Friday, January 17 2025

Minority Report:  El Paso County Canvass BoardMinority Report for 2024 General Election

January 16, 2025

December 13, 2024 

To: Steve Schleiker, Clerk and Recorder, El Paso County, Colorado 

From:  Candice Stutzriem Republican Canvass Board Member, El Paso County 

In keeping with the spirit of Section 11 of article VII of the Colorado constitution, “to secure the purity of elections and to guard against the abuses of the elective franchise,” I have elected not to certify the Nov 5, 2024 Coordinated Election on behalf of the El Paso County Republican Party. 

My findings are based partially on actions, rules and statutes of the Colorado Secretary of State, while other complaints are directed at election operations observed in El Paso County. 

Colorado Secretary of State 

Thank you for setting an example of how to better respond to the unprecedented security issues presented by the online disclosure of over 600 BIOS election system passwords.  You were quick to communicate the gravity of the breach to electors in El Paso County and to help them understand how the breach might impact the security of their vote.

Calling for Secretary Griswold’s resignation demonstrated your resolve to do more than paper-over the lapse. Swimming against the stream of the County Clerks Association took courage and conviction on your part. Calling for a vote of no confidence was another brave consideration. It is a charge that many are reluctant to follow, let alone lead. I am not merely flattering you to say this is what the next Secretary of State should look like. 

Looking back on the crisis lends clarity to better ways this could have been handled. I believe former Secretary Scott Gessler offered the most effective and expeditious solution. His letter to SOS Griswold highlights the unprecedented seriousness of the breach of “very confidential, sensitive information,” an explicit violation of Rule 20.6.1.

A security issue of this magnitude calls for the plan he described: Conduct a Trusted Build on all affected equipment, mandated by Rule 20.6.1. (Before that, 1-7-802 reminds the designated election official is responsible for the preservation of any election records.) When wiping the memory is complete, reseal the machines and follow with a new Logic and Accuracy test. Only then, resume counting; and when finished, go back and recount the first half. 

We know this constructive advice that was not heeded. Gessler’s plan would have gone far to restore public trust. Leadership failure was evident from the start. The password breach was first called to the secretary’s attention, not by her longsuffering civil servants, but by the Colorado Republican Party. The department’s response was to circle the wagons and not inform the 64 county clerks in order to avoid a media storm

Next, the Secretary exploited friendly media to broadcast her yet-unchallenged narrative.  So-called hardball questions allowed her to espouse the many falsehoods that have been repeated so often, they are now accepted as truth. 

The testimony of nationally esteemed and certified cyber security experts and white hat hackers instruct us otherwise. There are no such qualified experts on the staff of the Colorado Department of State. The creative narratives of the CDOS should be regarded with skepticism.

It is false that two passwords are required to access the equipment; implying this is similar to activating the nuclear missile launch codes with two people and two keys. The secretary made that up. The passwords leaked were complete passwords; sufficient to permit unfettered access to hundreds of electronic devices. The BIOS password is like a master key that opens and enables all aspects of the device. One password is sufficient to access the entire operating system.

The Secretary claims there is no evidence of outsiders having accessed the machines, but we know that a BIOS breach leaves no footprint.  The secretary can neither prove nor disprove that access was gained, because the breach leaves no evidence behind.

It is false that access is protected due to physical security measures on site in the election offices. Even novices in electronic cyber security know that remote access is highly perfected; allowing bad actors to enter the device not just from another room, but from another building, another state, even another country. Political enemies of this country are scanning websites of the critical infrastructure of our election systems every day, looking for vulnerabilities just like this one.  We now know the door had been open for exploitation for at least four months.

The safest, most comprehensive response is to assume the entire system has been breached and to design full-court mitigation of the widespread compromise we must concede has occurred. We have potentially compromised the outcome of both the 2024 primary and general elections in this county and across Colorado. The consequences of the BIOS password breach are inestimable.

However, once the passwords of the 32 “affected counties” were reset, business commenced as usual in the election offices. In attempt to restore confidence, I noted CDOS Chief Information Security Officer Benjamin Edelen personally reset the BIOS passwords for EPC. The GOP election judge present at the reset noted Edelen neglected to review the machine access logs. 

In Mesa County, when a similar a BIOS password breach was alleged, every “tainted” Dominion tabulator in the office was replaced before the next election. Yet in this incident, all affected machines statewide were immediately pressed back into service midway through the election.

You have repeatedly insisted El Paso County is immune to the risks of a remote access cyber security breach because the newly procured Dominion tabulators do not contain a wifi modem card. Lessons learned from the now famous 2022 Mesa Reports tell us otherwise. It is common knowledge the motherboards of the Dominion tabulators are manufactured in China. ”It is well understood that foreign manufacture or assembly exposes the components to the risk of compromise through the installation of foreign controlled access devices during manufacture.”  

