary’s counsel during the June 28, 2019 telephone conference, Plaintiffs suggested reducing the number of counties to 25. The Secretary, however, explained that their objection to producing the databases is confidentiality regarding their structure, not burden, and thus there is no distinction between producing the database for one county versus all 159. June 28, 2019 Hearing Tr. 28:8-15 (“I think the important piece is we don't see a distinction between 25 and the entire database because our concern is not the amount”). Plaintiffs also seek from defendant Fulton County and, currently, from three third-party counties copies of their databases. These requests are in addition to the requests directed at the Secretary. These databases should be the same as the databases in the Secretary’s possession, and examining the extent to which they differ is a critical part of the analyses needed to evaluate security vulnerabilities and flaws in the GEMS system in this case.

Defendants bear the burden to support their confidentiality claims regarding the GEMS databases. In re Mentor Corp. ObTape Transobturator Sling Prod. Liab. Litig., 632 F.Supp. 2d 1370, 1375-76 (M.D.Ga. 2009) (citing In re Grand Jury Investigation, 842 F.2d 1223, 1225 (11th Cir.1987)). Plaintiffs bear no burden to prove otherwise. But Defendants have offered only vague, conclusory claims about the “structure” of the GEMS databases, without any evidentiary support.

In fact, during the Court-Ordered meet-and-confer on June 28, State Defendants’ counsel questioned Plaintiffs’ experts at length—without interruption from Plaintiffs’ counsel—about their need for the GEMS databases; but State Defendants’ counsel abruptly interrupted when Dr. Halderman asked Merrit Beaver, Chief Information Officer of the Secretary of State, a simple and direct question concerning the GEMS databases and refused to allow Mr. Beaver to answer the question. Throughout the call, Mr.
Beaver merely parroted counsel’s conclusory claim that the “structure” of the GEMS databases is somehow confidential. He never explained how or why this is so or provided any details to support the claim. When Dr. Halderman asked him what aspects of the GEMS system he would examine were he to analyze the security of the system as Plaintiffs’ experts seek to do and whether he would rely only on what State Defendants have offered to produce, that’s when State Defendants’ counsel immediately shut down the discussion and refused to allow him to answer.[3] State Defendants’ counsel evidently feared what he would have to admit (without having been prepped for the question): no reliable or reasonable analyses of vulnerabilities or flaws in the GEMS system could be performed with the paltry reports State Defendants have offered or without the GEMS databases Plaintiffs seek.

[3] During the June 28, 2015 conference with the Court, State Defendants’ counsel claimed that “the questions were turning into a cross-examination and a deposition of whether Mr. Beaver would concede certain points.” Hearing Tr. 22:6-9. This was surprisingly and disappointingly untrue. Dr. Halderman—rather than Plaintiffs’ counsel—asked Mr. Beaver a single, direct question aimed at understanding what Mr. Beaver would examine for the sort of security analyses Plaintiffs’ experts seek to do regarding the GEMS system. The only “cross-examination” that occurred was by Mr. Tyson of Plaintiffs’ experts, which proceeded uninterrupted. Plaintiffs’ experts have nothing to hide.

The fact is that the GEMS databases should be produced without any “confidentiality” designation because the State Defendants have not identified any confidential information that is contained in the GEMS databases.[4] Indeed, the State Defendants concede that there is no confidential data contained in GEMS databases, and instead vaguely insist that the “structure” or “architecture” of the GEMS databases is somehow confidential because it is unique to Georgia and that disclosure of the GEMS databases will somehow threaten election security. Yet the State Defendants do not explain even generally what is unique about the “structure” of Georgia’s GEMS databases (or what that even means) and do not provide any evidence or expert testimony supporting that naked assertion.[5]

[4] The GEMS databases that Plaintiffs seek in discovery should not contain passwords, encryption codes, or other security information, but, if they do, that information can be redacted before production.

[5] For testimony explaining the GEMS databases generally, and the issues outlined in this Brief, see the Declaration of Dr. Alex Halderman, attached hereto as Exhibit G.

In fact, the Secretary of State’s current position is directly contradicted by the sworn testimony of Merle King, the former Executive Director of Georgia’s CES. Mr. King was an expert for the government in the Pima County case, and testified that the “structure” of the GEMS databases in Georgia is consistent with that of GEMS databases all over the country:

The structure of the database is consistent through all jurisdictions that use GEMS, so the revelation of one jurisdiction's database structure reveals information -- potentially reveals information about other jurisdictions.

(Deposition of Merle King, at 11:17-21, attached as Exhibit B).

In addition, Coalition Plaintiffs’ expert has reviewed GEMS databases from other jurisdictions (which are public records) and has found “no data” that “poses a privacy threat to voters or exploitation of the voting system by being disclosed.” (Bernhard Decl., July 1, 2019, attached as Exhibit C).
In addition, Mr. Bernhard states: “The structure of the database is disclosed in GEMS manuals that have been publicly available since the system was first put in service.” (Id.). While the GEMS servers—containing the GEMS software—may contain source code and sensitive information that needs reasonable security protection, the GEMS databases do not.