The continued presence of the Microsoft SQL Server Management system has long been an essential fixture in the Dominion tabulators. The presence of a sequel server on a voting machine is taboo because it’s designed to allow somebody to manipulate, manage and change database files. Voting machines should have inviolable database files. Once they’re created they should never change. Nevertheless voting machines in Colorado are still certified even with the dubious SQL servers.

However, a hacker would still need to gain entry into the machines to access that SQL Server and alter the database. We are quick to rule out physical access due to the layers of physical security present in and around the machine room. And virtual remote access to those machines is impossible due to the absence of a wireless modem. However, as far back as 2018, hackers have become fluent in accessing servers through the power cord connections using a method called “Power Hacking.” As the threat landscape continues to evolve, bad actors will continue to exploit still some other route to engage the sequel server software. Once inside, they do their dirty work of flipping vote totals and obliterating audit trails. El Paso County is the largest and red-est county in the state.  Hackers have half a million reasons to find a way into the EPC database.

I believe you have done just about everything possible to take a stand and do the next right thing in the face of this unfolding security crisis. On one hand you had to reassure voters the system was secure in order to prevent voters from just staying home. On the other hand, you were dealing with justifiable anger at the ineptitude and lack of transparency at the highest levels of state government. However, more could have been said to insist that simply changing the passwords in 32 counties was a sufficient remedy. The Trusted Build was clearly indicated by the seriousness of the security issue, mandated by Rule 20.6.1.

You would also do well to continue to assess the changing threat constantly levied against the machines. Realize, you have relied on the Chinese government to make good on their word not to include Wi-Fi access in the machines purchased in 2023. Mesa report 2 cited 36 Wi-Fi access points in the Mesa County system. There is more inside the tabulators other than the Wi-Fi card that renders them vulnerable to internet manipulation.  

The number of ballots cast, ballots counted, the number of registered electors in a precinct and the complete abstract of votes are all values generated by the electronic voting equipment found on the controversial spreadsheet where the BIOS password were publicly posted for over four months. The machines listed on that document create the numbers on which all the clerks and canvass boards rely on to confirm the abstract of votes. We now know, across Colorado, the cybersecurity of the Dominion tabulators has been fully compromised. Therefore, I cannot trust the numbers the machines produce. Since I cannot trust the numbers, I cannot certify the 2024 General Election. 

El Paso County Voting Operations 

  1. Security of mailed ballots.  Westside Cares, located at 2808 W. Colorado Ave, is a faith-based organization that provides mailing addresses for unhoused people, along with food, hygiene supplies, and rental assistance. Recently the nonprofit began registering clients to vote, using the facility as their mailing address. Presently, 379 voters are registered, with 146 active voters receiving mail ballots delivered to the facility. 

The in-house mail facility is a makeshift service that meets the needs of hundreds of clients, enabling them to send and receive mail in a supervised operation. However, we alerted the Clerk and Recorder during the primary election that the service is regrettably insufficient to guarantee security of mailed ballots.  Mail is sorted into numerous open-top fabric bins and arranged in an alphabetical array in a back closet. A volunteer receives, sorts and distributes mail to registered clients. The closet is not under lock and key characteristic of legal post office operations.

The non-secure mail system was called to your attention during the Primary election, calling for a bipartisan solution involving the post office, the food bank and yourself. No meeting of the principles was convened. 

However, for the general election, you decided to monitor the service according to practices followed for nursing home facilities. On Oct 10th, a team of Election Office staff set up a table in the Westside Cares lobby to distribute ballots to clients for two hours.  In that time, two clients collected and returned their ballots on site while another five registered to vote. Following practices typically afforded to nursing homes, the uncollected ballots were then mailed back to the facility through the USPS for distribution to the fabric bins. We know twelve clients voted in the primary race. However, final disposition of the remaining ballots after both elections is unknown.

One proposed solution is to distribute the ballots at the nearby U.S. Post Office at 2410 Robinson Street, four blocks away. Ballots could be picked up at the General Delivery window while the undelivered ballots would remain secure.  There are over 2700 voters registered to four other non-profit services in the county that receive mail under similar non-secure conditions. 

  •  A volunteer team devoted two months to help EPC clean up its voter rolls. Despite the benefit of EPC having run two shake-down comparisons with the Experian credit services data base, there is still a lot of work to do to. Using a software program developed by True the Vote, the team presented the election office with 2,145 “voter registration challenges.” Clerk Schleiker was enthusiastic about their effort and acknowledged receipt for most of the six reports. As the election was fast approaching, cleaning up the VR seemed to take a back seat to other priorities. In the end, over 450 challenges were rejected for administrative reasons and another 1,605 were returned to “Active” status; meaning ballots were again mailed to the addresses the team identified for removal. In all, 28 were rendered “Inactive” and 87 were changed to “Deleted” status.  105 of 2,145 challenges were accepted for cleaner voter rolls. Realize, same day, in-person voter registration is available for all residents up to and including Election Day. Despite multilayered efforts to clean up the rolls, 17,260 undeliverable ballots were returned; 9,798 were later remedied.
  • County bipartisan judges deliver ballots to select nursing homes and engage with elderly clients to assist with casting their vote. Attempts to vote with enfeebled minds and hands require patience and low expectations. The confrontation can be stress-inducing to the elderly client, sometimes creating emotional distress and regret. Colorado is one of ten states that have not created legislative “Provisions for Capacity.” Citizens diagnosed with dementia are permitted to vote. Presently, only the demented persons themselves are permitted to declare themselves demented and unfit to vote. 

Provision for Capacity also extends to those confined for mental illness:  “People receiving evaluation, care, or treatment for mental illness shall be given the opportunity to exercise his right to register and to vote in primary and general elections.” COLO. REV. STAT. § 27-65-120. 

Once judges have given it their best, completed ballots are collected and returned to the election office.  Ballots that were not completed during the visit are then mailed back to the nursing facility for distribution through their normal mail procedures. Final disposition of the ballots is not clear; ballots are often insufficiently secure and ripe for exploitation.

  • Watchers are an essential part of the election process. Watchers observe all aspects of conduct of the election on behalf of candidates, parties and issue committees. Together, clerks and watchers ensure that elections are conducted fairly and efficiently.

Unless, the election is too big to watch.

Clerk Schleiker and others anticipated record turnout for the 2024 General Election, laying plans for 90% turnout of the half a million registered voters in EPC. In-person voting sites were expanded to include 38 Voter Service and Polling Centers and 41 Secure Ballot Box locations.  800 bipartisan election judges were hired to operate the centers and conduct ballot processing and tabulation; each paid $16.00 an hour. 

Watchers, however, are a volunteer effort, certified for service by party leadership and serve under oath. They have a distinct role, protected by statute, as citizen observers of the election franchise.  Watchers have the unique role of potentially challenging voters for citizenship, residency and age eligibility.  Form 580, The In-Person Voter Challenge Form, may be used to issue challenges to voter eligibility on the basis of citizenship, residency and age as described in Title 1, Article 9, Part 2 of the CRS. Changes made just this summer allowing electors to self-declare citizenship; waiving residency requirements and lowering registration to age fifteen underscore the reason for poll challengers to be present in 2024, circumstances unprecedented in previous elections.

The parties are the face of citizen oversight in elections. It would have required hundreds of volunteer watchers to appropriately observe voting operations in all 38 VSCPs, plus the Election Office. The operation was spread too thin to monitor, too thin for the people to challenge. However we did know that countless undercover government security agents were on duty. The Pikes Peak Regional Office of Emergency Management (PPROEM) was deployed to the in person voting centers and drop boxes to rise to the security challenges and anxiety posed by this record setting election. One of the Concerns identified in the Situation Report was the possibility of “Watchers” impeding or protesting the election results. The PPROEM is watching the watchers? 

All these factors combined to reduce the profile and impact of the legitimate role of citizen poll watching still protected by Colorado statute.

  • Risk Limiting Audit. With each successive RLA, the ever-smaller sample size of the ballots retrieved for audit is reaching absurdity. 160 of 387,297 is .000413 or .04 percent.  There are not enough ballots pulled and examined against the Cast Vote Record to impart any confidence that the outcome of the races is correct. The design of the RLA is sufficiently and deliberately confusing to the observer to discourage investigation or scrutiny.  We as a team are relegated to group data input in the form of votes read off the paper ballots into the audit program which is then fed to the Secretary of State for validation against the Cast Vote Record.  We are rewarded with Job Well Done for correctly entering the votes from a message sent from the SOS.  Why we are not allowed to make that comparison to the El Paso County CVR and validate our work in real time?  In the interest of transparency, we would do well to complete the loop of validation within the EPC elections office. This would complete the circuit of choosing a random ballot, verifying the correct ballot, and making the comparison with the CVR data base within our own elections system. We do not need the top-down interference of the SOS telling us we passed their contrived test with approved results. Localize this audit and make it meaningful. Pull statistically meaningful samples we can understand and trust.
  • Voter Registration Legislation.  Colorado Amendment 76 passed in Nov 2020 amended the constitution to say, “Only a citizen of the United States who has attained the age of eighteen years, has resided in this state …and has been duly registered as a voter …shall be qualified to vote at all elections.” 

Recent changes to the Colorado Revised Statute have radically side-stepped the intent of the constitution. CRS 1-2-205 (Oct 2023) allows any elector to self-affirm they are a citizen of the United States, to register at fifteen years old, and verbally affirm their place of residence. Further, SB24-210 (May 2024) completely waives the 22 day residency requirement in order to receive a provisional ballot to vote in the Presidential election.Again, voters may register to vote, in person, up to and including Election Day. More than ever, clerks must demand Colorado get out of the ERIC (Electronic Registration Information Center) voter registration system, deploy a national voter ID and advocate for access to already existing federal data bases to prove citizenship. 

Respectfully submitted,

Candice Stutzriem

Canvass Board MemberEl Paso County Republican Party